
Security alert - possible theft of your bank, email, web hosting, twitter or facebook accounts using your cell phone



ThePythonicCow
12th July 2016, 17:41
There is a new attack being used on people who might have valuable or high profile bank, email, web hosting, twitter, or other such accounts.

If you make use of a cell phone to receive email or SMS text messages, and manage any of your important accounts that way, including perhaps handling password reset requests or having other critical information "in the cloud" (backed up from your cell phone, by your provider), then you are at risk.

The thief walks into a retail store for the phone company providing your cell phone service and, using the usual social engineering tricks, convinces them that they are you and gets the store to issue a new SIM card for your account, canceling the SIM card actually in your phone.

Depending on just how your accounts and security are set up, they might be able to quickly drain your bank account, hack your twitter account, steal your website domain name, or read all your incoming email and respond to it as you.

Linus of Linus Media Group explains how it's done, from the perspective of being a recent victim himself, in this video:
LlcAHkjbARs

xion
12th July 2016, 21:15
Hey Paul, as the tech-savvy guy you are, can you give some tips and tricks to help people get more secure?

ThePythonicCow
12th July 2016, 21:39
Hey Paul, as the tech-savvy guy you are, can you give some tips and tricks to help people get more secure?

Well ... much depends on whether you're using big old desktop PCs in your home, or laptops out and about, or smart phones or tablets. Much also depends on whether you're using Linux, Mac, Windows, or Android. Much further depends on your level of expertise.

Number one in my book is good backups. I have backups of my backups of my backups of my backups of my backups ... but I'm a bit weird in that regard.

Number two in my book is a good password manager, such as 1Password, LastPass, or Dashlane. Personally, I use LastPass.

For home equipment, I'd have a decent firewall/router between you and the Internet (one that you control, not the one from your Internet Service Provider).

From what I hear (often via Steve Gibson on Security Now (https://www.grc.com/securitynow.htm)), if I was using Windows, I'd avoid security software by Symantec (which includes Norton) and Comodo. I'd prefer Kaspersky instead.

xion
12th July 2016, 22:36
Thanks for answering.
I'm using a self-built desktop. Quite a dinosaur: Q6600@3GHz with 660ti.
I use Windows as I must due to AutoCAD, 3ds and other programs. Plan is to make a Linux server separately and connect everything over it. I also lack a separate firewall/router. Hold up is $ atm.
Regarding backups, I'm in the same boat as you. I burned myself many times before :)
I also avoid Symantec products like Ebola. Only thing I found useful from them is Norton Ghost for disk images.
Passwords I keep in my head and on paper, old school. I also use a double verification pass system if available.

Here, have a cookie in the form of a good tune for answering:
http://rossocorsarecords.bandcamp.com/track/converter

ThePythonicCow
12th July 2016, 22:37
... and of course, if you're running web servers (such as the Avalon server) then the important security issues are different - backups are still important of course, but one also needs custom or powerful firewall tools, as sites such as Avalon are constantly under assault.

In the last two years, one of my custom developed firewall tools has issued over 30,000 bans for over 6000 IPs, with some IPs coming back repeatedly to earn over 200 bans each. So far, only a single actual Avalon member has been unintentionally blocked, for a short while, until we figured out what was going on and fixed it. Another of my custom firewalls (this one more of a custom configuration of existing tools than an entire custom tool of my own writing) has blocked over a half million accesses to the Avalon server over the last month from over 40,000 distinct IPs.

Home computers are much easier than web servers, and are also much easier than portable laptops, phones and tablets. Home computers are relatively secure physically, and can usually be kept behind a reasonable firewall/router, so that they only see web traffic that is in response to requests they just sent out. Portable devices lack that physical security and are often used in a variety of insecure, even hostile Wi-Fi network environments or more easily (as my opening post above documents) compromised mobile phone environments. Web servers have to handle (somehow, even if just quickly rejecting) whatever traffic shows up at the front door.

ThePythonicCow
12th July 2016, 22:48
Here, have a cookie in the form of a good tune
Nice tune - thanks :).

xion
12th July 2016, 23:11
I totally regret that I didn't get into that part of the tech.

Thanks for giving me insight into how that is managed.

Here's a good documentary. It's about BBS, invention of the modem, pirate scene, ARJ, Netscape... interviewing the actual people who invented them. Great piece of history that needs to be watched.
Unfortunately physical DVDs are no longer on sale. They said it will go digital, but who knows when.
It's an 8-part video:

396oqBBwU4g

http://www.bbsdocumentary.com/

ghostrider
13th July 2016, 01:07
I'm always leery of online transactions, even if everything is secure and it's a legitimate site ... I sometimes get a prepaid card, use it for one bill or something and then get a different one, never using the same card... it's just scary...

petra
19th July 2016, 15:52
All my passwords are "pleasedonthackme" for just in case. Just kidding ;-)

TargeT
19th July 2016, 16:07
All my passwords are "pleasedonthackme" for just in case. Just kidding ;-)

everyone should stop using the term "password" and switch to "passphrase"

"pleasedonthackme" is better than "H@{kpr0Of"

the longer your passphrase the better, mine are a min of 16 characters (but it's a pass "phrase", it's so much easier to remember a short sentence).


ALSO:

This "hack" won't really work as described.. just having a SIM card isn't enough to do all these things he said.. you need other items as well (namely: google login info or other credentials) so this is not something I would fear much...


in short:

not much to worry about here.. the chances of this happening to anyone are pretty low, the chances of it happening to YOU are almost non-existent.


I'm always leery of online transactions, even if everything is secure and it's a legitimate site ... I sometimes get a prepaid card, use it for one bill or something and then get a different one, never using the same card... it's just scary...

Meh.. this is why credit card companies charge a fee... they will support you, just be vigilant of your accounts and make sure no unexpected charges show up.. if they do, dispute them; I've never had issues (disputed a few charges) as they seem to support the "card holder" over the "charging party".

really this stuff is super rare (personal financial loss) it's mostly corporate or government that this type of activity happens around.



Number one in my book is good backups. I have backups of my backups of my backups of my backups of my backups ... but I'm a bit weird in that regard.

Number two in my book is a good password manager, such as 1Password, LastPass, or Dashlane. Personally, I use LastPass.

For home equipment, I'd have a decent firewall/router between you and the Internet (one that you control, not the one from your Internet Service Provider).

From what I hear (often via Steve Gibson on Security Now (https://www.grc.com/securitynow.htm)), if I was using Windows, I'd avoid security software by Symantec (which includes Norton) and Comodo. I'd prefer Kaspersky instead.


Learn about hard drive encryption, encrypt everything... 256bit key MINIMUM.

PATCH REGULARLY! (these updates fix old security holes.. old security holes are how 90% of "hacks" happen)

don't use "passwords" use "pass phrases" and DON'T WORRY! as long as you're not being super lax about it this WON'T happen to you.

TODD & NORA
19th July 2016, 18:00
..........

TargeT
19th July 2016, 18:18
https://www.trusona.com/ offers four-factor authentication, though I talked them into offering five-factor authentication once our PAC is up and running. Using that hardware/software combo coupled with tethering only Internet access between laptop and cell phone, along with COMPLETELY scrubbing your online account access information after you set up secure hardware/software and being careful to only access required web sites on secure hardware, you're good to go.

Simple credit freezes also work.

5 factor????


Here's the possible authentication factors I know of:

1) Something you know (passphrase, pin code, etc..)

2) Something you have (card, key, physical device)

3) Something you are (finger print, iris scan, bio-metrics)

4) somewhere you are (location mixed with the above)

5) the only other possibility is time I guess... but WHY would you go through all that effort?

I work with classified information and we never go beyond 3 factor (and I wouldn't suggest it either, though 4 factor is pretty reasonable (if the 4th factor is location)).

ThePythonicCow
20th July 2016, 15:23
Learn about hard drive encryption, encrypt everything... 256bit key MINIMUM.
In my view, hard drive encryption is not always recommended.

Such bulk encryption increases the routine cost of accessing data, and (more importantly for some of us) increases the risk of bulk data loss. I can, and have, extracted data from drives that had been left unused, in storage, for decades. If such drives had been encrypted, the odds are high that I would have had no clue how to extract the data (unless I had physically labeled the drive with the passwords and instructions required to decrypt it, which sort of defeats the purpose of encrypting it in the first place.)

I make extensive use of encryption, and have for a long time. But I do so more at the application or file level, not at the physical disk level.


In short, before choosing to encrypt one's drive, one should consider whether one is more concerned with (1) a thief stealing one's data by physically stealing the drive (perhaps as part of a laptop, tablet or phone), or with (2) losing one's own access to the data, due to loss of the key or of the software or hardware required to decrypt the drive.

Also, partial data recovery from physically damaged drives can be greatly hindered by hard drive encryption.

In my case, I keep long term, archival storage in physically secure locations, not bulk disk encrypted. Those portable devices that I might carry out and about in the world are kept free of any sensitive data; they don't have data I'd worry about losing and they don't have data I'd worry about others seeing. I normally cannot even access my online accounts when out and about.