Hacking Studio

Author Topic: Account Security  (Read 361 times)

Fitz

Account Security
« on: August 30, 2016, 08:19:19 PM »
Below you can find some basic tips that most of you probably know already.
However, it's our responsibility to stress this more than necessary, just in case someone doesn't.

  • Use secure passwords/passphrases
  • Don't reuse your passwords on other sites
  • Confirm SSL
  • Don't share your account
  • Be careful on public networks
  • Note on e-mail:
  • Think about what you're using
  • Think about what you're sharing

Use secure passwords/passphrases
A very basic principle that many seem to forget for accessibility purposes. In the 2010-something LinkedIn dump, over 60% of the SHA-1 hashes were very easily cracked. (http://www.computerworld.com/article/2504078/cybercrime-hacking/hackers-crack-more-than-60--of-breached-linkedin-passwords.html)
Now we can discuss whether this is due to the "weakness" of the SHA-1 algorithm, but if your password is "admin06", there's nothing ANY algorithm can do for you.
Please take this into consideration.

We at Hacking Studio do our very best to protect you on our side, however, as vulnerabilities and exploits are globally discovered every day, there's a chance that one day, we too will fall victim (although we count on our wonderful community to help us find these bugs before "the bad guys" do  ;) ).

There are plenty of password managers out there to make it easier for you to log in with difficult/unguessable passwords. Please use them, as it will most definitely add a layer of security to your account!

Don't reuse your passwords on other sites
A lot of people do this or have done this, and even use the same password for every account online.
It's a very simple equation: if one account gets hacked, there's a very good chance all your others are lost as well.
Again, while we do what we can to protect you, there are others who do not care to invest their time into protecting their members and will spray your info and weakly hashed passwords into the open.

Confirm SSL
HackingStudio makes use of LetsEncrypt to secure your traffic from and to our server.
If at any point you receive Certificate Errors or other weird messages, please do not proceed to login, but verify where these messages are coming from.
If something seems off, contact an administrator on our IRC network. You do not need to be authenticated or have SSL enabled on our #help channel, so you can use it securely without exposing any details.
Don't feel bad for asking a "stupid" question, we prefer our members to be secured and will happily verify the issue for you.
In case of a real problem, it might also help identify attacks against our members or bugs, so basically you're helping us by letting us help you! :)

Sidenote on confirming SSL:
Users might embed pictures in posts that come from http sources rather than https.
This can trigger certain browsers (like Firefox) into warning you about mixed content.
Should you get such a warning, feel free to verify that it is really the user's post that's causing this issue.
You can simply hit F12 in Firefox to open the developer console and confirm that this is the case.
Should it be something that's on our side, feel free to contact us so we can get it fixed!

Don't share your account:
It's just a bad idea to do this. Get in a fight with your buddy? Your buddy has bad security? Aliens abduct him and reset all his passwords?
It's not hard to make an account here, if someone asks you to share accounts, it is good practice to deny this oh so humble request.

Be careful on public networks:
If you verify SSL as told above, this should be less of an issue; however, never say it can't happen.
Anyone at any time might be intercepting your traffic on a public network.
In your workplace, for example, your employer might have installed an SSL cert in your browsers that allows him to decrypt your data, and you wouldn't notice a damn thing.
We cannot or will not enforce policies to lock you into an IP address. Because we give you that liberty, it's your responsibility to check the network you're logging in from.

Note on E-mail:
It's considered good practice to use dedicated mail accounts in order to monitor where your mail address is going once it has been stored on a server after completing a registration procedure.
As you might have noticed, Simmons and I are fans of Protonmail, as it provides default PGP encryption between its members.
It's free, but paid plans are available which are most certainly worth a look.

You can of course use any mail provider, but you should take privacy and security into consideration as needed.

Another thing is that people involved with Hacking Studio will NEVER ask for your password. Period.
If anyone asks you for your password, report them to us on IRC or in a forum post, with screenshots / mails / flying unicorns as evidence.
It's not cool to "hack" other members, even if you have differences. Consequences will be taken if this should happen and should be proven.

Think about what you're using:
Again, we do our best on our side, but the tools you are using and how you are using them can also cause security problems.
If you use an online password manager and it gets hacked, you're f*cked.
If you use untrusted software and get rootkits, you're f*cked.
If you use a proxy, your traffic might be going through it unencrypted and basically, you're f*cked.

Think about the services you're using and how you're using them.

It's all about trust, and you do well not to trust everything blindly.
Feel free to search for discussions about software and setups, or open a new post if the tool you want to talk about hasn't been discussed yet!

Think about what you're sharing
Sometimes you can post screenshots, share links, or share stories that give away information that can help hacking, tracking, or making you look like a fool (remember that American official that had his porn tabs open in a screenshot of his browser?  ;D).
All hilarity aside, it's a good idea to check you have censored out any data you don't want publicized!

Conclusion
These are not rules, these are tips we want to share with you.
It's up to you to decide how far you wanna go with your security and privacy and how much of those you need.
As a hacking community, we of course want to stimulate you to keep it up as high as possible, this is 2016, people hack things.

If you have any tips for us, or found some things we need to work on, again, do not hesitate to contact us!

Happy Hacking! :)
"Any sufficiently advanced technology is indistinguishable from magic."
- Arthur C. Clarke
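The mixed-content check from the "Confirm SSL" sidenote, as an added example that is not part of Fitz's post: a small JavaScript function that lists which sub-resources of an https page would be loaded over plain http (the embedded images and scripts that make Firefox warn), and whether a browser would block them or merely warn. The sample post HTML and the forum URL are constructed; in a browser you could feed it `document.documentElement.outerHTML` from the F12 console.

```javascript
// Added example, not code from the original post. Finds "mixed content": http:
// sub-resources on an https page. Browsers block ACTIVE mixed content (it can
// run code or restyle the page) and only warn about PASSIVE content (images).
const ACTIVE_TAGS = new Set(["script", "iframe", "link", "object", "embed"]);

function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  if (page.protocol !== "https:") return findings; // an http page has no "mixed" content
  const tagRe = /<(\w+)\b([^>]*)>/g;
  // Attributes that make the browser fetch something; <a href> is a navigation, not a load.
  const attrRe = /\b(src|href|data|poster)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (tag === "a") continue;
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const raw = a[2] ?? a[3] ?? a[4];
      let resolved;
      try { resolved = new URL(raw, page); } catch { continue; } // unparsable value
      // Relative and protocol-relative URLs inherit https from the page; data: etc. are fine.
      if (resolved.protocol !== "http:") continue;
      findings.push({ tag, url: resolved.href, active: ACTIVE_TAGS.has(tag) });
    }
  }
  return findings;
}

// Constructed sample: a post body as rendered on an https forum page.
const SAMPLE_POST = `
<div class="post">
  <img src="http://img.example.net/screenshot.png" alt="hotlinked screenshot">
  <img src="https://img.example.net/ok.png">
  <img src="/attachments/local.png">
  <a href="http://example.org/article">a plain http link is not mixed content</a>
  <script src="http://cdn.example.net/widget.js"></script>
</div>`;

// Usage: the http image is passive (warning only), the http script is active (blocked).
for (const f of findMixedContent(SAMPLE_POST, "https://forum.example/index.php?topic=1")) {
  console.log(`${f.active ? "BLOCKED" : "WARNING"} <${f.tag}> ${f.url}`);
}
```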