Security Questions

    • #6984
      Ps_107
      Participant

      I don’t know where else to post this so I’ll post this right here..

      1) What are the most “secure” places for using a laptop?

      2) Also, would it be possible for someone to hack into a personal laptop if the owner was using it some place else other than their own home?

    • #43396
      hayabusa
      Participant

      1.) anywhere it is NOT connected to a network or the internet.  (sorry, but it’s the truth.)  Anywhere else, you take your chances.  The laptop is only as secure as you make it.  Just keep updated Antivirus and Antispyware on it, and be wary of anything that looks unusual, such as certificate warnings to sites you frequent regularly, and normally don’t see errors on.

      2.)  home or not doesn’t matter.  If the circumstances are right, you’ll get hacked ANYWHERE.

    • #43397
      p0et
      Participant

      Hayabusa’s right on the money.  There really is no “secure” place to use your laptop other than anyplace you turn off wifi and unplug your network cable.  😉  I would have to say that it’s more common to have your wireless devices “hacked” or the traffic sniffed outside of the home.  That’s just what I’ve personally noticed though.

    • #43398
      Ps_107
      Participant

      @hayabusa wrote:

      1.) anywhere it is NOT connected to a network or the internet.  (sorry, but it’s the truth.)  Anywhere else, you take your chances.  The laptop is only as secure as you make it.  Just keep updated Antivirus and Antispyware on it, and be wary of anything that looks unusual, such as certificate warnings to sites you frequent regularly, and normally don’t see errors on.

      2.)  home or not doesn’t matter.  If the circumstances are right, you’ll get hacked ANYWHERE.

      Thank you to Hayabusa and Poet for you guys’ feedback.

      Well, here’s the other thing.. 

      I’ve been considering getting a laptop and having an “Antivirus” and an “Antispyware” installed, along with having a Web Application Security Tester to protect my business.

      After I’ve done that though, does that necessarily mean that my new laptop’s going to be all patched-up from vulnerabilities?

    • #43399
      White ghost
      Participant

      What is your laptop OS?
      If you have Windows on your laptop you must have an updated antivirus (Total security version of antiviruses are better) and you must update your Windows to patch all known security bugs.

      And about where is safe for a laptop?
      Whenever you connect to any network with your laptop (no matter whether it has internet or not) it may be dangerous.

    • #43400
      hayabusa
      Participant

      @Ps_107 – you might be all ‘patched up’ today, but understand that new vulnerabilities are found, daily, so it’s a never-ending process to stay safe.

      I’m sorry if my first response put some fear into you.  Just that, in reality, that’s the way it is, nowadays.

    • #43401
      Triban
      Participant

      There is always risk involved when connecting your computer to any network.  I keep shields up at all times (firewall active and AV actively running).  When I am traveling I tend to VPN into my home network before I do anything.  I have more control of that network than hotels, Panera’s or Starbucks.  Your Web application tester will probably have some skills with helping you secure your personal laptop but honestly, keeping AV updated, local firewall running and updating ALL software regularly will keep you about as secure as you can get.

      If you are worried about data, you can always utilize software like Truecrypt and create encrypted containers on your local/network storage drives.  Windows 7 also utilizes Bitlocker in the Business/Ultimate editions. 

      Also if you are using something other than Windows (Mac or Linux) do not assume you are immune to attacks.  Mac OS exploits and viruses have been coming out much more frequently than in the past and Linux is also vulnerable to attacks.  Granted they are much less than Windows and even Mac but they are still out there.  Besides what you have that a blackhat might want is not necessarily on your local systems.  They may want access to your email, your web hosting information and credentials, bank information and all that is out on the web.

      Education is your best friend and common sense goes a long way.  Don’t hinder your business by being too paranoid, but use the paranoia to better secure your business.

      Also as far as securing your home office, I would recommend investing in a SOHO style firewall (Small Office Home Office) such as a Sonicwall or Watchguard device.  They are fairly easy to manage once they are set up and they have a low reoccurring cost for service and support.  The bonus to these devices is that they will include other services besides simple port forwarding.  The Sonicwalls (I am most familiar with) provide IDS/IPS as well as gateway antivirus.  So that ends up filtering much of the garbage before it hits your internal network.  Something to think about.

      Also as you are building this business, don’t get frustrated if some new security software/hardware makes something not work.  Rather than turning off the security feature, make sure it is properly configured with the correct exceptions to keep your apps running properly.

      Good luck!

    • #43402
      WCNA
      Participant

      107- You might want to consider using a Live CD or bootable USB stick when you are out and about (I would suggest the latest Ubuntu if you have little experience or a secure distro if you do). It’s somewhat safer than using Windows directly from your hard drive.

      If you must use Windows, then (with all the above advice from other forum members) use Sandboxie to make it much harder for a script kiddie to do permanent damage in addition to encrypting all your sensitive data (most people like TrueCrypt).

    • #43403
      Ps_107
      Participant

      @White ghost wrote:

      What is your laptop OS?
      If you have Windows on your laptop you must have an updated antivirus (Total security version of antiviruses are better) and you must update your Windows to patch all known security bugs.

      And about where is safe for a laptop?
      Whenever you connect to any network with your laptop (no matter whether it has internet or not) it may be dangerous.

      I truly appreciate your input.

      When you say, “you must update your windows to patch all known security bugs,” are you referring to upgrading to a more recent and better brand of Windows or are you saying to simply upgrade the version of Windows that I have right now?

      Also, what’s the best version of Windows that I can own right now?

      Thanks again.

    • #43404
      Ps_107
      Participant

      @hayabusa wrote:

      @Ps_107 – you might be all ‘patched up’ today, but understand that new vulnerabilities are found, daily, so it’s a never-ending process to stay safe.

      I’m sorry if my first response put some fear into you.  Just that, in reality, that’s the way it is, nowadays.

      Hey man, thank you again for taking the time to respond.

      It looks like I don’t have much of a choice but to become a hacker myself (ethical of course).

      But seriously, I like straight-forward answers and I truly appreciate your honesty.

      I have a better understanding of what steps need to be taken, no matter how costly they may be.

      Peace.

    • #43405
      hayabusa
      Participant

      No worries about taking the time to respond. 

      We’re here to help one another learn.  Sometimes, folks take posts the wrong way (aka – another of my responses, today, drew fire.)  They’re rarely intended negatively, but they’re generally brutally honest, so sometimes I (and others) have to double-check wording, to make sure the point is made without offending or scaring someone.

      Anyway, if you have further questions, that’s what we’re all here for.  Learning and info-share.

      Have a great day!

    • #43406
      Ps_107
      Participant

      @3xban wrote:

      There is always risk involved when connecting your computer to any network.  I keep shields up at all times (firewall active and AV actively running).  When I am traveling I tend to VPN into my home network before I do anything.  I have more control of that network than hotels, Panera’s or Starbucks.  Your Web application tester will probably have some skills with helping you secure your personal laptop but honestly, keeping AV updated, local firewall running and updating ALL software regularly will keep you about as secure as you can get.

      If you are worried about data, you can always utilize software like Truecrypt and create encrypted containers on your local/network storage drives.  Windows 7 also utilizes Bitlocker in the Business/Ultimate editions. 

      Also if you are using something other than Windows (Mac or Linux) do not assume you are immune to attacks.  Mac OS exploits and viruses have been coming out much more frequently than in the past and Linux is also vulnerable to attacks.  Granted they are much less than Windows and even Mac but they are still out there.  Besides what you have that a blackhat might want is not necessarily on your local systems.  They may want access to your email, your web hosting information and credentials, bank information and all that is out on the web.

      Education is your best friend and common sense goes a long way.  Don’t hinder your business by being too paranoid, but use the paranoia to better secure your business.

      Also as far as securing your home office, I would recommend investing in a SOHO style firewall (Small Office Home Office) such as a Sonicwall or Watchguard device.  They are fairly easy to manage once they are set up and they have a low reoccurring cost for service and support.  The bonus to these devices is that they will include other services besides simple port forwarding.  The Sonicwalls (I am most familiar with) provide IDS/IPS as well as gateway antivirus.  So that ends up filtering much of the garbage before it hits your internal network.  Something to think about.

      Also as you are building this business, don’t get frustrated if some new security software/hardware makes something not work.  Rather than turning off the security feature, make sure it is properly configured with the correct exceptions to keep your apps running properly.

      Good luck!

      Thank you very much for all of the helpful information you’ve provided me. 

      You said, “When I am traveling I tend to VPN into my home network before I do anything.”, I’m a little confused.  I thought a VPN could only be accessed in other public locations other than your own home.. (such as a business complex or maybe even a library).  I’m probably just missing something though, so would you mind explaining how to VPN your own “home network” without being in a business complex and the like?

      Other than that, I’m definitely going to take everything you’ve said into consideration.

    • #43407
      eth3real
      Participant

      If I go to Starbucks or the airport, or really anywhere that has an open network, I’ll forward all of my traffic through an SSH tunnel to my home network. That way it just looks like encrypted traffic on the public network, but I still have to rely on the security of my home network to make sure my data is safe. 😛

    • #43408
      hayabusa
      Participant

      @eth3real ++1

    • #43409
      Ps_107
      Participant

      @WCNA wrote:

      107- You might want to consider using a Live CD or bootable USB stick when you are out and about (I would suggest the latest Ubuntu if you have little experience or a secure distro if you do). It’s somewhat safer than using Windows directly from your hard drive.

      If you must use Windows, then (with all the above advice from other forum members) use Sandboxie to make it much harder for a script kiddie to do permanent damage in addition to encrypting all your sensitive data (most people like TrueCrypt).

      Thank you very much for the programs you’ve suggested.

      I’ve done my research on all of them and I’m more than likely going to implement them into my work.

      Thanks again for the helpful information.

    • #43410
      Ps_107
      Participant

      @hayabusa wrote:

      No worries about taking the time to respond. 

      We’re here to help one another learn.  Sometimes, folks take posts the wrong way (aka – another of my responses, today, drew fire.)  They’re rarely intended negatively, but they’re generally brutally honest, so sometimes I (and others) have to double-check wording, to make sure the point is made without offending or scaring someone.

      Anyway, if you have further questions, that’s what we’re all here for.  Learning and info-share.

      Have a great day!

      I’m a brutally honest kinda guy too, so I know exactly where you’re coming from. 🙂

      Thanks again bro.

    • #43411
      Ps_107
      Participant

      @eth3real wrote:

      If I go to Starbucks or the airport, or really anywhere that has an open network, I’ll forward all of my traffic through an SSH tunnel to my home network. That way it just looks like encrypted traffic on the public network, but I still have to rely on the security of my home network to make sure my data is safe. 😛

      I don’t quite know what all of that means, but when I figure it out, I just might give it a try.  Thanks. 🙂

    • #43412
      hayabusa
      Participant

      Means he has an ssh server set up at home, and tunnels all of his traffic back, through that, rather than directly browsing over his hotel internet IP address.  Other ways might be setting up a vpn server at home (same principle for tunneling your traffic,) and connecting through that.  In essence, it makes all of your browsing appear to originate from your home IP address, as well as making your home network gateway and security measures work, for your remote / hotel / coffee shop connection.
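
The setup described in the post above, as an added example that is not code from any poster in this thread: a POSIX shell script that opens an SSH dynamic (SOCKS) forward to a home server, bound to loopback only, and fails instead of running without the forward. The host `home.example.net`, user `me` and port 1080 are placeholders.

```shell
#!/bin/sh
# Added example: send browsing traffic from an untrusted network through an
# SSH server at home. HOME_HOST, HOME_USER and SOCKS_PORT are placeholders.
HOME_HOST="${HOME_HOST:-home.example.net}"
HOME_USER="${HOME_USER:-me}"
SOCKS_PORT="${SOCKS_PORT:-1080}"

# Accept only an unprivileged, purely numeric port for the local listener.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# tunnel_cmd print -> show the ssh command line for review
# tunnel_cmd run   -> start the tunnel in the foreground
tunnel_cmd() {
    mode="$1"
    valid_port "$SOCKS_PORT" || {
        echo "SOCKS_PORT must be a number from 1024 to 65535" >&2
        return 2
    }
    # -N: no remote shell, forwarding only
    # -D 127.0.0.1:PORT: SOCKS listener reachable from this laptop only,
    #    not from other machines on the coffee-shop network
    # ExitOnForwardFailure: stop if the listener cannot be created, so the
    #    browser is never pointed at a proxy that is not there
    # StrictHostKeyChecking=yes: refuse an unknown or changed host key,
    #    which is what a man-in-the-middle on public Wi-Fi would present
    # ServerAlive*: drop a dead session after about 90 seconds
    set -- ssh -N \
        -D "127.0.0.1:${SOCKS_PORT}" \
        -o ExitOnForwardFailure=yes \
        -o StrictHostKeyChecking=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        "${HOME_USER}@${HOME_HOST}"
    if [ "$mode" = run ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Fetch a URL through the tunnel. --socks5-hostname makes curl hand the
# host name to the proxy, so DNS lookups also leave from the home network.
via_tunnel() {
    curl --silent --max-time 10 \
        --socks5-hostname "127.0.0.1:${SOCKS_PORT}" "$@"
}

case "${1:-}" in
    up)   tunnel_cmd run ;;
    show) tunnel_cmd print ;;
esac
```

The home server's host key has to be in `known_hosts` before travelling, otherwise `StrictHostKeyChecking=yes` rejects the first connection; the browser is then pointed at the SOCKS proxy on 127.0.0.1.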

    • #43413
      Triban
      Participant

      @Ps_107 wrote:

      Thank you very much for all of the helpful information you’ve provided me. 

      You said, “When I am traveling I tend to VPN into my home network before I do anything.”, I’m a little confused.  I thought a VPN could only be accessed in other public locations other than your own home.. (such as a business complex or maybe even a library).  I’m probably just missing something though, so would you mind explaining how to VPN your own “home network” without being in a business complex and the like?

      Other than that, I’m definitely going to take everything you’ve said into consideration.

      I have a home server running a couple different virtual appliances.  One is a virtual OpenVPN server.  OpenVPN allows you to have a single free VPN (virtual private network) connection.  You can pay for it and get additional connections.  There are some decent documents from them on how to set up both server and client.  There are also a number of services you can subscribe to for a VPN but again you don’t have control of the provider so it is not 100% secure.  It probably is more secure than using the straight “Free” wi-fi at whatever coffee shop, airport or bookstore has available.  The reason you don’t see VPNs used in a more personal level is sometimes due to the cost of the devices that support them.  Typically small/medium businesses have a higher end firewall that supports VPN and they use an internal server for authentication means.  Those of us in the IT realm tend to have home networks that can support a similar setup and since we are the only users, we are only affected when it is down.

      For you I would recommend implementing a server for both your file storage and use of RADIUS authentication for a VPN solution supported through your firewall.  That way when you travel you can VPN into your home office for file access and more secure communications.

      Glad I can help!

    • #43414
      hayabusa
      Participant

      If you’re looking for a ‘free’ solution, too, I THINK the freeware version of Untangle has VPN, as well.

    • #43415
      Ps_107
      Participant

      Thank you again to all of you who’ve been kind enough to make a contribution to my inquiries.

      I’ve done as much research as I possibly could (so far) on just about everything you’ve all suggested.  I’ll more than likely have to put a little more time into understanding all of the minute intricacies of you guys’ responses.

      Although the majority of what you’ve all given me sounds pretty complex at the moment (at least from my perspective), it’s still fascinating nonetheless.

      If you all don’t mind, I do have some more questions in regards to security however.. most of which might come across as sounding pretty ignorant but I hope you’ll bear with me.

      1)  Does a Penetration Tester need to physically be in-front of their client’s CPU in order to perform a successful Penetration Test?

      2)  If not, would the outcome of a Penetration Test still be as thorough and effective if let’s say the Tester performed their tasks while being in a totally different location than their client?

      3)  I understand that a computer system can get so jacked-up that a hacker could actually end-up “owning” the victim’s computer and have total control over it.  So, let’s say I hired a Penetration Tester who just so happened to be in some far-off distant land like Kansas and let’s just pretend that I lived in Seattle.  Would my hired Tester from Kansas be able to detect someone who was actually “owning” my system and then be able to actually kick them off of it, and then patch-up my system’s vulnerabilities afterwards?

      Note:  I’m well aware that a Pen-Tester could do all of that while in the physical presence of the infected computer system.  I’m curious however if they’d actually have the same effect by testing the computer from another location.

      Thank you for your patience.

    • #43416
      Triban
      Participant

      Ps_107

      It all depends on the scope of the project.  There are internal and external tests and both come with their own scope of work.  But let’s take a step back for a second.  Penetration tests are not cheap (if you stick with a reputable company).  If you are currently a single person environment with no server at the moment, then a penetration test is not really something you need.

      I would suggest bringing in an IT consultant in your area who is familiar with the needs of a small business client to assist in your setup.  This also holds a cost but it is much less than a penetration test.  We usually schedule a test when we know we have done all we can to secure our systems and want to see how we do.  It also helps us in deciding where we need to improve more and budget that accordingly.

      Don’t get too paranoid with securing a network that may or may not exist.  Figure out what you want to do with the network and work on securing it based on that.

      Let’s say I was building a new network for a small business < 5 workstations and MAYBE a server.  For less than 5 people I would probably not waste money on an inhouse server.  I would probably look to something like Amazon Cloud services or Google Apps depending on what your industry is.  If you are a one man shop, you can keep the costs down by using online resources for email and storage.  Ensure the solution supports SSL based access as well as encryption for storage, or you can simply encrypt the data afterwards.

      Again all this is really based on your industry and your business plan.  If you don’t like keeping your stuff up on the internet, then at least utilize it for backups.  Keep in mind the larger the chunk of data you are backing up, the longer it will take to restore.  I like to recommend backing up locally on an external drive and copying that to an online backup solution such as Carbonite.

      If you do not keep any resources in house, then you can easily lock down your firewall device so only the necessary ports are allowed out and nothing is allowed in.  Utilize 15+ character passwords using mixed case, numbers and special characters and keep services such as Windows 7’s User Access Control (UAC) enabled.  That is the box that pops up when you try to install something even though you are a local admin, it still requires the OK to proceed.

      Keep it simple stupid is what I like to say.  You can only lock down so much before it impacts your business.  In this day and age you need to have an internet presence, Twitter account and hell even Facebook to an extent because that is where you will find the business.  For all that you need to be online in some fashion.  Just practice safe use and you are as protected as you can be.

    • #43417
      Ps_107
      Participant

      @3xban wrote:

      Ps_107

      Keep it simple stupid is what I like to say. 

      Sometimes, it isn’t quite that simple.

      If you only understood the gravity of my situation, I think you’d have a better appreciation for all of the inquiries I’ve made thus far.

      So let’s take a step forward.  Could you please elaborate on what you meant when you said, “It all depends on the scope of the project.  There are internal and external tests and both come with their own scope of work.”?

    • #43418
      hayabusa
      Participant

      With regard to scope…

      All projects and pentests need to be ‘clearly’ defined / scoped.  What is and isn’t off-limits?  What processes and systems are to be tested?  Is it a website-only test, or are you to test perimeter routers and gateways?  Is social engineering in the scope?  What hours is the testing to be done, during?

      The list goes on, and on, and on…

      But it all needs clear definition, so that you don’t overstep authority, or break systems that you’re not supposed to affect.

    • #43419
      Ps_107
      Participant

      @hayabusa wrote:

      With regard to scope…

      All projects and pentests need to be ‘clearly’ defined / scoped.  What is and isn’t off-limits?  What processes and systems are to be tested?  Is it a website-only test, or are you to test perimeter routers and gateways?  Is social engineering in the scope?  What hours is the testing to be done, during?

      The list goes on, and on, and on…

      But it all needs clear definition, so that you don’t overstep authority, or break systems that you’re not supposed to affect.

      So would a Pen-Tester be able to obtain a clear definition for someone cracking into a system while maliciously distributing personal information all over the internet?

    • #43420
      eth3real
      Participant

      Ps_107, are you saying that someone has taken control of your computer, gained access to your personal information, and is spreading that information out on the internet?

      I would advise running Wireshark on your computer while in use to see if there’s any strange traffic. Maybe even install an IDS on your network, just to see if anything is picked up. There’s a turnkey solution called Insta-Snorby that may do the trick.

      If you do in fact have an attacker active on your system, then there are a lot of extra steps you need to take.
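
One way to put "see if there's any strange traffic" into practice, combined with the earlier advice in this thread to let only the necessary ports out (an added example, not code from any poster): a shell and awk filter over a tshark field export that totals outbound TCP traffic to ports outside an egress allow-list. The allow-list, the laptop address and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list outbound TCP conversations whose destination port is
# not on the egress allow-list. Policy and addresses below are assumptions.
ALLOWED_PORTS="${ALLOWED_PORTS:-53 80 443 993}"   # ports the firewall lets out
LOCAL_IP="${LOCAL_IP:-192.168.1.20}"              # this laptop's address

# Constructed sample in the tab-separated layout produced by:
#   tshark -r capture.pcapng -T fields \
#          -e ip.src -e ip.dst -e tcp.dstport -e frame.len
sample_capture() {
    printf '%s\t%s\t%s\t%s\n' \
        192.168.1.20  198.51.100.10 443   1200 \
        192.168.1.20  198.51.100.10 443   800 \
        198.51.100.10 192.168.1.20  51000 1500 \
        192.168.1.20  203.0.113.77  6667  300 \
        192.168.1.20  203.0.113.77  6667  450 \
        192.168.1.20  192.168.1.1   53    80 \
        192.168.1.20  224.0.0.251   ''    120 \
        192.168.1.20  203.0.113.5   8443  1400 \
        192.168.1.20  203.0.113.5   8443  1400 \
        192.168.1.20  203.0.113.5   8443  1400
}

# Reads the export on stdin. Prints "bytes<TAB>frames<TAB>dst:port" for each
# outbound conversation to a port that is not allowed, largest first.
flag_unexpected_egress() {
    awk -F '\t' -v me="$LOCAL_IP" -v allowed="$ALLOWED_PORTS" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Outbound frames only; rows with an empty port are not TCP.
        $1 == me && $3 != "" && !($3 in ok) {
            key = $2 ":" $3
            bytes[key] += $4
            frames[key]++
        }
        END {
            for (k in bytes) printf "%d\t%d\t%s\n", bytes[k], frames[k], k
        }
    ' | sort -t "$(printf '\t')" -k1,1nr -k3,3
}

# "demo" runs the filter over the constructed sample; any other argument is
# treated as the path of a real export file.
case "${1:-}" in
    demo) sample_capture | flag_unexpected_egress ;;
    "")   ;;
    *)    flag_unexpected_egress < "$1" ;;
esac
```

A hit is only a lead to follow up (which program owns the connection, and who runs the remote address), not proof of compromise.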

    • #43421
      Ps_107
      Participant

      @eth3real wrote:

      Ps_107, are you saying that someone has taken control of your computer, gained access to your personal information, and is spreading that information out on the internet?

      I would advise running Wireshark on your computer while in use to see if there’s any strange traffic. Maybe even install an IDS on your network, just to see if anything is picked up. There’s a turnkey solution called Insta-Snorby that may do the trick.

      If you do in fact have an attacker active on your system, then there are a lot of extra steps you need to take.

      Thank you very much for your recommendation Eth3real.

      I’ve still gotta learn how to use it properly but I feel a little better knowing that I’ve got some sort of reliable security on my computer other than “Norton.”

      I’ve gotta go so I’ll continue this message a little bit later on.

      Thanks again.

    • #43422
      Triban
      Participant

      Understandable Ps_107.  And yes I do not know your situation.  As we all have a wealth of information behind us, we can only speculate at what you are ultimately trying to do and protect.  I do understand your heightened awareness due to past issues.  If you have intellectual property that needs protecting, you should also ensure you have some legal protection going forward with your new project.  I understand the costs involved with protecting intellectual property could be high, but so are penetration tests.

      In most cases a Pen tester is not looking for other people breaking in, but looking for a way in themselves and telling you about it after.  The goal of the pen test could vary from simply breaking the perimeter to obtaining access to critical company data.  But it is all in the scope.

      I would highly recommend you create a relationship with a local IT firm that can better understand your situation and recommend a solution that will best suit you.  We can only speculate and rather than give you information overload, it is much easier to make recommendations and answer your questions when we actually know what needs protecting.  Obviously I am not asking you to divulge that information to us.  But working with someone directly may give you better answers than posting on a forum.  If anything you can always pass the recommendations by us and hear our opinions on them. 

    • #43423
      hayabusa
      Participant

      Agreed with 3xban.

      It almost sounded, from your last reply, Ps_107, that you’re thinking more in terms of a CHFI (Hacking Forensics), rather than an ethical hacker/ penetration tester.  There are occasions when a person will do both, but more often, there are those that specialize in each area, and you’d be best served, as 3xban noted, in talking to someone closer to you, who might be able to advise you which route you’re really looking to pursue.

      Good luck, and keep us posted.

    • #43424
      Ps_107
      Participant

      @3xban wrote:

      Understandable Ps_107.  And yes I do not know your situation.  As we all have a wealth of information behind us, we can only speculate at what you are ultimately trying to do and protect.  I do understand your heightened awareness due to past issues.  If you have intellectual property that needs protecting, you should also ensure you have some legal protection going forward with your new project.  I understand the costs involved with protecting intellectual property could be high, but so are penetration tests.

      In most cases a Pen tester is not looking for other people breaking in, but looking for a way in themselves and telling you about it after.  The goal of the pen test could vary from simply breaking the perimeter to obtaining access to critical company data.  But it is all in the scope.

      I would highly recommend you create a relationship with a local IT firm that can better understand your situation and recommend a solution that will best suit you.  We can only speculate and rather than give you information overload, it is much easier to make recommendations and answer your questions when we actually know what needs protecting.  Obviously I am not asking you to divulge that information to us.  But working with someone directly may give you better answers than posting on a forum.  If anything you can always pass the recommendations by us and hear our opinions on them. 

      I’ve already started looking into a couple of IT firms but actually developing a relationship with them is a whole other thing.

      Other than that, that’s a great idea and I’ll do whatever I can to get any of those guys to help me out.

    • #43425
      Ps_107
      Participant

      @hayabusa wrote:

      Agreed with 3xban.

      It almost sounded, from your last reply, Ps_107, that you’re thinking more in terms of a CHFI (Hacking Forensics), rather than an ethical hacker/ penetration tester.  There are occasions when a person will do both, but more often, there are those that specialize in each area, and you’d be best served, as 3xban noted, in talking to someone closer to you, who might be able to advise you which route you’re really looking to pursue.

      Good luck, and keep us posted.

      Although I knew that forensics work is completely different than conducting a Pen-Test, I had no idea those were two totally separate fields.

      I always figured that a Pen-tester would be able to do both and that’s exactly what I’m looking for right now.

      I will definitely look into it.

    • #43426
      Ps_107
      Participant

      So in terms of what I actually have control over right now, at the moment, the very best I can do is “protect” my system from any further intruders (or I can at least have some sort of an indicator of who’s been in and out of my network).

      I’ve got Wireshark all set-up but it probably would be a good idea to have a separate Intrusion Detection System to go along with it.

      In you guys’ opinion, would you all prefer “Snort” or “Snorby” or something else? 


Copyright ©2022 Caendra, Inc.
