Hey, guys. What’s up!
Recently at Crident we have seen an increase in clients finding that their account or service has been breached, hacked, taken over, cancelled or deleted, along with a plethora of other horrible outcomes. We hate hearing about this when our clients have worked hard on their projects.
We thought it would be appropriate to give you some easy but critical security tips to keep you safe from the pesky hackers out there. So, let’s get started, shall we?
Step 1 – Different passwords for different accounts
Explanation: This is probably the step that takes the most effort and is the most annoying, but a typical account breach starts somewhere else: another site you use has its database dumped, including your hashed password. That password is probably the same as the one on some, if not all, of your other accounts; see where we are going here? If you are a target, the attacker can take the password recovered from that dump and access all of your important accounts, sometimes even your email. You can check whether you already appear in a leaked database by using this handy search tool. Bear in mind that the tool can only check the databases it has; nobody knows what private databases are being traded in underground marketplaces, or which big businesses have had their data breached without it becoming public.
Execution: Ideally, if you care about being safe online, you would use a random password for every account. A unique password per website is truly the best route, because it keeps every one of your accounts fully isolated: if one site’s database gets dumped, only that specific website is compromised. Obviously a random string of characters for every account is not easy to remember, so this is where password managers come into play. Password managers are a vast topic, but if you want a local solution where no third party stores your data and it is only accessible on your own machine, we would suggest KeePass. If you want a cloud solution where you can access your passwords from multiple devices, such as your smartphone, we have had a great experience with LastPass. If you plan on switching all of your accounts to random passwords (congratulations on making a great and smart decision), we recommend starting with your email account(s) and then working through every account you signed up for with that email.
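As an added illustration of the Step 1 advice (this is example code, not something from Crident, KeePass or LastPass), the block below draws an independent random password per site from the operating system’s CSPRNG, estimates how many bits of entropy each one carries, and detects reuse across a constructed sample vault. The alphabet, the 24-character default and the constructed vault are assumptions for the example; the same generator works for the RCON passwords mentioned at the end of the post.

```python
import math
import secrets
import string
from typing import Dict, List

# Assumed alphabet: letters, digits and a conservative symbol set that most
# sites (and most game-server RCON configs) accept without escaping trouble.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Return a password drawn uniformly at random from `alphabet`.

    `secrets.choice` uses the OS CSPRNG; `random.choice` would be predictable.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(set(alphabet)))


def build_vault(sites: List[str], length: int = 24) -> Dict[str, str]:
    """One independent random password per site, as a password manager would keep."""
    return {site: generate_password(length) for site in sites}


def find_reused(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password that appears on more than one site to those sites.

    This is the situation Step 1 warns about: one dumped database exposes
    every site listed against the same password.
    """
    by_password: Dict[str, List[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample vault with deliberate reuse, to show the detector working.
SAMPLE_REUSED_VAULT = {
    "mail.example": "hunter2-reused",
    "forum.example": "hunter2-reused",
    "shop.example": "unique-shop-password",
}

if __name__ == "__main__":
    vault = build_vault(["mail.example", "forum.example", "shop.example"])
    for site, pw in vault.items():
        print(f"{site:15} {pw}  ({entropy_bits(len(pw)):.0f} bits)")
    print("reused:", find_reused(SAMPLE_REUSED_VAULT))
```

The entropy figure is what makes the trade-off concrete: 24 characters from this 74-symbol alphabet is roughly 149 bits, far beyond what any offline cracking of a dumped hash can reach, which is exactly why the only remaining risk is reuse.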
Step 2 – 2-factor authentication, always use it!
Explanation: 2FA (two-factor authentication) adds a physical, device-based layer of account security, and most sites now offer this very powerful feature. The most common 2FA application is Google Authenticator: it adds an extra authentication step in which you receive a randomized six-digit numeric code that is valid for only 30 seconds before a new code is generated. You enter it after your normal password, giving a much more secure login, provided the website itself does not end up getting breached. 2FA may already sound annoying, but it is worth it for the peace of mind, and most websites have a “Remember Me” checkbox at login so you only have to enter the code once on a trusted device rather than repeating the process every time.
Execution: First, make sure the specific site supports 2FA. The setting is usually located under “account security”, or in the same place you change your password. If you are struggling to find out how to enable 2FA on a specific site, there is a helpful resource here with a compiled list of sites and the specific steps to enable 2FA on each.
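To show what the six-digit, 30-second code described in Step 2 actually is, here is an added example (not code from Crident or from Google Authenticator) implementing time-based one-time passwords the way authenticator apps do: HMAC-SHA1 over a 30-second time counter with dynamic truncation (RFC 4226/6238). The verifier accepts a one-step clock drift either side, compares in constant time, and refuses to accept the same code twice. The 20-byte shared secret in the demo is the RFC test vector, used here only so the values are checkable; a real enrollment would generate a fresh one with `generate_secret()`.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Set

STEP_SECONDS = 30   # code lifetime used by Google Authenticator and most sites
DIGITS = 6          # the six-digit code the post describes


def generate_secret(nbytes: int = 20) -> bytes:
    """Fresh random shared secret for one account enrollment."""
    return secrets.token_bytes(nbytes)


def secret_to_base32(secret: bytes) -> str:
    """Base32 form of the secret, which is what the QR code / manual entry carries."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second slot."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: Optional[int] = None,
                window: int = 1, step: int = STEP_SECONDS,
                used_counters: Optional[Set[int]] = None) -> bool:
    """Check a submitted code against the current slot and `window` slots either side.

    - constant-time comparison so timing does not leak how many digits matched;
    - `used_counters` (if given) records accepted slots so a code cannot be replayed
      within its validity window.
    """
    if unix_time is None:
        unix_time = int(time.time())
    submitted = submitted.strip().replace(" ", "")
    counter = unix_time // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if used_counters is not None and candidate in used_counters:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            if used_counters is not None:
                used_counters.add(candidate)
            return True
    return False


# RFC 6238 test-vector secret (ASCII "12345678901234567890"), not a real key.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("enroll this in the app:", secret_to_base32(generate_secret()))
    print("code at t=59:", totp(RFC_SECRET, 59))           # 287082
    print("valid now?", verify_totp(RFC_SECRET, totp(RFC_SECRET)))
```

The "Remember Me" behaviour the post mentions is separate from this math: the site simply stores a long-lived trusted-device cookie after one successful code, so the shared secret and the 30-second window stay exactly as above.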
Step 3 – Common sense usually does the job
Explanation: Believe it or not, in today’s cyber security landscape there are still very obvious scams that people fall for. No, you cannot get free currency generators for your favorite games. No, you cannot get premium software for free from a simple .exe. No, no, no. Only download software from reputable sites you know and trust. Pirated torrents are a different story: they exist, they are used, and they are accessible. If you must use these sources, at least make sure you are downloading from reputable sites with a large audience. It is still a bad idea, however, because you are already downloading something dodgy, which makes it a great opportunity for hackers to slip something else dodgy in alongside it.
Execution: If you are unsure about downloading a certain piece of software, it is always better to be safe than sorry. Services like VirusTotal exist for this: it is essentially a massive database that runs your uploaded file through a large number of antivirus engines and reports which of them flag it as malicious.
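As an added example of putting VirusTotal to work from a script (this is not Crident’s or VirusTotal’s code), the block below hashes a downloaded file and looks its SHA-256 up in VirusTotal’s v3 file endpoint before uploading anything, then reduces the per-engine statistics to a verdict. Looking up the hash first is the practitioner’s habit: an upload shares the file with every VirusTotal subscriber, while a hash lookup only reveals that you hold it. The endpoint, the `x-apikey` header and the `last_analysis_stats` field are VirusTotal’s documented API as I know it; the flagging threshold and the constructed sample response are assumptions for the example.

```python
import hashlib
import json
import urllib.error
import urllib.request
from typing import Dict, Optional

# VirusTotal v3 file-report endpoint (hash lookup; nothing is uploaded).
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"


def sha256_of_file(path: str) -> str:
    """Streamed SHA-256 so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fetch_report(sha256: str, api_key: str) -> Optional[dict]:
    """Return the VT report for a hash, or None if VT has never seen that file."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256=sha256),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None          # unknown hash: nobody has submitted this exact file
        raise


def summarize(report: Optional[dict], flag_threshold: int = 3) -> Dict[str, object]:
    """Reduce per-engine stats to a verdict.

    Assumed policy: >= flag_threshold engines calling it malicious/suspicious is
    "flagged", 1..threshold-1 is "suspicious", 0 is "clean". An unknown hash is
    reported as "unknown", not "clean": a file nobody has scanned is not safe,
    it is merely unexamined.
    """
    if report is None:
        return {"verdict": "unknown", "flagged_engines": 0, "total_engines": 0}
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    if flagged >= flag_threshold:
        verdict = "flagged"
    elif flagged > 0:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "flagged_engines": flagged, "total_engines": total}


# Constructed sample response in the shape of a v3 file report, for offline use.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_stats": {
                "malicious": 41, "suspicious": 2, "undetected": 25, "harmless": 0,
                "timeout": 1, "type-unsupported": 3,
            }
        }
    }
}

if __name__ == "__main__":
    import sys
    path, api_key = sys.argv[1], sys.argv[2]   # usage: script.py <file> <VT api key>
    file_hash = sha256_of_file(path)
    print(file_hash, summarize(fetch_report(file_hash, api_key)))
```

A low hit count is only weak evidence: a freshly repacked "cracked" installer may be flagged by two engines on day one and by forty a week later, which is why the "suspicious" band exists rather than treating anything under the threshold as clean.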
Other little things you should probably take note of:
- When using a public connection, your traffic is at risk of being analyzed or captured by hackers. Whenever you submit login information, make sure you have the padlock in your address bar; that padlock means the connection is encrypted with TLS (SSL) using the site’s certificate.
- If you are very conscious about your security, there’s a variety of other solutions you can use such as a VPN, securing your DNS, monitoring your outbound connections and even your keystrokes.
- If you ever need to share a password with a friend or in a similar situation, send part of the password in one application such as Steam and the second half in another such as Skype, especially if that password grants significant access.
- If you have a service with us, make sure to generate your RCON passwords randomly, and always set the appropriate sub-user access levels if you are hiring a developer to help you out! They do not need access to absolutely everything.
Stay safe, don’t wait until it happens to protect your online security. Any questions? @lew_par