domoarigato042
Posts: 3
Joined: 6/3/2012 Status: offline
Read through most of the thread; my comments on the several things the thread touched on.

1) For not logging out, it really depends: are you using wireless or a hardline, and where? If it is wireless I would say yes, and on an unsecured wireless network doubly so. For a hardline, if it is your own then not so much; in a public place, yes, you are very vulnerable as it most likely is a public machine. Also, having some form of anti-virus and malware software on your machine helps. Which one really depends on preference, but it is insane not to have one. Let's face it, most people run Windows, which has terrible security when compared to a Unix or Linux system. As far as I can tell CollarMe as a site does not have very good security. The main tip-off of this: if you forget your password they can send it to you. This means that their server has the plaintext of the password, which means if someone compromises the server they have everyone's email address and password. You know they are going to try that password on the email addresses they pilfered along with the most commonly used banking sites. So for starters I would not really trust CM as a site for security. Pity they do not support secure communications with https...

2) The person who had physical access to your computer. It really depends on his character, whether you were sharing a user account, and how computer savvy he was. If you left on good terms I would not worry too much; however, I would change my passwords to everything important (email, bank account, etc.). Make each one different so if someone compromises one it is much harder for them to get the others. If you write them down, the best place to put them is in your wallet or in an encrypted file. Let's face it, if you lose your wallet you are probably going to have to rekey those things anyway; just do not put down what the passwords are for. If you had separate accounts, I believe Windows enforces user views so he would not be able to see your stuff. However, if he is computer savvy he can always find a Linux disk, pop it in and overwrite your password to get access... unless you have locked the BIOS or have encrypted your user space.

3) SANS is a pretty good organization; they do a lot of research and tracking of computer security related issues. If they recommend something it is probably a good idea to take their advice. I disagree on the anti-virus side; to me it is insane not to have one. The trick is to get a reputable one from a reputable site (like CNET). The ones that boast a lot of people are probably fine. If they harvested your data and did not do something, you can bet there would probably be a lawsuit against them. As to which is best, I will not get into that argument.

4) Password length should be at least 16 characters if they are using RSA based encryption or any of the older legacy SHA algorithms. If they are using one of the newer ones or ECC, a shorter password is probably fine; I just would not risk it. The problem with an 8 character password is that without other precautions they can be brute forced quite trivially. The problem is, of course, that most sites do not let you have a password longer than 8 characters, then add their own restrictions which further make the things easier to brute force. So yeah, you are being forced to create insecure passwords.

In closing, a few recommendations:

1) If possible, create separate 16 character passwords or 4 word passphrases for everything. If you cannot remember these, then take a tiered approach: one set of passwords for stuff you do not care about (this site, news sites, etc.), another set for things you care slightly more about (junk email addresses, this site if you value it as such, etc.), another for high value things like bank accounts and your primary email account. You can probably get by writing down the passwords to the sites you do not really care about to save your memory there.

2) If possible, encrypt your hard drive. Most encryption is rigged so the security lies in the key, and unless someone has the key, it will take at least 15 years (if not thousands of years using current tech) of non-stop computation to get it. Also have separate accounts for everyone and do not give them root access. If you're willing to give it a whirl I would suggest a Linux based system. It was designed for multiple users and has very strong access controls, though it does have a very steep learning curve.

That is all I have for now, hope it helps.
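An added example, not from the post above or from the thread, that puts numbers on two of its points: why a site that can e-mail you your password must be holding it in plaintext (contrast: a salted, slow PBKDF2 record from which the password cannot be read back), and how the brute-force keyspace grows from 8 to 16 characters or to a 4 word passphrase. The guess rate of 10 billion per second and the 16-word list are constructed assumptions for illustration, not measurements.

```python
"""Added example (not the forum post's own code): password storage done
properly versus plaintext, and keyspace arithmetic for 8 vs. 16 characters.
The guess rate and word list are constructed assumptions."""
import hashlib
import hmac
import math
import os
import secrets

# Constructed assumption: an attacker testing 1e10 guesses per second against
# a leaked fast hash. Real rates depend on the hash function and hardware.
ASSUMED_GUESSES_PER_SECOND = 1e10

# Constructed short word list standing in for a real diceware-style list.
WORDS = ["anchor", "basil", "copper", "delta", "ember", "fjord", "garnet",
         "harbor", "ivory", "juniper", "kestrel", "lantern", "marble",
         "nectar", "orchid", "pepper"]


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random password of `length` symbols
    drawn from `alphabet_size` choices: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case years to enumerate the whole keyspace at the assumed rate."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def make_passphrase(words: list[str], count: int = 4) -> str:
    """Pick `count` words uniformly at random (CSPRNG), joined by spaces."""
    return " ".join(secrets.choice(words) for _ in range(count))


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the plaintext.
    A site that can send you your password cannot be storing it this way."""
    salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for label, length in (("8 chars", 8), ("16 chars", 16)):
        bits = keyspace_bits(length, 94)  # 94 printable ASCII symbols
        print(f"{label}: {bits:5.1f} bits, {years_to_exhaust(bits):.3g} years worst case")
    phrase_bits = keyspace_bits(4, len(WORDS))
    print(f"4 words from {len(WORDS)}: {phrase_bits:.1f} bits, e.g. {make_passphrase(WORDS)!r}")
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify right:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
```

The stored record contains the iteration count, the salt and the digest, so a server operator who is asked "what is my password?" has nothing to send back; the only thing the server can do is verify a candidate the user supplies, which is the behaviour the post says CollarMe lacks. Note that the 4 word passphrase from this tiny constructed list is only 16 bits; with a real list of several thousand words the same 4 words land near the 50 bit mark of an 8 character random password, which is why the list size matters as much as the word count.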