Blackmail

Associate
Joined
16 Aug 2008
Posts
349
Location
Sussex
I feel that downloading all the latest exploit updates from Microsoft seems unnecessary if you're careful online and about what you do. Yes, your computer is less secure, but using the latest browsers, firewalls and malware protection, I feel that it's not quite unnecessary but something that takes continuous attention to stay updated with the patches.

Noticed this new Malwarebytes Chrome add-on recently that looks good for free:

Nice first few responses in this thread, they pretty much nailed it on the head
 
Caporegime
Joined
17 Jul 2010
Posts
25,735
Windows Defender was recently found to be the best at identifying threats and quarantining them in a recent test. It comes with W10 by default and runs automatically. In fact I don't even know how to turn it off.
 
Man of Honour
Joined
18 Oct 2002
Posts
100,334
Location
South Coast
Windows Defender was recently found to be the best at identifying threats and quarantining them in a recent test. It comes with W10 by default and runs automatically. In fact I don't even know how to turn it off.

You can't (easily). If you install a third-party app, Defender will delegate itself as a second opinion, still protecting the system because third-party apps can't do as good a job.

For all Microsoft's recent failings (the Windows Update goofs in recent weeks), Defender is one of their solid products and how it is ingrained into the OS is brilliant. The user doesn't have to do a thing 99% of the time.
 
Soldato
Joined
28 Feb 2006
Posts
4,828
Location
No longer riding an Italian

Some hilarious advice in this thread - some proper scare-mongering Daily Mail stuff too :D

My 2p:

Ignore this email, it is a scam, hoping you'll put X amount of crypto-currency into a wallet. All that has happened is one of the sites you use that email account & password on has been breached - the inclusion of the password is designed to freak people out into believing the claims. I understand the latest one has changed the general 'porn' claims to ones of pedophilia!

First port of call, and ideally as soon as possible - would be to change the password (wherever it has been used).

Don't worry about your cheap Windows 10, though the key is likely dubious (could be a volume license one, or OEM), I highly doubt that the image was laced with nasty stuff. I too have used these, and have never once had an issue.

Out of the box, Windows 10 is fine with its in-built security* - so you really don't need to panic and start buying other solutions, and installing free AV. Sure you can if you wish, but I have always run Windows 10 completely standard, and run an occasional free Malwarebytes scan every so often - zero gets found. * I am however, very careful where I go, what I click and what I open!
 
Don
Joined
17 May 2004
Posts
12,765
Location
Telford, Shropshire
I think there's a little bit of misinformation in this thread by a few;

So to recap (and this is from a security 'professional'); Passwords should be different for each website you use. What's happened here is your main password has been leaked by a company which doesn't properly store credentials; likely these have been stored in plain text in a DB. A hacker has infiltrated the environment and then found these and leaked them. This happens a lot, you see it a lot when travelling onto sites;

However, the chances that you've done something wrong to leak your password are slim. You could have been phished, but it's more likely you've been 'pwned' - check the link posted a couple of times above to check if you exist within the DB; If you do, change passwords associated to that account as soon as you have secured the current machine you're using - so Antivirus, MWB etc. Get a password safe (LastPass for example) to store your passwords in. This will also allow you to generate passwords for the sites you want to use, so that these are unique.

Also there are some misconceptions around SMS being 2FA; SMS is not a recommended 2FA method. A research group targeted Coinbase in 2017 and proved that SMS could be hijacked. Although still commonplace, technology is catching up and SMS is being phased out - why carry on with an insecure method of 2FA, which costs you money every time you send a text? It makes no sense.

Your email account should be the most protected; if you use Gmail for example you'll be prompted to use their authenticator - which is a proper 2FA service.
 
Soldato
Joined
6 Mar 2008
Posts
10,078
Location
Stoke area
I think there's a little bit of misinformation in this thread by a few;

So to recap (and this is from a security 'professional');

Is that what you do for a living Hilly?

Can I ask who for in Telford?

I'm self-teaching and looking at getting into the security industry, it's always nice to know local companies to watch for positions? :)

My LinkedIn is in the careers subforum if you'd rather not post it public :)
 
Don
Joined
17 May 2004
Posts
12,765
Location
Telford, Shropshire
Is that what you do for a living Hilly?

Can I ask who for in Telford?

I'm self-teaching and looking at getting into the security industry, it's always nice to know local companies to watch for positions? :)

My LinkedIn is in the careers subforum if you'd rather not post it public :)

I'll drop you a LinkedIn :)

I'm a senior IT Security Consultant, specialising in OpenBanking, Federation and Identity and Access Management; So ForgeRock, Ping, CyberArk, SailPoint, FIM/ILM etc.
 
Soldato
Joined
27 Mar 2013
Posts
9,149
Right first off the biggie and this goes for everyone.
You need bloody security on everything, that's Windows 10, macOS, Android phones, bloody wheelie bins... if it's pissaboutable then it needs security.

Minimum is free stuff like Windows Defender which is reasonable these days and something like Malwarebytes (even the free version but remember to regularly scan) - do it properly with a paid sub for MWB, it's not much and will make the computer much more secure.
As for patches, I read a lot on here about stopping Windows updates... staying with Windows 7 because you don't like being spied on (rubbish) - forget it... get onto 10 and get it patched as soon as you can. Yes, updates cause issues from time to time but you're leaving your ass wide open to a good kick by sitting on an ancient OS and no patches.
Even on phones? I've never bothered but is it really needed on them?
 
Don
Joined
17 May 2004
Posts
12,765
Location
Telford, Shropshire
Even on phones? I've never bothered but is it really needed on them?
Android phones are the most targeted due to their app store policy which leaves a lot to be desired. Apple protect their app store by checking what is uploaded, that the apps contain no third party pieces in them; But still, phones should be protected.

Do you have a banking app on your phone? Email? NFC to cards? Probably yes to all of those.
 
Soldato
Joined
9 Jul 2003
Posts
9,595
Will stop working, usually about the time the refund/claim window expires...

Luck of the draw, I've got some that have been going for years, others that stopped after a few months and the seller just gave me another one. Windows 10 will happily work without a licence anyway so doesn't really matter if the key deactivates, you won't lose access to the OS.
 
Associate
Joined
14 Oct 2012
Posts
1,441
.

It’s a password that I have used for banking, eBay, Amazon, Hotmail, Gmail etc. And even my computer login and Steam. I’ve changed my banking, Amazon and eBay. Not much I can do to change Windows and Steam password at the moment.

Therein lies the problem, don't use the same password for everything, especially for your banking! All it takes is one company you have an account with to store your password insecurely, get a data breach, and then they have access to all your accounts.
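What "store your password insecurely" means on the site's side, next to the salted, slow-hash form, as an added example that is not part of the thread. The accounts, the password and the iteration count are constructed for illustration, and PBKDF2-HMAC-SHA256 is one common choice of hash, not something the posts name.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this sketch

def register_plaintext(table: dict, email: str, password: str) -> None:
    """Weak form: the password itself sits in the table."""
    table[email] = password

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register_hashed(table: dict, email: str, password: str) -> None:
    """Hardened form: a random per-user salt plus a slow derived key."""
    salt = os.urandom(16)
    table[email] = (salt, _derive(password, salt))

def login_hashed(table: dict, email: str, attempt: str) -> bool:
    record = table.get(email)
    if record is None:
        return False
    salt, stored = record
    # Re-derive with the stored salt and compare in constant time.
    return hmac.compare_digest(stored, _derive(attempt, salt))

def readable_passwords(dump: dict) -> dict:
    """Passwords that can be read straight off a copy of the table."""
    return {email: v for email, v in dump.items() if isinstance(v, str)}

def build_tables():
    """Constructed sample data: two users who happen to share a password."""
    weak, strong = {}, {}
    for email in ("alice@example.test", "bob@example.test"):
        register_plaintext(weak, email, "Summer2018!")
        register_hashed(strong, email, "Summer2018!")
    return weak, strong

if __name__ == "__main__":
    weak, strong = build_tables()
    print("readable in plaintext table:", readable_passwords(weak))
    print("readable in hashed table:   ", readable_passwords(strong))
    # Same password, different salts: the stored records do not match,
    # so the table does not even reveal which users share a password.
    print("records identical:", strong["alice@example.test"] == strong["bob@example.test"])
    print("login still works:", login_hashed(strong, "alice@example.test", "Summer2018!"))
```
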
 
Soldato
Joined
1 Mar 2010
Posts
21,916
Although this is unlikely to be OP's case - would be interesting to know if USB Win10 image downloads have ever been impregnated with malware,
equally, if someone was clandestinely monitoring activity on your computer, guess the first thing you would see is that they had touched your bank account,
(and you'd get a text message confirming the authorisation unless that was intercepted), as opposed to ransomware emails, like the OP.

About 2FA, although SMS is open to man-in-the-middle attacks, most banks aren't offering Google Authenticator or hardware fobs... so they deem it acceptable.
 
Soldato
Joined
27 Mar 2013
Posts
9,149
Android phones are the most targeted due to their app store policy which leaves a lot to be desired. Apple protect their app store by checking what is uploaded, that the apps contain no third party pieces in them; But still, phones should be protected.

Do you have a banking app on your phone? Email? NFC to cards? Probably yes to all of those.
Only yes to the first 2, I don't use NFC.
 