#for a strong password (8 letters a number and a special character) and he said he's repeated it to several people
magentagalaxies · 1 month
just finished interviewing bellini for one of my finals in my comedy class and i'm losing my mind over bellini going on a tangent about how if he were grading my comedy over the past year he would give me an A+. like i didn't ask him to say that and it wasn't related to any of the questions i asked but you better believe i'm leaving that in to be like see professor? BELLINI gave me an A+!!!
#it was very sweet lmao and a great conversation over all#last time i was in town i told bellini a one-liner i came up with about the 2SLGBTQIA+ acronym having the exact qualifications#for a strong password (8 letters a number and a special character) and he said he's repeated it to several people#and it's always gotten a big laugh!! which is so cool!!! i'm not typically a ''joke'' writer my stuff is usually character-driven#so that's awesome that both bellini AND scott really loved that line!!#bellini in particular has been such a fan of my comedy since we first met (across multiple eras now)#like we met while i was working on my musical ''other girls'' and he was so excited to hear about it when i first mentioned it#and had me send him the recording as soon as i got it#and he's been so helpful in developing aubrey as a solo sketch character too#it's so cool having a professional comedian (especially one with such a meticulously good ear for comedy like bellini)#be as excited about my work as i am and be able to help me refine it into something even better#and especially as a queer comedian today who's finding it difficult to navigate this landscape of being ''bad representation''#bellini having been an openly gay comedy writer for almost double my lifetime is such a great resource to have!!#of course a lot of this is true for scott too (tho scott hasn't actually *seen* any of my comedy yet. he's just heard me tell jokes from it#but bellini is such a special mentor for me and i'm so happy we randomly connected over mouth congress over a year ago
gunthyofficial · 4 years
Take Your Gunbot Security to Advanced Level....EASY IN 5 MIN!
Are you taking full advantage of the security features that Gunbot offers to protect your money?
Like real life, cyberspace is full of pickpockets. You would never leave your phone and your wallet with credit cards and cash on a coffee bar table while going to the restroom for a few minutes, would you? Of course you would not. But are you aware of all the potential threats that can harm your hard-earned crypto-cash while you are sleeping? Is your answer YES? Then you must have headaches and insomnia from reading all the news, hack forums, the CVE site, and others. Is your answer NO? Good for you: the grass is green, the sky is blue, you sleep calmly. Everything is fine until something bad happens. Then you start asking questions like “What could I have done to prevent it?” or “How did it happen??”
Here at Gunthy, we consider security the top priority. Money is money, no matter whether it is in the form of paper, a number in your bank account or cryptocurrency, and you should know how to protect it.
Encryption and security today is perfect. It’s based on mathematical functions built in ways that are impossible to break. Even with all the computing power in the world, it can take more than a few million years to break one cryptographic key pair. So how do all these thefts happen, you may ask? The answer is not “easy” or something that will blow your mind. Most of the time the answer is HUMAN error. Lack of knowledge, wrong or partial security implementation, and being lazy and careless, resulting in unprotected machines or software, are the common causes of all “hacks”. OK, I didn’t forget social engineering, but it's a topic for next time. Grab your cup of coffee and let’s start; this will be quick and easy.
1. Most Gunbot users use a Linux VPS server to run their bots. Why should you too?
SECURITY! Linux is free and open-source software, and its code is reviewed by thousands of developers all over the world, compared to the dozens of employees who code other, closed-source operating systems like Windows. Maybe you have heard something like “Viruses don’t hit Linux!” It’s partially true. Most software for Linux is free and open source, and anyone can review it – that means it’s hard to “hide” malicious code inside.
PERFORMANCE! Does running a fully functional OS without graphics, with only a command line, sound like a nightmare to you? It takes some time to get used to, but once you master it, it becomes much faster. Remove the graphical user interface and leave the CPU and RAM for running things that matter. Most modern Linux distros use less than 250MB of RAM after boot. Also, not having bloatware installed increases stability – that’s crucial if you want your money-maker bots to run 24/7/365 without interruption. Did you know that you can update all your Linux apps and packages without ever restarting the machine? Even upgrading the OS is possible. Imagine migrating from Win 7 to Win 10 without restarting your machine. Crazy, isn’t it?
PRICE! Period. You can’t beat free, right? Especially with that performance, you can save on the VPS plan and buy a cheaper one.
2. Install Gunbot on your VPS and secure it!
OK, now the fun starts. Download Gunbot to your machine, unzip it and… DON’T RUN IT YET! We have important things to do first. Security first, right? You are probably running Linux and accessing your machine via SSH. Great, but your GUI is still unprotected. First, you need to install the “OpenSSL” package. Type in the terminal (for most distributions):
sudo apt-get install openssl
Then navigate to the /lin folder where you unzipped Gunbot. Type in the terminal:
openssl req -newkey rsa:2048 -nodes -keyout localhost.key -x509 -days 365 -out localhost.crt
You will be asked to enter the country code; after that you can leave everything blank. It will not affect security. Now you have to edit the config.js file from your Gunbot installation. Find:
"https": false,
and change it to:
"https": true,
Save the config.js file. You have successfully enabled SSL for your Gunbot GUI! Now you can start Gunbot and access it via a web browser at: https://your-vps-ip:5000
But wait, it says “your connection is not secure!!” That happens because the SSL certificate is self-signed; it’s normal. You can have an SSL certificate signed by companies like VeriSign, Norton, etc., but they cost a lot of money. Only payment sites use them, and if you ever go to a site that requests your credit card info or similar with a self-signed certificate – RUN AWAY! The “Your connection is not secure” warning is actually for those moments. Now, with SSL installed, you can create a password for the Gunbot GUI without fear that anyone will intercept it between your PC and the VPS server.
The last thing for today (I said it would be quick and easy) is setting up 2FA authentication. If you completed the previous steps on your PC, it is a good idea to use your phone, laptop or any other device for this step. This is the last line of defense and you don’t want to make a mistake now. Even if someone has compromised your PC and was watching the whole time while you entered a new password for your GUI, let’s say “it’s still OK”.
Change device; use your phone, for example. Install any 2FA software, depending on your preference, like Gauth, Authy, etc. Go to https://your-vps-ip:5000 and enter your password. Navigate to Settings > Authentication > Enable Two-Factor Authentication. Scan the QR code or copy the “QR Code” phrase under the QR code image to your preferred 2FA application. Make sure you make a backup of the QR code or phrase in case you lose your 2FA device. Do not store it on your PC or phone; best practice is to write it on a piece of paper and store it safely.
Congratulations! You are safe now! Well, almost. There are many other ways for hackers to exploit you, but more on that later; I promised to be short right now. Even these 10 minutes of your work can make your Gunbot protected enough for some attackers to quit, leave you alone and go search for the next easy target.
Install self-signed SSL certificate
It encrypts all communication between your PC and your Gunbot GUI. All passwords, settings, API keys and everything you do are impossible for any Man-in-the-Middle to see. Your ISP, VPN, various routers around the internet or even other devices connected to your WiFi network can see your passwords and everything you do if you are not using HTTPS.
Setting GUI password
It’s obvious. But this feature is used very poorly by many people. Did you know how easy it is for a modern computer to brute-force passwords? All 8-character lower-case combinations can be brute-forced in a few hours on a home PC. A good, strong password should be at least 16 characters and contain upper-case and lower-case letters, special signs such as !./%# and numbers. It would take more than many million years with all the computers in existence to guess the correct password. Use password managers, and protect them too! You can’t blame Gunbot security if you use LetMeIn! as your password. Also use a different password for every site in case one of the sites goes down. There is a big chance that one of the forums, web shops, etc. where you have an account has already been hacked!
Two-Factor Authentication
It’s your last resort if your password goes down! The 2FA device generates a new code every minute and the old one becomes invalid, so if an attacker doesn’t have the latest key he is unable to get in.
Now with bot set up like this, #ifyouarenotinkrakentradingcompetitionyouaregay
ladystylestores · 4 years
Twitter lost control of its internal systems to Bitcoin-scamming hackers
Twitter lost control of its internal systems to attackers who hijacked almost a dozen high-profile accounts, in a breach that raises serious concerns about the security of a platform that’s growing increasingly influential.
The first signs of compromise occurred around 1 PM California time when hijacked accounts—belonging to Vice President Joe Biden, Elon Musk, Bill Gates, and other people with millions or tens of millions of followers—started pumping out messages that tried to scam people into transferring cryptocurrency to attacker-controlled wallets.
In a tweet issued about seven hours after the mass takeover spree began, Twitter officials said the attackers appeared to take control by tricking or otherwise convincing employees to hand over credentials.
“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” the tweet said. “We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”
— Twitter Support (@TwitterSupport) July 16, 2020
Once Twitter learned of the takeovers, company personnel locked down the accounts and removed the tweets. Twitter’s tweet thread didn’t explain why Musk’s account posted fraudulent tweets after previous ones had been deleted.
Bad for national security, too
The compromise raises serious national security concerns because of the potential it had to sow panic and chaos. With control of virtually any Twitter account, the attackers could have hijacked those belonging to President Trump or government agencies and done much worse than replay a cryptocurrency scam that has been going on for years. Twitter eventually contained the mass compromise but only after a flood of scam messages steadily flowed out of the social media site over several hours.
It’s not the first time Twitter has suffered a serious breach of this sort. In 2010, the company settled Federal Trade Commission charges for lapses that allowed hackers to obtain unauthorized administrative control of internal systems. The breach, the FTC said, gave the attackers access to user data and private tweets and the ability to make phony tweets from any account including those belonging to then-President-elect Barack Obama and Fox News.
Just hours after Wednesday’s breach came to light, US Senator Josh Hawley sent a letter to Twitter CEO Jack Dorsey asking that he contact the FBI to make sure the site is secure.
“I am concerned that this event may represent not merely a coordinated set of separate hacking incidents but rather a successful attack on the security of Twitter itself,” Hawley wrote. “As you know, millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service. A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.”
An article posted by Motherboard, citing unnamed hackers and corroborating screenshots, said the attackers gained access by paying a Twitter insider. The post went on to show a panel controlling the account of Binance, a cryptocurrency exchange whose Twitter persona was hijacked.
Other screenshots that circulated widely showed what purportedly were screenshots of Twitter administrative tools. While the screenshots haven’t been confirmed, Twitter repeatedly took two of them down and terminated the account of a person who initially posted them. Hackers and security people said they considered them plausible. The two initial screenshots appear below:
Adrian Lamo’s coveted Twitter handle targeted, too
Besides those of celebrities, business leaders, politicians, the Twitter account of Adrian Lamo—a hacker known for high-profile exploits and for turning in Chelsea Manning and who died in 2018—was also compromised on Wednesday under similar circumstances.
Fellow hacker and friend Lucky225, who has had control of the account since Lamo’s death (with the blessing of his father), said Twitter sent him a password reset confirmation code for the account at 11:23 AM California time, about 90 minutes before the first public signs of a breach. Despite not entering the code, Lucky225 (his legal name, he says) then received an email notifying him a new device had logged into the Lamo account for the first time.
In a stroke of luck, Lucky225 said he was able to regain control of the account because while the hackers had changed the email address associated with the account, they failed to change the phone number. Lucky225 said he used the phone number to regain control. Then, in a strange and currently unexplained twist, Lamo’s friend said that at 8:30 PM he discovered the account had again been hijacked—or at least partially so—when Twitter emailed him again to say two-factor authentication had just been turned off.
“What’s weird.. the password (which was just randomly generated in PW manager today when I recovered the account earlier) still works,” Lucky225 told me in a text message that dropped and abbreviated some words. “But when I use it to login it says account’s locked. And then wants me to change my pw to continue but won’t actually let me do that since email was apparently changed.”
He said it’s possible that Twitter is behind the second takeover because company employees mistakenly believed the account was still compromised. Another possibility is that hackers somehow managed to force their way back in by exploiting a vulnerability in several third-party apps that, through the OAuth protocol, had permission to access the Lamo account.
Lucky225 said he suspects attackers targeted Lamo’s account for its handle—@6—which, at a single character, is highly coveted by many hackers. He’s not sure if the same hackers were responsible for the hijackings of both the Lamo and celebrity accounts, but he said the ability to twice bypass 2FA and password controls suggests whoever is behind the Lamo account takeover had control of internal Twitter systems.
A Twitter spokeswoman said the company had nothing to add beyond the information in the tweet thread.
Twitter account holders should follow the usual security guidance to lock down accounts. The advice includes using a strong password (unique to the account, randomly generated using either dice words or letters, numbers, and special characters), 2FA, and to turn on Twitter’s password reset protection, which requires users to provide additional information before a passphrase can be changed. Given that those measures were bypassed on Wednesday, they may not be enough.