Malware warning

[ph1l]

Never trust password managers.

You can trust a password creator like:

#!/usr/bin/perl
# poor-man password generator.
# input lines from the standard input have your password (no spaces) optionally followed by the number of characters in the generated password
# output goes to standard output.

use warnings;
use strict;
use Digest::SHA qw/sha512_base64/;

while (<STDIN>)
{
    $_ =~ s/^\s+//;                                                                 # remove leading white space
    my ($pw, $length) = $_ =~ /([^\s]+)\s(\d*)/;                                    # extract password and length
    if ( !defined($pw) ) { next; }                                                  # ignore empty lines
    if ( !defined($length) || ($length eq "") || ($length == 0) ) { $length = 64; } # default length
    if ($length > 64) { $length = 64; }                                             # max length

    my $digest = sha512_base64($pw);                                                # hash your password
    $digest =~ tr#ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/#9QsJatlpYDRfAbno5PMjdmVFTHwNrU8gCOi7Lqx1Sh6B+Z0vzcKW/Ee4yu3IXkG2#;
                  # base64 character set                                           secret key to remap the base 64 characters (rearrange and/or change above characters to others if desired).
    print substr($digest, 0, $length), "\n";
}

Example run:

$ genpws
Dumb_password 30
Ed6VIMfGlogSS9ob1U+8LrSTeZmQs5
Dump_password 30
eecafStxf1daiitw3YZBseh6gkr2JZ
iLikeLongPasswords
KA3PYcbqOkEYAIRsZgpDxECuquG5bDy55h7vtX+fiW2cIl0XU9YRsQEDrX98X5yo
a
p/JXLZSLthPEsF10NoVsXZFF/SyTAE4CVBcd/tTnJEAsOCcqR2sbmCDM6qu/Y5ml
b
dxUeisf0TLEY2nt8crhuKkTsK4kAYm8qtqmhLgY0GA8EI4+T/gkQcHbzIIstOqpd
I_made_my_money_the_old_fashioned_way_by_inheriting_it! 16
S/PTN6QN+KU8SrRs

 

[GrowleyMonster]

Linux is technically and theoretically not totally immune, but with intelligent computing it is as close as it gets. One reason is that it is an open source operating system. There are a million nerds out there poring over every line of code and looking for exploits, and though very very few are found and they generally are pretty harmless or can't leverage a reasonably well used linux computer, the same guy or others can write a patch and upload it to the project, and it is included, or modified and included, or dismissed by very smart guys interested in protecting the integrity of the OS. Black hat hackers can't really get away with much because they are quickly found out. The Linux operating system in most flavors by default does not set up a root account, and to really leverage the system, a hacker has to achieve root access. The user does what he has to do with the sudo command which opens things up temporarily to get the job done and then closes. WinDOHs believes in security through obscurity. Mac, too, though Mac's Unix heritage and miserly user privileges actually makes it fairly robust and very secure, for a closed source operating system.

So all in all, if you want security, switch to a respected flavor of Linux. It is free, and most software you would install is also free, and open source. Popular apps are not going to contain any bad payloads if you install from a proper repository or download the source code from a trusted source and compile it yourself.

Don't want to abandon the closed source world? Your loss. But intelligent computing will still make you much less vulnerable, even if you don't switch to a more secure OS. With a WinDOHs system, a good security package is absolutely essential. It is too full of holes that take too long to get patched, and it is a big fat target. You need another layer of protection. Even WinDOHs Defender is better than nothing, and is free, and is fairly effective. A good two way firewall is also important, and the knowledge to properly configure it. For just email and googling stuff and idle web surfing, things aren't quite as critical, but when you are managing your brokerage account on the computer, THAT'S YOUR MONEY you are risking.

Software from unknown or untrustworthy sources should NEVER be installed or even downloaded to your trading computer!!!!!!!!!!!!! It's not worth it! As you have discovered.

I don't know how they are now, but before I totally abandoned WinDOHs, I was using Zone Alarm for a firewall. A PITA to configure but it controlled traffic both in and out. This is important. A hardware firewall is good, too. All that is, is another computer between your internet connection and the rest of your home network.

Consider using your trading computer for ONLY trading. No games, no email, no nothing. Be careful what you click on. One of WinDOH's most glaring faults in recent editions is by default it hides the filename extension of known file types. CHANGE THAT. Disable your paging file, too. As for the file type, often you will be presented with a file that maybe says something like "hot chick and a randy donkey - MUST SEE.avi.com or something like that and you see that it is an avi but it is not an avi at all. The com or bat or exe filename extension is hidden and when you click, you are running a script or program that you don't know about. The paging file is sort of like the swap file in a Linux or Unix system. You can shut something down or delete something and it could still be in your paging file. Don't hard code passwords or keys into scripts. Keep them on a USB thumb drive or manually type them in. Encrypt your hard drive, if you can do that in WinDOHs. Store your actual decryption key elsewhere so you can recover your drive's data if your computer fails or the HD itself fails.

Security is no joke. Honestly I am waiting for the shoe to drop, and suddenly 10k WinDOHs users all cry out a collective "DOH!" when they find that their account has been cleaned out. It is a ticking time bomb. There is a HUGE back door into the system including the kernel. Supposedly it is only open to Microsoft. They are a hyper-user that can change ANYTHING on your computer without asking you or even informing you. It is right there in the EULA. So far I don't think anyone outside the evil empire has managed to exploit that, but you better believe there are plenty of black hats working hard on it. And you will scream and cry and nobody will do anything to help you and basically nobody will care. Totally opposite the sentiment in the Linux community. Just sayin.

 

[Bugsy]

Interesting to read here a lot of discussion about storing (or not storing) passwords, but nobody talking about 2 factor authentication (2FA). Using 2FA could save you from a lot of problems.

I actually had phone login setup on Gmail AFTER the incident and somehow they logged right back in. This was after all malware had been removed, password changed, and mobile verification instituted. I'm thinking maybe they either swiped the universal codes on their previous login just in case, or they used some bypass with the old password and stated they didn't have mobile. Not quite sure. Haven't had a problem since in all honesty. For some reason, and I have several Gmail accounts, the phone login was not instituted for this particular gmail account though I am positive I set it up for it like all the rest at a prior date. This was the only email they compromised.

 

[Bugsy]

Linux is technically and theoretically not totally immune, but with intelligent computing it is as close as it gets. One reason is that it is an open source operating system. There are a million nerds out there poring over every line of code and looking for exploits, and though very very few are found and they generally are pretty harmless or can't leverage a reasonably well used linux computer, the same guy or others can write a patch and upload it to the project, and it is included, or modified and included, or dismissed by very smart guys interested in protecting the integrity of the OS. Black hat hackers can't really get away with much because they are quickly found out. The Linux operating system in most flavors by default does not set up a root account, and to really leverage the system, a hacker has to achieve root access. The user does what he has to do with the sudo command which opens things up temporarily to get the job done and then closes. WinDOHs believes in security through obscurity. Mac, too, though Mac's Unix heritage and miserly user privileges actually makes it fairly robust and very secure, for a closed source operating system.

So all in all, if you want security, switch to a respected flavor of Linux. It is free, and most software you would install is also free, and open source. Popular apps are not going to contain any bad payloads if you install from a proper repository or download the source code from a trusted source and compile it yourself.

Don't want to abandon the closed source world? Your loss. But intelligent computing will still make you much less vulnerable, even if you don't switch to a more secure OS. With a WinDOHs system, a good security package is absolutely essential. It is too full of holes that take too long to get patched, and it is a big fat target. You need another layer of protection. Even WinDOHs Defender is better than nothing, and is free, and is fairly effective. A good two way firewall is also important, and the knowledge to properly configure it. For just email and googling stuff and idle web surfing, things aren't quite as critical, but when you are managing your brokerage account on the computer, THAT'S YOUR MONEY you are risking.

Software from unknown or untrustworthy sources should NEVER be installed or even downloaded to your trading computer!!!!!!!!!!!!! It's not worth it! As you have discovered.

I don't know how they are now, but before I totally abandoned WinDOHs, I was using Zone Alarm for a firewall. A PITA to configure but it controlled traffic both in and out. This is important. A hardware firewall is good, too. All that is, is another computer between your internet connection and the rest of your home network.

Consider using your trading computer for ONLY trading. No games, no email, no nothing. Be careful what you click on. One of WinDOH's most glaring faults in recent editions is by default it hides the filename extension of known file types. CHANGE THAT. Disable your paging file, too. As for the file type, often you will be presented with a file that maybe says something like "hot chick and a randy donkey - MUST SEE.avi.com or something like that and you see that it is an avi but it is not an avi at all. The com or bat or exe filename extension is hidden and when you click, you are running a script or program that you don't know about. The paging file is sort of like the swap file in a Linux or Unix system. You can shut something down or delete something and it could still be in your paging file. Don't hard code passwords or keys into scripts. Keep them on a USB thumb drive or manually type them in. Encrypt your hard drive, if you can do that in WinDOHs. Store your actual decryption key elsewhere so you can recover your drive's data if your computer fails or the HD itself fails.

Security is no joke. Honestly I am waiting for the shoe to drop, and suddenly 10k WinDOHs users all cry out a collective "DOH!" when they find that their account has been cleaned out. It is a ticking time bomb. There is a HUGE back door into the system including the kernel. Supposedly it is only open to Microsoft. They are a hyper-user that can change ANYTHING on your computer without asking you or even informing you. It is right there in the EULA. So far I don't think anyone outside the evil empire has managed to exploit that, but you better believe there are plenty of black hats working hard on it. And you will scream and cry and nobody will do anything to help you and basically nobody will care. Totally opposite the sentiment in the Linux community. Just sayin.

Unfortunately I'm not very technically savvy or I'd do all of that.

 

[AbbotAle]

A good way to stay clear of malware is to have a seperate PC just for trading. No email on it, and no surfing.

Also, consider building your own PC, it's 10 times easier than you think, basically plugging the blue lead into the red hole etc, no need to be a real nerd.

Loads of youtube build videos for any sort of machine. Buy the same parts, follow the video as the man builds it, and it will work out great.

Cheaper as well than buying and you can get the right components for the job. For general trading I recommend a Ryzen 5 or better chip, 16GB Ram and a 256+GB SSD. This will last at least 4-5 years before it needs replacing.

 

[virtusa]

This is the ultimate solution:

https://www.qubes-os.org/

Anybody installed Qubes?

To me it seems the best solution as you can download anything in a seperated qube that has no connection at all with the rest of your PC. So you don't need another PC just for trading. If it contains something harmful, just delete the qube and the problem is solved. The software in a qube cannot make any connection with what is outside that qube on your PC. So your PC cannot get infected. Is it like a virtual machine?

I found this explanation:
"Qubes is the most secure & anonymous OS (far more so than Tails, Whonix, or any other for that matter). Built on top of encryption, Tor, and compartmentalized security & virtualization, the possibilities are infinite, from running Windows OS alongside Linux or even Android OS, all while still anonymous and protected by the security and anonymity features of Qubes OS.

Qubes is encrypted by default, allows full Tor OS tunneling, compartmentalized VM computing (securely walling off each point of vulnerability (network, filesystem, etc.) from the user & each other), and so much more.

The virtualization technology Qubes is built on even enables you to run Linux and Windows apps (either full OS or individual programs!) side-by-side, securely and anonymously. All the features & functions of Linux & Windows without their individual security concerns, together with Tor, compartmentalized security, encryption, optional Tails OS-like disposability (Backup/restore), and more!"

 

[virtusa]

Interesting to read here a lot of discussion about storing (or not storing) passwords, but nobody talking about 2 factor authentication (2FA). Using 2FA could save you from a lot of problems.

Don't trust double authentication too much. I will tell you what happened to me with double authentication.

A few years ago I noticed that one of my email accounts on Gmail listed an unknown IP address that accessed that Gmail email account. Normally that is impossible as I have double authentication on all my accounts. So it had to be someone who had access to my double authentication codes. As I had a hard copy of the intruder with his IP address, and the exact time when it happened, I went to Court. The cyber crime unit in my country started an investigation. After a few months I received the message that my complaint was dismissed and classified. I asked why they did stop the investigation but did not receive an answer.

I then asked someone to check the IP address. He first contacted the internet service provider to ask to whom the IP address was belonging. They refused to answer. So he traced the IP address himself. He found the exact location and that address was a building occupied by the Ministry of Finance in my country. My conclusion is that Google helps authorities to hack email accounts that they manage. There was never an investigation or a complaint against me for any financial offense, so I did not understand why the Ministry of Finance would like to look into my email account.

Later I understood what happened. A few days before the hack I visited a department in the Ministry of Finance for a fiscal ruling. I asked information about setting up an investment fund. The aim was to do that legally. This department gave my information to another department as they thought I was doing illegal things, so they checked me completely, email accounts, bank accounts, tax declarations...



Conclusion: don’t trust Google at all. Even not with double authentication.

 

[HobbyTrading]

Conclusion: don’t trust Google at all.

Going back to the very first post in this thread and reading all messages, that seems to be *the* underlying advice here.

 

[GrowleyMonster]

Unfortunately I'm not very technically savvy or I'd do all of that.

Upgrading to Linux in one of the more popular flavors doesn't require technical savvy. Properly securing a WinDOHs system is actually a lot more technical than installing Ubuntu or Mint. From there, just use good computing practices, especially on your trading computer.

The only real problem is some desktop trading platforms do not run on Linux. FWIW, both TOS and TWS run just fine on Linux.

 

[virtusa]