Use Stronger Passwords People, C’mon
Seems about once a month I get some random spam from a family member, friend, doctor, former employer, another doctor, multiple family members’ friends, aunt’s friend, Mom’s friend’s friend, Dad’s business partner just now… I flip open the email headers to see whether or not the email was forged from China or Eastern Europe or if it was relayed through Hotmail or AOL (usually AOL) whatever (if the mailer has full access to the account), then I have to advise the person of the situation and what to do, then I have to feel pissed off now that yet another spammer has my primary address because these people either didn’t use strong passwords or think LinkedIn is going to help them out. It’s aggravating. Man I wish I could still swear here.
In general with password selection your only excuse out of the really bad etiquette for not using a different password for every different service you use is because you are coming down with dementia or have some sort of amnesia. That’s all I can think of to give you a pass if you get hacked at both your expense and mine. And maybe even then you shouldn’t be driving on the web, you’re a liability to us all, go play bridge. It would be nice if you could go an extra mile and change passwords every now and then, but I concede that’s a tall order, but how about throwing in a random symbol or a capital in there at least? Have you thought about how hard it might be to assess the damage were your account to be hacked, and then what do you do? Identity theft, among other things that can come with the fallout, is a real bitch.
You are aware, right, that in your Hotmail account or whatever it is you use, in addition to your address book, a bot can sift through all of your emails to collect addresses, phone numbers and any numbers that match patterns of credit cards, socials and so forth, as well as extremely sensitive company information if you happen to work for a company that is concerned with privacy and you don’t think the IT rules about mixing work data with Hotmail accounts are any more serious than highway speed limits – you are potentially jeopardizing your company’s reputation if anything juicy flies out to Lithuania and someone manages to spot it as pertinent to their nefarious interests.
Are you technical? Netstat is your friend. Linux? SNORT, dnotify/fam, Tripwire among many others. Also try common sense, it’s been ported to most platforms. And update your php and mysql!! Update everything especially if you run your own server, even if it’s a hobby server.
All right so please use stronger passwords, for the sake of people belonging to your organization do not, do not use your company account’s password on any other service, … you know the drill, please follow it. Don’t like your company’s IT policy? Think your IT guys like to pretend they are running the CIA when sending company data to your Gmail account and Dropbox? Then ask them to either relax the rules, make an exception for you because you’re special and want to read PDFs on your iPad or give you a satisfactory answer as to why they won’t, and until then, cut the shit. Damnit these spammers drive me nuts. Your email account is suffering constant hacking attempts, you’ve got sensitive stuff in there, act accordingly. It is a real pain in your own balls, not to mention the people whom you expose when getting hacked, to mitigate the situation; make an effort to avoid it please and thank you.
Oh and watch out for keyloggers (thanks, China)…
Is every email account being hacked into by brute force? Or is there another weakness being successfully exploited? It seems to me that online email providers should be able to detect brute force attacks and shut them down the source.
Gary: Some are in the way I think you’re describing (a computer just keeps on trying to sign in to gmail with a username and a few million variations of the password) and yes that’s detectable and simple to stop, but not when there is a sea of botnets, tens of thousands of computers, doing the same thing. Or someone manages to squeeze in through an unpatched server or calls some AOL employee and tricks him into giving him some sort of access to something, then digs his way to a password file, then discovers the password file is either completely unencrypted or poorly encrypted, and then performs a brute force or dictionary or rainbow table kind of attack. So at that point having a strong password, like =hep*5pH, instead of your dog’s name with a 1 substituted for an i, is going to help you dodge a brute force or dictionary bullet.
Another way as I alluded to at the end is keylogging malware, something that quietly relaxes in the background of your computer’s brain logging to a file everything you type, beaming it to China someplace now and then. The server in China receiving this data sifts through it looking for things that might be usernames (text coming shortly after something like hotmail.com is typed), things that pass publicly known credit card algorithms, socials and so on. Unless you only use your computer for nothing but recreation, you’re better off getting a virus that melts your hard drive than a “phone-home” keylogger. Identity theft is a bitch.
I hate antivirus software as much as the next guy, .. well never mind I don’t want to bring that up now.
It very often comes down to two things — human error and SQL vulnerabilities, which also usually goes under human error.
Glad you brought this up Doug. Only two days after the LinkedIn compromise was made public, I received an email from Amazon thanking me for ordering a 100 dollar gift card. Luckily, I had my notifications routed to my GSII Skyrocket via Gmail and was able to contact Amazon and cancel the order before the perpetrator could collect on the gift card. After getting the problem at hand taken care of, I changed my Amazon password to avoid future acts of terrorism. After a bit of digging I discovered that my former Amazon password was exactly the same as …… you guessed it …… my LinkedIn account password. Strangely enough, I was not even on the list of LinkedIn’s compromised accounts, therefore I never received a password reset notification from them to secure my account. OK, I know that the main person at fault here was me and that I had no one but myself to blame for this weak security. But it does make me wonder just how many other LinkedIn accounts were compromised without the owners ever being notified. I can’t help but think that this breach in their security went further than they even knew, or even know at this time. I would strongly suggest that if you have a LinkedIn account, that you immediately log in and change you password to avoid pain and suffering in the future. I was extremely lucky inasmuch that I had access to my Gmail notifications while in the middle of an ordinary day while at work, and could head these @$$holes off at the pass so to speak.
Ouch. People rip on Facebook about extreme datamining but LinkedIn isn’t just a mine of data about what’s your favorite band and relationship status and pictures of you doing a kegstand but every drop of professional information you can come up with to try to dazzle your way into some company, starting with right up front all the different ways to contact you and demographics in great detail. So, provided I heard about the service being hacked on the news in time for me to change my password before someone tried to sabatoge my life, but just a bot of sorts sifting up data to somehow leverage me into buying something or being extorted, I think I’d be more worried about LinkedIn.
I was just talking about password safety for Joe User, not Joe Admin. It is stunning that an outfit like LinkedIn was not using a no-brainer encryption supplementation, salts, which aren’t hard to implement and without them the accounts on your system, the password file, if leaked could be much more effectively compromised in less time. Heads should really roll for that, regardless of whether or not it would have significantly or marginally mitigated or prevented the huge compromise.
Me, I would be more pissed off at LinkedIn than whoever managed to hack inside and subsequently crack the password file. On the bright side I suppose LinkedIn sounded an alarm extra loudly to other operations from Amazon to Fandango to read up a bit on hacking and make sure they aren’t forgetting anything, like salts.