Tuesday, December 14, 2010

1.3 Million Users Hacked on Sunday. Are you safe?

Sunday, December 12, 2010 brought another of those wake-up-call stories that most people hear about and don't take seriously. A web server for Gawker Media (a company most average users have never even heard of) was hacked and 1.3 million usernames and passwords were stolen from its servers. The passwords were not stored in the clear, but they were hashed with an old DES-based scheme that keeps only the first eight characters, and a large share of them were cracked within days. Keep in mind that most users of this kind of site are technically savvy people, not the usual targets of someone who just wants to hijack your Facebook profile. If you'd like to read about the Gawker hack directly from them, click here.

We had a user today who had an account on Gawker, not a random person, but someone we actually know and love. Using her stolen email address and password, they went to Amazon.com and purchased $400.00 in presents for themselves.

Why Should YOU Care?

Hundreds of other sites, including the New York Times, CNN, CBS, the Washington Post, and others, use the same registration model on their web sites: ANYONE can read their material for free, but if you want to leave a comment or make a post you first have to register with an email address and a password. Most people consider their New York Times password too unimportant to even think about, right? Well, suppose it was Yahoo News, or the NY Times, or any other media outlet you use that was hacked. Now the attackers have your email address and the password you used on the site they just hacked. It takes only a second to see whether you used that same password on your email account, and nobody does this by hand: a script tries every stolen email-and-password pair against the big mail providers, millions of them in minutes. So let's say my Gawker account was user@aol.com and my password was 12345678. They simply go to aol.com, enter my email address, and try the same password. Is your email password the same as your other passwords? Guess what... you just became a target.


Who cares if they got my email password?

Don't think the damage stops there. Let's stay with user@aol.com for a minute. Now I go to www.aol.com and log in as that person. I simply open your email and search for "password". What are the odds that you saved the banking password the bank sent you when you first signed up, just in case you forgot it? How about your Amazon password, or your Yahoo password? Did you ever email your husband/wife/mother/father/friend and ask "what's the password to our joint bank account again?" Now they've stolen your password and your spouse's or friend's too. They don't even need to find old passwords in your mailbox: with control of your email they can click "forgot my password" on every site you use and receive the reset links. From your email it's a short step to Yahoo, Gmail, banking, Amazon, Facebook, and so on. In less than five minutes they can change all your passwords, update your shipping address to theirs, and start ordering things in your name.
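The attack described above, seen from the mail provider's side, as an added example that is not part of the original post: a small Python script run over constructed (made-up) login log lines that flags a source address trying a leaked password against many different accounts, which is what an attacker working down a stolen list looks like, and shows how it differs from plain brute force against one account. The log format, the thresholds, and the function names are my own assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the original post).  Constructed, made-up login
# log lines in an assumed format: <ISO time> <source IP> login <account> <OK|FAIL>.
# 203.0.113.7 is the attacker working down a stolen list: one try per account,
# six accounts in four seconds, two of which open because their owners reused
# the leaked password.  198.51.100.4 is ordinary brute force against one account.
SAMPLE_LOG = """\
2010-12-13T02:14:01 203.0.113.7 login user@aol.com FAIL
2010-12-13T02:14:02 203.0.113.7 login jane@aol.com OK
2010-12-13T02:14:02 203.0.113.7 login bob@aol.com FAIL
2010-12-13T02:14:03 203.0.113.7 login sue@aol.com OK
2010-12-13T02:14:04 203.0.113.7 login tom@aol.com FAIL
2010-12-13T02:14:05 203.0.113.7 login amy@aol.com FAIL
2010-12-13T02:20:00 198.51.100.4 login alice@aol.com FAIL
2010-12-13T02:20:03 198.51.100.4 login alice@aol.com FAIL
2010-12-13T02:20:07 198.51.100.4 login alice@aol.com OK
2010-12-13T03:00:00 192.0.2.9 login carl@aol.com OK
"""


def parse_line(line):
    """One log line -> (timestamp, source ip, account, succeeded?)."""
    ts, ip, _, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def find_credential_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Flag each source IP that attempts logins to at least `min_users`
    distinct accounts inside any `window` of time.  Replaying a stolen
    email/password list produces exactly this shape (many accounts, one or
    two tries each, a few successes); brute force against a single account
    does not.  Returns {ip: {...}} for the flagged sources."""
    events = defaultdict(list)  # ip -> [(time, account, ok)]
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        best = None  # the sliding window holding the most distinct accounts
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_users and (best is None or len(users) > len(best[0])):
                best = (users, span)
        if best is not None:
            users, span = best
            alerts[ip] = {
                "accounts_tried": len(users),
                # accounts that opened: these owners reused the leaked password
                "accounts_opened": sorted({u for _, u, ok in span if ok}),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The accounts listed under `accounts_opened` are the ones a provider should lock and force through a password reset, which is the "locked out, prove your identity" experience described in the story further down the page.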


Was My Password Stolen?

Slate has put up a page that checks the leaked database and tells you whether your account was among those affected. Just go to http://www.slate.com/id/2277768/ and enter your email address in the box on the page. It asks only for your email address; never type a password into a third-party "was I hacked" checker. If your address isn't in the database, it will tell you that you're safe (at least from this particular hack).

So am I safe?

Friday, December 10th, 2010: The Walgreens customer database was hacked. The attackers took the email address of every Walgreens customer who had one on file.

Sunday, December 12th, 2010: Gawker hacked. 1.3 million usernames AND passwords stolen. A couple of hours later, a "couple hundred thousand" Twitter accounts were hijacked with the email-and-password pairs obtained from the Gawker hack, simply because their owners had used the same password on both sites.

Monday, December 13th, 2010: McDonald's hacked. The attackers got email addresses, phone numbers, birthdays, postal addresses, and whatever other details you shared when you signed up for coupons and the like.


What Will Happen Now?

Well, after the people involved have squeezed every financially profitable piece of information out of the millions of users hacked JUST IN THE LAST WEEK, the most likely next step is to sell the lists to spammers. How valuable is a list of half a million prescription-drug shoppers to someone who wants to send prescription-drug spam? Think about it for a minute... that's worth millions right there!


How Can I Be Safe?

The trick to passwords (for a normal human) is keeping them REALLY simple, REALLY convenient, and yet REALLY secure. Here's a system I've used in the past that works for any company or web site.

  • Pick a word
  • Pick a number (many web sites now require at least one digit in your password)
  • Use the name of the company/web site you're on to make each password different

I’m going to show you an example:

My word will be "shine." It means nothing to me, and it's short and easy to remember.

My number will be 77. That's easy; it's the year I was born. Not likely to forget that one, right? (A birth year is something other people can look up, so a number only you would think of is better, but any two-digit number you won't forget works.)

How we use this system:

I'll do an example using Yahoo.

Yahoo starts with a "Y"... that's the first part of our code.

Shine is our word, the second part of our code.

77 is my number, and Yahoo has 5 letters in it, so I subtract 5 from 77 and get 72.

My password for Yahoo would be "yShine72": the first letter of the company or web site in lower case, then the code word with its first letter capitalized, then the number.

All you ever have to remember is your own little code... no need for paper, ever.

Using this, let's generate passwords for a few web sites to show the trick of it.

  • Amazon.com
  • BarnesAndNoble.com
  • Progressive.com
  • Gmail.com

The passwords would be:

  • a for "Amazon" + Shine + (77 - 6 letters) = 71, so the password is aShine71
  • b for "BarnesAndNoble" + Shine + (77 - 14 letters) = 63, so the password is bShine63
  • p for "Progressive" + Shine + (77 - 11 letters) = 66, so the password is pShine66
  • g for "Gmail" + Shine + (77 - 5 letters) = 72, so the password is gShine72

Every password is different, yet you can always remember it. One caveat: all of these passwords share a visible pattern, so someone who gets hold of one of them (say yShine72, from a site that stored it badly) can guess the rest. That is still far better than reusing one password everywhere, but if you can manage it, a password manager that generates a random password for each site, with one strong master password to remember, closes that gap too.

Want to make it MORE complicated? Ok. Try this: if the web site's name begins with A-M, subtract the number of letters from your code number as before; if it begins with N-Z, add the number of letters instead. It can be as simple or as complex as you want.
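The recipe above written out in Python, as an added example that is not code from the original post, together with its weak point: because every password is built from the same word and number, anyone who sees one of them (say yShine72 in a breach dump) can recover the word and the base number and derive the password for every other site. The function names, the way site names are reduced to letters, and the attacker-side inference are my own; the "more complicated" A-M/N-Z variant is included as a second function.

```python
import re

# Added example (not code from the original post): the post's password
# recipe, and what one leaked password reveals about all the others.
# Function names and the parsing of site names are my own choices.


def _letters(site):
    """Letters of the site name before the first dot, as the post counts
    them: 'BarnesAndNoble.com' -> 'BarnesAndNoble' (14 letters)."""
    return re.sub(r"[^A-Za-z]", "", site.split(".")[0])


def site_password(site, word, base):
    """The basic recipe: first letter of the site (lower case), the code
    word with its first letter capitalised, then base minus the number
    of letters in the site name.  Yahoo with 'shine'/77 -> 'yShine72'."""
    letters = _letters(site)
    return f"{letters[0].lower()}{word.capitalize()}{base - len(letters)}"


def site_password_v2(site, word, base):
    """The 'more complicated' variant: sites starting A-M subtract the
    letter count, sites starting N-Z add it.  Yahoo -> 'yShine82'."""
    letters = _letters(site)
    first = letters[0].lower()
    number = base - len(letters) if first <= "m" else base + len(letters)
    return f"{first}{word.capitalize()}{number}"


def infer_template(site, leaked):
    """The attacker's side.  Given the breached site and the password
    taken from it, split the password into <letter><Word><number> and
    undo the length offset.  Returns (word, base), or None when the
    password does not look like this recipe."""
    m = re.fullmatch(r"([a-z])([A-Z][a-z]+)(\d+)", leaked)
    if not m:
        return None
    letters = _letters(site)
    if m.group(1) != letters[0].lower():
        return None
    return m.group(2).lower(), int(m.group(3)) + len(letters)


def derive_others(site, leaked, targets):
    """Turn one leaked password into a guess for every other site.
    An attacker would also try site_password_v2 for each target, so the
    A-M/N-Z twist only doubles the number of guesses needed."""
    tpl = infer_template(site, leaked)
    if tpl is None:
        return {}
    word, base = tpl
    return {t: site_password(t, word, base) for t in targets}


if __name__ == "__main__":
    for s in ["Yahoo.com", "Amazon.com", "BarnesAndNoble.com", "Progressive.com", "Gmail.com"]:
        print(s, site_password(s, "shine", 77))
    # One Gawker-style leak of the Yahoo password is enough for the rest:
    print(derive_others("Yahoo.com", "yShine72", ["Amazon.com", "Gmail.com"]))
```

Run it and the last line prints the Amazon and Gmail passwords from nothing but the Yahoo one, which is why the recipe should be seen as a big step up from reuse rather than as the end of the story.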

Whatever you do, do NOT make your email password the same as the one you use for generic web sites. Keep your banking, email, and Facebook passwords completely unique, as those are always the most likely targets, and your email account in particular is the key that resets all the others.


A True Story:

Our user’s name is Jennifer, a good long time friend of one of our developers here at Remote247.com. Her story on Facebook was what inspired us to write this article to warn others.
Note: Jennifer is actually much smarter about computer security than the average user, and she got hacked too. If they got to her, they can get to you!

When I woke up yesterday, December 14, my Gmail account was locked out. I had to prove my identity to Google in order to regain access to my account. The only information they had was that they had reason to believe that my account had been compromised. I couldn't imagine how it had been, but I jumped through the hoops and had my account unlocked within the hour. Throughout the day yesterday, I received several e-mails from various sites I've joined over the years informing me that there was a request to change my password, and asking me to verify that. There were also several e-mails from websites letting me know that some of my accounts had been locked.

It was clear to me then that some account, somewhere had been broken into and that my personal information had been compromised. I did not know which account on which website, but something was compromised. I went around and changed all of my passwords anywhere I could think of, and went about my day. Late last night, there was a batch of very well forged e-mails from a phisher trying to break into my World of Warcraft account. I would have fallen for it had I been willing to click a link about World of Warcraft in an e-mail. The headers were impeccably forged. I'm sure thousands of people lost their accounts.

This morning, I woke up to find just over $400 in goods ordered on my Amazon.com account. Fortunately, none of it had shipped yet, and I was able to cancel everything. I had a slew of e-mails from various accounts that were locked out, including my Facebook. My Gmail account was also locked out again. At around noon, I received an e-mail from Gawker Media informing me of a breach in their security. A group of hackers from 4chan broke into their system and stole the usernames, passwords and associated e-mails of their entire userbase. This was the source of my compromised accounts. I'm going to go over the remaining issues in bullet point form.

  • I do not use the same passwords across multiple accounts. I have some passwords that are similar to one another, but they are not the same. Once the script kiddies had my username and e-mail address, they were able to obtain my passwords to other sites by brute force.
  • I have never used any current Gawker Media site. Consumerist.com, a blog I read regularly, used to be owned by Gawker Media. They were purchased by Consumer Reports last year, and my username and password were in the Gawker system from when Consumerist was owned by them.
  • I did everything a security expert (and common sense) would recommend for keeping your online accounts secure. Some would suggest using a different e-mail address for every single account you open, but as a general rule, it's not something that's usually done. The fault in this issue lies entirely with Gawker Media for failing to secure their servers and database to standard levels.
  • Gawker Media was aware that they were a target of /b/ nearly a week ago. Rather than alert their userbase and lock down their systems, they ignored this. Furthermore, once the breach occurred, they failed to notify their users until over 24 hours later. It's my understanding that something was posted on their website, but I don't visit their website. It wasn't until today that they sent out an e-mail letting people know what was going on.

The lessons to learn from this are as follows:

  • Even when you do everything you can to secure your passwords and online identity, it's ultimately up to the websites you register on to ensure that your data can be trusted. If they have lax security, any measures you take are pointless, aside from one.
  • The only guaranteed way to keep everything online secure is to use a different e-mail address for everything you do online. Keep your bank accounts under one address, your e-mail under another, your social media accounts on another, and things you don't care about under another. This way, if one thing is breached, there's no way for a hacker to get to other things.
