Hacker protection tips for ordinary people...
January 21, 2012 11:25 AM Subscribe
Email Security: As the News International scandal unravels more cases of 'email hacking' are coming to light so I wanted to know the view of the hive on how easy it might be to hack into someone's email and tips on how to avoid being hacked.
Most of these cases dont appear to be someone from yahoomail contacting you and asking you for your passwords - which is a fairly old trick which sometimes works.
The way the media portrays email hacking, it appear to be a simple way of of hiding a 'trojan' and emailing someone with it and this trojan installs itself and sends out private information.
1. Is is possible for this trojan to work without the recipient clicking anything?
2. Were the victims careless and didn't use the usual precautions and we used the usual precautions we could be safe?
3. Is one more or less safe when using a web based email or an email software or a mobile device?
4. Do usual virus/malware protection software protect you against such mischief?
Would love to know how I can change my internet behaviour to become safer. Thanks.
Most of these cases dont appear to be someone from yahoomail contacting you and asking you for your passwords - which is a fairly old trick which sometimes works.
The way the media portrays email hacking, it appear to be a simple way of of hiding a 'trojan' and emailing someone with it and this trojan installs itself and sends out private information.
1. Is is possible for this trojan to work without the recipient clicking anything?
2. Were the victims careless and didn't use the usual precautions and we used the usual precautions we could be safe?
3. Is one more or less safe when using a web based email or an email software or a mobile device?
4. Do usual virus/malware protection software protect you against such mischief?
Would love to know how I can change my internet behaviour to become safer. Thanks.
The article dfriedman linked to convinced me to enable 2-step verification for my Google account, which you may want to look into.
posted by bdk3clash at 12:19 PM on January 21, 2012 [1 favorite]
posted by bdk3clash at 12:19 PM on January 21, 2012 [1 favorite]
Yes. Enable two factor auth for gmail. Use longer passwords (see xkcd) and enable the lock feature on your smartphones.
posted by jeffamaphone at 12:48 PM on January 21, 2012
posted by jeffamaphone at 12:48 PM on January 21, 2012
I could be wrong, but I thought all these phishing scams were just an email with a link to something like gmail.google.com.scammer.net or something, so you think it's from Google. When you click the link, it takes you to a site set up to look like Google's login screen. You enter your username and password, and now they have access to your account.
The beauty of 2-step verification is that your username and password aren't enough to get access to your account. In addition to your username and password, Google sends a number to your phone that's required to log in. That way, scammers would also need access to your text messages (If you've got an Android phone, there's a Google Authenticator app that acts like a SecurID keyfob thing).
Another thing to be mindful of is security questions. Sarah Palin's Yahoo! account was "hacked" by simply correctly answering a couple security questions. The questions were apparently things that they found just by looking at her Wikipedia page.
I try not to use security questions at all, but if they're required, I have the answers be complete gibberish. So my first pet's name is something like lXs%$fb2398efsTTdjn. I keep these values stored with other login information in Keepass.
posted by VoteBrian at 1:28 PM on January 21, 2012 [1 favorite]
The beauty of 2-step verification is that your username and password aren't enough to get access to your account. In addition to your username and password, Google sends a number to your phone that's required to log in. That way, scammers would also need access to your text messages (If you've got an Android phone, there's a Google Authenticator app that acts like a SecurID keyfob thing).
Another thing to be mindful of is security questions. Sarah Palin's Yahoo! account was "hacked" by simply correctly answering a couple security questions. The questions were apparently things that they found just by looking at her Wikipedia page.
I try not to use security questions at all, but if they're required, I have the answers be complete gibberish. So my first pet's name is something like lXs%$fb2398efsTTdjn. I keep these values stored with other login information in Keepass.
posted by VoteBrian at 1:28 PM on January 21, 2012 [1 favorite]
By the way, Google recently started a big ad campaign to educate the public on good internet practices, Good to Know.
posted by VoteBrian at 1:31 PM on January 21, 2012
posted by VoteBrian at 1:31 PM on January 21, 2012
You should use a unique strong password for your email.
For example, Zappos.com (the shoe retailer) was recently hacked. The hackers now know my e-mail and have a hash of my Zappos password. Depending on Zappos' security practices, it's possible the hackers could figure out my Zappos password from the hash.
Luckily, it's not the same as my Gmail password.
One reason this is so important is that most web services use your email for account verification, confirmations, etc.
So, if the Zappos hacker logs in to my Facebook or Amazon accounts (which probably do have the same password my Zappos account did) and tries to change anything or order anything, I'll likely get an e-mail confirming shipment or confirming the change, thus alerting me to the nefarious activity.
But if they also had my Gmail account password, they could lock me out of that first and then lock me out or fuck me over on every other account I have on the internet.
posted by User7 at 2:30 PM on January 21, 2012 [1 favorite]
For example, Zappos.com (the shoe retailer) was recently hacked. The hackers now know my e-mail and have a hash of my Zappos password. Depending on Zappos' security practices, it's possible the hackers could figure out my Zappos password from the hash.
Luckily, it's not the same as my Gmail password.
One reason this is so important is that most web services use your email for account verification, confirmations, etc.
So, if the Zappos hacker logs in to my Facebook or Amazon accounts (which probably do have the same password my Zappos account did) and tries to change anything or order anything, I'll likely get an e-mail confirming shipment or confirming the change, thus alerting me to the nefarious activity.
But if they also had my Gmail account password, they could lock me out of that first and then lock me out or fuck me over on every other account I have on the internet.
posted by User7 at 2:30 PM on January 21, 2012 [1 favorite]
Best answer: 1. Is is possible for this trojan to work without the recipient clicking anything?
Yes, but it's rare. If your e-mail client downloads images and your e-mail client is susceptible to something like a Javascript attach to read properties, it can be done. Is it like? Not at all. Every major client--and every minor one I can think of--automatically blocks the display of images which aren't attached to the e-mail. The user has to manually enable this.
2. Were the victims careless and didn't use the usual precautions and we used the usual precautions we could be safe?
Possibly, since a lot of these "trojans" depend on the user not paying attention. Thunderbird, Outlook, Mail.app, and others all attempt to warn the user if it detects a scam link, but if the user says "open it anyway," there's nothing the e-mail client can do. The point? Don't click on e-mail links about which you are not absolutely certain, especially if they show up in HTML-formatted messages.
3. Is one more or less safe when using a web based email or an email software or a mobile device?
It's a trade-off. A web-based client can be open to browser-based attacks like cross-site scripting, but a standalone client can use a rendering engine that doesn't receive much love in terms of bug fixes and security checks. On the other hand, most standalone clients provide ways to disable all HTML rendering of e-mail--and most web clients don't have that option--which is safer (though less pretty).
4. Do usual virus/malware protection software protect you against such mischief?
Sometimes. Full suite software can inspect links that you click and warn you in advance, but stock-standard software that checks files and memory for viruses and malware programs generally won't help unless the trojan downloads something to get you to run.
My tips for e-mail safety:
- Use different e-mail addresses for different sites. I have a catchall domain, we'll call it "something.example.org," and have set it so that every e-mail address at that domain forwards to my regular account. So, Amazon is amazon@something.example.org, and my bank is banking@something.example.org. I set it as a subdomain because those are much more difficult for spammers to find so it keeps the spam to a minimum.
- Speaking of domains, buy your own domain and use it instead of a big provider like Hotmail or Gmail. Both of those services will let you bring your own domain (as will virtually every domain registration company on the planet), so you can still use their interface and servers without having to directly reveal that you're using them. Why does this matter? The big services are more of a target, so addresses ending in those domains will be more "attractive" for trolling large quantities of users. Putting yourself on your own domain both camouflages your actual e-mail service and, unrelated to security, provides portability in case your current provider does something you don't like.
- As has been mentioned, don't make your e-mail password the same as your banking password or the same as any other password. Use a program like KeePass to store passwords if you like, but keep passwords separate. Both Zappos and DreamHost e-mailed me in the past week to say "hey, change your password," but I wasn't too concerned because neither of those e-mail addresses or passwords are used elsewhere.
posted by fireoyster at 3:27 PM on January 21, 2012 [1 favorite]
Yes, but it's rare. If your e-mail client downloads images and your e-mail client is susceptible to something like a Javascript attach to read properties, it can be done. Is it like? Not at all. Every major client--and every minor one I can think of--automatically blocks the display of images which aren't attached to the e-mail. The user has to manually enable this.
2. Were the victims careless and didn't use the usual precautions and we used the usual precautions we could be safe?
Possibly, since a lot of these "trojans" depend on the user not paying attention. Thunderbird, Outlook, Mail.app, and others all attempt to warn the user if it detects a scam link, but if the user says "open it anyway," there's nothing the e-mail client can do. The point? Don't click on e-mail links about which you are not absolutely certain, especially if they show up in HTML-formatted messages.
3. Is one more or less safe when using a web based email or an email software or a mobile device?
It's a trade-off. A web-based client can be open to browser-based attacks like cross-site scripting, but a standalone client can use a rendering engine that doesn't receive much love in terms of bug fixes and security checks. On the other hand, most standalone clients provide ways to disable all HTML rendering of e-mail--and most web clients don't have that option--which is safer (though less pretty).
4. Do usual virus/malware protection software protect you against such mischief?
Sometimes. Full suite software can inspect links that you click and warn you in advance, but stock-standard software that checks files and memory for viruses and malware programs generally won't help unless the trojan downloads something to get you to run.
My tips for e-mail safety:
- Use different e-mail addresses for different sites. I have a catchall domain, we'll call it "something.example.org," and have set it so that every e-mail address at that domain forwards to my regular account. So, Amazon is amazon@something.example.org, and my bank is banking@something.example.org. I set it as a subdomain because those are much more difficult for spammers to find so it keeps the spam to a minimum.
- Speaking of domains, buy your own domain and use it instead of a big provider like Hotmail or Gmail. Both of those services will let you bring your own domain (as will virtually every domain registration company on the planet), so you can still use their interface and servers without having to directly reveal that you're using them. Why does this matter? The big services are more of a target, so addresses ending in those domains will be more "attractive" for trolling large quantities of users. Putting yourself on your own domain both camouflages your actual e-mail service and, unrelated to security, provides portability in case your current provider does something you don't like.
- As has been mentioned, don't make your e-mail password the same as your banking password or the same as any other password. Use a program like KeePass to store passwords if you like, but keep passwords separate. Both Zappos and DreamHost e-mailed me in the past week to say "hey, change your password," but I wasn't too concerned because neither of those e-mail addresses or passwords are used elsewhere.
posted by fireoyster at 3:27 PM on January 21, 2012 [1 favorite]
Best answer: People jumping on the two-factor bandwagon are, in my opinion, overreacting. I can see no reason why logging in to the genuine site with a genuinely strong and genuinely unique password should be inadequately secure, and KeePass makes all three of those things very easy to do.
Here's why Deb Fallows's account got compromised:
1. Get KeePass, preferably one of the portable versions that you can keep on your keyring.
2. Learn to use it.
The specific KeePass features you should be using are these:
1. When you create your password database, give it a name that makes it perfectly clear what it is (mine is always passwords.kdb) and secure it with a genuinely strong passphrase (if a copy of passwords.kdb falls into enemy hands, you don't want it cracked).
Personally I chose an 18 character random string of mixed letters and numbers for this, and trained my fingers to type it without thinking; you might prefer to go with the XKCD method linked above.
2. You will want several backups of passwords.kdb. So decide where the master copy is going to live (on your keyring? On some kind of server? On your phone or laptop or home PC?) and get in the habit of updating your working copy from the master copy before using it, and updating the master copy from your working copy after making changes.
If your working copy and master copy are the same thing (e.g. because they're on your keyring) and you don't want to rely on backing up onto whatever computers you're working with, get a second keyring drive to back up to. Losing passwords.kdb entirely will hurt.
3. Each entry in your KeePass database should include a secured (https:) URL that gets you to the login page for the service that the entry belongs to. For example, for Gmail the URL would be https://mail.google.com. You can usually find these by copying them from your browser's address bar right before clicking Log In.
When you want to use any web service requiring logon, get in the habit of doing that by opening KeePass first, right-clicking on the entry for the service you want and choosing "Open URL". That way, you won't find yourself entering genuine credentials into a fake site.
4. Only ever use the random passwords that KeePass generates for you. If you're making a KeePass entry for an existing service, don't put your existing password in KeePass; use the generated one instead, then save the KeePass database and back it up, then paste the generated password into your online service's password change page. Don't mess with the default KeePass password creation rules unless the service you're using needs you to do that in order to comply with a misbegotten password "strength" policy.
There is actually no reason why you should ever even have to look at any of the passwords you use to log in online. I certainly don't know any of mine. Just let KeePass paste or type them for you.
I like KeePass on a keyring much better than I like Google's two-factor auth because
1. It secures everything, not just Gmail.
2. I don't have to wait for a text message.
3. It works even when my phone battery has gone flat.
posted by flabdablet at 4:48 PM on January 21, 2012 [45 favorites]
Here's why Deb Fallows's account got compromised:
As in the great majority of hacking cases, my wife had been using the same password for her Gmail account as for some other, less secure sites, where her username was her Gmail address ... My wife’s password was judged as “strong” when she first chose it for use with Gmail. But it was a combination of two short English words followed by numbers, so if it didn’t leak from some other site, it might just have been guessed in a brute-force attack.Which is pretty much one of those "Doctor, it hurts when I do this" things. So how do you not do that?
1. Get KeePass, preferably one of the portable versions that you can keep on your keyring.
2. Learn to use it.
The specific KeePass features you should be using are these:
1. When you create your password database, give it a name that makes it perfectly clear what it is (mine is always passwords.kdb) and secure it with a genuinely strong passphrase (if a copy of passwords.kdb falls into enemy hands, you don't want it cracked).
Personally I chose an 18 character random string of mixed letters and numbers for this, and trained my fingers to type it without thinking; you might prefer to go with the XKCD method linked above.
2. You will want several backups of passwords.kdb. So decide where the master copy is going to live (on your keyring? On some kind of server? On your phone or laptop or home PC?) and get in the habit of updating your working copy from the master copy before using it, and updating the master copy from your working copy after making changes.
If your working copy and master copy are the same thing (e.g. because they're on your keyring) and you don't want to rely on backing up onto whatever computers you're working with, get a second keyring drive to back up to. Losing passwords.kdb entirely will hurt.
3. Each entry in your KeePass database should include a secured (https:) URL that gets you to the login page for the service that the entry belongs to. For example, for Gmail the URL would be https://mail.google.com. You can usually find these by copying them from your browser's address bar right before clicking Log In.
When you want to use any web service requiring logon, get in the habit of doing that by opening KeePass first, right-clicking on the entry for the service you want and choosing "Open URL". That way, you won't find yourself entering genuine credentials into a fake site.
4. Only ever use the random passwords that KeePass generates for you. If you're making a KeePass entry for an existing service, don't put your existing password in KeePass; use the generated one instead, then save the KeePass database and back it up, then paste the generated password into your online service's password change page. Don't mess with the default KeePass password creation rules unless the service you're using needs you to do that in order to comply with a misbegotten password "strength" policy.
There is actually no reason why you should ever even have to look at any of the passwords you use to log in online. I certainly don't know any of mine. Just let KeePass paste or type them for you.
I like KeePass on a keyring much better than I like Google's two-factor auth because
1. It secures everything, not just Gmail.
2. I don't have to wait for a text message.
3. It works even when my phone battery has gone flat.
posted by flabdablet at 4:48 PM on January 21, 2012 [45 favorites]
3. It works even when my phone battery has gone flat.
So does two-step auth -- Google gives you a small set of pre-generated codes you can print out and keep in your wallet for emergencies.
posted by vorfeed at 8:34 PM on January 21, 2012
So does two-step auth -- Google gives you a small set of pre-generated codes you can print out and keep in your wallet for emergencies.
posted by vorfeed at 8:34 PM on January 21, 2012
Or you could memorize them, if you're too hardcore for the wallet method...
posted by vorfeed at 8:35 PM on January 21, 2012
posted by vorfeed at 8:35 PM on January 21, 2012
Or you could keep them in KeePass, which means they're still secure even if your wallet or keyring gets jacked.
posted by flabdablet at 8:51 PM on January 21, 2012
posted by flabdablet at 8:51 PM on January 21, 2012
Something else to think about is password reset "security questions". Gmail has these, as do many other services, and they're usually way weaker than a randomly generated KeePass password and even more susceptible to being shared across services.
For services like Gmail that let you write your own security questions, I like to use "What is your password reset password?" and generate a second KeePass entry to use for the answer.
posted by flabdablet at 8:56 PM on January 21, 2012
For services like Gmail that let you write your own security questions, I like to use "What is your password reset password?" and generate a second KeePass entry to use for the answer.
posted by flabdablet at 8:56 PM on January 21, 2012
As far as Centrelink knows, my first pet's name was PLYsFdTikgYxNa69Ii43 (or something like that; I'd have to check to be sure). Which is probably why I lost him the first time I let him off the leash at the park.
posted by flabdablet at 9:04 PM on January 21, 2012 [2 favorites]
posted by flabdablet at 9:04 PM on January 21, 2012 [2 favorites]
Response by poster: Wow! Excellent responses! Please keep them coming.
I hear everyone talking about KeePass but not LastPass. Is there a reason for this? Arent they the same in terms of what they do or am I missing something?
posted by london302 at 4:48 AM on January 22, 2012
I hear everyone talking about KeePass but not LastPass. Is there a reason for this? Arent they the same in terms of what they do or am I missing something?
posted by london302 at 4:48 AM on January 22, 2012
KeePass is an open-source (free as in speech and as in beer) password manager that's available for a heap of different platforms (Windows, Linux, Mac, assorted smart phone OSes) that manipulates a password database stored in a file you keep your own copies of and back up in whatever way suits you.
LastPass is proprietary (there are free as in beer versions if you don't need to use it on a phone) and keeps a master copy of your password database in the cloud, automatically syncing it to your devices as needed.
Implementation details aside, LastPass is pretty much equivalent to KeePass + DropBox.
KeePass has been around for longer.
posted by flabdablet at 8:17 AM on January 22, 2012
LastPass is proprietary (there are free as in beer versions if you don't need to use it on a phone) and keeps a master copy of your password database in the cloud, automatically syncing it to your devices as needed.
Implementation details aside, LastPass is pretty much equivalent to KeePass + DropBox.
KeePass has been around for longer.
posted by flabdablet at 8:17 AM on January 22, 2012
This thread is closed to new comments.
posted by dfriedman at 12:05 PM on January 21, 2012