Friday, July 8, 2011

Hacked Again!

So yeah. Both my gmail and facebook accounts were hacked again. And this time they made sure to permanently delete any email received since the first compromise. After the last time, I obviously changed my password, and made sure it was a strong(er) password. I don't think they could have brute forced it in only 5 days.

That got me thinking about how they got access. There are few devices that I access my gmail account from, and it's possible that one of those devices is compromised and contains a keylogger. I've used some of these devices since the second attack, and haven't seen a third...yet.

In a fit of paranoia I uninstalled any new apps on my phone but the more I think about it the more I think that is not the avenue for the second attack. We shall see. I'm in a "hurry up and wait" state at the moment.

What I think happened is that for the first attack it was brute forced offline, either from the leak a couple of weeks ago, or from the massive Sony attack, but in that first attack if you remember, they got access to my facebook friends list. It just happens that my mom is a friend and her maiden name is listed. Well guess what my gmail password reset security question was. D'oh!

I've had my gmail account for many years and was a wee bit of a security newb not so long ago -- not that I know everything, but I have learned quite a bit over the past couple of years. I'm sure that way back when I set this account up I had no idea that someone one day could use information obtained from one web site to compromise my account on another.

This is all still speculation as I have not rooted my phone yet so I don't have access to exactly what each app is trying to access, nor do I have access to gmail log files. It could turn out to be a bad app that I downloaded, and they just haven't attacked me again yet, and that while my cell phone could have saved me from getting my identity stolen, it was also the attack vector. We'll just have to wait and see.

Lesson learned... Don't use any security questions/answers that can be easily obtained online by just about anyone, e.g. birth month, mother's maiden name, pet's/children's names, etc...

Wednesday, July 6, 2011

How my cell phone may have saved me from getting my identity stolen

I say may have because I'm not quite sure how much damage was done. I'm still cleaning up. Also I'm not sure what these a-holes wanted.



It all started on a Sunday afternoon. I was sitting at home getting ready to head over to a cookout with my family. I noticed that my cell phone had two "!" icons. I clicked on them and noticed that I was no longer syncing with gmail or Facebook. So I tried logging in again on my phone. . . No luck. WTF?!?

I then tried logging in to gmail on my laptop, still no luck. Well, I knew my password was correct, so I tried resetting my password, and was able to log in instantly. Once I logged in, there was a bright red bar at the top of the gmail layout stating that my account had been logged into from a questionable IP. I'm not sure of the algorithm that google uses to detect this, or even if they have a list, but sure enough, the IP was registered in Italy; and unless there had been a shift in the time-space continuum, I was not in Italy.

I then checked my gmail settings to ensure there were no forwarding rules set up, or any other settings out of the ordinary. Good-to-go.

Next, let's concentrate on what the hell happened to my Facebook account. Tried accessing it using what I thought was my "strong" (not a dictionary word, use different character sets, etc...) password, which is different from my gmail password. Sure enough, it had been changed. So I reset that password as well, and also ensured there were no odd email addresses associated with my account (Account Settings -> Email, Account Settings -> Security). Good-to-go.

So how did they hack my gmail account? I have a "strong" (not a dictionary word, use different character sets, etc...) password, so I'm not really sure. There was a breach of thousands of email addresses a few weeks back, but if I remember correctly, only a small percentage of them were gmail accounts. So maybe it was brute-forced. I'm not sure if gmail has an account lockout feature -- never needed to try or look into it. Either way, my accounts had been hacked. DAMMIT!

I checked my spam folder in gmail. . . nothing. Checked the deleted items folder. Hmmm. . . There were two deleted messages about a facebook account password reset. I don't remember doing that. WTF?!? Those sneaky bastards had hacked my gmail, changed the password, then sent a Facebook password reset to my gmail account. Since they now had my gmail password, they were able to reset my Facebook account with the link that was happily provided by Facebook, then delete those messages. Luckily, google never really deletes anything.

From the hacking of accounts to me getting "notified" by errors on my cell phone took about 10 minutes, and another 10 minutes for me to figure out what the hell happened and fix it.

All I know for sure is that they had access to my gmail address book and my facebook friends list for about 15-20 minutes. I have not heard from anyone getting spammed by me, and I haven't received any notifications about other account password resets, so for now I think I'm okay.

But what if I didn't have a smart phone that linked to gmail and Facebook? How long would it have taken me to find out my accounts had been hacked? Hours? Days if I was away from a computer or on vacation? My smart phone addiction paid off for once.

Lesson Learned? Change passwords often, make them long and full of different characters. Don't use dictionary words. And don't ever, ever, ever, use the same password for all of your online accounts. Oh, and keep the smart phone data plan!

Friday, April 1, 2011

Thieves now stealing kids' identities

An article on this website shows a study on theft and use of SSNs of minors. Horrible, but true. Not only are you, as an adult, at risk, but your kids are too. The article does mention that some cases are parents using their kid's SSN to get stupid things like water and electricity, but that isn't always the case.

The author doesn't say if kids are more at risk, but the answer should be obvious. The bad guys are always looking for new ways to steal. When we catch on to something, they find a different avenue. Now that us adults have taken checking our credit into our own hands, thieves are targeting kids, who, well. . . let's face it, have no reason to even have a credit history, let alone check it. So, what's the answer?

Well, the web site provides a link to a site which says lookups are free, but registration is required, and it is a privately-owned "Identity Theft Protection" company, which means they may change their mind at any point and begin charging for this service, even though they say that it is free. Is there another solution?

Not sure. Currently, we are allowed a free lookup of our credit history once per year, for all 3 credit bureaus. I'm assuming this is through an amendment to the Fair Credit Reporting Act (any lawyers out there?). Maybe another amendment is in order, allowing parents to perform credit lookups once per year on their credit history as well as the credit history of any dependents they may have. I think I'll be writing my congress representative this evening and hopefully putting the system to work for me.

Sunday, January 30, 2011

Might be a good idea to change your Amazon password

So, there's an alleged bug in Amazon's authentication mechanism. There's a fix in place, but the catch is you need to change your password to alleviate the problem. And, as the author states, please do not use the word password in your password. If you think the word 'password' is a secure password, well, then I've got more educatin' to do. Gotta go, there's password changin' to do.

Wednesday, January 12, 2011

Kama Sutra, Trojans, and I'm not talkin' bout the good kinds

So, apparently, there's a new trojan horse floating around in the form of a PowerPoint slide show, which promises to educate the user on the Kama Sutra. It may be called "Real kamasutra.pps.exe," but could have any name. While the slide show may actually have images of Kama Sutra positions, there is a malware program embedded inside the executable that allows an attacker to take control of your machine, at which point they can steal your info, or enlist your services in their botnet.

Attackers prey on weaknesses. People have two major weaknesses: money, and sex -- not necessarily in that order. Put them together (money-free sex) and it's the perfect storm of human weakness.

For some it may go without saying. For others, not so much. Just stay away from the "free sex." You may not pay for it now, but at some point, you will. And for g-d's sake, don't fool around with anything with a ".exe" extension, unless you know where it's been. . . and you've both been tested.

Safe Surfing!

Tuesday, January 11, 2011

Facebook scams hit mobile users

"What in the wide, wide world of sports is going on out there?"

In this post, the author cites statistics surrounding the percentage of scams on Facebook that hit mobile users. Approximately 24% of the hits to scam web pages came from mobile devices, e.g. Windows mobile phones, iPhones, Blackberrys, etc. Unfortunately, scammers targeting mobile users will only increase as the number of people "going mobile" is increasing. Actually, it's not the "going mobile" aspect as much as it is the smart/droid/i phone aspect. More and more users are discovering the cool things that these powerful hand-held devices can do.

What's the fix? It's a simple one. Don't click on any links on your mobile device, which is easier said than done. It's very easy to hide a scam web page inside an HTML link that is legitimate. Here's an example:

I can say that I'm sending you to Google, but if you actually click on the link, it will take you to Microsoft's home page.
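
To see where a link really goes before clicking, here is a small checker, added as an illustration and not part of the original post. It lists each link's visible text next to the host in its `href`, and flags links whose text names one site while the `href` points to another. The sample HTML, the function names, and the "last two labels" domain comparison are all assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anchor text that itself looks like a hostname or URL, e.g. "www.google.com".
HOST_RE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#\s]|$)", re.I)

def base_domain(host):
    # Assumption: the last two labels identify the site (no public-suffix list).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.links = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:      # only collect text inside an open <a>
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown = "".join(self.text).strip()
        host = urlparse(self.href).hostname or ""
        named = HOST_RE.match(shown)
        mismatch = bool(named and host and
                        base_domain(named.group(1)) != base_domain(host))
        self.links.append((shown, host, mismatch))
        self.href = None

def find_links(html):
    """Return (visible text, real destination host, mismatch flag) per link."""
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.links

# Constructed sample input, not taken from any real message.
SAMPLE = """
<p>Go to <a href="http://www.microsoft.com/">www.google.com</a> now.</p>
<p>Search with <a href="http://www.microsoft.com/">Google</a>.</p>
<p>The real one: <a href="https://www.google.com/search">google.com</a></p>
"""

if __name__ == "__main__":
    for shown, host, mismatch in find_links(SAMPLE):
        print(f"{'MISMATCH' if mismatch else 'ok':8} text={shown!r} -> {host}")
```

A link whose text is just a word like "Google" cannot be flagged automatically, which is why the checker prints the real host for every link and not only for the mismatches.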