
You've been pwned.

pete

Brassica Oleracea
Staff member
Administrator
#1
If you haven't heard, I'll go with the headline, "Hackers expose 773 million email addresses, 21 million passwords!"

As the computer guy, I was asked by a few people about this, more-or-less in the form of, "What am I supposed to do?" I read the news article and I'm actually impressed by Mr. Brnovich's comments, because they're sensible and are what you're supposed to do. I'm going to add a little extra in brackets [like this]. However, before I get to Mr. B's quote, I'll mention that if you haven't already, go to haveibeenpwned.com, enter all your e-mail addresses and check to see if any are pwned. If they are, first register your e-mail accounts at haveibeenpwned.com and sign up for alerts on the e-mail address(es). So, on to the comments!

• Be cautious when storing passwords. Don’t keep written passwords in plain sight. Consider using a password manager to store a long list. [haveibeenpwned.com recommends 1password.com. I have no experience using 1password's software. If you want totally free for personal use, you'll want LastPass. It's got some problems, but free is good.]
• Create strong passwords, update them often, and create unique and different passwords for each account [and each website. If you use a stand-alone password management program, this is extremely easy to do.]
• Immediately change passwords that have been exposed and consider changing other passwords, too. [Also, if the account is for something that you no longer use, change your password, then close out your account. Preferably, you want your password to be 16 or more characters long, containing at least three capital letters, at least three lowercase letters, three numbers, and three symbols, like #$%. Avoid words from dictionaries.]
• Enable two-factor authentication. Many websites now offer more than just a password (a single factor) to verify a user’s identity. Enabling these additional features or factors provides additional security for your online accounts. [This is also called "multi-factor authentication." Generally, this means that you have to type in your password then a number from a program on your phone, from a card specifically made for that purpose, via e-mail, via a voice call, via Carrier Pigeon, etc.]
• Monitor credit card and debit card activity closely. Immediately report any suspicious activity to the bank or card company.
• Limit the amount of personal or sensitive information posted on social media. This information, such as birthdays, can be used to authenticate an account.
• Remain vigilant and take proactive steps to ensure your online safety. [Note that you might be able to get free credit monitoring. If you've been pwned, you should read up on the breach.]

I should comment on writing down passwords. 1) Don't. 2) Taping them to the bottom of your keyboard isn't sneaky. It's the first place I'll look. 3) Don't create a file on your desktop called, "These are my passwords." Any person on your network that has administrative rights can see these.

I should also mention that if you don't use a password manager -- even the under-powered one built into your browser -- using a passphrase is the best thing you can do. Say, "It was a dark and stormy night. It was the first time I saw the fnords. abcABC123!@#. This password is for woodwindforum.com."
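As an added example (not code from the post or from any password manager mentioned above), here is a small Python script that checks a password against the rule the post states (16+ characters, at least three each of uppercase, lowercase, digits and symbols) and, for the passphrase suggestion, generates a random multi-word passphrase with the `secrets` module and compares its entropy with that of a random 16-character password. The word list is a constructed stand-in; a real deployment would load a diceware-style list of several thousand words, which is the assumption behind the 7776-word figure in the usage note.

```python
import math
import secrets

# Constructed mini word list (assumption: stands in for a real diceware list
# of thousands of words; it is far too small for real passphrases).
WORDLIST = ["correct", "horse", "battery", "staple", "saxophone", "clarinet",
            "oboe", "bassoon", "reed", "ligature", "embouchure", "mouthpiece"]

MIN_LENGTH = 16      # the post's minimum length
MIN_PER_CLASS = 3    # at least three of each character class


def check_password(pw: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": sum(c.isupper() for c in pw),
        "lowercase": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        # symbols: anything that is neither alphanumeric nor whitespace
        "symbol": sum((not c.isalnum()) and (not c.isspace()) for c in pw),
    }
    for name, count in classes.items():
        if count < MIN_PER_CLASS:
            problems.append(f"fewer than {MIN_PER_CLASS} {name} characters")
    return problems


def generate_passphrase(n_words: int = 6, wordlist=WORDLIST, sep: str = "-") -> str:
    """Pick n_words uniformly at random with a CSPRNG (secrets, not random)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n_words drawn uniformly from a list of wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def random_password_entropy_bits(length: int, alphabet_size: int = 94) -> float:
    """Entropy of a uniformly random password over the 94 printable ASCII characters."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ["abcABC123!@#", "ABCdef123!@#xyzW"]:
        print(candidate, "->", check_password(candidate) or "OK")
    print("sample passphrase:", generate_passphrase())
    print("16 random printable chars: %.1f bits" % random_password_entropy_bits(16))
    print("6 words from a 7776-word list: %.1f bits" % passphrase_entropy_bits(6, 7776))
    print("6 words from this %d-word list: %.1f bits"
          % (len(WORDLIST), passphrase_entropy_bits(6, len(WORDLIST))))
```

The comparison is the point: a random 16-character password is about 105 bits, six words from a 7776-word diceware list about 77 bits, and six words from the twelve-word toy list only about 21 bits, so a passphrase is only as strong as the size of the vocabulary it is drawn from and the randomness of the draw, not its length in characters.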
 

pete

Brassica Oleracea
Staff member
Administrator
#2
Another headline: 800 Million Emails Leaked. One of my private e-mail addresses was on the list. I believe that I'll have someplace between 10 and 20 websites I'll have to change passwords on. Yah. Not fun.
 

pete

Brassica Oleracea
Staff member
Administrator
#4
It's probably not even "when." It's more, "How many websites have you entered credentials on that have been hacked?"

Big companies are realizing -- or should have realized -- that the cost of giving users free credit monitoring and/or going through lawsuits isn't worth it. They're trying to beef up security. They'll never 100% succeed.

I used to hate having to do two-factor authentication on a lot of 'sites, just because it wastes time. I now love it. We do have that available here, but I haven't turned it on because all you need to sign up here is an e-mail address.
 
#6
We should all know, but worth repeating, never-ever click any link in your e-mail unless you are absolutely sure it's OK. Even if it looks like it's from your mom, wife, husband, significant other, or BFF.

I just got one from my bank a few weeks ago. Well it looked like it was from my bank. It had a link that had my bank's name on it plus some other characters (when I hovered over it), and a toll free phone number. It was one of those messages designed to initiate panic and a quick reaction.

Of course, I called my bank, NOT from the number in the e-mail, but from the number I have on file and verified it was a scam (it looked and smelled like a scam) and informed them about it so they could do whatever they can to either stop it or warn others. The security department rep at the bank asked for information about it and thanked me very much.

We're all in this together, if you get one, take the time to help.

------

Back on the topic of the thread: Another advantage of using a password manager is that in most cases you don't have to type your password in. You can copy and paste. That way, if someone has put a keylogger on your system, your password will register as Ctrl+V.

I do the same for the number of the credit card that I use only on the web. It's in the encrypted password manager and it gets typed in as Ctrl+V.

And if you are smart, don't let your browser store your passwords and/or usernames. It's one more place to get them stolen from. It's really not much work to copy and paste from a password manager.

I read in PCMag that you shouldn't keep your password manager open when you aren't using it, as some hackers have figured out how to get the info when they are open.

And if possible, don't leave your credit card info at the places where you buy things. Don't opt in, if they opt you in, opt out, and if not go to your account and remove them. Amazon takes the most work to remove it, but it's only a minute when you have the routine down.

------

I run a business selling aftermarket products for Band-in-a-Box (styles and songs). My shopping cart gives me the option of downloading the orders with no credit card information on them - not even the last 4 numbers or the date. I took this option so that if someone hacks me, the hacker won't get my customers' credit card numbers. Repeat customers have to enter their card information in again; if they ask why, I tell them. So far nobody complains and I get mostly thanks for that.

Plus once the order is filled, I remove it from the computer that is on-line and transfer it via flash drive to a computer that is not on my network and not on the Internet, and is in an encrypted folder on the hard drive of that computer. So my customers e-mail addresses and other personal details are not available, even if someone comes in and steals my computer.

OK, that seems paranoid, but I feel it's my responsibility to protect my customers' information much more than I protect my own. If every business took a little extra time to do this, there would be fewer ID theft problems going around. Oh sure, it takes a few extra minutes, and a big corporation might even have to hire an extra person, but isn't it worth the security?

Insights and incites by Notes
 

pete

Brassica Oleracea
Staff member
Administrator
#7
> I read in PCMag that you shouldn't keep your password manager open when you aren't using it, as some hackers have figured out how to get the info when they are open.
Mmmm. I know what you're talking about, but it's really not as bad as articles make it sound.

First, most of the big name password managers have been patched. In LastPass' case -- and I'm singling them out only because I use their stuff -- the vulnerability only applied to their old app version. Second, this flaw is extremely difficult to exploit unless the bad guy already has access to your computer. And, if the bad guy does have access, there are easier ways of getting data from your password manager. So, this is mostly a case of, "Updates. Install them." (FWIW, LastPass 4.1 had the flaw. They're up to 4.26, now.)

Anyhow, I've only tried LastPass and Dashlane. You don't need to copy and paste. You can, if you want, but you don't need to: username and password fields get populated automatically or right-click on the "username" box and choose the account that you want to use :D.
 
#8
Thanks for the assurance.

I don't like the auto-fill feature. I just feel better having control and copy/paste is neither difficult nor time consuming.

I had an old password stolen, one that I used for a certain on-line forum (not this one), and now I get way too many phishing attacks telling me they used my camera to film me visiting porn sites. My computer doesn't even have a camera; when I bought it, it was an option, and since I had no use for it, I didn't purchase it.

It would seem that after a couple of dozen attempts, they would figure I'm not going to bite. Oh well, Shift+Delete works fine.

Notes
 

Gandalfe

Admin and all around good guy.
Staff member
Administrator
#9
I use LastPass as it was recommended when I worked at Amazon. It just works, which means I don't think about it very much. But I have a backup system too, just in case things go south. Had to change my Facebook password again (because of this). One of the options was to sign out of every other device, which I happily accepted. I also removed the devices from the list of previous contact devices. My wife's list was over 30 devices, many of them dups.
 

pete

Brassica Oleracea
Staff member
Administrator
#10
> I get way too many phishing attacks telling me they used my camera to film me visiting porn sites.
https://www.usatoday.com/story/tech...not-fall-prey-latest-email-threat/1254679002/

These e-mails can actually be helpful. Hear me out:

Usually, the e-mail will list an old password (as you note {punny}) that you've used on a website. That website probably got hacked. You should go to https://haveibeenpwned.com and check ALL your e-mail addresses. On the websites that come up for your e-mail address, change your password. If you use the same password someplace else, change that password, too. You should use a different password on each website.

One of the fun variations of this scam is that it'll use "your" e-mail address to contact you, e.g. I'd get an e-mail from thesaxinfo@gmail.com to thesaxinfo@gmail.com.

LastPass and Dashlane allow you to export your username/password set, if you want a local backup. However, all those usernames and passwords are encrypted on LastPass'/Dashlane's server, so all you have to do to restore is to reinstall the extension/plug-in and log back in. Now, if you forget your password to LastPass/Dashlane, you're gonna be in for a world of hurt ...
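The post above says to check your e-mail addresses at haveibeenpwned.com and change any password that turns up. The same service also lets you check a password itself without sending it anywhere, via its Pwned Passwords "range" API: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every hash suffix in that bucket with a breach count, so the full hash never leaves the machine (the k-anonymity model). The Python below is an added example, not code from the post or from Have I Been Pwned; the sample response text is constructed here so the script runs offline, and the breach count in it is made up. The live `fetch_range` helper assumes the real endpoint `https://api.pwnedpasswords.com/range/<prefix>` and is not called unless you run the script with a `--live` argument.

```python
import hashlib
import sys
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # assumption: real HIBP endpoint

# Constructed sample of what a range response looks like: "SUFFIX:COUNT" lines.
# The suffix on the second line is the real SHA-1 tail of "password"; the counts
# are invented for this example.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def sha1_upper_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as uppercase hex, the form the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (prefix, suffix): only the 5-char prefix is ever sent to the server."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Scan a range response for our suffix; 0 means the password was not found."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash-prefix bucket (network; not used by the offline demo).
    HIBP requires a User-Agent; Add-Padding asks for dummy lines so bucket sizes
    leak less about which prefix was queried."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_offline(password: str, response_text: str = SAMPLE_RANGE_RESPONSE) -> int:
    """Offline version: hash locally and scan the constructed sample bucket."""
    _, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, response_text)


def check_password_live(password: str) -> int:
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


if __name__ == "__main__":
    live = "--live" in sys.argv
    for pw in ["password", "correct-horse-battery-staple-saxophone"]:
        count = check_password_live(pw) if live else check_password_offline(pw)
        status = f"seen {count} times in breaches" if count else "not found"
        print(f"{pw!r}: {status}")
```

Note that the padding lines in a real padded response carry a count of 0, which is why the parser treats "not found" and "count 0" the same; and that the lookup tells you a password has appeared in a breach somewhere, which is reason enough to retire it everywhere it was reused, as the post says.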
 
#11
I quit Facebook when I decided that their business practices were not anything I wanted to contribute my data to for their profit. Deleted everything and glad I did. It was too much of a time waster anyway.

My passwords are in an app that encrypts them, and I keep an encrypted backup in a location I won't post online (just in case some bot is lurking).

Thanks for the advice. I've been to pwned a few times since I read about it, and have it on schedule for periodic checks.

I follow the advice to use a different password for every account. I know which account they got my old password from, it was a forum that is no longer even in existence. It went belly-up probably a decade ago. And yes, they are spoofing more than one of my e-mail accounts.

And yes I know to never-ever click on anything in my in box that I wasn't expecting, and to be careful even if I was expecting it. I remember a UPS phishing attack after I ordered something and was waiting for delivery. The e-mail mentioned a package was being held up due to an addressing problem, or something like that, and I should call immediately. Well I went to the official UPS site, tracked the package and found it scheduled to be delivered later that day.

I know I'm still learning and there are more savvy people than myself who have been tricked, so I continue learning and keep my eyes open. I adopt the strategy that everything online is suspicious. And since I don't have the training, I probably overcompensate in some areas. But better safe than sorry.

It's easy to be fooled by some of the more well crafted attempts. There is a part of me that admires their cleverness as much as I disrespect their intentions.

It seems nothing really changes about human nature, the only thing that changes is the technology.

Notes
 