You've been pwned.

pete

If you haven't heard, I'll go with the headline, "Hackers expose 773 million email addresses, 21 million passwords!"

As the computer guy, I was asked by a few people about this, more-or-less in the form of, "What am I supposed to do?" I read the news article and I'm actually impressed by Mr. Brnovich's comments, because they're sensible and are what you're supposed to do. I'm going to add a little extra in brackets [like this]. However, before I get to Mr. B's quote, I'll mention that if you haven't already, go to haveibeenpwned.com, enter all your e-mail addresses and check to see if any are pwned. If they are, first register your e-mail accounts at haveibeenpwned.com and sign up for alerts on the e-mail address(es). So, on to the comments!

• Be cautious when storing passwords. Don’t keep written passwords in plain sight. Consider using a password manager to store a long list. [haveibeenpwned.com recommends 1password.com. I have no experience using 1password's software. If you want totally free for personal use, you'll want LastPass. It's got some problems, but free is good.]
• Create strong passwords, update them often, and create unique and different passwords for each account [and each website. If you use a stand-alone password management program, this is extremely easy to do.]
• Immediately change passwords that have been exposed and consider changing other passwords, too. [Also, if the account is for something that you no longer use, change your password, then close out your account. Preferably, you want your password to be 16 or more characters long, containing at least three capital letters, at least three lowercase letters, three numbers, and three symbols, like #$%. Avoid words from dictionaries.]
• Enable two-factor authentication. Many websites now offer more than just a password (a single factor) to verify a user’s identity. Enabling these additional features or factors provides additional security for your online accounts. [This is also called "multi-factor authentication." Generally, this means that you have to type in your password then a number from a program on your phone, from a card specifically made for that purpose, via e-mail, via a voice call, via Carrier Pigeon, etc.]
• Monitor credit card and debit card activity closely. Immediately report any suspicious activity to the bank or card company.
• Limit the amount of personal or sensitive information posted on social media. This information, such as birthdays, can be used to authenticate an account.
• Remain vigilant and take proactive steps to ensure your online safety. [Note that you might be able to get free credit monitoring. If you've been pwned, you should read up on the breach.]

I should comment on writing down passwords. 1) Don't. 2) Taping them to the bottom of your keyboard isn't sneaky. It's the first place I'll look. 3) Don't create a file on your desktop called, "These are my passwords." Any person on your network that has administrative rights can see these.

I should also mention that if you don't use a password manager -- even the under-powered one built into your browser -- using a passphrase is the best thing you can do. Say, "It was a dark and stormy night. It was the first time I saw the fnords. abcABC123!@#. This password is for woodwindforum.com."
 
Another headline: 800 Million Emails Leaked. One of my private e-mail addresses was on the list. I believe that I'll have someplace between 10 and 20 websites I'll have to change passwords on. Yah. Not fun.
 
It's probably not even "when." It's more, "How many websites have you entered credentials on that have been hacked?"

Big companies are realizing -- or should have realized -- that the cost of giving users free credit monitoring and/or going through lawsuits isn't worth it. They're trying to beef up security. They'll never 100% succeed.

I used to hate having to do two-factor authentication on a lot of sites, just because it wastes time. I now love it. We do have that available here, but I haven't turned it on because all you need to sign up here is an e-mail address.
 
We should all know, but worth repeating, never-ever click any link in your e-mail unless you are absolutely sure it's OK. Even if it looks like it's from your mom, wife, husband, significant other, or BFF.

I just got one from my bank a few weeks ago. Well it looked like it was from my bank. It had a link that had my bank's name on it plus some other characters (when I hovered over it), and a toll free phone number. It was one of those messages designed to initiate panic and a quick reaction.

Of course, I called my bank, NOT from the number in the e-mail, but from the number I have on file, and verified it was a scam (it looked and smelled like a scam) and informed them about it so they could do whatever they can to either stop it or warn others. The security department rep at the bank asked for information about it and thanked me very much.

We're all in this together, if you get one, take the time to help.

------

Back on the topic of the thread: Another advantage of using a password manager is that in most cases you don't have to type your password in. You can copy and paste. That way, if someone has put a keylogger on your system, your password will register as Ctrl+V.

I do the same for the number of the credit card that I use only on the web. It's in the encrypted password manager and it gets typed in as Ctrl+V.

And if you are smart, don't let your browser store your passwords and/or usernames. It's one more place to get them stolen from. It's really not much work to copy and paste from a password manager.

I read in PCMag that you shouldn't keep your password manager open when you aren't using it, as some hackers have figured out how to get the info when they are open.

And if possible, don't leave your credit card info at the places where you buy things. Don't opt in, if they opt you in, opt out, and if not go to your account and remove them. Amazon takes the most work to remove it, but it's only a minute when you have the routine down.

------

I run a business selling aftermarket products for Band-in-a-Box (styles and songs). My shopping cart gives me the option of downloading the orders with no credit card information on them - not even the last 4 numbers or the date. I took this option so that if someone hacks me, the hacker won't get my customers' credit card numbers. Repeat customers have to enter their card information in again, if they ask why, I tell them. So far nobody complains and I get mostly thanks for that.

Plus, once the order is filled, I remove it from the computer that is on-line and transfer it via flash drive to a computer that is not on my network and not on the Internet, where it is kept in an encrypted folder on the hard drive. So my customers' e-mail addresses and other personal details are not available, even if someone comes in and steals my computer.

OK, that seems paranoid, but I feel it's my responsibility to protect my customers' information much more than I protect my own. If every business took a little extra time to do this, there would be fewer ID theft problems going around. Oh sure, it takes a few extra minutes, and a big corporation might even have to hire an extra person, but isn't it worth the security?

Insights and incites by Notes
 
> I read in PCMag that you shouldn't keep your password manager open when you aren't using it, as some hackers have figured out how to get the info when they are open.
Mmmm. I know what you're talking about, but it's really not as bad as articles make it sound.

First, most of the big name password managers have been patched. In LastPass' case -- and I'm singling them out only because I use their stuff -- the vulnerability only applied to their old app version. Second, this flaw is extremely difficult to exploit unless the bad guy already has access to your computer. And, if the bad guy does have access, there are easier ways of getting data from your password manager. So, this is mostly a case of, "Updates. Install them." (FWIW, LastPass 4.1 had the flaw. They're up to 4.26, now.)

Anyhow, I've only tried LastPass and Dashlane. You don't need to copy and paste. You can, if you want, but you don't need to: username and password fields get populated automatically or right-click on the "username" box and choose the account that you want to use :D.
 
Thanks for the assurance.

I don't like the auto-fill feature. I just feel better having control and copy/paste is neither difficult nor time consuming.

I had an old password stolen, one that I used for a certain on-line forum (not this one), and now I get way too many phishing attacks telling me they used my camera to film me visiting porn sites. My computer doesn't even have a camera; when I bought it, it was an option, and since I had no use for it, I didn't purchase it.

It would seem that after a couple of dozen attempts, they would figure I'm not going to bite. Oh well, Shift+Delete works fine.

Notes
 
I use LastPass as it was recommended when I worked at Amazon. It just works, which means I don't think about it very much. But I have a backup system too, just in case things go south. Had to change my Facebook password again (because of this). One of the options was to sign out of every other device, which I happily accepted. I also removed the devices from the list of previous contact devices. My wife's list was over 30 devices, many of them dups.
 
> I get way too many phishing attacks telling me they used my camera to film me visiting porn sites.
https://www.usatoday.com/story/tech...not-fall-prey-latest-email-threat/1254679002/

These e-mails can actually be helpful. Hear me out:

Usually, the e-mail will list an old password (as you note {punny}) that you've used on a website. That website probably got hacked. You should go to https://haveibeenpwned.com and check ALL your e-mail addresses. On the websites that come up for your e-mail address, change your password. If you use the same password someplace else, change that password, too. You should use a different password on each website.

One of the fun variations of this scam is that it'll use "your" e-mail address to contact you, e.g. I'd get an e-mail from thesaxinfo@gmail.com to thesaxinfo@gmail.com.

LastPass and Dashlane allow you to export your username/password set, if you want a local backup. However, all those usernames and passwords are encrypted on LastPass'/Dashlane's server, so all you have to do to restore is to reinstall the extension/plug-in and log back in. Now, if you forget your password to LastPass/Dashlane, you're gonna be in for a world of hurt ...
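pete's advice here and in the first post is to go to haveibeenpwned.com and check your addresses and passwords. The site also exposes the Pwned Passwords range API (https://haveibeenpwned.com/API/v3#PwnedPasswords), which lets you check a password without ever sending it, or even its full hash, to the server: you send only the first five hex characters of the SHA-1 and get back every breached suffix that starts with them. The following is an added example, my own code rather than anything posted in the thread or published by HIBP. The SAMPLE_RANGE_5BAA6 text is a constructed stand-in for the live response so that the demo runs offline; the neighbouring suffixes and all counts in it are made up, and only the middle suffix is the real SHA-1 suffix of "password".

```python
"""Check a password against HIBP's Pwned Passwords range API using k-anonymity
(added example; not from the thread or from HIBP).

Only the first 5 hex characters (20 bits) of the SHA-1 leave your machine; the
match against the returned suffixes happens locally.
"""
import hashlib
import urllib.request
from typing import Callable, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1 of password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Fetch the live range for a 5-character hex prefix (network; the demo below
    uses offline_fetch instead). HIBP requires a User-Agent header."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse the 'SUFFIX:COUNT' lines of a range response; 0 means never seen."""
    suffix = suffix.upper()
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in known breaches (0 if not found)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed stand-in for the /range/5BAA6 response so the demo runs offline.
# The middle suffix is the real SHA-1 suffix of "password"; the other two
# suffixes and every count are invented for illustration.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F6F2C1A7E5B3C4D5E6F708192A3B4C5D6E:1
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that only knows the constructed 5BAA6 range."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "It was a dark and stormy night. abcABC123!@#"):
        n = pwned_count(candidate, fetch=offline_fetch)
        verdict = f"seen {n} times in breaches, do not use" if n else "not in the sample range"
        print(f"{candidate!r}: {verdict}")
```

To check against the live service, call pwned_count(password) with the default fetch_range. A count of zero only means the password is not in HIBP's corpus, not that it is strong, so this belongs alongside the length and uniqueness advice above, not in place of it.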
 
I quit Facebook when I decided that their business practices were not anything I wanted to contribute my data to for their profit. Deleted everything and glad I did. It was too much of a time waster anyway.

My passwords are in an app that encrypts them, and I keep an encrypted backup in a location I won't post online (just in case some bot is lurking).

Thanks for the advice. I've been to pwned a few times since I read about it, and have it on schedule for periodic checks.

I follow the advice to use a different password for every account. I know which account they got my old password from, it was a forum that is no longer even in existence. It went belly-up probably a decade ago. And yes, they are spoofing more than one of my e-mail accounts.

And yes I know to never-ever click on anything in my in box that I wasn't expecting, and to be careful even if I was expecting it. I remember a UPS phishing attack after I ordered something and was waiting for delivery. The e-mail mentioned a package was being held up due to an addressing problem, or something like that, and I should call immediately. Well I went to the official UPS site, tracked the package and found it scheduled to be delivered later that day.

I know I'm still learning and there are more savvy people than myself who have been tricked, so I continue learning and keep my eyes open. I adopt the strategy that everything online is suspicious. And since I don't have the training I probably overcompensate in some areas. But better safe than sorry.

It's easy to be fooled by some of the more well crafted attempts. There is a part of me that admires their cleverness as much as I disrespect their intentions.

It seems nothing really changes about human nature, the only thing that changes is the technology.

Notes
 
I'm posting just to bring this post to the fore, again. Someone stole my wife's credit card number last night. Luckily the bank caught the purchases and denied them:

* If you haven't enabled multifactor authentication on ANY website where it's offered, you need to. If your bank/credit union/similar doesn't offer multifactor authentication, get a new bank/etc. I'm absolutely serious.
Outlook/Hotmail, Gmail, Reddit, Facebook, and a bunch of other sites do have multifactor options.
* Check your phone and/or tablet for updates early and often. If your phone or tablet, like the iPhone 6 and iPad 4th generation and older, is no longer supported by the most current updates, get a new device.
* If you get a text from USPS/UPS/FedEx/etc., make sure you check the link before clicking. The most common scam links are now [random numbers and letters].info, like 5AB697.info.
 
True.
The amount of spam/phishing on the internet has increased (at least for me) 10 fold in the past year.
Some people are dumb to it... and click away.
Just look at the email address as to where the message originated... and compare it to your credit card(s) email address...
Totally bogus.
 
That's good advice, Pete.

Real-time anti-malware protection also helps, but it certainly isn't foolproof.

There is big money in it for the thieves, and spamming is at little cost to them.

I never-ever click a link to anything important in an e-mail (and almost never in non-important things).

If "my bank" sends me something, I go to my password manager, open the URL to the bank from there, enter my credentials and check to see if I have a message. Usually it's not, so I forward the message to abuse@my bank's domain, and hopefully they can stop it. The problem is that spam is like mosquitoes: you kill one and a dozen come to the funeral.

The other day I got an e-mail from a credit card company for a store I hold a MasterCard at. They started with "Dear Robert" - most spammers don't include my name. But I guess the bulk mailing bots are getting smarter because when I went to the card via my password manager, they had no message for me.

If a friend sends an attachment, I won't open it before I check with my friend first to see if they really sent it or if their e-mail address was spoofed.

It's sad, but you have to think that everything is under suspicion and somebody out there is out to get you. Because someone out there is out to get you.

Since I run an on-line business, I don't download my customers' credit card numbers. My shopping cart company and credit card approval company verify the balance, approve the funds, and deposit them in my bank. After I have completed the order, I take the customer's non-payment information and move it to a computer that is never connected to the Internet. If it isn't on the net, a hacker can't get my customers' names or addresses or e-mails. The non-online computer also has an encrypted hard drive, so if someone breaks into my office and steals the computer, they'd better know a very, very, very long password, or they get nothing. I'm more careful about my customers' data than my own. After all, they are trusting me with it.

If you order from me twice, you will have to enter your card again. It's a small price to pay for additional security.

Be careful, suspect everyone, even what seems to come from friends and family, and stay safe.

Notes
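Notes's rule of opening the bank from the password manager instead of from the message, pete's advice to check a link before clicking, and the earlier point about looking at the address a message actually came from can all be mechanised. What follows is an added example, my own code and not anything posted in this thread: it pulls every link out of an HTML e-mail, compares the link's host (not the visible text, which is what the hover check is really about) against a list of domains the reader actually does business with, and checks the From: address the same way. TRUSTED_DOMAINS, SAMPLE_FROM and SAMPLE_HTML are assumptions constructed for the demo; "examplebank.com" is a placeholder, not a real bank, and the 5AB697.info host is modelled on the parcel-text links pete describes.

```python
"""Flag e-mail links and senders that do not belong to domains you actually use
(added example; not from the thread)."""
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Assumption: the domains this reader banks and ships with. "examplebank.com"
# is a placeholder, not a real bank.
TRUSTED_DOMAINS = {"examplebank.com", "ups.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_belongs_to(host: str, domain: str) -> bool:
    """True if host is domain or a subdomain of it. This is a label match, so
    'examplebank.com.secure-verify.info' does NOT belong to examplebank.com."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. A real filter should use the Public Suffix
    List so that e.g. bank.co.uk is not reduced to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def mentions_brand(host: str, text: str, domain: str) -> bool:
    """Does the host or the link text drop the brand name of a trusted domain?"""
    brand = domain.split(".")[0]
    labels = host.lower().replace("-", ".").split(".")
    words = text.lower().replace("/", " ").replace(".", " ").split()
    return brand in labels or brand in words


def suspicious_links(html: str, trusted=TRUSTED_DOMAINS) -> List[Tuple[str, str]]:
    """Return (href, reason) for every link that does not land on a trusted domain."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if parsed.scheme not in ("http", "https"):
            findings.append((href, f"non-web scheme {parsed.scheme!r}"))
            continue
        if any(host_belongs_to(host, d) for d in trusted):
            continue  # genuinely on a domain we trust
        borrowed = [d for d in trusted if mentions_brand(host, text, d)]
        where = registrable_domain(host)
        if borrowed:
            reason = f"looks like {borrowed[0]} but actually points to {where}"
        else:
            reason = f"points to untrusted domain {where}"
        findings.append((href, reason))
    return findings


def sender_is_trusted(from_header: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Check the real address in From:, not the display name. Passing is
    necessary, not sufficient: From: is trivially forged unless the receiving
    mail server enforces SPF/DKIM/DMARC."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    return bool(domain) and any(host_belongs_to(domain, d) for d in trusted)


# Constructed sample modelled on the messages described in the thread: a panic
# message, a link whose host merely contains the bank's name, a short .info host
# like the parcel-delivery texts, and one legitimate link.
SAMPLE_FROM = "ExampleBank Security <alerts@examplebank.com.secure-verify.info>"
SAMPLE_HTML = """
<p>Dear Robert, unusual activity was detected. Verify your account within 24 hours.</p>
<a href="https://www.examplebank.com.secure-verify.info/login">https://www.examplebank.com/login</a>
<a href="http://5AB697.info/track">Track your package</a>
<a href="https://www.examplebank.com/messages">Read your messages</a>
"""

if __name__ == "__main__":
    print("sender trusted:", sender_is_trusted(SAMPLE_FROM))
    for href, reason in suspicious_links(SAMPLE_HTML):
        print(f"{href} -> {reason}")
```

The point of the first finding is the one Notes makes: the visible text reads exactly like the bank's URL, but the href's host is under secure-verify.info, and only the host decides where the browser goes. Nothing here replaces the habit of opening the site from the password manager; it just makes the hover check systematic.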
 
So much to keep track of. I hafta say that although not perfect, running a whitelist (in which only email addies you've vetted get through to the inbox, everything else goes to junk) has been very helpful to me. I do expect sometime in the near future, there will be no secrets. Everyone's dearest info will be available to anyone willing to pay the price.
 
Since I run an on-line business selling aftermarket style e-disks and fake e-disks for Band-in-a-Box, a whitelist is of no use to me. A new or potential customer can't be rejected.

My web host has spam filtering which took the spams down from 400/day to half a dozen. They blacklist spams that people turn in.

So for me the answer is to be careful.

I also keep many months of backups (disk images) on disks that I keep not attached to the computer. If hit with something terrible like ransomware, I can go back to what it was over a year ago if I have to.

Notes
 
My ThinkPad computer has a slide shutter that blocks the camera. When the camera is blocked I see a red dot on the black slider.

You can also buy stick-on shutters at Amazon, B&H, and other outlets. I had one on my older computer.

Ever since I saw a documentary, I've kept my camera covered. Not that I have anything to hide but my less than tidy office ;)

Those "We've been watching you" spams have been around for years. I guess they must work, because they keep sending them en masse.

Notes
 
> I get way too many phishing attacks telling me they used my camera to film me visiting porn sites.
https://www.usatoday.com/story/tech...not-fall-prey-latest-email-threat/1254679002/

I am setting up my new laptop, as my old one was on life support, and while driving it around the block I came across this post... it's kind of a low tech idea, but why not put a piece of tape over the camera when not in use?
First thing is obvious: don't do anything embarrassing or illegal in front of a computer camera. You no longer have to worry!

BSG is right that this low tech approach or buying a cover, as NN mentions, will work and I've seen folks at 3 letter acronym US government entities do this. However, you have to remember to keep the camera covered when it's not in use. Sometimes, that's just not practical. Hey, I have bunches of Zoom meetings today. I'm probably not going to cover the camera for 15 minutes until my next meeting. Also, how many people put a cover on their mobile phone's cameras? And, for those of us that have a camera with an LED indicator that turns on when it's recording, cameras can record without the light turning on.

It's also probably a good idea to turn on the setting that blurs or replaces your background. While I don't think any of my co-workers would want to steal anything in my camera's background, it's possible.
 
> It's also probably a good idea to turn on the setting that blurs or replaces your background. While I don't think any of my co-workers would want to steal anything in my camera's background, it's possible.

I will have to check out that background setting. My home office isn't as tidy as it was before the pandemic (I have a small office off premises, aka "Covid City" that I check in to 1-2 x / week). I had to do a zoom, it was an important matter, so I moved some boxes on top of my bookcases and replaced them with some certificates that look like diplomas. I hope no one noticed that the books were music books and cook books :)

Thanks Pete, I just checked out that link, now I won't have to move the boxes!
 