Posted

A friend of mine has just had all of his email addresses hacked, and all of the emails deleted (and downloaded by the hacker) - the hacker is now threatening to send all the confidential, sensitive and embarrassing emails to all his family, business contacts and clients/customers unless he pays X to an account by Thursday. The email addresses were both personal addresses and business addresses.

Looks like he was a little lax on PC security (spyware/malware/keyloggers) and also recorded his passwords in (what he thought was) a secure email account. Now all of his passwords have been changed, and he is unable to get into all of those accounts (except one, which remains open) - all the threats etc are being sent via his email accounts.

I'm not sure how far it will go, or if it's just a prank or a hollow threat... sounds and looks fairly serious to me.

So a warning to you all, with some advice to boot.

Change your passwords regularly, use a strong password (that is a password with UPPER case and lower case letters, use numbers and symbols) and never, ever, under any circumstances, give your passwords to anyone. Not even family or friends. Always always ALWAYS keep your computer free of malware & viruses, there are many many products for sale and for free that can assist you with this, some are available in the ThaiVisa.com downloads section, some you can buy/download on the internet.

Most of us are blasé about internet security, taking an 'it won't happen to me' attitude or whatever, but this is a very real reminder that these things can happen, do happen and could happen to you.

Just want to help save you all some embarrassment!

Posted

Well I'm not going to say... it's not my place. I do have a copy of the 'threat' and there is some stuff in there that, if it were me, I'd prefer it not to be sent out.

I'm helping him recover from this right now, we have contacted the authorities and the hosting companies and are gathering data right now. I just wanted to let you all know that these things can happen, do happen and with a little bit of thought and caution, we could slow down/prevent some of the cases from happening!

Posted (edited)

What one doesn't want people to know about oneself, become public...avoid or better make sure, you don't leave any hardcopies, written or any other way recorded, flying around... simple as that!

NO password, no safe, no secret cave, Secrets are there to be detected and revealed!

Edited by Samuian
Posted

One of the worst cases of password hijacking I've seen happened at a popular software forum, where a hacker with a grudge against the developers captured the database, and with it the hashes of all the members' passwords. Over the past few years he has cracked and abused literally dozens of forum accounts. Many members had used the same password across multiple websites/software projects and also to servers to which they had admin access. The worst thing was someone had reused their password on an admin account to the Sourceforge repository for the project. He put a hole in the code that let him break into any website that installed or was updated with the code from the repository. In short, it was a diabolical mess.

To get around the headache of remembering loads of strong passwords I like to use password safe (simple and free utility from the guy that wrote the Twofish encryption algorithm). Things it can do are:

* Organise and store your passwords in strongly encrypted form.

* Generate extremely strong random passwords of whatever length.

* Copy to clipboard/automatically clear the clipboard.

* Can be installed on a USB key.

Basically, I don't know any of my passwords anymore. They are all random junk and all my sites/logins are unique. I just have to remember the master password to the safe.

Posted
Basically, I don't know any of my passwords any more. They are all random junk and all my sites/logins are unique. I just have to remember the master password to the safe.
My position too. By the by Wolfie, have you been able to find the technique used here?

Regards

Posted

Ho hum... I will just go about my day. Interesting reading... I will flush down the knowledge with another beer.

I could not imagine how a key logger or other malware application could be installed on my system. I browse the web all day long. Oh wait... maybe it is because I do not run windows??

I really have no sympathy for those who run into problems as described in the OP. The safest bet for the mentally challenged is to not use a computer. Do things the old fashioned way.

/rant.

Posted

Not yet, I'm hoping to get my hands on his laptop very soon. I suspect he got a keylogger or some such on his machine, which was used to gain access to his accounts. And then the hacker found some juicy stuff to use against him. It's originating from within Thailand, as the bank account number supplied is for a Thai bank. We are hoping the police/Cyber Crime division could be of some help to us here... if anyone has any contacts that might help us speed up the process, please PM me the details - thanks! :o

Posted (edited)

Personally I've used Windows for over 15 years (Windows 3.1 was my first encounter with it) and in that time I've had one virus (which was my own stupid fault) - so with a bit of common sense these things can be avoided. All I am trying to do with this thread is give people some sound advice, sorry you don't seem to agree with that.

Edited by Wolfie
Posted

And it's not really the point here anyway, but thanks for the pointer gumball.

It is still a useful reminder to all of us.

Posted
To get around the headache of remembering loads of strong passwords I like to use password safe

I've used PasswordSafe for I think almost 2 years now, including the U3 (USB key version).

However, it doesn't mean you're safe, by all means - you can have the most complex password in the world, but if it is sent in cleartext and picked up by a 3rd party - they can still use it maliciously.

Combine it with an anti-spyware and anti-virus application (there are free available ones), and remember to browse safely whilst on any type of network, including Hot Spots: http://anchorfree.com/downloads/hotspot-shield.

I try to divide my browsing habits into 2 groups and divided by 2 browsers: 1 casual and 1 sensitive. I attach the "safe browser" with "safe policy" tactics which is an ongoing set of practises and tools which are evolving as threats change and new tools and practices are released.

But no one is safe, and there's no such thing as 100% secure. I have all sympathy for the guy that got all his accounts compromised, it could happen to anyone. I hope police will track him/them down...

But, so what if he sends old emails to his family or business clients? Just tell all contacts that a hacker has threatened to manipulate and *fake* his original email content, i.e. replacing original content with "juicy stuff" with the motive getting more money. There's no way the malicious guy can prove the authenticity of the original emails anyway in a simple way. He's playing on fears, guilt and shame feelings of the victim. Try not to play along on his terms....

Posted

Just to be sensible about this, one issue that all computer users should be aware of irrespective of OS is that effective 'hacking' usually involves 2 separate activities, one technical one social. To explain, suppose an individual targets you, they may first try to infiltrate your system, for example using a 'drive by' infection method by routing you to a specific web page. This can work, primarily with older browsers IE 6 especially and under Windows, though Safari and Firefox are not 100% immune from this under the Windows platform.

However, the smart technique uses social engineering to prepare the target so that when a dialogue or even a warning is displayed the user is sufficiently assured that they click [OK]. This is one argument about Vista's nagging, it runs the risk of preconditioning people to click through rather than pause. In addition users of 'virus safe' environments are at even greater risk because they think that such an intrusion is not possible whereas in reality it should be viewed as not probable {drive by} but that perception plus judicious social engineering can engender a false sense of security.

For most users the key is to pause, just for a second or two and think why am I saying [yes] what am I installing, e.g. a free porn pass :o might be a trap, but if the groundwork is done properly the user may think they are installing an enhancement to their system.

Regards

Posted
Not yet, I'm hoping to get my hands on his laptop very soon. I suspect he got a keylogger or some such on his machine, which was used to gain access to his accounts.

A few people have reported problems from use of public wifi hotspots in Thailand over the last year or two. The Oz government doesn't allow wifi on government laptops anymore (not sure that is the best way to solve their problems, but anyway).

Guest Reimar
Posted

Gumballl maybe is using Jungle Drums? :o:D

Posted
what am I installing, e.g. a free porn pass :o might be a trap, but if the groundwork is done properly the user may think they are installing an enhancement to their system.

Maybe two large silicon enhancements :-)

Posted (edited)

^ Beat me to editing :o I was on the phone, suffice it to say it should read [the user may think the software they are installing is a legitimate enhancement to their system].

Regards

PS on the WiFi point there have been rumours but nothing ever seems to get substantiated. I came across logging in a well known internet cafe and to be fair they let me work with them very quickly to kill it, though they didn't report it either.

Edited by A_Traveller
Posted
A friend of mine has just had all of his email addresses hacked, and all of the emails deleted (and downloaded by the hacker) - the hacker is now threatening to send all the confidential, sensitive and embarrassing emails to all his family, business contacts and clients/customers unless he pays X to an account by Thursday. The email addresses were both personal addresses and business addresses.

Looks like he was a little lax on PC security (spyware/malware/keyloggers) and also recorded his passwords in (what he thought was) a secure email account. Now all of his passwords have been changed, and he is unable to get into all of those accounts (except one, which remains open) - all the threats etc are being sent via his email accounts.

I'm not sure how far it will go, or if it's just a prank or a hollow threat... sounds and looks fairly serious to me.

So a warning to you all, with some advice to boot.

Change your passwords regularly, use a strong password (that is a password with UPPER case and lower case letters, use numbers and symbols) and never, ever, under any circumstances, give your passwords to anyone. Not even family or friends. Always always ALWAYS keep your computer free of malware & viruses, there are many many products for sale and for free that can assist you with this, some are available in the ThaiVisa.com downloads section, some you can buy/download on the internet.

Most of us are blasé about internet security, taking an 'it won't happen to me' attitude or whatever, but this is a very real reminder that these things can happen, do happen and could happen to you.

Just want to help save you all some embarrassment!

This person wouldn't be D.B. would it Wolfie ??

Posted
It's originating from within Thailand, as the bank account number supplied is for a Thai bank.

Yeah, must be Thailand if the guy told you to pay into his bank account !!!

Posted

Sorry to point out the obvious, but if he's truly the victim of a keylogger then frequent password changes will merely amuse the other party.

Posted
To the witty GumBall, you are aware that, for example, keyloggers exist for all OS' and have been known to infiltrate systems other than just Windows.

Keep on bluffing, we're not buying ... :o

I take a pragmatic approach. As long as there are no viruses/keyloggers out there for my system, I don't worry. Once and if there are, I will take precautions. That day hasn't arrived yet though so I continue to completely ignore things like this.

regards...

I mean, if there were global statistics for this sort of thing... it would go something like this:

# Infections / day / OS: 1,000,000+ Windows; 2 Linux; 2 Mac OS X.

It's more likely that I get struck down by lightning on a sunny day than me contracting a virus on OS X. Do I worry about lightning on a sunny day? No.

To the OP: Thanks for the advice. There's no excuse to not have a strong password, I will update my Gmail now. I am wondering though - a strong password would not help me in the above described situation. If somebody manages to steal my passwords, it doesn't really matter how strong they are (or were, in that case...).

Posted
Sorry to point out the obvious, but if he's truly the victim of a keylogger then frequent password changes will merely amuse the other party.

I am not hot on password changes either. If you change frequently, then most likely you will do something else that compromises those passwords.

I just think of a really hard/weird one, and stick with it.

It would take inhuman discipline to remember lots of different really hard passwords. So when systems force the user to frequently update their pass, they will find a way around it. Use increasing numbers. Use easy passwords. Or write down the passwords.

Posted
Or use Password Safe! It really is worth a look!

/advertisement :-)

Try KeePass Portable, a bit better imho. All the features of password safe, portable, generates very secure passwords based on your criteria, etc. My only complaint is that some of the default options are not what I would personally choose.

Posted
To the witty GumBall, you are aware that, for example, keyloggers exist for all OS' and have been known to infiltrate systems other than just Windows.

Keep on bluffing, we're not buying ... :o

I take a pragmatic approach. As long as there are no viruses/keyloggers out there for my system, I don't worry. Once and if there are, I will take precautions. That day hasn't arrived yet though so I continue to completely ignore things like this.

regards...

I mean, if there were global statistics for this sort of thing... it would go something like this:

# Infections / day / OS: 1,000,000+ Windows; 2 Linux; 2 Mac OS X.

It's more likely that I get struck down by lightning on a sunny day than me contracting a virus on OS X. Do I worry about lightning on a sunny day? No.

To the OP: Thanks for the advice. There's no excuse to not have a strong password, I will update my Gmail now. I am wondering though - a strong password would not help me in the above described situation. If somebody manages to steal my passwords, it doesn't really matter how strong they are (or were, in that case...).

Lightning on a sunny day.. Not any more..

That was the case until recently... the new OSX keylogger (and trojan turn on the webcam etc) is spreading quite nicely even though it's only a tiny market share OS..

Posted (edited)

As someone who had to train users on security issues, the best luck I have had with getting users to create complex passwords is as follows.

Yes, it's called a password, but it doesn't have to be made of a word. So to create your new password:

1) Use a line from a song, quote from book or movie, or anything with several words you can memorize easily.

2) Depending on how many words there are, choose the first letter, or first and last letter of each word to use in the new password.

3) Alternate using upper and lower case, or use some other method such as AAbbCCdd, AAAbbbCCCddd, etc.

4) Replace some letters with numbers and special characters. Easy choices are o = 0, e = 3, h = 4, L = 1, a = @. Using the upper case method from step 3, when you hold shift while pressing the number, you now have special characters added in as well.

5) The best part is, you can write down all of the ways you develop your password onto pieces of paper, store them in your office, your wallet, etc., as nobody will know what it's for anyway. Even if they do, they will not know the phrase you are using, or which letters of the words in the phrase you are using. Besides, you're usually trying to keep your password safe from people on the internet who don't have physical access to your house/office/computer, as if they do, they can easily install a keylogger into your OS, your keyboard, or between your keyboard and computer. Also feel free to write the actual phrases down on some other pieces of paper, perhaps along with some other "random notes" to make it blend in. If you have a safe in your house, that would be a good place to store either the phrases you are using or the methods used to create your password from the phrases, but not both!

After a few days you will have the password(s) memorized just by typing them so you won't need to refer to your cheat sheets unless you've been away from your computer for ages.

Always best to use different passwords for different websites, bank accounts, email accounts, computers. Using the above methods, you shouldn't have to change them too frequently either.

Cheers

Edited by surface
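
Steps 1 to 4 of the post above, written out as an added example (not part of the original thread or any poster's code). The sample phrases are constructed, the Shift+digit symbols assume a US keyboard layout, and `derive_password`, `pick_letters` and `missing_classes` are hypothetical names; the last one checks the result against the "upper, lower, numbers and symbols" rule from the opening post.

```python
import string

# Substitutions listed in step 4 of the post (applied to lower-cased letters).
LEET = {"o": "0", "e": "3", "h": "4", "l": "1", "a": "@"}
# Assumption: US keyboard layout, where Shift+digit types these symbols.
SHIFTED = {"0": ")", "1": "!", "3": "#", "4": "$"}


def pick_letters(phrase, first_and_last=False):
    """Step 2: first letter (optionally also the last) of each word."""
    picked = []
    for word in phrase.split():
        letters = [c.lower() for c in word if c.isalpha()]
        if not letters:
            continue
        picked.append(letters[0])
        if first_and_last and len(letters) > 1:
            picked.append(letters[-1])
    return picked


def derive_password(phrase, first_and_last=False, run=1):
    """Steps 2-4. run=1 gives AbAb, run=2 gives AAbbCC, and so on."""
    out = []
    for i, ch in enumerate(pick_letters(phrase, first_and_last)):
        shift = (i // run) % 2 == 0          # is Shift "held" at this position?
        sub = LEET.get(ch)
        if sub is None:
            out.append(ch.upper() if shift else ch)
        elif shift:
            out.append(SHIFTED.get(sub, sub))  # Shift + digit -> symbol
        else:
            out.append(sub)
    return "".join(out)


def missing_classes(password):
    """Character classes from the thread's 'strong password' rule that are absent."""
    checks = {
        "upper": str.isupper,
        "lower": str.islower,
        "digit": str.isdigit,
        "symbol": lambda c: c in string.punctuation,
    }
    return [name for name, ok in checks.items()
            if not any(ok(c) for c in password)]


if __name__ == "__main__":
    # Constructed sample phrases, not taken from the thread.
    for phrase in ("my first dog was called bruno and he loved the beach",
                   "each evening hamsters eat oranges"):
        pw = derive_password(phrase)
        print(repr(pw), "missing:", missing_classes(pw))
```

The second sample phrase shows the edge case: when every initial is one of the substituted letters, no letters survive and the result fails the upper/lower requirement, so the phrase needs some words that start with other letters.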
Posted (edited)

^ Sound advice thanks for taking the time to enunciate it.

I really don't want to get into the Apple/Windows debate here, after all I use many OS' depending on requirements, but if anyone doubts that key-loggers for Apple exist just search Apple Keylogger, for the publicly known ones. Secondly Apple Products do have vulnerabilities, including Safari drive by risks, Quick Time etc.. A reason for the lack of penetration is the enforced administration process, so the user has to agree to installation. As I noted above social engineering can lead to a case where users 'expose' themselves. This does happen, and one could argue the expectation that <insert OS here> is free from infection risk vectors can be a contributing factor to a misplaced sense of invulnerability. In other words I'll click [Yes] because I'm safe.

The reality of course, is that there are much better targets out there for the script kiddie, but for the professional {on either side of the law} no system is sacrosanct.

Regards

Edited by A_Traveller
Posted

Yep it is still kind of funny that people would really think that if they run OSX, that they are safe from things like keyloggers, people sniffing for passwords on connections that are not secured with SSL, and other things like that.

Time to wake up and take your head out of the sand. A nice thing to know in this light, is that by default Leopard has turned its firewall off. So whatever you do on your safe Mac running Leopard, one thing to do once you got it installed is turn on that firewall.
