Your Email Password is a Target

Interested in hacking into the Email account of Charlie Sheen, Rob Lowe, Sean Penn or Carson Daly?  You’ll want to know they attended Santa Monica High School. Want access to the CEO of a large retail corporation?  Keep reading.

 
Simple question used by Yahoo to verify your identity.
Truth is we’re all screwed but having good password habits will keep out the amateurs. It may save you from emailing people on your contact list to say, “I’ve been hacked, if you received email from me don’t click on the link.”
My security expert friends will advise you to use…

1) Strong Passwords
2) Unique passwords for each of your password protected websites
3) Two-step verification

Important Advice to Share From BillP
My most important tip to family and friends is “Use fake information when asked for answers to security questions.”

Example of making up your own unique answers to security questions.

I had plenty of time this summer to research malware and identify the first step in the infection process.  The most common way to get hacked is someone using the small amount of public information needed too reset your email password. Once they have one of your email addresses it’s not hard to receive a new password on other services.

I recommend creating easy to remember jokes to use when asked for answers to security questions.  Some examples may be “What high school did you attend?” Pick something like Jefferson High School (Happy Days) or Rydell High(Grease). I won’t tell you what it is but people often laugh out loud when they see what I use for my mothers maiden name. Yes, some company’s still use it.

Target’s Easy Target

Using real data is dangerous. In less than 15 minutes I was able to find information about “former” Target CEO Gregg Steinhafel. His mother’s maiden name was Schreindl. He graduated from Homestead High School.
His first job was at Steinhafel's Furniture and he attends Wayzata Community Church. Born in Milwaukee, Steinhafel graduated from Carroll University in 1977 and earned an MBA from Northwestern University two years later. I could say more but for the safety of his wife and three children I’ll stop here.

If Target had requested a BlueHat Hacker Report, they would have been warned.

When a high school kid gained access to Sarah Palin’s email he wasn’t a computer genius. He just looked up the answers to the security questions used by Yahoo. Even though that was way back in 2008 this method has continued to grow as the number one way to steal personal data.

I’ve also noticed a set of quizzes common on Facebook specifically designed to collect personal data used in security questions.  I am currently investigating the background of the companies who spread these quizzes. Most created their domain within the last 30 days. I will share any information in the future.

Some Security Advice May Be Outdated
Complicated passwords:
Some may recommend a complicated password like “hfY4df$dhEW_!cvrh3H7D&d.” It’s safer than 123456 but isn’t very easy to remember. A complicated password may be useful to beat programs which try every possible combination but most systems will lock you out after a handful of incorrect attempts.

Unique passwords:
Using different passwords on different services is good advice but unless you’re using a program that remembers your passwords it’s too easy to forget unique passwords. If you’re like me you’ll just end up resetting your password using security questions.

Two-Step Verification

The two step verification process is a step in the right direction For banking or any service where real harm could be done it’s worth the extra step. If someone gains access to your cell phone or one of your email accounts the benefit is lost. Unfortunately, you’re trusting that the company is not going to take advantage of having more of your personal data like your cell phone number or alternate email address.

Some Advice Will Never Change

As far as recent failures by Home Depot, Lowes and other large companies the advice hasn’t changed much in 20 years. When your bill comes, check all your charges and make sure they’re legitimate. Most likely you can access your credit card online and see charges as they come in. If you haven’t already, register an account connected to your credit card and review charges regularly.

Reviewing your bills doesn’t just apply to credit or bank cards. Keep an eye on any charges like your cable or phone bill. Legitimate companies have been known to add bogus charges. Verizon wireless added a monthly charge for ring tones on Cindi’s phone. They claimed she agreed to the monthly charge by not responding to a text message. They removed the charge when I explained her cell phone at the time didn’t support test messaging.

Where did my Spyware come from?

Most folks will immediately blame another family member using their computer especially if they have teens in the house. In most case, it’s nobody’s fault if a machine is infected with some kind of spyware/malware/virus/badware, what ever you call it. So how the heck did your computer turn into such a mess.

Social Engineering
The number one method the bad guys have used for years is to just plain trick you. I’m sure you know not to reply to Email from the former ambassador to Nigeria but what if you get an alert message from Microsoft that says they found three viruses on your computer and you must download ie_update.exe?

Recently, we’ve seen updates of Internet Explorer and news videos that claim to be from CNN and MSNBC. They’re all meant to trick users into downloading badware. Convicted hacker Kevin Mitnick tells how in the old days he’d leave a floppy disk laying around public areas of a company with the label “Employee Salaries”.

I recently spoke at a conference for the National Network to End Domestic Violence. A common trick discussed was how perps would send an online greeting card that includes an apology but comes laced with a keylogger so the abuser can spy on all future computer activity.

The use of social engineering to try and take over your computer will continue to be number one method and will certainly improve and get more sophisticated. You’re sure to see a lot of this type before holidays and anytime there’s a huge world wide event.

Software Vulnerability
You probably all know about those regular software updates from Microsoft, Apple, Adobe and others. I’m not a big fan of “auto”updates but downloading security patches isn’t a bad idea. I usually wait until they’ve been released for a week or so and have been tested by the rest of the world. After that I do recommend having your system software updated with any patches available.

A software vulnerability can install a program on your system without downloading or clicking on any suspicious links. Anytime you’re connected to the internet your computer is probed to see if it’s visible and if any vulnerabilities exist. If the right vulnerability exists when your system is polled it can become the property of the first bad guy to find you.

I experienced one years ago when MSBlaster suddenly appeared on my computer. Luckily, WinPatrol was on patrol and I was immediately asked if this was something I had installed. I didn’t know what MSBlaster was so I removed it. This was a brand new threat so none of the anti-spyware/virus programs had any information about msblaster in their signature files.

Music and Porn Sharing
Seriously, I don’t have a lot of first hand research on this particular segment but I do what I have to in the interest of knowledge.

While this may get much of the blame in many households its not as prevalent as it used to be. That’s not to say that surfing for music and porn isn’t a malware mine field, it’s just that infections are a little more obvious. You know you’re in trouble when the only way you can close the browser Window is to completely shut down the browser or reboot your machine.

You don’t really have Spyware
One of the main reasons people purchase new computers is because their old computer is slow due spyware. In many cases when I’ve been asked to clean up spyware I find the system is basically clean. Usually, the computer is old, and has had so many programs installed and uninstalled over the years that the version of Windows on their computer is just plain tired out. How’s that for a technical quote?

Windows is a collection of various programs and libraries. Over many years of installing new programs different versions of Window components may be installed. This can become a big hodgepodge of files and old drivers so that no two versions of Windows are the same. We used to joke that Windows 95 wasn’t the year it was released. It meant every 95 days you should reformat your machine and reinstall Windows from scratch.

My best advice for these machines would be clean up auto start programs, add memory, clear up as much disk space as possible, and especially clean up any temp files including the Internet Explorer cache. Others swear by defragging your disk or using registry cleaners but I’m not a big fan.

Additional References:

Windows Versions are like Snowflakes

AutoUpdates are Evil

Do I Need a Registry Cleaner?

Your PC is NOT old