Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Monday, October 06, 2014

Your Email Password is a Target

Interested in hacking into the Email account of Charlie Sheen, Rob Lowe, Sean Penn or Carson Daly?  You’ll want to know they attended Santa Monica High School. Want access to the CEO of a large retail corporation?  Keep reading.


Simple question used by Yahoo to verify your identity.

Truth is we’re all screwed but having good password habits will keep out the amateurs. It may save you from emailing people on your contact list to say, “I’ve been hacked, if you received email from me don’t click on the link.”
My security expert friends will advise you to use…

1) Strong Passwords
2) Unique passwords for each of your password protected websites
3) Two-step verification

Important Advice to Share From BillP
My most important tip to family and friends is “Use fake information when asked for answers to security questions.”


Example of making up your own unique answers to security questions.

I had plenty of time this summer to research malware and identify the first step in the infection process. The most common way to get hacked is someone using the small amount of public information needed to reset your email password. Once they have one of your email addresses it’s not hard to request a new password on other services.
I recommend creating easy to remember jokes to use when asked for answers to security questions. For example, when asked “What high school did you attend?” pick something like Jefferson High School (Happy Days) or Rydell High (Grease). I won’t tell you what it is, but people often laugh out loud when they see what I use for my mother’s maiden name. Yes, some companies still use it.
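The practical version of the fake-answer advice, as an added example that is not code from the post or from WinPatrol: treat every recovery answer as a second password, generate it at random (a joke answer that friends know about is still a guess), and keep it in the password manager beside the real password. The site name `mail.example`, the in-memory `Vault` standing in for a password manager, and the figure of roughly 30,000 candidate high schools are assumptions made for the example.

```python
"""Treat account-recovery answers as secondary passwords.

Added example for this post, not code from Bill Pytlovany or WinPatrol.
Assumption: the fake answer is generated at random and kept in a
password-manager-style store keyed by site and question; the in-memory
Vault below stands in for that store.
"""
import hmac
import json
import math
import secrets

# Lowercase letters and digits only: many sites case-fold answers before
# comparing them, so mixed case buys nothing you can rely on.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

# Assumed order of magnitude for the candidate space of a *real*
# "What high school did you attend?" answer before any research (about 15
# bits). Fifteen minutes of research shrinks it to a single guess.
ASSUMED_REAL_ANSWER_CANDIDATES = 30_000


def generate_answer(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a random answer drawn from the CSPRNG (never random.choice())."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(n_choices: int, n_symbols: int) -> float:
    """Entropy of n_symbols symbols each drawn uniformly from n_choices."""
    return n_symbols * math.log2(n_choices)


def normalize(answer: str) -> str:
    """Mirror what sites commonly do: ignore case and surrounding/repeated spaces."""
    return " ".join(answer.casefold().split())


def check_answer(stored: str, supplied: str) -> bool:
    """Constant-time comparison of normalized answers (what a server should do)."""
    return hmac.compare_digest(normalize(stored).encode(), normalize(supplied).encode())


class Vault:
    """Minimal stand-in for the secure-notes section of a password manager."""

    def __init__(self) -> None:
        self._entries = {}  # site -> {question: answer}

    def set_answer(self, site: str, question: str, length: int = 20) -> str:
        answer = generate_answer(length)
        self._entries.setdefault(site, {})[question] = answer
        return answer

    def get_answer(self, site: str, question: str) -> str:
        return self._entries[site][question]

    def to_json(self) -> str:
        return json.dumps(self._entries, indent=2, sort_keys=True)

    @classmethod
    def from_json(cls, blob: str) -> "Vault":
        vault = cls()
        vault._entries = json.loads(blob)
        return vault


if __name__ == "__main__":
    vault = Vault()
    question = "What high school did you attend?"
    answer = vault.set_answer("mail.example", question)  # hypothetical site
    print(f"{question} -> {answer}")
    print(f"random answer: {entropy_bits(len(ALPHABET), len(answer)):.0f} bits")
    print(f"real answer, unresearched: {math.log2(ASSUMED_REAL_ANSWER_CANDIDATES):.0f} bits")
    restored = Vault.from_json(vault.to_json())
    print("recovery check:", check_answer(restored.get_answer("mail.example", question), f"  {answer.upper()} "))
```

The twenty-character random answer is worth about 100 bits; the real answer is worth about 15 bits before anyone looks you up and zero bits afterwards. The normalization in `check_answer` is there so the stored answer still works when a site upper-cases or trims what you type.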

Target’s Easy Target

Using real data is dangerous. In less than 15 minutes I was able to find information about “former” Target CEO Gregg Steinhafel. His mother’s maiden name was Schreindl. He graduated from Homestead High School.
His first job was at Steinhafel's Furniture and he attends Wayzata Community Church. Born in Milwaukee, Steinhafel graduated from Carroll University in 1977 and earned an MBA from Northwestern University two years later. I could say more but for the safety of his wife and three children I’ll stop here.
When a college student gained access to Sarah Palin’s email in 2008 he wasn’t a computer genius. He just looked up the answers to the security questions used by Yahoo. That was years ago, and the method remains one of the easiest ways to steal personal data.


I’ve also noticed a set of quizzes common on Facebook specifically designed to collect personal data used in security questions.  I am currently investigating the background of the companies who spread these quizzes. Most created their domain within the last 30 days. I will share any information in the future.


Some Security Advice May Be Outdated
Complicated passwords:

Some may recommend a complicated password like “hfY4df$dhEW_!cvrh3H7D&d.” It’s safer than 123456 but isn’t very easy to remember. A complicated password is what beats programs that try every possible combination, but most systems will lock you out after a handful of incorrect attempts, so that kind of guessing rarely happens against the login page. Where it does happen is offline: when a site’s password database is stolen, the thieves try guesses against the stored password hashes with no lockout at all, and that is where 123456 falls in the first second and a long password does not. A passphrase of several random words is a reasonable middle ground, easy to remember and still hard to guess.
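To put numbers on the lockout argument, here is an added example (not the author’s code) that estimates how long a guesser needs against the two passwords above under an online lockout and against a stolen hash database. The online rate (5 tries per 15-minute lockout window), the offline rate (10^10 guesses per second against a fast unsalted hash) and the five-entry common-password list are assumptions constructed for the example; real cracking rates and real wordlists vary by orders of magnitude.

```python
"""Where a strong password actually matters: online guessing versus offline cracking.

Added example for this post, not the author's code. Guessing rates are
assumptions chosen for order of magnitude only.
"""
import math
import string

# Assumed online rate: a lockout of 5 wrong tries per 15-minute window.
ONLINE_GUESSES_PER_DAY = 5 * (24 * 60 // 15)  # 480
# Assumed offline rate: GPU cracking of a leaked fast-hash (e.g. unsalted MD5)
# password database, where no lockout exists.
OFFLINE_GUESSES_PER_DAY = 1e10 * 86_400

# Constructed excerpt of a "most common passwords" list; real lists have millions.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "123456789"]

CHARSETS = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]


def charset_bits(password: str) -> float:
    """Brute-force bits if the attacker must try every string over the classes used."""
    if not password:
        return 0.0
    size = sum(len(cs) for cs in CHARSETS if any(c in cs for c in password))
    return len(password) * math.log2(size)


def guess_bits(password: str) -> float:
    """Effective bits: a dictionary hit is found after about `rank` guesses, not 2^n."""
    if password in COMMON_PASSWORDS:
        return math.log2(COMMON_PASSWORDS.index(password) + 1)
    return charset_bits(password)


def passphrase_bits(n_words: int, list_size: int = 7776) -> float:
    """Diceware-style passphrase: n words drawn at random from a list_size-word list."""
    return n_words * math.log2(list_size)


def expected_days(bits: float, guesses_per_day: float) -> float:
    """Expected time to hit the password: half the keyspace on average."""
    return 2 ** (bits - 1) / guesses_per_day


def compare(password: str) -> dict:
    """Days of guessing needed online (with lockout) and offline (stolen hashes)."""
    bits = guess_bits(password)
    return {
        "bits": bits,
        "online_days": expected_days(bits, ONLINE_GUESSES_PER_DAY),
        "offline_days": expected_days(bits, OFFLINE_GUESSES_PER_DAY),
    }


if __name__ == "__main__":
    for pw in ["123456", "hfY4df$dhEW_!cvrh3H7D&d"]:
        r = compare(pw)
        print(f"{pw!r}: {r['bits']:.1f} bits, online {r['online_days']:.3g} days, "
              f"offline {r['offline_days']:.3g} days")
    b = passphrase_bits(6)
    print(f"6-word passphrase: {b:.1f} bits, offline "
          f"{expected_days(b, OFFLINE_GUESSES_PER_DAY):.3g} days")
```

The point the numbers make: the lockout only slows the attacker who is typing at the login page. Against a stolen database the common password is gone immediately, the 23-character password is out of reach, and a six-word random passphrase (about 77 bits) sits comfortably on the safe side while still being something a person can remember.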

Unique passwords:
Using different passwords on different services is good advice but unless you’re using a program that remembers your passwords it’s too easy to forget unique passwords. If you’re like me you’ll just end up resetting your password using security questions.

Two-Step Verification
The two-step verification process is a step in the right direction. For banking or any service where real harm could be done it’s worth the extra step. If someone gains access to your cell phone or one of your email accounts the benefit is lost. Unfortunately, you’re also trusting that the company is not going to take advantage of having more of your personal data, like your cell phone number or alternate email address.

Some Advice Will Never Change
As for the recent failures at Home Depot, Lowe’s and other large companies, the advice hasn’t changed much in 20 years. When your bill comes, check all your charges and make sure they’re legitimate. Most likely you can access your credit card online and see charges as they come in. If you haven’t already, register an account connected to your credit card and review charges regularly.
Reviewing your bills doesn’t just apply to credit or bank cards. Keep an eye on any charges like your cable or phone bill. Legitimate companies have been known to add bogus charges. Verizon Wireless added a monthly charge for ring tones on Cindi’s phone. They claimed she agreed to the monthly charge by not responding to a text message. They removed the charge when I explained her cell phone at the time didn’t support text messaging.




Sunday, July 15, 2007

Tagged by Most Annoying Spam Yet

I’ve always been a little leery of Social Network sites. As an experiment, I did join LinkedIn and it doesn’t suck but I’m not a big fan of MySpace or Facebook. I especially don’t like sites who encourage users to enter the Email addresses of their friends and family.


The Email I received below is by far one of the most annoying I’ve received in a long time. I don’t know Kathie B and I was almost tempted to click on “No” just to show my disgust. Of course by doing so Tagged would now have a confirmation that my Email address was active. This same approach is sure to be copied by online phishers trying to get additional information.


Annoying Email from Tagged.com


I wandered over to Tagged.com to see what it was all about.

“Tagged.com was launched in 2004, and is an explosively growing social-networking portal developed specifically for teens aged 13 through 19. Emerging as the premier brand in the lucrative teen demographic, Tagged.com is rapidly becoming the number one teen site on the web.”

Tagged claims 30 million registered users and they also acknowledge that 63% are 18 or older. Site Advisor hasn’t flagged this site yet even though its members don’t have a lot of good things to say.

Review of Site Advisor users


I was able to trace Kathie B’s Email address to a WinPatrol customer from 2004 who apparently had support@WinPatrol.com in her address book. Just how all the names from her address book were obtained by Tagged.com is a mystery for now. I do thank Kathie for giving me something to write about and will update y’all if we find out more.

