NORMAN — We looked last week at a few ways that someone’s email account could have been hacked. They were fake verification emails and fake login pages, fake “Vote for me” emails, “man-in-the-middle” attacks, using untrusted computers and/or forgetting to logoff, and virus infections.
Here are some more ways that the bad guys can hack an email account.
· Easy-to-answer security questions. Online accounts are easy to hack if you can answer the “security” questions that let you access “lost password” accounts. You know those questions you answered when you first set up the account, such as, “What is your mother’s maiden name?” “What is your favorite restaurant?” or “Who was your first-grade teacher?”
If this information is public knowledge or is on a website like Facebook, the account hacking chore is that much easier. This is how Sarah Palin’s Yahoo email account was hacked (see my column titled “Sarah Palin email hack another wakeup call,” 9-21-08, on my website).
I suggest using phony answers to security questions, i.e., “What is your mother’s maiden name?” Answer: “cheeseburger.”
· Lost or stolen devices. Zillions of laptop computers, cell phones and other portable electronic devices are lost or stolen every year. Do not store passwords or security question answers in an unencrypted file on these devices; just don’t.
· Using crummy passwords. Contrary to what you might see in the movies or on TV, computer criminals do not sit around trying to guess passwords; that’s what computers are for.
The bad guys use automated hacking programs to crack passwords; these programs are very fast and thorough. As a defense against these methods, remember that a good password will not resemble any word found in any dictionary on earth. Pass “phrases” are OK, too. See my column titled “Crummy passwords = hacked email accounts,” 6-24-12, on my website.
· Using the same password for everything. Well, surprise, surprise: You use the same password for email, eBay, Facebook and your bank account. The bad guys crack your Facebook password. Guess what else they have?
· Insecure browsers, websites, programs and operating systems. Insecure websites lead to insecure transactions. Use HTTPs for everything. Read my column titled “Batten down the hatches with encryption, Part One,” 5-24-09, on my website. After reading that column, consider using HTTPs Everywhere (eff.org/https-everywhere) in combination with the Firefox browser (mozilla.com).
In addition, everything in a computer requires frequent updating. That’s just the way it is. Updating plugs security holes. Microsoft Windows, Apple Mac OS X, Flash, Java, Adobe Reader, Microsoft Office, iTunes, QuickTime, Windows Media Player, Firefox, Google Chrome, Internet Explorer and Safari all require, as Star Trek’s Mr. Spock would say, “monitoring and periodic adjustment.” Maybe it’s a hassle, but that’s just the way it is; update and be safe.
· Computer security breaches and “leaks.” Government agencies, educational institutions and businesses get hacked every day. Sometimes huge, stupid, accidental information “leaks” occur, compromising the security and privacy of thousands, even millions of people at once.
For example, the passwords to 10,028 Hotmail accounts, all beginning with the letters A and B, were “somehow” posted to an online forum used by software developers on Oct. 1, 2009. This breach was witnessed and reported by journalists from the BBC. Speculation about hacked Microsoft servers flew around the Web.
Naturally, Microsoft insisted that it couldn’t be their fault. After much harrumphing and negotiating, Microsoft caused the website to delete the list and promised a swift investigation. Now, four years later, the results of that investigation are still unknown. BBC reporters postulated that since the list was only comprised of accounts beginning with A and B, the actual list, including the letters C through Z, could be much larger.
The bad guys of the Internet are sitting on huge stacks of leaked and breached information, potentially compromising the privacy and financial security of millions upon millions of people. God only knows if and when they will decide to exploit what they have. Until then, we wait.
Dave Moore has been performing computer consulting, repairs, security and networking in Oklahoma since 1984. He also teaches computer safety workshops for public and private organizations. He can be reached at 919-9901 or www.davemoorecomputers.