Password Hackers Do Big Business With Ex-Lovers

Hugh Pickens writes "The Washington Post reports that disgruntled lovers and spouses considering divorce are flocking to services like YourHackerz.com that boast they have little trouble hacking into Web-based e-mail systems like AOL, Yahoo, Gmail, Facebook and Hotmail. The services advertise openly, and there doesn't appear to be much anyone can do about it because while federal law prohibits hacking into e-mail, without further illegal activity, it's only a misdemeanor, says Orin Kerr, a law professor at George Washington University. 'The feds usually don't have the resources to investigate and prosecute misdemeanors,' says Kerr. 'And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace.' It's not clear where YourHackerz.com is located, but experts suspect that most password hacking businesses are based overseas."

RTFS

[SanityInAnarchy]

Actually, web-based, free emails could be remarkably secure, if people weren't such morons about passwords.

Re:RTFS

Actually, web-based, free emails could be remarkably secure, if people weren't such morons about passwords.

I'd imagine it has more to do with those damn required "Security Questions", many of which use publicly available information.
Even the services which allow you to specify the question and answer are probably no match for a cracker working in conjunction with an Ex.

I'd be more worried about what the crackers do with the knowledge they acquire as far as your other accounts are concerned, sure they may hack the e-mail account for you, but they're just as likely to clear out your bank account afterwords.

Re:RTFS

[anagama]

With respect to security questions, I'm more concerned about companies gathering needlessly private info about me. So I make up answers and record those along with my username and password in my encrypted password list.

Re:RTFS

[houghi]

Sure. That is what people tell me all the time to use a secure password. http://maord.com/ can easily help you with that. So now I have a secure password like cJQKUG4P generated by that website.
Obviously like most people I have a bunch of different logins, many where I was not able to select my own login. To be secure I must use several ones. e.g. one for work, one for the bank, one for mail and one for websites.
9b3MHDHz
m4YBn3t8
vMSLs44e
CsQnP5Fy

These four I must remember and change every month. And that is if I only use four and group my logins. If I want to be really secure, I will use a different one for each login I am able to change the password (17 of them, not calculating the many websites):
UVvCUmE3
Snip 15 random passwords
Lameness filter encountered. Post aborted!
Filter error: That's an awful long string of letters there.
qAv9qZHR

I am not allowed to save them. I must memorize them. Yes, there are other options, like using the first letters of a sentence, but due to the sheer number of logins it becomes impossible.

It is a known fact that people are stupid. If you make something that proves that fact, then the problem is not the moron users, but the designers. I have no clear answer on how to solve it, but I would start with removing the forceful changing of passwords every month. That WILL lead to weaker passwords.

Re:RTFS

[houghi]

Nonsense. While Chrome doesn't seem to have this yet, Firefox and Konqueror come with encrypted password stores out of the box.

There are some computers that are under my control. There are some that are NOT under my control. I cn not install software on those systems. I can not add anything on those systems. Further not all logins are weblogins and some that are only work on very locked down IE machines where I can not even do a 'save password'.

Finally, there is the option to use client-side certificates and/or OpenID, with services that support them. This would allow you to choose whatever means of authentication you like, passwords or otherwise.

Almost none have this option. Those are the ones I use privately from my own box, so no issue there. The ones that bother me are all the different systems I need to access remotely. The worst I ever had to work with was a forced password change every 5 days.
I now have several digipasses laying around for different systems.

One is for a company where I first have to enter a login and then the digicode with a pincode, then the same login with a password, then a different login with a different password.
So what I have done is against all security. We have a dedicated machine just for that application (was also a requirement. We needed to install their closed source software, so we decided not to use a standard machine for it.) I have placed a text file on the PC I use it on with all the details AND I have connected the code generator thing to the keyboard AND have the login and password on the monitor so people can login both as user and as admin.
Yes I know it is extremely bad practice. I need the machine perhaps once every two weeks and then I need it fast. I then do not have the time looking what the logins where and where that stupid key was again.

So by increasing the security on their side by doing all the things that are possible, they actually have decreased it in the end. The main difference is that if something goes wrong, they can blame me. So to me that means this is not about security, but about pointing fingers and placing the blame on somebody else.

Some others are not that bad, but still pretty awefull. What I actually do is have the same password, but often I have to guess the login, because I have not chosen them myself and they are various variations on first name, last name, company, numbers and whatever they can think of is logical to THEM.

These are third parties where my company works for and makes money from, so the only option not to use it is taking another job where I most likely would be in a similar situation, unless I would change my sort of job I do.

No, the right approach is to increase the ease with which someone could use the system properly, and how far "properly" extends.

Yes, unfortunately many systems are not under my control. Actually most systems are not under my control. They are third parties or for some other reason beyond my control. The most known reason is that instead of understanding that people have many, many logins nowadays, the sole interest is that they can show that they have done what needs to be done. By doing that, they will cause that people write logins and passwords down. I know that a lot of people use other peoples passwords and logins on some systems, because 'security' is so tight getting a new password is too much of a hassle and takes sometimes two days.

So if after say 20 years of intensive computer usage by non-geeks what we do now does not work, I would suggest we should start looking for something else.

compromised

[Korbeau]

And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace

Simply do like most client systems and put in big red bold: "someone tried to connect to your account 32 times from w.x.y.z ...", and keep something like a 30 days log of connection history browsable somewhere. I'm sure modern techniques can also be used to highlight strange connection patterns and/or unusual connection location. Although it's far from perfect it at least gives some basic tools to be aware and deal with this situation. And if the hackers know their address is not only logged in an obscure web log but also available to the user (with a nice helpful tips page about what to do and who to contact when you're a victim) it would probably intimidate part of them.

Re:compromised

[girlintraining]

Simply do like most client systems and put in big red bold: "someone tried to connect to your account 32 times from w.x.y.z ...", and keep something like a 30 days log of connection history browsable somewhere.

Yeah, because the average person is going to know what subnet or network they're coming in from. And they'll remember that time they logged in from the coffee house. No -- the information is useless to the average person because they don't know how to interpret it. It'd be like me telling you that the R0 of variola vera is about 6.5. Meaningless to you in this context.

Re:compromised

[ScrewMaster]

No -- the information is useless to the average person because they don't know how to interpret it.

So? Help them interpret it. That's what computers are for. You can't tell me that that raw data can't be presented in some way that does make sense to Average Joe and at least gives him the idea that somebody is screwing with him.

Re:compromised

Are you saying the average person will have trouble interpreting something like this:

"The last time you logged in was yesterday at 3:15 P.M."

And some people actually gave you +Insightful for this?

The context is simple. You are presented the date and time of your last login. Don't remember logging in at that time? Deduction, someone else did.

There is nothing useless about simple information we all understand. Why jump to the technical details of subnets etc.?
That kind of information you keep in the logs, obviously. Give th client the information they can use.

Re:compromised

[darthflo]

"Since the last successful login Yesterday at 7:13, 48 attempts to log into your account with a wrong password have been made from 3 locations. [details]"

Simple as that. More detail wouldn't help most users, so let them know something potentially bad is happening. If they care about their account, they'll have a techie friend look into it.

Re:So wait...

[linhares]

You mean people actually still think that web-based, free emails are secure?

As opposed to a client-based email, where you can simply get it all through the filesystem? Physical access is game-over. So if you have 30min with your ex's machine, that's pretty much game over, if residing in clients.

Re:Blaming the tools, instead of the behaviour...

[PIBM]

GMail has a nice line at the bottom, telling you from which other computer you are connected, when you last took any action, and then some more details. Anyone can take a look at it, but I don't expect much of their users to know what that is for, nor to check it everytime they login ...

Go to jail AND lose your divorce case

[davidwr]

Sure, you may uncover evidence of unfaithfulness in your divorce case, but your winnings in divorce case will be offset when you go to jail for computer trespass and the victim [your ex] sues the invader [you] for mega-bucks.

Oh, and if you tell your lawyer where you got the goods, it will trigger HIS ethical obligations. Yes, lawyers have ethical obligations, even those with no ethics.

How to secure against this

[MaraDNS]

There are two ways an advisory can obtain one's password:

• They can have a machine on the same LAN sniff their password
• The advisory can use dictionary attacks, based on the person's personal information, to obtain the password.

The first attack can be countered by using Gmail with things set up to always use https for connections (near the bottom of the "settings" page).

The second attack can be countered by using a secure password that is easy to remember but hard to guess. For example, "MaraDNS.org" would not be a very good password for this account, however "otif10md" ("One time I fell 10 meters down") would be a good password. Or, in my case, I use a secure hashing algorithm where a common secret is concatenated with the name of the website I visit to get a secure password, akin to using the Md5 sum of "This is secret;slashdot.org" to get a password.

Re:How to secure against this

[fiendishfish]

Yes, but you have to take into consideration that if the company was real, they wouldn't be operating locally. They'd be operating remotely. Which pretty much rules the former situation out.

Also, I was convinced that SSL was the de-facto standard for GMAIL and other web-mail services...

As I said in my previous post, it has been reported that the 'hackers' are merely scamming peoples money (as expected) and not delivering the service.

Re:Blaming the tools, instead of the behaviour...

[Hrdina]

The problem with that little notice is that if you have a lot of email in your inbox, you have to make an effort to scroll down to see it.

Most people don't make efforts.

Maybe if the last activity notice were in the sidebar or near the top of the screen it might be more effective.

I also love how the lead-in to the story discusses a woman who apparently became jealous because her "married boyfriend" was cheating on her...

Re:Trivial.

[geminidomino]

That's what I'm wondering, actually. As a Gmail user with a relatively long and complicated password, how would these services go about hacking into my Gmail account? All connections in and out are SSL'd, I don't use public WiFi without a VPN, my home WiFi is secured relatively well... Short of e-mailing me a trojan, what options do these guys have?

Your password may be long and complicated, but examine closely at your "security questions." If the client has been lubing your junk, odds are that she knows your dog's name is Archibald and your favorite color is mauve.

"Forgot my password" indeed.

Re:Trivial.

Actually, my favorite colour is 'spaghetti' and my dog's name is 'A Winter's Tale'.

Re:Moo, moo.

[bickerdyke]

That, and most guys just want to be done with the drama and suffer in silence when it ends.

we save that for the next common cold...

Re:Crime for profit a misdemeanor?

And the difference this makes to someone operating out of a woodshed in Novosibirsk is...?