Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password Hackers Do Big Business With Ex-Lovers

Posted by ryuzaki0 on from the time-to-get-sneakier dept.

Hugh Pickens writes "The Washington Post reports that disgruntled lovers and spouses considering divorce are flocking to services like YourHackerz.com that boast they have little trouble hacking into Web-based e-mail systems like AOL, Yahoo, Gmail, Facebook and Hotmail. The services advertise openly, and there doesn't appear to be much anyone can do about it because while federal law prohibits hacking into e-mail, without further illegal activity, it's only a misdemeanor, says Orin Kerr, a law professor at George Washington University. 'The feds usually don't have the resources to investigate and prosecute misdemeanors,' says Kerr. 'And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace.' It's not clear where YourHackerz.com is located, but experts suspect that most password hacking businesses are based overseas."

13 of 197 comments (clear)

  1. RTFS by SanityInAnarchy · · Score: 4, Insightful

    Actually, web-based, free emails could be remarkably secure, if people weren't such morons about passwords.

    --
    Don't thank God, thank a doctor!
    1. Re:RTFS by Anonymous Coward · · Score: 5, Insightful

      Actually, web-based, free emails could be remarkably secure, if people weren't such morons about passwords.

      I'd imagine it has more to do with those damn required "Security Questions", many of which use publicly available information.
      Even the services which allow you to specify the question and answer are probably no match for a cracker working in conjunction with an Ex.

      I'd be more worried about what the crackers do with the knowledge they acquire as far as your other accounts are concerned, sure they may hack the e-mail account for you, but they're just as likely to clear out your bank account afterwords.

    2. Re:RTFS by anagama · · Score: 3, Insightful

      With respect to security questions, I'm more concerned about companies gathering needlessly private info about me. So I make up answers and record those along with my username and password in my encrypted password list.

      --
      What changed under Obama? Nothing Good
    3. Re:RTFS by houghi · · Score: 4, Insightful

      Sure. That is what people tell me all the time to use a secure password. http://maord.com/ can easily help you with that. So now I have a secure password like cJQKUG4P generated by that website.
      Obviously like most people I have a bunch of different logins, many where I was not able to select my own login. To be secure I must use several ones. e.g. one for work, one for the bank, one for mail and one for websites.
      9b3MHDHz
      m4YBn3t8
      vMSLs44e
      CsQnP5Fy

      These four I must remember and change every month. And that is if I only use four and group my logins. If I want to be really secure, I will use a different one for each login I am able to change the password (17 of them, not calculating the many websites):
      UVvCUmE3
      Snip 15 random passwords
      Lameness filter encountered. Post aborted!
      Filter error: That's an awful long string of letters there.
      qAv9qZHR

      I am not allowed to save them. I must memorize them. Yes, there are other options, like using the first letters of a sentence, but due to the sheer number of logins it becomes impossible.

      It is a known fact that people are stupid. If you make something that proves that fact, then the problem is not the moron users, but the designers. I have no clear answer on how to solve it, but I would start with removing the forceful changing of passwords every month. That WILL lead to weaker passwords.

      --
      Don't fight for your country, if your country does not fight for you.
  2. compromised by Korbeau · · Score: 5, Insightful

    And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace

    Simply do like most client systems and put in big red bold: "someone tried to connect to your account 32 times from w.x.y.z ...", and keep something like a 30 days log of connection history browsable somewhere. I'm sure modern techniques can also be used to highlight strange connection patterns and/or unusual connection location. Although it's far from perfect it at least gives some basic tools to be aware and deal with this situation. And if the hackers know their address is not only logged in an obscure web log but also available to the user (with a nice helpful tips page about what to do and who to contact when you're a victim) it would probably intimidate part of them.

    1. Re:compromised by girlintraining · · Score: 4, Insightful

      Simply do like most client systems and put in big red bold: "someone tried to connect to your account 32 times from w.x.y.z ...", and keep something like a 30 days log of connection history browsable somewhere.

      Yeah, because the average person is going to know what subnet or network they're coming in from. And they'll remember that time they logged in from the coffee house. No -- the information is useless to the average person because they don't know how to interpret it. It'd be like me telling you that the R0 of variola vera is about 6.5. Meaningless to you in this context.

      --
      #fuckbeta #iamslashdot #dicemustdie
    2. Re:compromised by ScrewMaster · · Score: 3, Insightful

      No -- the information is useless to the average person because they don't know how to interpret it.

      So? Help them interpret it. That's what computers are for. You can't tell me that that raw data can't be presented in some way that does make sense to Average Joe and at least gives him the idea that somebody is screwing with him.

      --
      The higher the technology, the sharper that two-edged sword.
    3. Re:compromised by darthflo · · Score: 3, Insightful

      "Since the last successful login Yesterday at 7:13, 48 attempts to log into your account with a wrong password have been made from 3 locations. [details]"

      Simple as that. More detail wouldn't help most users, so let them know something potentially bad is happening. If they care about their account, they'll have a techie friend look into it.

  3. Re:So wait... by linhares · · Score: 4, Insightful

    You mean people actually still think that web-based, free emails are secure?

    As opposed to a client-based email, where you can simply get it all through the filesystem? Physical access is game-over. So if you have 30min with your ex's machine, that's pretty much game over, if residing in clients.

  4. Re:Blaming the tools, instead of the behaviour... by PIBM · · Score: 4, Insightful

    GMail has a nice line at the bottom, telling you from which other computer you are connected, when you last took any action, and then some more details. Anyone can take a look at it, but I don't expect much of their users to know what that is for, nor to check it everytime they login ...

  5. Go to jail AND lose your divorce case by davidwr · · Score: 4, Insightful

    Sure, you may uncover evidence of unfaithfulness in your divorce case, but your winnings in divorce case will be offset when you go to jail for computer trespass and the victim [your ex] sues the invader [you] for mega-bucks.

    Oh, and if you tell your lawyer where you got the goods, it will trigger HIS ethical obligations. Yes, lawyers have ethical obligations, even those with no ethics.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  6. How to secure against this by MaraDNS · · Score: 4, Insightful

    There are two ways an advisory can obtain one's password:

    • They can have a machine on the same LAN sniff their password
    • The advisory can use dictionary attacks, based on the person's personal information, to obtain the password.

    The first attack can be countered by using Gmail with things set up to always use https for connections (near the bottom of the "settings" page).

    The second attack can be countered by using a secure password that is easy to remember but hard to guess. For example, "MaraDNS.org" would not be a very good password for this account, however "otif10md" ("One time I fell 10 meters down") would be a good password. Or, in my case, I use a secure hashing algorithm where a common secret is concatenated with the name of the website I visit to get a secure password, akin to using the Md5 sum of "This is secret;slashdot.org" to get a password.

    --
    MaraDNS is an open-source DNS server.
  7. Re:Blaming the tools, instead of the behaviour... by Hrdina · · Score: 3, Insightful

    The problem with that little notice is that if you have a lot of email in your inbox, you have to make an effort to scroll down to see it.

    Most people don't make efforts.

    Maybe if the last activity notice were in the sidebar or near the top of the screen it might be more effective.

    I also love how the lead-in to the story discusses a woman who apparently became jealous because her "married boyfriend" was cheating on her...