Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password Hackers Do Big Business With Ex-Lovers

Posted by ryuzaki0 on from the time-to-get-sneakier dept.

Hugh Pickens writes "The Washington Post reports that disgruntled lovers and spouses considering divorce are flocking to services like YourHackerz.com that boast they have little trouble hacking into Web-based e-mail systems like AOL, Yahoo, Gmail, Facebook and Hotmail. The services advertise openly, and there doesn't appear to be much anyone can do about it because while federal law prohibits hacking into e-mail, without further illegal activity, it's only a misdemeanor, says Orin Kerr, a law professor at George Washington University. 'The feds usually don't have the resources to investigate and prosecute misdemeanors,' says Kerr. 'And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace.' It's not clear where YourHackerz.com is located, but experts suspect that most password hacking businesses are based overseas."

16 of 197 comments (clear)

  1. RTFS by SanityInAnarchy · · Score: 4, Insightful

    Actually, web-based, free emails could be remarkably secure, if people weren't such morons about passwords.

    --
    Don't thank God, thank a doctor!
    1. Re:RTFS by Mooga · · Score: 4, Funny

      I just post my Username and Password on Bugmenot so I don't need to worry about ever forgetting it.

      --
      ~ Mooga
    2. Re:RTFS by Anonymous Coward · · Score: 5, Insightful

      Actually, web-based, free emails could be remarkably secure, if people weren't such morons about passwords.

      I'd imagine it has more to do with those damn required "Security Questions", many of which use publicly available information.
      Even the services which allow you to specify the question and answer are probably no match for a cracker working in conjunction with an Ex.

      I'd be more worried about what the crackers do with the knowledge they acquire as far as your other accounts are concerned, sure they may hack the e-mail account for you, but they're just as likely to clear out your bank account afterwords.

    3. Re:RTFS by houghi · · Score: 4, Insightful

      Sure. That is what people tell me all the time to use a secure password. http://maord.com/ can easily help you with that. So now I have a secure password like cJQKUG4P generated by that website.
      Obviously like most people I have a bunch of different logins, many where I was not able to select my own login. To be secure I must use several ones. e.g. one for work, one for the bank, one for mail and one for websites.
      9b3MHDHz
      m4YBn3t8
      vMSLs44e
      CsQnP5Fy

      These four I must remember and change every month. And that is if I only use four and group my logins. If I want to be really secure, I will use a different one for each login I am able to change the password (17 of them, not calculating the many websites):
      UVvCUmE3
      Snip 15 random passwords
      Lameness filter encountered. Post aborted!
      Filter error: That's an awful long string of letters there.
      qAv9qZHR

      I am not allowed to save them. I must memorize them. Yes, there are other options, like using the first letters of a sentence, but due to the sheer number of logins it becomes impossible.

      It is a known fact that people are stupid. If you make something that proves that fact, then the problem is not the moron users, but the designers. I have no clear answer on how to solve it, but I would start with removing the forceful changing of passwords every month. That WILL lead to weaker passwords.

      --
      Don't fight for your country, if your country does not fight for you.
    4. Re:RTFS by xaxa · · Score: 5, Funny

      "Hello, Student Loans Company, do you have a reference number?"
      "Yes, L238BNM"
      "Could you tell me the fourth letter of your mother's maiden... hmm... I'm sorry sir, I think there's a problem with the system, please--"
      "Is it a hash symbol?"
      "Er... yes. And the first letter of your first pet's name?"
      "The number 8"
      "That's correct."

  2. compromised by Korbeau · · Score: 5, Insightful

    And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace

    Simply do like most client systems and put in big red bold: "someone tried to connect to your account 32 times from w.x.y.z ...", and keep something like a 30 days log of connection history browsable somewhere. I'm sure modern techniques can also be used to highlight strange connection patterns and/or unusual connection location. Although it's far from perfect it at least gives some basic tools to be aware and deal with this situation. And if the hackers know their address is not only logged in an obscure web log but also available to the user (with a nice helpful tips page about what to do and who to contact when you're a victim) it would probably intimidate part of them.

    1. Re:compromised by girlintraining · · Score: 4, Insightful

      Simply do like most client systems and put in big red bold: "someone tried to connect to your account 32 times from w.x.y.z ...", and keep something like a 30 days log of connection history browsable somewhere.

      Yeah, because the average person is going to know what subnet or network they're coming in from. And they'll remember that time they logged in from the coffee house. No -- the information is useless to the average person because they don't know how to interpret it. It'd be like me telling you that the R0 of variola vera is about 6.5. Meaningless to you in this context.

      --
      #fuckbeta #iamslashdot #dicemustdie
    2. Re:compromised by moonbender · · Score: 4, Informative

      Google Mail gives you an activity log: http://mail.google.com/support/bin/answer.py?ctx=gmail&answer=45938

      It's pretty damn cool.

      --
      Switch back to Slashdot's D1 system.
  3. Re:So wait... by linhares · · Score: 4, Insightful

    You mean people actually still think that web-based, free emails are secure?

    As opposed to a client-based email, where you can simply get it all through the filesystem? Physical access is game-over. So if you have 30min with your ex's machine, that's pretty much game over, if residing in clients.

  4. Moo, moo. by girlintraining · · Score: 4, Interesting

    Yeah, well I'd say it's a big reason why I get phone calls. I hung my shingle out a long time ago about being a computer geek. People usually come to me for one of three reasons: First, their computer's suddenly running slow. "But I've tried everything." Malware is the main reason. Second is "It won't turn on anymore." Coffee spill on laptop, or HDD failure without error message. And the third most common reason: "I want to ruin someone's life! You're a hacker, right?"

    Of course, these are my friends, not strangers. I usually oblige them by asking if they knew what common passwords their ex used, any websites they frequented, the full spelling of their name, date of birth, and social security number. And the strange part is: They usually know all of these things. You know what I do then? Nothing. Not a damn thing. I sit down and have a long talk with them about personal security and how just like we don't go out alone at night (I'm a girl. Most of my friends are girls -- I know most of you are dudes and don't think about it much), we also need to take precautions online! This is usually said while saying what a bastard the guy was. And I give them a pat on the head, some candy I keep around for this purpose, and send them on their way.

    I'm a white hat (eh, most of the time). But a lot of people just like me know this about others because they've hung their shingle out too and announced they're a geek. And not all of them are going to have an ethical hangup about sucking up all your personal data, hacking your accounts, and leaving "I have a small penis" written to all your friends. Because really... The average person if you do go through all the effort to get them access just sits there feeling all powerful for a minute and then does something incredibly juvenile that'll make you wish you'd done your laundry instead of wasted two hours at the keyboard.

    My advice to you people: Love your partner. But do not give them the root password!

    P.S. Only once ever have I done a spot of sleuthing that I felt was worth it -- when I discovered a friend-of-a-friend was dating a terrorist. No, I don't mean the fluffy-bunny kind that the media portrays either (everything is terrorism these days). No, I mean the guy came overseas, setup shop over here, and was doing serious criminal enterprise and had cases open with a half-dozen agencies. A few days later, a police officer informed her that if she valued her life, she should cease contact with him immediately. Fun times. Everything else though? Boring as shit.

    --
    #fuckbeta #iamslashdot #dicemustdie
  5. Re:Blaming the tools, instead of the behaviour... by PIBM · · Score: 4, Insightful

    GMail has a nice line at the bottom, telling you from which other computer you are connected, when you last took any action, and then some more details. Anyone can take a look at it, but I don't expect much of their users to know what that is for, nor to check it everytime they login ...

  6. Go to jail AND lose your divorce case by davidwr · · Score: 4, Insightful

    Sure, you may uncover evidence of unfaithfulness in your divorce case, but your winnings in divorce case will be offset when you go to jail for computer trespass and the victim [your ex] sues the invader [you] for mega-bucks.

    Oh, and if you tell your lawyer where you got the goods, it will trigger HIS ethical obligations. Yes, lawyers have ethical obligations, even those with no ethics.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  7. Password hints by PPH · · Score: 5, Funny

    What is your girlfriend's name? Let's see the wife try to guess that one.

    --
    Have gnu, will travel.
  8. Double Standards... by fiendishfish · · Score: 5, Interesting

    Quite a ingenius scam really. The following link - http://www.complaintsboard.com/complaints/yourhackerzcom-c141692.html [complaintsboard.com] - suggests that they take your 'hard earned money' and then blackmail you. Saying that they will tell the person you are trying to 'hack' if you don't send them $1000. It made me lol.

  9. How to secure against this by MaraDNS · · Score: 4, Insightful

    There are two ways an advisory can obtain one's password:

    • They can have a machine on the same LAN sniff their password
    • The advisory can use dictionary attacks, based on the person's personal information, to obtain the password.

    The first attack can be countered by using Gmail with things set up to always use https for connections (near the bottom of the "settings" page).

    The second attack can be countered by using a secure password that is easy to remember but hard to guess. For example, "MaraDNS.org" would not be a very good password for this account, however "otif10md" ("One time I fell 10 meters down") would be a good password. Or, in my case, I use a secure hashing algorithm where a common secret is concatenated with the name of the website I visit to get a secure password, akin to using the Md5 sum of "This is secret;slashdot.org" to get a password.

    --
    MaraDNS is an open-source DNS server.
  10. How do they work? by Anonymous Coward · · Score: 5, Interesting

    If you're curious how these things work, here's a write-up of a typical example of one of these services.