Password Hackers Do Big Business With Ex-Lovers
Hugh Pickens writes "The Washington Post reports that disgruntled lovers and spouses considering divorce are flocking to services like YourHackerz.com that boast they have little trouble hacking into Web-based e-mail systems like AOL, Yahoo, Gmail, Facebook and Hotmail. The services advertise openly, and there doesn't appear to be much anyone can do about it because while federal law prohibits hacking into e-mail, without further illegal activity, it's only a misdemeanor, says Orin Kerr, a law professor at George Washington University. 'The feds usually don't have the resources to investigate and prosecute misdemeanors,' says Kerr. 'And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace.' It's not clear where YourHackerz.com is located, but experts suspect that most password hacking businesses are based overseas."
RTFS (Score:5, Insightful)
Actually, web-based, free emails could be remarkably secure, if people weren't such morons about passwords.
compromised (Score:5, Insightful)
And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace
Simply do like most client systems and put in big red bold: "someone tried to connect to your account 32 times from w.x.y.z ...", and keep something like a 30-day log of connection history browsable somewhere. I'm sure modern techniques can also be used to highlight strange connection patterns and/or unusual connection locations. Although it's far from perfect, it at least gives some basic tools to be aware of and deal with this situation. And if the hackers know their address is not only logged in an obscure web log but also available to the user (with a nice helpful tips page about what to do and who to contact when you're a victim), it would probably intimidate some of them.
Re:So wait... (Score:5, Insightful)
You mean people actually still think that web-based, free emails are secure?
As opposed to client-based email, where you can simply get it all through the filesystem? Physical access is game over. So if you have 30 min with your ex's machine, that's pretty much game over if the mail resides on the client.
Re:Blaming the tools, instead of the behaviour... (Score:5, Insightful)
GMail has a nice line at the bottom, telling you from which other computer you are connected, when you last took any action, and then some more details. Anyone can take a look at it, but I don't expect many of their users to know what that is for, nor to check it every time they log in ...
Go to jail AND lose your divorce case (Score:4, Insightful)
Sure, you may uncover evidence of unfaithfulness in your divorce case, but your winnings in divorce case will be offset when you go to jail for computer trespass and the victim [your ex] sues the invader [you] for mega-bucks.
Oh, and if you tell your lawyer where you got the goods, it will trigger HIS ethical obligations. Yes, lawyers have ethical obligations, even those with no ethics.
How to secure against this (Score:4, Insightful)
There are two ways an adversary can obtain one's password:
The first attack can be countered by using Gmail with things set up to always use https for connections (near the bottom of the "settings" page).
The second attack can be countered by using a secure password that is easy to remember but hard to guess. For example, "MaraDNS.org" would not be a very good password for this account; however, "otif10md" ("One time I fell 10 meters down") would be a good password. Or, in my case, I use a secure hashing algorithm where a common secret is concatenated with the name of the website I visit to get a secure password, akin to using the MD5 sum of "This is secret;slashdot.org" to get a password.
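The per-site derivation scheme described in the comment above, as an added example (not the commenter's code, and every secret and site name in it is constructed for illustration). It shows the hash-of-"secret;site" idea as stated, a PBKDF2 variant that uses the site name as the salt, and the caveat a practitioner would raise: because the derived password is itself the secret handed to each site, a single site that leaks it lets an attacker try candidate master secrets offline, and with a fast unsalted hash every other site's password falls with it. The slow KDF does not remove that weakness, it only raises the cost of each guess.

```python
import base64
import hashlib

# Constructed values for illustration only; a real shared secret must never live in source.
SECRET = "This is secret"
SITE = "slashdot.org"


def md5_scheme(secret: str, site: str) -> str:
    """The scheme as described: MD5 of 'secret;site', hex-encoded. One hash per guess."""
    return hashlib.md5(f"{secret};{site}".encode()).hexdigest()


def pbkdf2_scheme(secret: str, site: str, iterations: int = 100_000, length: int = 20) -> str:
    """Same idea with a slow, salted KDF: the site name is the salt, so each site gets a
    different password, and each guess at the master secret costs `iterations` hashes."""
    raw = hashlib.pbkdf2_hmac("sha256", secret.encode(), site.encode(), iterations, dklen=32)
    return base64.b64encode(raw).decode()[:length]


def recover_secret(leaked_password: str, site: str, candidates, scheme):
    """Offline attack after one site leaks its derived password: try candidate master
    secrets until the scheme reproduces the leaked value. Returns the secret or None."""
    for guess in candidates:
        if scheme(guess, site) == leaked_password:
            return guess
    return None


if __name__ == "__main__":
    # Constructed dictionary; the real attack would use a far larger wordlist.
    candidates = ["password", "letmein", "This is secret", "hunter2"]
    leaked = md5_scheme(SECRET, SITE)
    master = recover_secret(leaked, SITE, candidates, md5_scheme)
    print("recovered master secret:", master)
    # Once the master secret is known, every other site's password is derivable.
    print("password for bank.example:", md5_scheme(master, "bank.example"))
    print("pbkdf2 variant for same site:", pbkdf2_scheme(SECRET, SITE))
```

Run it as a script to see the recovery play out; the PBKDF2 variant makes the same loop roughly 100,000 times slower per guess, which is the only difference between the two schemes from the attacker's side.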
Re:RTFS (Score:5, Insightful)
Actually, web-based, free emails could be remarkably secure, if people weren't such morons about passwords.
I'd imagine it has more to do with those damn required "Security Questions", many of which use publicly available information.
Even the services which allow you to specify the question and answer are probably no match for a cracker working in conjunction with an Ex.
I'd be more worried about what the crackers do with the knowledge they acquire as far as your other accounts are concerned. Sure, they may hack the e-mail account for you, but they're just as likely to clear out your bank account afterwards.
Re:compromised (Score:5, Insightful)
Simply do like most client systems and put in big red bold: "someone tried to connect to your account 32 times from w.x.y.z ...", and keep something like a 30 days log of connection history browsable somewhere.
Yeah, because the average person is going to know what subnet or network they're coming in from. And they'll remember that time they logged in from the coffee house. No -- the information is useless to the average person because they don't know how to interpret it. It'd be like me telling you that the R0 of variola vera is about 6.5. Meaningless to you in this context.
Re:How to secure against this (Score:2, Insightful)
Yes, but you have to take into consideration that if the company was real, they wouldn't be operating locally. They'd be operating remotely. Which pretty much rules the former situation out.
Also, I was convinced that SSL was the de-facto standard for GMAIL and other web-mail services...
As I said in my previous post, it has been reported that the 'hackers' are merely scamming people's money (as expected) and not delivering the service.
Re:Blaming the tools, instead of the behaviour... (Score:3, Insightful)
Most people don't make efforts.
Maybe if the last activity notice were in the sidebar or near the top of the screen it might be more effective.
I also love how the lead-in to the story discusses a woman who apparently became jealous because her "married boyfriend" was cheating on her...
Re:RTFS (Score:4, Insightful)
Re:compromised (Score:4, Insightful)
No -- the information is useless to the average person because they don't know how to interpret it.
So? Help them interpret it. That's what computers are for. You can't tell me that that raw data can't be presented in some way that does make sense to Average Joe and at least gives him the idea that somebody is screwing with him.
Re:Trivial. (Score:3, Insightful)
That's what I'm wondering, actually. As a Gmail user with a relatively long and complicated password, how would these services go about hacking into my Gmail account? All connections in and out are SSL'd, I don't use public WiFi without a VPN, my home WiFi is secured relatively well... Short of e-mailing me a trojan, what options do these guys have?
Your password may be long and complicated, but look closely at your "security questions." If the client has been lubing your junk, odds are that she knows your dog's name is Archibald and your favorite color is mauve.
"Forgot my password" indeed.
Re:Trivial. (Score:1, Insightful)
Actually, my favorite colour is 'spaghetti' and my dog's name is 'A Winter's Tale'.
Re:Moo, moo. (Score:3, Insightful)
That, and most guys just want to be done with the drama and suffer in silence when it ends.
we save that for the next common cold...
Re:compromised (Score:1, Insightful)
Are you saying the average person will have trouble interpreting something like this:
"The last time you logged in was yesterday at 3:15 P.M."
And some people actually gave you +Insightful for this?
The context is simple. You are presented the date and time of your last login. Don't remember logging in at that time? Deduction, someone else did.
There is nothing useless about simple information we all understand. Why jump to the technical details of subnets etc.?
That kind of information you keep in the logs, obviously. Give the client the information they can use.
Re:compromised (Score:4, Insightful)
"Since the last successful login Yesterday at 7:13, 48 attempts to log into your account with a wrong password have been made from 3 locations. [details]"
Simple as that. More detail wouldn't help most users, so let them know something potentially bad is happening. If they care about their account, they'll have a techie friend look into it.
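The notice proposed in the comment above (and the per-address history and unusual-location flag suggested earlier in the thread), worked through as an added example rather than anything from the original posts. The log format and every address and timestamp are constructed; a real mail provider would read its own authentication log. It parses a small auth log, counts failed attempts grouped by source address since the user's last successful login, flags successful logins from an address never used before, and renders the one-line, non-technical message the commenter describes.

```python
from collections import Counter
from datetime import datetime

# Constructed sample auth log (not real data).
# Format per line: <ISO timestamp> <user> <OK|FAIL> <source IP>
SAMPLE_LOG = """\
2009-01-10T08:00:00 alice OK 192.0.2.10
2009-01-11T19:02:11 alice OK 198.51.100.77
2009-01-11T22:15:40 bob FAIL 203.0.113.5
2009-01-12T07:13:00 alice OK 192.0.2.10
2009-01-12T09:41:07 alice FAIL 203.0.113.5
2009-01-12T09:41:20 alice FAIL 203.0.113.5
2009-01-12T09:42:03 alice FAIL 203.0.113.5
2009-01-12T13:05:55 alice FAIL 198.51.100.77
2009-01-12T13:06:10 alice FAIL 198.51.100.77
2009-01-12T18:30:00 bob OK 192.0.2.44
2009-01-12T21:12:49 alice FAIL 203.0.113.9
"""


def parse_log(text):
    """Turn log lines into (timestamp, user, succeeded, ip) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result == "OK", ip))
    return events


def failures_since_last_success(events, user):
    """Return (last successful event, Counter of failing source IPs after it).
    last event is None if the user has never logged in successfully."""
    mine = sorted(e for e in events if e[1] == user)
    successes = [e for e in mine if e[2]]
    if not successes:
        return None, Counter()
    last_ok = successes[-1]
    fails = Counter(e[3] for e in mine if not e[2] and e[0] > last_ok[0])
    return last_ok, fails


def new_location_logins(events, user):
    """Successful logins from a source IP never seen in an earlier successful login.
    The very first login is the baseline and is not flagged."""
    seen, flagged = set(), []
    for ts, _, _, ip in sorted(e for e in events if e[1] == user and e[2]):
        if seen and ip not in seen:
            flagged.append((ts, ip))
        seen.add(ip)
    return flagged


def render_notice(events, user):
    """The plain-language banner a webmail UI could show at login."""
    last_ok, fails = failures_since_last_success(events, user)
    if last_ok is None:
        return "No successful login on record."
    when = last_ok[0].strftime("%Y-%m-%d at %H:%M")
    total = sum(fails.values())
    if total == 0:
        return f"Last successful login {when} from {last_ok[3]}. No failed attempts since."
    return (f"Since the last successful login on {when} from {last_ok[3]}, {total} attempts "
            f"to log into your account with a wrong password have been made from "
            f"{len(fails)} locations.")


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(render_notice(events, "alice"))
    for ts, ip in new_location_logins(events, "alice"):
        print(f"New location: login from {ip} on {ts:%Y-%m-%d at %H:%M}")
    print("[details]", dict(failures_since_last_success(events, "alice")[1]))
```

The per-address Counter is the "[details]" the commenter leaves for the techie friend; the banner itself only carries a count and a number of locations, which is the level of detail the thread argues an average user can act on.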
Re:Crime for profit a misdemeanor? (Score:1, Insightful)
And the difference this makes to someone operating out of a woodshed in Novosibirsk is...?