5817379
story
Comments: 197 +- IT: Password Hackers Do Big Business With Ex-Lovers on Monday September 07, @11:46AM
background: url(//a.fsdn.com/sd/topics/topicsecurity.gif); width:59px; height:78px;
security
background: url(//a.fsdn.com/sd/topics/topicit.gif); width:75px; height:61px;
it
Hugh Pickens writes "The Washington Post reports that disgruntled lovers and spouses considering divorce are flocking to services like YourHackerz.com that boast they have little trouble hacking into Web-based e-mail systems like AOL, Yahoo, Gmail, Facebook and Hotmail. The services advertise openly, and there doesn't appear to be much anyone can do about it because while federal law prohibits hacking into e-mail, without further illegal activity, it's only a misdemeanor, says Orin Kerr, a law professor at George Washington University. 'The feds usually don't have the resources to investigate and prosecute misdemeanors,' says Kerr. 'And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace.' It's not clear where YourHackerz.com is located, but experts suspect that most password hacking businesses are based overseas."
Related Stories
: by
One person's error is another person's data.
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.
Blaming the tools, instead of the behaviour... (Score:2, Informative)
"normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace."
Well that's incorrect. I'd be fairly confident that most web-based email services have a way of telling when you logged into your account last (otherwise how would they know when to deactivate your account after X months of inactivity?) - they simply choose not to allow Joe Average to access this information.
Re:Blaming the tools, instead of the behaviour... (Score:5, Insightful)
GMail has a nice line at the bottom, telling you from which other computer you are connected, when you last took any action, and then some more details. Anyone can take a look at it, but I don't expect much of their users to know what that is for, nor to check it everytime they login ...
Parent
Re: (Score:3, Insightful)
Most people don't make efforts.
Maybe if the last activity notice were in the sidebar or near the top of the screen it might be more effective.
I also love how the lead-in to the story discusses a woman who apparently became jealous because her "married boyfriend" was cheating on her...
compromised (Score:5, Insightful)
And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace
Simply do like most client systems and put in big red bold: "someone tried to connect to your account 32 times from w.x.y.z ...", and keep something like a 30 days log of connection history browsable somewhere. I'm sure modern techniques can also be used to highlight strange connection patterns and/or unusual connection location. Although it's far from perfect it at least gives some basic tools to be aware and deal with this situation. And if the hackers know their address is not only logged in an obscure web log but also available to the user (with a nice helpful tips page about what to do and who to contact when you're a victim) it would probably intimidate part of them.
Re:compromised (Score:5, Insightful)
Simply do like most client systems and put in big red bold: "someone tried to connect to your account 32 times from w.x.y.z ...", and keep something like a 30 days log of connection history browsable somewhere.
Yeah, because the average person is going to know what subnet or network they're coming in from. And they'll remember that time they logged in from the coffee house. No -- the information is useless to the average person because they don't know how to interpret it. It'd be like me telling you that the R0 of variola vera is about 6.5. Meaningless to you in this context.
Parent
Re:compromised (Score:4, Insightful)
No -- the information is useless to the average person because they don't know how to interpret it.
So? Help them interpret it. That's what computers are for. You can't tell me that that raw data can't be presented in some way that does make sense to Average Joe and at least gives him the idea that somebody is screwing with him.
Parent
Re:compromised (Score:4, Insightful)
"Since the last successful login Yesterday at 7:13, 48 attempts to log into your account with a wrong password have been made from 3 locations. [details]"
Simple as that. More detail wouldn't help most users, so let them know something potentially bad is happening. If they care about their account, they'll have a techie friend look into it.
Parent
Re:compromised (Score:5, Informative)
Google Mail gives you an activity log: http://mail.google.com/support/bin/answer.py?ctx=gmail&answer=45938 [google.com]
It's pretty damn cool.
Parent
Re: (Score:2)
for websites, it's super easy to see who's visited, with many online services providing this.
why isn't there a way to attach a counter to your inbox (i'm looking at gmail)? could it be embedded in a custom theme?
Text of the Article (Score:3, Funny)
Password Hackers Are Slippery To Collar
By Tom Jackman
Washington Post Staff Writer
Monday, September 7, 2009
When Elaine Cioni found out that her married boyfriend had other girlfriends, she became obsessed, federal prosecutors say. So she turned to YourHackerz.com.
And for only $100, YourHackerz.com provided Cioni, then living in Northern Virginia, with the password to her boyfriend's AOL e-mail account, court records show. For another $100, she got her boyfriend's wife's e-mail password. And then the passwords of at least one other girlfriend and the boyfriend's two children. None had any clue what Cioni was doing, they would later testify.
Cioni, however, went further and began making harassing phone calls to her boyfriend and his family, using a "spoofing" service to disguise her voice as a man's. This attracted the attention of federal authorities, who prosecuted Cioni, 53, in Alexandria last year for unauthorized access to computers, among other crimes. She was convicted and is serving a 15-month sentence.
But such services as YourHackerz.com are still active and plentiful, with clever names like "piratecrackers.com" and "hackmail.net." They boast of having little trouble hacking into such Web-based e-mail systems as AOL, Yahoo, Gmail, Facebook and Hotmail, and they advertise openly.
And, experts said, there doesn't appear to be much anyone can do about it.
"This is an important point that people haven't grasped," said Peter Eckersley, a staff technologist for the Electronic Frontier Foundation in San Francisco. "We've been using e-mail for years, and it's been insecure all that time. . . . If you have any hacker who is competent and spends the time and targets you, he's going to get you."
Federal law prohibits hacking into e-mail, but without further illegal activity, it's only a misdemeanor, noted Orin Kerr, a law professor at George Washington University and a former trial attorney in the Justice Department's computer crime section.
"The feds usually don't have the resources to investigate and prosecute misdemeanors," Kerr said. "And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace."
Every state has laws roughly similar to the federal computer laws, Kerr said, and rate the offenses as misdemeanors.
Not long after Gov. Sarah Palin of Alaska was named the Republican nominee for vice president last year, someone hacked into her personal Yahoo e-mail accounts. And as the election neared, someone at George Mason University hacked into the e-mail of the school's provost and sent a schoolwide e-mail saying the election date had been changed.
"Web Based email password hacking or cracking is one of our all time favourite and unique hobby," write the folks at YourHackerz.com. It's not clear where YourHackerz.com is located, but experts suspect that most of the businesses are based overseas. "We will provide you with the original Passwords. No questions asked whatsoever. Payment only after you are CONVINCED. 100% guarantee of Cracking. Total privacy of your information. No legal hassles."
At SlickHackers.com, they boast, "We are professionals interested in helping serious people for whom an email password would mean saving their marriage, knowing the truth, preventing a fraud, protecting their family/job/interests only when conventional ways and normal procedures do not work."
All the services advertise that they will e-mail a screenshot of the target's in-box or even send an e-mail from the target's e-mail as proof that they've cracked the password. The customer then sends payment. One service, whose fee is only 20 British pounds (about $33), then responds with the script from a scene from a Shakespeare play, with the stolen password hidden in the copy.
E-mail inquiries to several of these services did not elicit any responses.
The FBI cannot police the Internet, a spokesman said. "The FBI is aware of these illegal services," spok
Moo, moo. (Score:5, Interesting)
Yeah, well I'd say it's a big reason why I get phone calls. I hung my shingle out a long time ago about being a computer geek. People usually come to me for one of three reasons: First, their computer's suddenly running slow. "But I've tried everything." Malware is the main reason. Second is "It won't turn on anymore." Coffee spill on laptop, or HDD failure without error message. And the third most common reason: "I want to ruin someone's life! You're a hacker, right?"
Of course, these are my friends, not strangers. I usually oblige them by asking if they knew what common passwords their ex used, any websites they frequented, the full spelling of their name, date of birth, and social security number. And the strange part is: They usually know all of these things. You know what I do then? Nothing. Not a damn thing. I sit down and have a long talk with them about personal security and how just like we don't go out alone at night (I'm a girl. Most of my friends are girls -- I know most of you are dudes and don't think about it much), we also need to take precautions online! This is usually said while saying what a bastard the guy was. And I give them a pat on the head, some candy I keep around for this purpose, and send them on their way.
I'm a white hat (eh, most of the time). But a lot of people just like me know this about others because they've hung their shingle out too and announced they're a geek. And not all of them are going to have an ethical hangup about sucking up all your personal data, hacking your accounts, and leaving "I have a small penis" written to all your friends. Because really... The average person if you do go through all the effort to get them access just sits there feeling all powerful for a minute and then does something incredibly juvenile that'll make you wish you'd done your laundry instead of wasted two hours at the keyboard.
My advice to you people: Love your partner. But do not give them the root password!
P.S. Only once ever have I done a spot of sleuthing that I felt was worth it -- when I discovered a friend-of-a-friend was dating a terrorist. No, I don't mean the fluffy-bunny kind that the media portrays either (everything is terrorism these days). No, I mean the guy came overseas, setup shop over here, and was doing serious criminal enterprise and had cases open with a half-dozen agencies. A few days later, a police officer informed her that if she valued her life, she should cease contact with him immediately. Fun times. Everything else though? Boring as shit.
Re:Moo, moo. (Score:4, Interesting)
But maybe these different patterns relate to the fact that I am male?
More likely it's that girls have a lot more aqaintances and casual contacts than men do... And that we gossip so that people who know of us extends beyond a few close friends and coworkers but into the friend-of-a-cousin-of-a-friend's boyfriend scope. That, and most guys just want to be done with the drama and suffer in silence when it ends. Girls don't usually skip the part of the process that entails great amounts of fire and brimstone. Of course, in the end it's all a tempest in a teapot, but that doesn't stop them from beating a path to my door and getting Lecture #46.
Parent
Re: (Score:3, Insightful)
That, and most guys just want to be done with the drama and suffer in silence when it ends.
we save that for the next common cold...
Re: (Score:3, Interesting)
(hey, don't look at me, I'd love to see female engineers and scientists just as much as you do).
Then stop treating them as sex objects when they show up for work!
That is actually a lot harder than people realize. We The People are animals first and foremost, and then everything else. Whenever most people see a person of the opposite gender, the first thing they see is that they are of the opposite gender. This is biology, at which most people have more experience than at their culture, education and work ethics.
The better and broader your education and culture, the faster they kick in to cushion the action of pure animal instinct, but do not be fooled, its there and
Go to jail AND lose your divorce case (Score:4, Insightful)
Sure, you may uncover evidence of unfaithfulness in your divorce case, but your winnings in divorce case will be offset when you go to jail for computer trespass and the victim [your ex] sues the invader [you] for mega-bucks.
Oh, and if you tell your lawyer where you got the goods, it will trigger HIS ethical obligations. Yes, lawyers have ethical obligations, even those with no ethics.
Password hints (Score:5, Funny)
What is your girlfriend's name? Let's see the wife try to guess that one.
Double Standards... (Score:5, Interesting)
How to secure against this (Score:4, Insightful)
There are two ways an advisory can obtain one's password:
The first attack can be countered by using Gmail with things set up to always use https for connections (near the bottom of the "settings" page).
The second attack can be countered by using a secure password that is easy to remember but hard to guess. For example, "MaraDNS.org" would not be a very good password for this account, however "otif10md" ("One time I fell 10 meters down") would be a good password. Or, in my case, I use a secure hashing algorithm where a common secret is concatenated with the name of the website I visit to get a secure password, akin to using the Md5 sum of "This is secret;slashdot.org" to get a password.
Re: (Score:2, Insightful)
Yes, but you have to take into consideration that if the company was real, they wouldn't be operating locally. They'd be operating remotely. Which pretty much rules the former situation out.
Also, I was convinced that SSL was the de-facto standard for GMAIL and other web-mail services...
As I said in my previous post, it has been reported that the 'hackers' are merely scamming peoples money (as expected) and not delivering the service.
Re: (Score:2)
Or, in my case, I use a secure hashing algorithm where a common secret is concatenated with the name of the website I visit to get a secure password, akin to using the Md5 sum of "This is secret;slashdot.org" to get a password.
I'm curious. Assuming your attacker knows that you use a common hash (and can easily guess which one), what do you gain over just using "secretpassword;slashdot.org?" If the attacker was going to use a dictionary attack, it would require the same number of guesses with and without the hash (or perhapse a measily 5 or 10x if the attacker has to try several hashing algorithms).
Re: (Score:2)
Because if someone finds that your slashdot password is "25bf4e9796" it doesn't really help them work out that your amazon password is "ebf97d7aa8".
But you only need to remember one password, hopefully a slightly better one than that example...
And of course you would not usually use the actual md5 sum hex output, you'd use an encoding that gives you more than 4 bits per byte and manages meet the usual password restrictions.
ha (Score:2, Funny)
How do they work? (Score:5, Interesting)
If you're curious how these things work, here's a write-up of a typical example of one of these services [mcgrewsecurity.com].
I don't like snoopers! (Score:2)
RTFS (Score:5, Insightful)
Actually, web-based, free emails could be remarkably secure, if people weren't such morons about passwords.
Parent
Re:RTFS (Score:4, Funny)
Parent
Re:RTFS (Score:5, Insightful)
Actually, web-based, free emails could be remarkably secure, if people weren't such morons about passwords.
I'd imagine it has more to do with those damn required "Security Questions", many of which use publicly available information.
Even the services which allow you to specify the question and answer are probably no match for a cracker working in conjunction with an Ex.
I'd be more worried about what the crackers do with the knowledge they acquire as far as your other accounts are concerned, sure they may hack the e-mail account for you, but they're just as likely to clear out your bank account afterwords.
Parent
Re:RTFS (Score:4, Insightful)
Parent
Re:RTFS (Score:5, Funny)
"Hello, Student Loans Company, do you have a reference number?"
"Yes, L238BNM"
"Could you tell me the fourth letter of your mother's maiden... hmm... I'm sorry sir, I think there's a problem with the system, please--"
"Is it a hash symbol?"
"Er... yes. And the first letter of your first pet's name?"
"The number 8"
"That's correct."
Parent
Re: (Score:3, Funny)
If I ever found a female customer service rep that knew what a "hash" is I'd drop a marriage proposal on the spot.
What if she knew what an octothorpe was?
Re:RTFS (Score:4, Funny)
Here is a sample of the kinds of answers that I am thinking about using. Of course, those are not the actual imaginary answers which I will be using. I will not tell any of my future girlfriends or my imaginary answers. These are roughly the types of answers that I might decide to use.
My mother's maden name was Van Bopeep-Tinkerbell.
I was born on Booth Island in Antartica.
I graduated from Elephant Island Prep School in Antartica.
My favorite place is Needles, California.
My first dog was a pitbull/timberwolf mix named Fluffy-foofoo Jr.
My first car was a 1923 model E Doble Steam car.
My favorite food is road-kill packrat stew.
My favorite color is infra-red.
Of course passwords should not be something too easy to guess. Personally, I prefer to use the first letter from each word in a short sentence, to create a pass phrase. To make the pass phrase easier to memorize, I try to make the sentence as humorous or bizarre and easy to visualize as possible. If it rhymes, so much the better. If punctuation is allowed in the password, I have also found an easy to remember trick on how to include a few punctuation symbols, as well as mixing in both upper and lower case letters. Just in case I ever forget, I keep a short backup list of those in my safety deposit box at the bank.
By the way, I still use an old-fashioned pop type email account instead of an web-based email account.
Parent
Re: (Score:3, Funny)
So, if you forget your password, you recover it with another password that you can't remember?
Re: (Score:3, Informative)
and that's a good point.
It seems that passwords are kind of a terrible way to secure things.
Needs more OpenID, client certificates, and HTTPS
Re: (Score:2)
Re: (Score:3, Funny)
... a good reason to keep your lover gruntled.
Re: (Score:3, Interesting)
What I'd like to see would be more ability to use a standardized keyfob (such as RSA's SecurID), a smart card that has one's client certificate, or perhaps both in one device like the Aladdin eToken NG-OTP. Combine this with some type of decentralized but usable authentication system like OpenID, and this would go a long way to making bad or guessed passwords a thing of the past.
Smart cards go a long way to ease authentication hassles, but they bring their own issues, such as card lockouts due to too many
Re:RTFS (Score:4, Interesting)
Several UK banks use the EMV card (branded as "Chip+PIN" here (wiki it), a debit/credit card with a chip) for authentication with online banking. The readers don't connect to a computer, and getting the PIN wrong three times in the portable reader only means you need to reset the card by using it in an ATM.
The trouble is, it's been done cheaply, and has some *big* problems. Ignoring problems with encryption, the biggest one is a social problem: I have a small card reader. I can put one of my debit/credit cards in, press "Identify", type in my PIN, and get the message "PIN OK" and a code. Fine, I can put the code in the online banking website to authenticate.
The problem is, if I get the PIN wrong, the message says "PIN incorrect", and no code is produced. Argh! Introducing the chips has drastically cut face-to-face (shop, ATM) fraud in the UK, and means criminals now want a PIN to go with a card. They sometimes install a tiny camera in an ATM and steal the card when you walk away, but ATMs are in "safe" places, and have CCTV around them etc -- or at least, people don't use them if they don't feel safe.
So instead, they steal your card somewhere more private:
*thump* *thump* "Tell me the PIN!"
"5-2-9-1! Let me go!"
*"Identify"* *tap-tap-tap-tap* *schking* "Tell me the real PIN, or else!"
Parent
Re:RTFS (Score:5, Insightful)
Sure. That is what people tell me all the time to use a secure password. http://maord.com/ [maord.com] can easily help you with that. So now I have a secure password like cJQKUG4P generated by that website.
Obviously like most people I have a bunch of different logins, many where I was not able to select my own login. To be secure I must use several ones. e.g. one for work, one for the bank, one for mail and one for websites.
9b3MHDHz
m4YBn3t8
vMSLs44e
CsQnP5Fy
These four I must remember and change every month. And that is if I only use four and group my logins. If I want to be really secure, I will use a different one for each login I am able to change the password (17 of them, not calculating the many websites):
UVvCUmE3
Snip 15 random passwords
Lameness filter encountered. Post aborted!
Filter error: That's an awful long string of letters there.
qAv9qZHR
I am not allowed to save them. I must memorize them. Yes, there are other options, like using the first letters of a sentence, but due to the sheer number of logins it becomes impossible.
It is a known fact that people are stupid. If you make something that proves that fact, then the problem is not the moron users, but the designers. I have no clear answer on how to solve it, but I would start with removing the forceful changing of passwords every month. That WILL lead to weaker passwords.
Parent
Re: (Score:3, Interesting)
I am not allowed to save them. I must memorize them.
Nonsense. While Chrome doesn't seem to have this yet, Firefox and Konqueror come with encrypted password stores out of the box.
That is, you enter one master password, and it then remembers all your passwords for you.
I also have a friend who wrote a Firefox extension, which I'm seriously considering replicating (or finding, if he ever published it), which would take one master password that he'd remember, combine it with the domain, and computer a hash. Thus, nothing is ever stored, but there's still only on
Re: (Score:3, Insightful)
There are some computers that are under my control. There are some that are NOT under my control. I cn not install software on those systems. I can not add anything on those systems. Further not all logins are weblogins and some that are only work on very locked down IE machines where I can not even do a 'save password'.
Re:So wait... (Score:5, Insightful)
You mean people actually still think that web-based, free emails are secure?
As opposed to a client-based email, where you can simply get it all through the filesystem? Physical access is game-over. So if you have 30min with your ex's machine, that's pretty much game over, if residing in clients.
Parent
Re: (Score:2)
Well, if you have 2 minutes with your ex's machine, chances are either they're already logged into their webmail, or their password is saved.
Re:So wait... (Score:4, Informative)
Parent
Re: (Score:3, Informative)
And of course, this is missing the obvious point that a) most people have never heard of truecrypt, and b) most girlfriends/boyfriends/spouses won't know that such a thing as a keylogger exists. It's true that either situation *could* change (the girlfriend gets a new boyfriend, or just a friend, who teaches her about keyloggers, for example).
Still, I suspect setting up a TC volume for your email is better than nothing. I've done this on my laptop - mostly just to protect my files in case of theft/loss; I t
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
No, they just have to visit Slashdot, where geeks brag about their "unbreakable" passwords.
(Note: to avoid any unsightly "whoosh" moments, I know that that isn't really his password. It's a joke, people!)
Re: (Score:2)
That's what I'm wondering, actually. As a Gmail user with a relatively long and complicated password, how would these services go about hacking into my Gmail account? All connections in and out are SSL'd, I don't use public WiFi without a VPN, my home WiFi is secured relatively well... Short of e-mailing me a trojan, what options do these guys have?
Re: (Score:3, Insightful)
That's what I'm wondering, actually. As a Gmail user with a relatively long and complicated password, how would these services go about hacking into my Gmail account? All connections in and out are SSL'd, I don't use public WiFi without a VPN, my home WiFi is secured relatively well... Short of e-mailing me a trojan, what options do these guys have?
Your password may be long and complicated, but examine closely at your "security questions." If the client has been lubing your junk, odds are that she knows your dog's name is Archibald and your favorite color is mauve.
"Forgot my password" indeed.
Re: (Score:3, Informative)
Heh, you're over estimating the level of skill involved.
There are some interesting discussions of how these services work here:
crackpal.com [mcgrewsecurity.com]
crackmails.net [mcgrewsecurity.com]