Hacker attacks are coming in...
  • #16
    http://en.wikipedia.org/wiki/E-mail_spoofing

    Explains it way better than I can.
    Last edited by Mytical; 12-20-2010, 09:47 AM.
    Engaged to the amazing Marmalady. She is my Silver Dragon, shining as bright as the sun. I her Black Dragon (though good honestly), dark as night..fierce and strong.

    • #17
      Quoth Mytical:
      No password is hacker-proof. You can make the most complicated one, heck even somehow use Egyptian Hieroglyphics, and if somebody gets a keylogger on your computer... oops. However, to make it more effective here are some simple rules.

      1) Use passwords that nobody would associate with you. Things that have nothing to do with you in any aspect. No, not something you hate (this would still be associated with you), but things that don't even have six degrees of separation.

      2) Use alphanumeric, with special characters. 10 is good, 15 is better. Random upper and lower case for the letter part of it is even better.

      3) Make it something that you remember, but keep rule number 1 in mind.

      4) Do not write it down, anywhere. Bad idea. (Especially not right next to the computer.)

      5) Change it frequently. Even slight changes can help, but complete changes (i.e. none of the letters, numbers, or symbols of the old one used in the new one) are better.

      6) Don't use the same one for multiple places. If somehow somebody gets a hold of one, you don't want them to get access to EVERYTHING.
      This all sounds very reasonable and safe, but how do you REMEMBER all these passwords when it's a different one for every site, and 10-15 characters each? How do you deal with sites that only allow a certain number of characters, and/or only allow letters & numbers but not symbols?
      The large print giveth, and the small print taketh away.

      • #18
        Heh, it is not easy. As for sites that have certain limits, use the maximum of their limits. I.e. if it is 9 characters alpha/numeric only... then use ALL 9. Of course if they won't let you use special characters, you will have to not use them.

        Edit: Also for things that contain nothing too much (say forums, etc.) then using the same password wouldn't be too bad. As long as you don't fill out your profile with name, address, etc. etc.

        • #19
          Quoth Taboo:
          The Deviantart one was through something secondary that works through Deviantart, I believe, and did not affect most users - but it's always a good idea to change your passwords every so often anyway, not only for security but also for your own peace of mind. =)
          Furaffinity is down as well.

          • #20
            Quoth blas:
            What does spoofing mean?
            Basically, the return address on an email doesn't have to be the actual address of the sender.

            For example, my gmail sends out mail that says it's from another provider's address entirely. Of course, I own that second email address, but I wouldn't have to, to still send out mail claiming to be from there.

            The best way to determine if your account was hacked vs spoofed is to check your mail sent folder. If there is mail there that you didn't send, then you were hacked. If not, then it's likely the spammers spoofed your email address and you're just getting bounces from bad addresses.

            However, since you mention that it's people on your contact list that got the messages, that points to it likely being a hack.

            Quoth Mytical:
            5) Change it frequently. Even slight changes can help, but complete changes (i.e. none of the letters, numbers, or symbols of the old one used in the new one) are better.
            I have yet to hear a convincing argument that this is a useful thing to do.

            If you have a strong password, then I don't think there's a lot of reason to change it unless you believe it's been compromised.

            ^-.-^
            Faith is about what you do. It's about aspiring to be better and nobler and kinder than you are. It's about making sacrifices for the good of others. - Dresden
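The "hacked vs. spoofed" question above is the same one a receiving mail server asks: the From: line is free text, so the only evidence is the Received: chain the relays add and the SPF verdict the receiver records. The check below is an added example, not code from anyone in this thread; the message, host names and IP addresses are constructed (documentation ranges and .example names), and the "suspicious" verdict is illustrative, not a mail filter.

```python
import email
import re
from email import policy

# Constructed sample message (not a real capture): the From: line claims example.com,
# but every Received: hop belongs to another provider and the receiver recorded spf=fail.
RAW_MESSAGE = b"""Received: from relay.mailprovider.example (relay.mailprovider.example [192.0.2.10])
\tby mx.example.net with ESMTPS id c0nstructed1
\tfor <victim@example.net>; Mon, 20 Dec 2010 09:47:00 -0500
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby relay.mailprovider.example with ESMTPA id c0nstructed2;
\tMon, 20 Dec 2010 09:46:30 -0500
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.com
From: A Friend <friend@example.com>
To: victim@example.net
Subject: hey, look at this

(body omitted)
"""

def received_hops(msg) -> list:
    """Host each Received: header says the message came 'from', newest hop first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(hdr))
        if m:
            hops.append(m.group(1).lower())
    return hops

def registrable(host: str) -> str:
    """Crude last-two-labels domain; good enough for this illustration."""
    return ".".join(host.strip("[]").split(".")[-2:])

def assess(raw: bytes) -> dict:
    """Compare the forgeable From: domain against the transport evidence."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    hops = received_hops(msg)
    auth = str(msg["Authentication-Results"] or "").lower()
    spf_pass = "spf=pass" in auth
    hop_matches = any(registrable(h) == registrable(from_domain) for h in hops)
    return {
        "from_domain": from_domain,
        "hops": hops,
        "spf_pass": spf_pass,
        # Flag when neither SPF nor the relay chain vouches for the From: domain.
        "suspicious": not spf_pass and not hop_matches,
    }

if __name__ == "__main__":
    print(assess(RAW_MESSAGE))
```

Mail legitimately sent "as" another address from a provider that the domain's SPF record does not list trips the same flag, which is exactly why such setups get rejected by stricter receivers.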

            • #21
              I keep a GPG-encrypted text file on a network drive that has my passwords in it, in case I forget any of them. Something like that is probably a bit too much work for somebody who's not technically inclined, but it's pretty quick and easy if you are.

              One way of making complex but easy-to-remember passwords is to use a simple form of two-factor authentication where you create a complex password, write it down, and keep it somewhere convenient (in your wallet, maybe), then create simpler passwords for different situations and combine them.

              For example, let's say my complex password is "2_5eSuS+". That's kind of hard to remember, so I'll keep it written down and on me. Then I'll decide my password for Amazon.com is "b@con" and my password for customerssuck.com is "w4lm4rt", and both of those only stay in my head. My actual password for logging in to Amazon.com will be "2_5eSuS+b@con", which is practically uncrackable, and my password for customerssuck.com is "2_5eSuS+w4lm4rt". Even if somebody gets ahold of my written password, there's still no way they'll be able to guess the "b@con" on the end of that.

              Of course, that doesn't work so well for sites that don't let you use special characters, or enforce a maximum length on passwords... but web masters who do that really need a good talking-to about security.

              • #22
                Quoth Andara Bledin:
                Basically, the return address on an email doesn't have to be the actual address of the sender.
                Correct. The email address that appears on the "From:" line in the email is optional, and can be trivially forged to be anything at all.

                Quoth Andara Bledin:
                For example, my gmail sends out mail that says it's from another provider's address entirely. Of course, I own that second email address, but I wouldn't have to, to still send out mail claiming to be from there.
                This depends on the anti-spamming protections put in place by gmail and by the recipient. The email, coming from gmail, contains sufficient information that the receiving server can determine that gmail sent it (check the headers, the info is there). If the From: line contains something like example.com, but the headers claim to be from gmail, some systems will reject the email.

                In addition, if example.com uses SPF records or DomainKeys (and does not state that gmail is allowed to send email from that domain), and the receiving server uses that information, then the email will be rejected.

                Antispam measures can make life difficult when using the setup you have described. So far, it sounds like you have not yet been hit. Here's hoping it stays that way.

                Quoth Andara Bledin:
                The best way to determine if your account was hacked vs spoofed is to check your mail sent folder. If there is mail there that you didn't send, then you were hacked. If not, then it's likely the spammers spoofed your email address and you're just getting bounces from bad addresses.
                Actually, your advice tells how to determine if her computer has gotten malware on it that has infected her email client, not if her account was hacked. It could also have malware on it that reads from her email client and generates the email message directly, bypassing the email client entirely.

                As for how the email got through the ISP's firewalls, many providers now use variations on SMTP Auth to determine who is allowed to send email using their servers. SMTP Auth can be configured to restrict to a range of IP addresses, require a successful login before sending, and other options. Reading sufficient information from the email client on the machine would allow a malicious program to send email using her ISP without ever writing a single thing in her sent mail folders.

                Also, since her account is actually on another server, the only way to tell definitively if the account was hacked is to contact the maintainers of the server (likely the ISP), and ask them to review all accesses to the account, both sending and receiving. They can validate that the incoming data came from the correct computer, at least.

                Quoth Andara Bledin:
                However, since you mention that it's people on your contact list that got the messages, that points to it likely being a hack.
                It could be malware on the machine, could be a hack, could be someone doing some clever social engineering to get a list of contacts from her, and then use that claiming to be her.

                Quoth Andara Bledin:
                I have yet to hear a convincing argument that this is a useful thing to do.
                How about this, then: Your specific password (about one dozen characters long, according to you) has an entropy of about 24 bits. This translates to about 16,777,216 possible passwords. With modern hardware and programming techniques, this is crackable by a password guesser in well under a day (likely only needing one or two hours, with a fair chunk of that being spent setting up) using a simple single core computer.

                If you extend your password out to 20 characters, this only takes you up to 36 bits of entropy, or about 68,719,476,736 possible passwords. This is crackable in under a week using a quad core computer and well made code.

                Convincing enough yet?

                Quoth Andara Bledin:
                If you have a strong password, then I don't think there's a lot of reason to change it unless you believe it's been compromised.
                Smart security practice assumes that your password is compromised within seconds of your entering it somewhere that you do not completely control. Since you don't control all of the routers between you and any site, you should assume that your password is compromised before it reaches the server you're communicating with.
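Where the 24-bit and 36-bit figures above come from, as an added example (not code from anyone in this thread): they match the NIST SP 800-63 Appendix A heuristic for user-chosen passwords (4 bits for the first character, 2 for each of the next seven, 1.5 for each up to the twentieth), reproduced here beside the per-character brute-force bound so the gap between "human-chosen" and "random" strength is visible. The sample passwords (including the base-plus-suffix ones from #21) and the guess rate are constructed assumptions, labelled in the code.

```python
import math

# Constructed sample passwords (nobody's real credentials); the last two follow the
# "written-down base + remembered site suffix" scheme suggested earlier in the thread.
SAMPLE_PASSWORDS = ["correcthorse", "a" * 20, "2_5eSuS+b@con", "2_5eSuS+w4lm4rt"]

def nist_user_chosen_bits(password: str) -> float:
    """NIST SP 800-63 Appendix A heuristic for human-chosen passwords: 4 bits for the
    first character, 2 each for characters 2-8, 1.5 each for 9-20, 1 each beyond.
    Twelve characters score 24 bits and twenty score 36 bits, the figures quoted above."""
    bits = 0.0
    for position in range(1, len(password) + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    return bits

def charset_size(password: str) -> int:
    """Size of the union of character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size

def brute_force_bits(password: str) -> float:
    """Upper bound: what the password would be worth if every character were random."""
    return len(password) * math.log2(charset_size(password))

def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for a guesser that must try all 2**bits candidates."""
    return 2.0 ** bits / guesses_per_second

if __name__ == "__main__":
    RATE = 1e4  # assumed guesses/second; substitute the rate your hash or service allows
    for pw in SAMPLE_PASSWORDS:
        chosen, random = nist_user_chosen_bits(pw), brute_force_bits(pw)
        print(f"{pw:16} chosen~{chosen:5.1f} bits  random~{random:5.1f} bits  "
              f"worst-case {seconds_to_exhaust(chosen, RATE) / 3600:10.1f} h")
```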
