Monthly Archives: June 2012

How Did My Email Account Get Hacked?

Concerns over hacked email accounts seem to have increased as of late, mostly because, well, the number of hacked email accounts seems to have increased as of late.

Recently I covered how to proceed when you receive an email from a contact who obviously did not send it and might be the victim of a hack attack. But how do these attacks succeed and how many ways are there to perpetrate them? Knowing the answer would give you an understanding of what to do to stay safe.

So, I’m glad you asked. I’ll try to keep the answers simple. First, it wouldn’t hurt to understand how email works.

When you look at the simplest way to break it down, an email account’s password can only be hacked at two different points: 1) at the point where the user handles emails (his/her computer, phone, tablet, etc.) and 2) at the server, where all the information on usernames and passwords is kept.

The common user does not have control over his/her email server, so if a hack attack occurs at the server, there’s not much he/she can do about it. Pray maybe, or be careful as to which email provider he/she chooses. A definite measure he/she can take is to change his/her password periodically, and of course make sure they’re all strong passwords.

Unfortunately, much too often a) users don’t change their passwords periodically, b) the passwords are weak and c) the same password is used for many things, including their online banking identity and whatnot! The reason behind all three is the user’s basic drive to remember his password: a) changing it periodically makes it hard to remember which one is current, b) using familiar words or numbers makes a password weak but easy to remember, and c) who wants to remember 10 passwords when using the same password for everything is so much easier?

We’ll circle back to that. The point is, the server-side aspects of things are not much under the control of the normal user, and that’s a potential hack attack point. How those attacks occur becomes irrelevant, so we’ll leave it at that.

The second point at which the password can be hacked is more under the control of the user, mostly because it is within arm’s length and he/she is for the most part in control of it. This is of course his/her computer/phone/tablet.

So now, how many ways are there to figure out a password? Exactly two:

The first one falls under the category of guessing, a specific type of “brute force attack”. This consists mainly of feeding passwords from a list, often a dictionary. A computer program can do this very fast, so if the password is weak, the probability of guessing it that way is not too bad.
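To make the guessing point concrete, here is an added illustration (not code from the original post) of why a dictionary word dressed up with a digit or a symbol substitution is still a weak password. The wordlist and the substitution rules are small constructed samples, and the guess rate of one billion guesses per second is an assumption chosen only to put the numbers on a human scale; the code is a password-strength check of the kind a site could run when a user picks a password, not a guessing tool.

```python
"""Why dictionary-derived passwords fall to guessing: an added illustration."""
import string

# Constructed sample wordlist; real guessing lists hold millions of entries.
WORDLIST = {"password", "letmein", "welcome", "monkey", "dragon", "qwerty",
            "football", "baseball", "sunshine", "princess", "iloveyou"}

# Letter-for-symbol substitutions that guessing tools routinely undo
# (assumed rule set for this illustration).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})

# One-day and ten-year thresholds used for the verdict (assumed cut-offs).
ONE_DAY = 86400
TEN_YEARS = 10 * 365 * 86400


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it is probably built from:
    lowercase it, drop a trailing run of digits/punctuation such as '123!'
    and undo the common substitutions."""
    base = password.lower().rstrip(string.digits + string.punctuation)
    return base.translate(SUBSTITUTIONS)


def keyspace(password: str) -> int:
    """Size of the space a blind brute-force search must cover, from the
    character classes present and the length."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return alphabet ** len(password)


def assess(password: str, guesses_per_second: float = 1e9) -> dict:
    """Estimate which guessing attack finds `password` and how long it takes.

    A dictionary hit is bounded by the list length, however many classes
    the password mixes; anything else is bounded by the brute-force keyspace.
    """
    if normalize(password) in WORDLIST:
        attack, guesses = "dictionary", len(WORDLIST)
    else:
        attack, guesses = "brute force", keyspace(password)
    seconds = guesses / guesses_per_second
    if seconds < ONE_DAY:
        verdict = "weak"
    elif seconds < TEN_YEARS:
        verdict = "moderate"
    else:
        verdict = "strong"
    return {"attack": attack, "guesses": guesses,
            "seconds": seconds, "verdict": verdict}


if __name__ == "__main__":
    for candidate in ("Passw0rd1", "x7Qp", "correct horse battery staple"):
        result = assess(candidate)
        print(f"{candidate!r}: {result['verdict']} ({result['attack']}, "
              f"{result['guesses']:.3g} guesses, {result['seconds']:.3g} s)")
```

The lesson is in the first case: "Passw0rd1" mixes upper, lower and digits, so a naive class-counting meter would rate it well, yet it normalizes to a wordlist entry and is found in a handful of guesses. Length beats decoration, which is why the passphrase in the third case comes out strong even though it uses only lowercase letters.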

The second one falls under the category of stealing/sniffing/recording. Basically a tool is installed on your computer that will record keystrokes, or steal your password from known stored locations, and transmit it over the internet to a place the hacker has access to. So in this case, changing your password and making it complex and unique will not accomplish anything, since the moment you use your computer to change it, it will be stolen/sniffed/recorded again.

Therefore when one’s email account has been hacked, one should

a) Change the password to a strong, TEMPORARY one. This is just in case the way it was figured out was a brute force attack rather than theft. Then

b) You have to make sure there is no malicious software on your computer that is stealing/sniffing/recording your passwords. That is, of course, easier said than done. But it must be done. Ask an expert for help as needed. Finally,

c) Once there’s an assurance that there is no data leak active, the password should be changed again to a strong, more permanent one. Even if there is no malicious software found, it never hurts to change the password again, so it should be done regardless.

Hope I’ve been able to increase your understanding of the subject.

Facebook Don’t

With over 150 million users in the US alone, Facebook boasts a vast amount of personal data, which some users seem to be willing to give away, publicly.

Check out this website: http://www.weknowwhatyouredoing.com/

The website is powered by a tool that shows some of the public status updates users post on Facebook.

The point is, if you are a Facebook user, you should have your privacy control setting set to anything but “public” or you risk being featured on websites like the above.

To do that, go to https://www.facebook.com/settings/?tab=privacy and make sure your privacy control is set to anything but “public” and if it is set to “public”, change it to “Friends” or “Custom”.

Hope this helps.