Good reminder regarding online security

Topic Author
Auream
Posts: 503
Joined: Thu Mar 20, 2008 1:07 pm
Location: Raleigh, NC

Good reminder regarding online security

Post by Auream »

If you don't follow tech news you probably missed this:

http://www.wired.com/gadgetlab/2012/08/ ... n-hacking/

Great reminder about how important it is to keep your online accounts properly secured, and to make regular backups of your data. Even this tech-savvy journalist lost a whole bunch of irreplaceable photos and documents and got several of his accounts hacked due to lax security both on his part and Amazon and Apple.

Prompted me to go in and turn on two-factor authentication for my gmail account and remove all my saved credit cards from Amazon and iTunes.
nonnie
Posts: 1944
Joined: Thu Mar 13, 2008 8:05 pm
Location: Northern California

Re: Good reminder regarding online security

Post by nonnie »

This is really scary stuff. I just read another version of it with lots and lots of tips on how to avoid this situation:

http://www.slate.com/articles/technolog ... ingle.html

It also exposes gaping holes in Apple and Amazon security.

Nonnie
This post may be monitored for quality assurance purposes.
chaz
Posts: 13604
Joined: Tue Feb 27, 2007 2:44 pm

Re: Good reminder regarding online security

Post by chaz »

Online insecurity.
Chaz | "Money is better than poverty, if only for financial reasons." Woody Allen | http://www.bogleheads.org/wiki/index.php/Main_Page
TF Hutch
Posts: 121
Joined: Sat Sep 12, 2009 12:57 am
Location: Florida

Re: Good reminder regarding online security

Post by TF Hutch »

I am trying Roboform for free with 30 day trial. http://www.roboform.com/everywhere
So far I'm not happy with my login info on the cloud.
Hutch | A fool and his funds are soon parted! - Thomas Tusser (English Farmer and Writer. 1524-1580)
Topic Author
Auream
Posts: 503
Joined: Thu Mar 20, 2008 1:07 pm
Location: Raleigh, NC

Re: Good reminder regarding online security

Post by Auream »

TF Hutch wrote:I am trying Roboform for free with 30 day trial. http://www.roboform.com/everywhere
So far I'm not happy with my login info on the cloud.
I've been using 1Password for a couple years now and I love it. By default, it does not save your data in the cloud, although it has Dropbox integration available as an option. Even if someone were to hack your Dropbox, the file that saves your passwords is 256-bit encrypted.
nonnie
Posts: 1944
Joined: Thu Mar 13, 2008 8:05 pm
Location: Northern California

Re: Good reminder regarding online security

Post by nonnie »

TF Hutch wrote:I am trying Roboform for free with 30 day trial. http://www.roboform.com/everywhere
So far I'm not happy with my login info on the cloud.
I've been using Roboform for a couple years on my laptop and have been very pleased with it. I hesitated before I bought RF Everywhere yesterday for use on my Nexus for the same reason. I don't even really like having my Dropbox stuff in the cloud (I live with a techie who does most of this stuff so forgive my syntax). I'd welcome other recommendations in addition to 1Password--reviews say it doesn't work very well for Android which is what I'm interested in.

Nonnie
This post may be monitored for quality assurance purposes.
TF Hutch
Posts: 121
Joined: Sat Sep 12, 2009 12:57 am
Location: Florida

Re: Good reminder regarding online security

Post by TF Hutch »

Here are ten 2012 reviews for password manager software. http://password-management-software-rev ... views.com/

If RoboForm is number 1 then this stuff has a long way to go, in my opinion.

I really would like to have a conversation regarding online security with those who know what they are talking about. I trust folks on this forum for guidance about investment advice, perhaps a few may also know about where to find actionable information about Cyber Security, with appropriate references of course.
Hutch | A fool and his funds are soon parted! - Thomas Tusser (English Farmer and Writer. 1524-1580)
Topic Author
Auream
Posts: 503
Joined: Thu Mar 20, 2008 1:07 pm
Location: Raleigh, NC

Re: Good reminder regarding online security

Post by Auream »

TF Hutch wrote:Here are ten 2012 reviews for password manager software.

If RoboForm is number 1 then this stuff has a long way to go, in my opinion.
Those "TopTenReviews" sites are all scams; basically they put up random content and try to game Google searches for ad revenue. Basically a "content farm." I wouldn't put any stock into what one of those types of sites says.

In fact, you might want to edit your post to remove the link, as the more sites that link to that garbage, the more likely it'll come up high on Google, confusing even more people.
AndroAsc
Posts: 1240
Joined: Sat Nov 21, 2009 7:39 am

Re: Good reminder regarding online security

Post by AndroAsc »

Good article, even I learnt some stuff. I even created a new google 2FA account today, which I plan to move all my finance-related emails to. In that way, if my personal email is compromised, the hacker won't (in theory) have access to my finances.
lightheir
Posts: 2534
Joined: Mon Oct 03, 2011 11:43 pm

Re: Good reminder regarding online security

Post by lightheir »

AndroAsc wrote:Good article, even I learnt some stuff. I even created a new google 2FA account today, which I plan to move all my finance-related emails to. In that way, if my personal email is compromised, the hacker won't (in theory) have access to my finances.
I did exactly this. I have a separate, 'secret' google docs account with double authentication, that stores all my finances and other records. I never access it unless I'm at home on my own computer.

All my passwords are Keepass encrypted with a good strong master password - I'd trust this over any commercial solution as it's been well reviewed and is open-source so the algorithms have been checked out and passed.

That article is a good reminder of how much damage the loss of an email password can do. While I used to think such situations were extreme and rare, truth is that in today's cloud connected world, it's becoming a serious, and possibly commonplace issue. The author of the article is dead correct when saying that the only barrier between you and identity theft is often your email password, so to avoid this, it's a good idea to activate the double-authentication on Gmail as he recommends which requires a code from an authorized cell phone. (It works even if you don't have cell access as there's an app that works without it.)

My general email account for sure has enough personal info on it given that I send emails from it every single day that you could trace large parts of my existence just by following my email trail. Not something I want somebody who's trying to impersonate me online to have access to.
Kenkat
Posts: 6862
Joined: Thu Mar 01, 2007 11:18 am
Location: Cincinnati, OH

Re: Good reminder regarding online security

Post by Kenkat »

Interesting to note that as much talk as there is about strong passwords, this attack had nothing to do with password hacking. It instead relied on social engineering, cross-linked accounts and security flaws with the service providers themselves. Scary and definitely gave me pause...
Mudpuppy
Posts: 6597
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Good reminder regarding online security

Post by Mudpuppy »

We had lots of good discussions and suggestions about password management in general, and password management tools in particular, in the thread I started about the LinkedIn password database breach. Prepare to settle in for a while because it's 201 posts (and counting) of password and security discussions: http://www.bogleheads.org/forum/viewtop ... 11&t=97664
daytona084
Posts: 881
Joined: Mon Feb 01, 2010 10:47 pm

Re: Good reminder regarding online security

Post by daytona084 »

A couple points:

1. The motive for the hacker was the victim's three-letter twitter handle. Apparently that's a big deal.
2. Amazingly, the victim did not keep a local backup of his data, including all photos of his child.

The hacker used Amazon to get the last 4 digits of a credit card number, which he then used to get into the victim's email. Hopefully Amazon will take notice and upgrade its procedures.
linuxuser
Posts: 1107
Joined: Mon Jan 24, 2011 9:15 pm

Re: Good reminder regarding online security

Post by linuxuser »

wjwhitney wrote:A couple points:

1. The motive for the hacker was the victim's three-letter twitter handle. Apparently that's a big deal.
2. Amazingly, the victim did not keep a local backup of his data, including all photos of his child.

The hacker used Amazon to get the last 4 digits of a credit card number, which he then used to get into the victim's email. Hopefully Amazon will take notice and upgrade its procedures.
The victim seems to be a big Apple-head so he trusted his photos to their cloud.
The notion that if you go Apple nothing can go wrong mentality.
Topic Author
Auream
Posts: 503
Joined: Thu Mar 20, 2008 1:07 pm
Location: Raleigh, NC

Re: Good reminder regarding online security

Post by Auream »

linuxuser wrote: The victim seems to be a big Apple-head so he trusted his photos to their cloud.
The notion that if you go Apple nothing can go wrong mentality.
Actually no, Apple doesn't have a cloud-based photo backup solution. They only store the last 1000 photos you took (called a "Photo Stream") on iCloud. They don't make any representations whatsoever that you'll have access to all of your photos, or that it is permanent in any way. So really, this guy was just completely negligent when it comes to backups.
lightheir
Posts: 2534
Joined: Mon Oct 03, 2011 11:43 pm

Re: Good reminder regarding online security

Post by lightheir »

kenschmidt wrote:Interesting to note that as much talk as there is about strong passwords, this attack had nothing to do with password hacking. It instead relied on social engineering, cross-linked accounts and security flaws with the service providers themselves. Scary and definitely gave me pause...
While this is true, it's also true that this entire fiasco would have been stopped dead in its tracks had the author used the double-authentication feature on his gmail account (which he clearly admits.) Given that email is the hub of a lot of adult online communication, it's a pretty good idea to lock it down as reasonably as possible.

The social engineering bit is real, though, and adds a whole layer of complexity to identity theft. At the same time, think of how many times you use your credit card at restaurants, etc., and how easy it would be for an unscrupulous person to just simply copy the info right off of it.
TA_Lurker
Posts: 202
Joined: Mon Nov 03, 2008 10:41 pm

Re: Good reminder regarding online security

Post by TA_Lurker »

lightheir wrote:Given that email is the hub of a lot of adult online communication, it's a pretty good idea to lock it down as reasonably as possible.
Hey, how do you know what I do online? Have you been spying on my e-mail??? :D
Mudpuppy
Posts: 6597
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Good reminder regarding online security

Post by Mudpuppy »

lightheir wrote:
kenschmidt wrote:Interesting to note that as much talk as there is about strong passwords, this attack had nothing to do with password hacking. It instead relied on social engineering, cross-linked accounts and security flaws with the service providers themselves. Scary and definitely gave me pause...
While this is true, it's also true that this entire fiasco would have been stopped dead in its tracks had the author used the double-authentication feature on his gmail account (which he clearly admits.) Given that email is the hub of a lot of adult online communication, it's a pretty good idea to lock it down as reasonably as possible.
It could have also been shut down if Amazon had better policies in place. Being able to add a credit card number WITHOUT knowing the login credentials for an account, then using said credit card number to get the password reset for the account is a blatantly, glaringly, astoundingly bad security practice. Yet another example to put in the book of bad security practices that I would write if I had the time to write a book....
lightheir
Posts: 2534
Joined: Mon Oct 03, 2011 11:43 pm

Re: Good reminder regarding online security

Post by lightheir »

Mudpuppy wrote:
lightheir wrote:
kenschmidt wrote:Interesting to note that as much talk as there is about strong passwords, this attack had nothing to do with password hacking. It instead relied on social engineering, cross-linked accounts and security flaws with the service providers themselves. Scary and definitely gave me pause...
While this is true, it's also true that this entire fiasco would have been stopped dead in its tracks had the author used the double-authentication feature on his gmail account (which he clearly admits.) Given that email is the hub of a lot of adult online communication, it's a pretty good idea to lock it down as reasonably as possible.
It could have also been shut down if Amazon had better policies in place. Being able to add a credit card number WITHOUT knowing the login credentials for an account, then using said credit card number to get the password reset for the account is a blatantly, glaringly, astoundingly bad security practice. Yet another example to put in the book of bad security practices that I would write if I had the time to write a book....
Again, def agree with you here, but there's bound to be crafty back-door low-tech exploits very similar to this one occurring again and again in the future, no doubt. All we can do is lock down what we can and try to stop a small exploit from ballooning into a massive one like what happened to that author. Given that email is often the key to the kingdom, it's worth paying special attention to locking that down.
chaz
Posts: 13604
Joined: Tue Feb 27, 2007 2:44 pm

Re: Good reminder regarding online security

Post by chaz »

This link was found in another thread:

http://www.wonderoftech.com/a-true-and- ... ng-to-you/
Chaz | "Money is better than poverty, if only for financial reasons." Woody Allen | http://www.bogleheads.org/wiki/index.php/Main_Page
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Good reminder regarding online security

Post by Epsilon Delta »

Mudpuppy wrote: It could have also been shut down if Amazon had better policies in place. Being able to add a credit card number WITHOUT knowing the login credentials for an account, then using said credit card number to get the password reset for the account is a blatantly, glaringly, astoundingly bad security practice. Yet another example to put in the book of bad security practices that I would write if I had the time to write a book....
While Amazon's system leaves something to be desired, Apple is fundamentally to blame. A security system has to rely on the behavior by the principals (e.g. Apple and Mat Honan). It should not rely on the behavior of third parties, such as Amazon. If you could rely on arbitrary third parties you could just ask them not to steal and no other security would be required.

That's why using things like SSN as passwords is broken. My SSN, and probably yours, is legitimately known to dozens if not hundreds of people and companies, some of which are thieving scum.