View Full Version : Hacked!
jrandom
15th January 2012, 09:44
Interesting article (http://www.theatlantic.com/magazine/archive/2011/11/hacked/8673/1/?single_page=true). This could happen to you.
Lessons:
1. If you use Gmail, enable the two-factor authentication system (it's under Account Settings -> Use two-step verification system) that sends a verification code to your mobile if you log on from any machine other than the one you usually use.
2. Use a pass *phrase* for important accounts, not a password. The common "proper noun plus a couple of digits" form of password is weak against automated attack.
See http://xkcd.com/936/.
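A worked example of the passphrase point above, added here and not part of jrandom's post: it puts numbers on "proper noun plus a couple of digits" versus four words drawn from a 7776-word Diceware-style list, at the 1000 guesses per second that xkcd 936 assumes for an offline attack. The 50,000-word dictionary size, the 12-word sample list and the guess rate are assumptions for illustration; entropy is computed from the real list size, not the toy list.

```python
import math
import secrets

# Constructed mini word list for make_passphrase(); a real Diceware list has 7776
# words, and the entropy figures below use that size, not this toy list's.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "engine", "fairing",
                "igniter", "scrambler", "router", "plaster", "brick", "alarm"]

GUESSES_PER_SECOND = 1000.0  # the rate xkcd 936 assumes (assumption, not measured)


def entropy_bits(choices: int, length: int) -> float:
    """Entropy in bits of `length` symbols each drawn uniformly from `choices`."""
    return length * math.log2(choices)


def noun_plus_digits_bits(dictionary_size: int = 50_000, digits: int = 2) -> float:
    """'Proper noun plus a couple of digits': one word from a dictionary of
    `dictionary_size` (assumed), one capitalisation choice (1 bit) and `digits`
    trailing digits. Assumes the attacker already knows the pattern, which an
    automated attack effectively does."""
    return math.log2(dictionary_size) + 1 + entropy_bits(10, digits)


def passphrase_bits(words: int = 4, wordlist_size: int = 7776) -> float:
    """Four words chosen uniformly from a Diceware-size list."""
    return entropy_bits(wordlist_size, words)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every combination at a fixed guess rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def make_passphrase(words: int = 4, wordlist=SAMPLE_WORDS) -> str:
    """Pick the words with the CSPRNG, never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    weak = noun_plus_digits_bits()
    strong = passphrase_bits()
    print(f"noun+2 digits : {weak:5.1f} bits, {years_to_exhaust(weak) * 365 * 24:.1f} hours to exhaust")
    print(f"4 random words: {strong:5.1f} bits, {years_to_exhaust(strong):,.0f} years to exhaust")
    print("example passphrase (toy list):", make_passphrase())
```

The comparison is only fair if the words really are chosen at random; a phrase you pick yourself ("correct horse battery staple" itself, or a song lyric) is on the attacker's list too.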
tri boy
15th January 2012, 11:09
My M/card got hacked last week via the pro com engineering website. (was ordering an igniter for the scrambler).
Card services notified me next morning. Appears some dirty smelly frogs tried to use the details 2am that morning.
I rang pro com in the states, and apparently I was the third to report it.
Hackers need their digits slowly removed with a blunt hacksaw.
(they never got a cent, this time........:confused:)
mashman
15th January 2012, 11:19
If someone wants to break in to your email account, nothing will stop them. You can have the most complicated password in the world and it'll still get hacked. Making it as difficult as possible only delays the inevitable.
The Lone Rider
15th January 2012, 16:33
My newest "smart" phone came hard installed with telecom rubbish, and google cloud everything.
I managed to hack it to the root level, despite reservations I might brick my phone, but now I've removed all that crap and there should be no more cloud.
jrandom
15th January 2012, 16:55
If someone wants to break in to your email account, nothing will stop them. You can have the most complicated password in the world and it'll still get hacked. Making it as difficult as possible only delays the inevitable.
No. We're not talking about focused attacks here, actual attempts to get your password over and above anybody else's. None of you, much as your egos might prefer otherwise, are likely to ever be the targets of industrial espionage or international intrigue.
These hackings are crimes of opportunity - it's like buying a burglar alarm, not because it will make it impossible to steal stuff, but because it'll cause the criminals to go somewhere else.
mashman
15th January 2012, 18:01
No. We're not talking about focused attacks here, actual attempts to get your password over and above anybody else's. None of you, much as your egos might prefer otherwise, are likely to ever be the targets of industrial espionage or international intrigue.
These hackings are crimes of opportunity - it's like buying a burglar alarm, not because it will make it impossible to steal stuff, but because it'll cause the criminals to go somewhere else.
not a focussed attack but attempts to get your password :blink: ... leave my ego alone, what's she ever done to you.
Fair point, time is money etc... I guess it depends on how badly they want in.
Oblivion
15th January 2012, 22:54
My Mum had her Credit card details taken and used online to buy shit for Facebook. Something like 150$ was used, in a lot of 5-12$ purchases. The only thing that sucks, is that she only used her card online once, to buy Hell's pizza when they had some special for online purchases only.
It's so easy to get access to people's details online if you have even the basic hacking knowledge. I'm going to stick with paying for things in cash, until I'm forced to use a card. And if I want to buy things online, just use one of those Prezzy card things. You lose stuff all if someone finds out the card details.
pzkpfw
15th January 2012, 23:08
These hackings are crimes of opportunity ...
I needed a web server at home, so got Telecom to give me a fixed I.P. address and got my router to forward port 80 to an XP machine, with IIS, I had spare.
Had a look in the Windows Firewall log the other day, and saw a couple of sets of scans, from different I.P. addresses. All looking for what seemed to be admin pages for PHP based servers, and a few other similar things (which my server just gave 404's for).
My home I.P. isn't "advertised" anywhere, but already I've got scum scanning my server for known vulnerabilities.
So yeah. It's not that hard to program up something to scan for easy wins.
... - it's like buying a burglar alarm, not because it will make it impossible to steal stuff, but because it'll cause the criminals to go somewhere else.
Yep, decent passwords, open up only what's needed at a minimum etc. Make it harder.
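An added example (not pzkpfw's setup or code) of picking the scanners out of a web server log automatically: it parses a constructed IIS W3C-format log, since the request paths and the 404s live in the web log rather than the firewall log, and groups 4xx responses for well-known admin-page probes by client address. The field list, sample lines, addresses and the probe patterns are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended log format, with the field list cut
# down for the example. Addresses are documentation ranges, not real scanners.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2012-01-14 02:11:03 203.0.113.7 GET /phpmyadmin/index.php 404
2012-01-14 02:11:03 203.0.113.7 GET /phpMyAdmin/scripts/setup.php 404
2012-01-14 02:11:04 203.0.113.7 GET /pma/index.php 404
2012-01-14 02:11:04 203.0.113.7 GET /admin/index.php 404
2012-01-14 02:11:05 203.0.113.7 GET /wp-login.php 404
2012-01-14 09:30:12 192.0.2.10 GET /index.html 200
2012-01-14 09:30:13 192.0.2.10 GET /photos/bike.jpg 200
2012-01-14 09:31:40 192.0.2.10 GET /photos/missing.jpg 404
2012-01-14 17:45:01 198.51.100.23 GET /mysql/admin/ 404
2012-01-14 17:45:01 198.51.100.23 GET /myadmin/scripts/setup.php 404
2012-01-14 17:45:02 198.51.100.23 GET /w00tw00t.at.ISC.SANS.DFind:) 400
"""

# Paths that nothing on this server serves but that mass scanners ask for anyway
# (assumed list; extend from your own logs).
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"phpmyadmin", r"/pma/", r"/myadmin", r"/mysql", r"setup\.php$",
    r"/admin", r"wp-login\.php", r"w00tw00t",
)]


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields: header for the keys."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or unexpected line; skip rather than guess
        yield dict(zip(fields, parts))


def looks_like_probe(path):
    return any(p.search(path) for p in PROBE_PATTERNS)


def find_scanners(text, min_probes=3):
    """Map client IP -> sorted list of distinct probe paths that got a 4xx,
    keeping only clients with at least `min_probes` distinct probes. A single
    404 on a real page (the missing photo above) is not enough to flag anyone."""
    probes = defaultdict(set)
    for rec in parse_w3c(text):
        if rec["sc-status"].startswith("4") and looks_like_probe(rec["cs-uri-stem"]):
            probes[rec["c-ip"]].add(rec["cs-uri-stem"])
    return {ip: sorted(paths) for ip, paths in probes.items() if len(paths) >= min_probes}


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_IIS_LOG).items():
        print(ip, "probed", len(paths), "known admin paths:", ", ".join(paths))
```

Run it over the real log file by replacing SAMPLE_IIS_LOG with the file contents; the output is a starting point for a firewall block list, and the pattern list doubles as a checklist of things that should never exist on the server in the first place.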
jonbuoy
16th January 2012, 00:57
I had a workmate whose Hotmail got hacked. He has no idea how it happened, and it took a while to get control back. I have no idea how they managed it - how is it possible to launch a dictionary attack on an online email account? Isn't there some sort of timeout on failed attempts to access Hotmail/Gmail accounts to determine if it's a real person or a dictionary attack from a computer? Hard to believe they randomly chose both his email address and password purely by luck. Even harder to believe the Hotmail/Gmail servers sat there processing thousands of failed logons to the same account without locking it out. Surely they could use some sort of exponential time delay like BIOS/car stereo passwords use? The more failed attempts, the longer you have to wait before trying again.
jonbuoy
16th January 2012, 00:59
No. We're not talking about focused attacks here, actual attempts to get your password over and above anybody else's. None of you, much as your egos might prefer otherwise, are likely to ever be the targets of industrial espionage or international intrigue.
These hackings are crimes of opportunity - it's like buying a burglar alarm, not because it will make it impossible to steal stuff, but because it'll cause the criminals to go somewhere else.
Exactly, if they can hack Stratfor/Amazon successfully the only reason they haven't hacked your email/home server is because they haven't bothered.
jrandom
16th January 2012, 17:40
Exactly, if they can hack Stratfor/Amazon successfully the only reason they haven't hacked your email/home server is because they haven't bothered.
Then again, Stratfor was an unexpectedly weak target, and I don't recall the details of historical Amazon issues, other than the vague idea that it was a DDoS rather than an actual intrusion?
jonbuoy
16th January 2012, 20:10
Then again, Stratfor was an unexpectedly weak target, and I don't recall the details of historical Amazon issues, other than the vague idea that it was a DDoS rather than an actual intrusion?
Me neither, they got Sony good and proper though. Stratfor global intelligence who kept customer credit cards on a text spreadsheet :laugh:
jrandom
16th January 2012, 20:38
Stratfor global intelligence who kept customer credit cards on a text spreadsheet :laugh:
I'm not sure why people expect geopolitical analysts to know how to set up a web server.
Post hack they've clearly stated that they made the mistake of not investing in their infrastructure as the business grew. Someone would've chucked that shit together for them years ago and they just wouldn't have understood its limitations. It still worked, after all. It's easy to laugh at them in hindsight, but there but for the grace of God, etc.
Teflon
16th January 2012, 21:34
I've been talking to this chick that I bought motorcycle fairings off via MSN for just over a year now and she has always been polite and professional. Well last week she logged on with a half naked Asian chick as her profile pic asking me to cam with her... thank fuck I couldn't get the webcam mic working. She's back to normal now.
jonbuoy
17th January 2012, 09:51
I'm not sure why people expect geopolitical analysts to know how to set up a web server.
Post hack they've clearly stated that they made the mistake of not investing in their infrastructure as the business grew. Someone would've chucked that shit together for them years ago and they just wouldn't have understood its limitations. It still worked, after all. It's easy to laugh at them in hindsight, but there but for the grace of God, etc.
Yeah but they promote themselves as global political and security analysts, painted a pretty big target on their heads with that title.
jrandom
17th January 2012, 10:48
Yeah but they promote themselves as global political and security analysts
Security security. Guns and bombs and border fences. Not website hacking.
Then again, George Friedman did write a piece on the Anonymous campaign against the Mexican cartels recently. I expect that got Stratfor some attention in new circles.
mashman
17th January 2012, 10:52
Amazon-owned retailer Zappos.com hacked (http://www.itpro.co.uk/638323/amazon-owned-retailer-zappos-com-hacked) ... "Up to 24 million customers are affected in one of the bigger hacks of the past 12 months."
steve_t
17th January 2012, 10:56
One of my employees had her email hacked. Her password was '12345678' :brick:
My cousin had his email account hacked. His password was 'letmein' :facepalm:
I'm surprised neither of these computer illiterate people were using 'password11' :bash:
oneofsix
17th January 2012, 11:10
One of my employees had her email hacked. Her password was '12345678' :brick:
My cousin had his email account hacked. His password was 'letmein' :facepalm:
I'm surprised neither of these computer illiterate people were using 'password11' :bash:
I like 'no_password'.
There are a number of computer literate people that use disposable passwords for accounts like Gmail, Hotmail etc. These are relatively simple, easy to remember passwords that aren't used elsewhere. The idea being that the public email providers are such hacker targets that they aren't worth the effort of a really secure password, and it is certainly too risky to use one that you have used elsewhere, like your bank :argh:
Kermit250
18th January 2012, 10:58
If someone wants your hotmail\gmail\yahoo details etc, they are asking for trouble and wasted time by attacking those servers.
Instead it is quite simple to create an application which simply provides that information for you (i.e. virus on your computer to send details back home).
Sure password strength may deter the opportunist but the real risk to your details is your own computer security.
The amount of half arsed attempts at security on the home PC that I have found is appalling!
jonbuoy
18th January 2012, 19:33
If someone wants your hotmail\gmail\yahoo details etc, they are asking for trouble and wasted time by attacking those servers.
Instead it is quite simple to create an application which simply provides that information for you (i.e. virus on your computer to send details back home).
Sure password strength may deter the opportunist but the real risk to your details is your own computer security.
The amount of half arsed attempts at security on the home PC that I have found is appalling!
Possibly, but the guy in question is a bit of a Mac fanboy. I scanned his MacBook for keyloggers and "viruses", nothing; his wifi is secure and he hasn't used an internet cafe or hotspot. Bizarre.
Kermit250
19th January 2012, 12:49
Being on a Mac doesn't mean squat as far as security wise, in the past there was very little in the way of attacks on the Mac OS platform simply because it was such a minority and not really worth the time (why make a virus to attack 10 people when you can attack 100?).
And scanned it with what application? Was it up to date? Do they have a friend\spouse\etc that may know the details for the account? Is the Macbook the only device on that network? What method of encryption was used on the wireless network? etc? etc? etc?
Essentially what I'm trying to say is: you could try and safeguard against everything but something will always get you, but in the case of a lot of average users it's an issue of no security or completely inadequate security.
Meh...
oneofsix
19th January 2012, 12:57
Essentially what I'm trying to say is: you could try and safeguard against everything but something will always get you, but in the case of a lot of average users it's an issue of no security or completely inadequate security.
You have kind of said it all there. If you try to guard against everything and are still going to get hit, why not save your time and energy and just get on with life? A bit like worrying about the big one in Wellington or a volcano in Auckland, you live and turn a blind eye to the risk.
What isn't said is how hard and annoying it is to keep up a good security position. You can't just rely on Norton or some other suite. Who is going to bother with that when all they want to do is tell their FaceFriends where they are going for lunch, implied lack of physical security in case you non-burglar types missed it.
george formby
19th January 2012, 12:58
My M/card got hacked last week via the pro com engineering website. (was ordering an igniter for the scrambler).
Card services notified me next morning. Appears some dirty smelly frogs tried to use the details 2am that morning.
I rang pro com in the states, and apparently I was the third to report it.
Hackers need their digits slowly removed with a blunt hacksaw.
(they never got a cent, this time........:confused:)
You too? Same thing happened to my mate, traced back to a "logistics" company in France. $4000!
Scuba_Steve
19th January 2012, 13:02
I had a workmate whose Hotmail got hacked. He has no idea how it happened, and it took a while to get control back. I have no idea how they managed it - how is it possible to launch a dictionary attack on an online email account? Isn't there some sort of timeout on failed attempts to access Hotmail/Gmail accounts to determine if it's a real person or a dictionary attack from a computer? Hard to believe they randomly chose both his email address and password purely by luck. Even harder to believe the Hotmail/Gmail servers sat there processing thousands of failed logons to the same account without locking it out. Surely they could use some sort of exponential time delay like BIOS/car stereo passwords use? The more failed attempts, the longer you have to wait before trying again.
If someone wants your hotmail\gmail\yahoo details etc, they are asking for trouble and wasted time by attacking those servers.
Hotmail (until a couple of days ago) was susceptible to brute force hacking. In fact the latest theory behind the 360 hacking is hackers are finding a gamer name, googling the Windows Live ID/email associated with it, then performing a brute force hack on Hotmail (now hackers are limited to 20 attempts).
"Before it would just let you try over and over," "But now ... they handle the sign in request on the server in a way that it will stop replying after about 20 attempts."
oneofsix
19th January 2012, 13:21
Hotmail (until a couple of days ago) was susceptible to brute force hacking. In fact the latest theory behind the 360 hacking is hackers are finding a gamer name, googling the Windows Live ID/email associated with it, then performing a brute force hack on Hotmail (now hackers are limited to 20 attempts).
20 attempts from a farm of zombies? What happens after the 20 attempts, and what is the timeout on whatever it is? For concerns like Hotmail they don't want to deal with users requesting account unlocks, so if they use account locking after 20 attempts then they probably also use account unlocking after a preset time. Still makes them a good target to farm more zombies from.
Kermit250
19th January 2012, 13:22
That's some seriously shit house security on Microsoft's behalf that it took them that long to implement basics, which coincidentally they teach degree level papers on network security etc. which goes well beyond all this.
Perhaps they should read their own books once in a while, wait maybe they got bored reading the EULA? LOL
Well in a way I'm kind of glad that a large proportion of users out there don't know a thing about security.... keeps people like me in a job :innocent:
Kermit250
19th January 2012, 13:23
That sounded dodgy, I meant as far as repairing their systems and implementing security measures lol :sweatdrop
oneofsix
19th January 2012, 13:28
That's some seriously shit house security on Microsoft's behalf that it took them that long to implement basics, which coincidentally they teach degree level papers on network security etc. which goes well beyond all this.
Perhaps they should read their own books once in a while, wait maybe they got bored reading the EULA? LOL
Well in a way I'm kind of glad that a large proportion of users out there don't know a thing about security.... keeps people like me in a job :innocent:
You are talking of the company that originally thought that you should be able to hit Esc on the logon screen and pass through to full access.
This is why there is an underlying feeling that Macs and Unix-based systems (incl. Linux) have better security. On Unix-based machines you always had to have a valid logon to get access. They (Unix developers) understood from day 1 that security meant keeping unauthorised people out. Whereas MS have always focused on usability at the expense of security: make it easy for the CEO to use so he will buy them for the company.
Scuba_Steve
19th January 2012, 13:44
20 attempts from a farm of zombies? What happens after the 20 attempts, and what is the timeout on whatever it is? For concerns like Hotmail they don't want to deal with users requesting account unlocks, so if they use account locking after 20 attempts then they probably also use account unlocking after a preset time. Still makes them a good target to farm more zombies from.
The 20 attempts is based on the Live ID (so the number of computers will only help to achieve lockout sooner). Once that has been tried 20 times the server will stop responding; previous to this it was unlimited attempts in 8-try bursts.
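The throttle jonbuoy asks about and the per-Live-ID limit Scuba_Steve describes, as an added example that is not Microsoft's code and not from any post in this thread: failures are keyed on the account name rather than the source address, so the zombie-farm case oneofsix raises does not reset the count, and a locked account releases on its own after a fixed period, which is the automatic unlock oneofsix guesses at. The simulation compares no throttle, a bare 20-attempt lockout, and exponential delay over a one-hour budget; the delays, thresholds, wordlist, account name and password are assumptions.

```python
import secrets
import time


class LoginThrottle:
    """Per-account failed-login throttle (added example, not any provider's code).

    Failures are counted per account, not per source address, so a botnet that
    spreads guesses across many machines hits the same counter. Each failure
    doubles the delay before the next attempt on that account is even checked;
    after `max_failures` the account is refused for `lockout_seconds`, then it
    unlocks by itself so no helpdesk ticket is needed."""

    def __init__(self, base_delay=1.0, max_failures=20, lockout_seconds=900,
                 clock=time.monotonic):
        self.base_delay = base_delay
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._state = {}  # account -> (failure count, earliest time of next processed attempt)

    def attempt(self, account, password, check_password):
        """Returns (status, retry_after_seconds); status is 'ok', 'denied' or 'throttled'."""
        now = self.clock()
        failures, not_before = self._state.get(account, (0, 0.0))
        if now < not_before:
            # Refused before the password store is consulted: a throttled guess costs nothing.
            return "throttled", not_before - now
        if check_password(account, password):
            self._state.pop(account, None)
            return "ok", 0.0
        failures += 1
        if failures >= self.max_failures:
            wait = float(self.lockout_seconds)
        else:
            wait = self.base_delay * 2 ** (failures - 1)
        self._state[account] = (failures, now + wait)
        return "denied", wait


class FakeClock:
    """Controllable clock so the simulation runs instantly instead of sleeping."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


# Constructed credential store: one account whose passphrase is not in the attacker's list.
REAL_PASSWORD = "igniter scrambler router plaster"
WORDLIST = [f"password{i}" for i in range(1000)]


def check_password(account, password):
    return account == "victim" and secrets.compare_digest(password, REAL_PASSWORD)


def run_dictionary_attack(throttle, clock, account, wordlist, budget_seconds):
    """Attacker walks the wordlist, sleeping whenever told to. Which machine sends
    each guess is irrelevant: the throttle never looks at it. Returns how many
    guesses were actually checked against the store before the budget ran out."""
    checked = 0
    deadline = clock.t + budget_seconds
    words = iter(wordlist)
    word = next(words, None)
    while word is not None:
        status, wait = throttle.attempt(account, word, check_password)
        if status == "ok":
            return checked + 1
        if status == "denied":
            checked += 1
            word = next(words, None)
        if wait > 0:
            if clock.t + wait > deadline:
                break
            clock.advance(wait)
    return checked


def guesses_per_hour(base_delay, max_failures=20, lockout_seconds=900):
    clock = FakeClock()
    throttle = LoginThrottle(base_delay, max_failures, lockout_seconds, clock=clock)
    return run_dictionary_attack(throttle, clock, "victim", WORDLIST, 3600)


if __name__ == "__main__":
    print("no throttle  :", guesses_per_hour(0.0, max_failures=10**9), "guesses checked in an hour")
    print("lockout only :", guesses_per_hour(0.0), "guesses checked in an hour")
    print("exponential  :", guesses_per_hour(1.0), "guesses checked in an hour")
```

The flip side is the one oneofsix hints at: because the counter is per account, anyone who knows your address can lock you out by guessing wrong on purpose, which is why the lockout expires automatically and why the exponential delay (which never fully locks the real user out) is the gentler of the two mechanisms.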
avgas
19th January 2012, 14:12
In google/gmails defense I was pleasantly surprised when overseas attempts were made on my account. Soon as I logged in again, it checked where my account was last attempted access (it failed by the way) and asked me if I happened to be in Africa or China (happened twice). I ticked the 'no' and it then prompted me to change my password.
Handy little feature.
Turned out 1 attempt was a netcafe I went to 5 years ago, still had some of my details, and the other was a android tablet I sold on trademe. So not real hackers - but I thought it was a nice attempt of simple security.
As I have said before to a workmate......solid bricks of security are only as strong as the plaster holding them together. Someone can always hack your password - hell, they can read a few 802.11g packets via Wireshark, nek minit your Facebook photo is of goatse.
(not that I have ever done such a thing)
jrandom
19th January 2012, 15:08
Someone can always hack your password - hell, they can read a few 802.11g packets via Wireshark, nek minit your Facebook photo is of goatse.
(not that I have ever done such a thing)
People like you are why I connect to Facebook via SSL.
[screenshot: http://i41.tinypic.com/ielbw3.png]
jonbuoy
19th January 2012, 18:44
Being on a Mac doesn't mean squat as far as security wise, in the past there was very little in the way of attacks on the Mac OS platform simply because it was such a minority and not really worth the time (why make a virus to attack 10 people when you can attack 100?).
And scanned it with what application? Was it up to date? Do they have a friend\spouse\etc that may know the details for the account? Is the Macbook the only device on that network? What method of encryption was used on the wireless network? etc? etc? etc?
Essentially what I'm trying to say is: You could try and safeguard against everything but something will always get you but in the case of a lot of average users its an issue of no security or completely inadequate.
Meh...
True that Mac users feel a little too secure and a wee bit smug, but this guy is usually pretty aware of risks in free wifi hotspots etc. Network is as secure as it can be: not many users on it, all trusted people, Untangle firewall, wireless doesn't reach far off a ship. ClamXav was used to scan, nothing found, and since we got control back of his account no problems.
jonbuoy
19th January 2012, 19:14
Security security. Guns and bombs and border fences. Not website hacking.
Then again, George Friedman did write a piece on the Anonymous campaign against the Mexican cartels recently. I expect that got Stratfor some attention in new circles.
We have security teams onboard for certain trips - these are the front line guys and they are all fully aware that hacking and cracking is the new phone tapping/bugging. They might not be IT experts but they are aware and have consultants. Sure the Stratfor IT team were aware as well, maybe management weren't listening, who knows.