12 March 2011
In the previous post I said that I thought there were only two possible ways that a hacker could have gained entry to my Hotmail account: mind-reading or brute force.
There is actually a third possibility I failed to mention. I used to log in to my Hotmail account via this page:
I should have been using this page:
Notice the difference?
The page I should have been using has been verified by VeriSign to be an authentic Microsoft website (hence the green banner in the URL bar), and it is also a “secure page” that will protect my username and password from “eavesdroppers”. I know this because the URL for the second page starts with https rather than just http.
The reason the second page is deemed secure is that when I enter my username and password, that information is passed along to Microsoft’s servers through an encrypted tunnel. The concept is very similar to VPN security, which I’ve written about before.
The upshot is that the second website will prevent eavesdropping and man-in-the-middle attacks, both of which can be a problem if you are sending important information (like username and password details) through the internet while using a wi-fi hotspot.
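An added example (not from the post and not Microsoft's code) that checks the difference the post describes: given a login page's URL and HTML, it resolves every form's action and reports whether the credentials would leave over plain http, over https, or over https from a page that itself arrived unprotected. The example.com URLs and sample forms are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormActionParser(HTMLParser):
    """Collect the action attribute of every <form> element on a page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or empty action submits back to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def form_targets(page_url, html):
    """Resolve each form action against the page URL; return (url, scheme) pairs."""
    parser = _FormActionParser()
    parser.feed(html)
    targets = []
    for action in parser.actions:
        absolute = urljoin(page_url, action)
        targets.append((absolute, urlsplit(absolute).scheme.lower()))
    return targets


def classify_login_page(page_url, html):
    """'ok'        : page and every form action use https
       'cleartext' : at least one form posts credentials over plain http
       'mixed'     : the form posts to https, but the page itself arrived over http,
                     so a man in the middle could rewrite the action before submit
       'no-form'   : nothing on the page submits anything"""
    targets = form_targets(page_url, html)
    if not targets:
        return "no-form"
    if any(scheme != "https" for _, scheme in targets):
        return "cleartext"
    if urlsplit(page_url).scheme.lower() != "https":
        return "mixed"
    return "ok"


# Constructed sample pages standing in for the two login pages in the post.
PLAIN_PAGE = '<form action="/login" method="post"><input name="user"></form>'
SECURE_PAGE = '<form action="https://login.example.com/login" method="post"></form>'

if __name__ == "__main__":
    print(classify_login_page("http://login.example.com/", PLAIN_PAGE))    # cleartext
    print(classify_login_page("https://login.example.com/", SECURE_PAGE))  # ok
```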
Perhaps my email account got hacked last year because I logged on through the unsecure site while using a public wi-fi network somewhere. Don’t make that mistake.
Dear Hotmail…
If you’re listening, please remove your unsecured log in page from the web!
19 February 2011
Last year, I was annoyed (and, admittedly, impressed) that someone hacked into my Hotmail account. There were only two ways someone could have got in: they read my mind or they set a machine to guessing for a very long time and the machine eventually guessed right.
At the time, I implored Hotmail to change their security system so that guessers would have to enter a CAPTCHA with every few wrong guesses. That would slow them down enough to make it nearly impossible to brute force their way into any account with a reasonably strong password.
I doubt the Hotmail folks read this blog and decided to pull up their socks as a result, but I was delighted to see, upon my most recent Hotmail login attempt, a similar change to the one I recommended (see picture below). My account is obviously still under siege, and Hotmail is preventing too many password guesses. The only downside is that they won’t let me into my account, either.
So I feel satisfied that Hotmail now has security features that will keep my account safe, even without the strongest possible password. Just in case, though, I’ve updated my password to be ultra-strong. It’s more than 16 characters long (I don’t want to say exactly how long, because that would make it easier for a hacker to guess), and contains numbers, letters, and freaky characters. It looks something like this: gA4wL[l0iX+yJ$j1. Hackers, I wish you good luck.
14 July 2010
An old and out-of-use Hotmail account, which I log into every couple of months just to prevent Hotmail from letting my account expire, was hacked in late May. Whoever or whatever (I suspect it was a machine) hacked into my account didn’t do anything terribly malicious. They simply borrowed my address for a month and sent out loads of spam to everyone on my contact list and many more who were not. Sorry! And thanks to the friend whom I inadvertently spammed and who gave me the heads-up about the problem.
What Went Wrong
I have no way of knowing how my account was compromised, but I suspect a brute force attack. Hotmail doesn’t lock accounts or insert any other barrier after a few (or even many) unsuccessful password entry attempts, so a machine could go on happily guessing at least one password per second for as long as it took to find the right one. Unfortunately, I made that process easier by having a password that was all lowercase and lacked special characters. Worse, even though I change most passwords every three or four months, I hadn’t changed that password since I opened the account. It wasn’t a giveaway password – it was 8 digits long and had a combination of letters and numbers – but I could have and should have done more.
Thankfully, the hackers didn’t change the locks while they were making use of my little piece of online real estate, and I was able to log in and reclaim full possession of the account. I set the new password to be extra robust.
Dear Hotmail…
And if anybody from Hotmail stumbles across this post: please consider asking people and machines who get their passwords wrong, say, five times in a row to pass a CAPTCHA test. Gmail does it. You should, too.
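An added example, not from the post and not Hotmail's or Gmail's code, of the server-side rule asked for here and in the 19 February post: count consecutive failed logins per account and demand a CAPTCHA once the streak reaches five, so an unattended guessing machine is stopped after a handful of tries. The threshold, the one-hour window and all names are assumptions; verifying the CAPTCHA answer itself is left to the caller.

```python
import time


class LoginThrottle:
    """Count consecutive failed logins per account and demand a CAPTCHA once the
    streak reaches max_failures. The count is keyed by account, not by client
    address, so a guessing machine cannot reset it by switching IP addresses."""

    def __init__(self, max_failures=5, window_seconds=3600, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock            # injectable for deterministic testing
        self._state = {}              # account -> (failures, time of last failure)

    def _failures(self, account):
        failures, last = self._state.get(account, (0, 0.0))
        if failures and self.clock() - last > self.window:
            return 0                  # streak is stale, forget it
        return failures

    def captcha_required(self, account):
        return self._failures(account) >= self.max_failures

    def attempt(self, account, check_password, captcha_ok=False):
        """check_password: callable doing the real credential check; it is only
        called if the throttle lets the attempt through. captcha_ok: a CAPTCHA was
        solved and verified server-side by the caller.
        Returns 'captcha_required', 'success' or 'failure'."""
        if self.captcha_required(account) and not captcha_ok:
            return "captcha_required"   # refuse before even checking the password
        if check_password():
            self._state.pop(account, None)   # a real login resets the streak
            return "success"
        self._state[account] = (self._failures(account) + 1, self.clock())
        return "failure"


def unattended_guesses(throttle, account, candidates, real_password):
    """How many candidates a machine with no CAPTCHA solver gets to try before the
    throttle shuts it out. Returns (guesses_checked, found)."""
    checked = 0
    for guess in candidates:
        result = throttle.attempt(account, lambda: guess == real_password)
        if result == "captcha_required":
            return checked, False
        checked += 1
        if result == "success":
            return checked, True
    return checked, False
```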
21 May 2010
Suppose you found out that a Russian hacker was selling access to hacked Facebook accounts for a mere $0.025 – $0.045 each, and that the hacker had 1,500,000 accounts to hawk. Should you be worried?
Risk vs. Effort
As it happens, this threat seemed plausible at one point last month. Now it appears that the danger was probably exaggerated (although that’s what the Facebook folks would say, isn’t it?):
Facebook’s assessment of Kirllos is that he is a low-level player and that he had nowhere near the 1.5 million accounts he advertised. Most likely, he had a few hundred accounts, most of which he likely created himself. Through some interesting and impressive forensic work, the Facebook security team identified the real Facebook accounts owned by Kirllos, reset the passwords, and notified the account owners.
But for fun, let’s take the hacker’s advertising at face value. How big of a risk is it to you, the average Facebook account holder? Well, to start with, there are over 400 million Facebook accounts, so the chances that yours is among the 1.5 million currently on sale are less than half of one percent.
I’ve written before that the prices criminals are willing to pay for your account details are good indicators of the magnitude of the risk. In this case, if the value of each Facebook account is less than 5 cents, criminal buyers must not be expecting much more than the value of their time as a return on hacking into accounts.
You should be much more concerned about your bank account login details getting stolen, as that information apparently sells for about 1% of the account balance. In other words, buyers of this information expect a reasonable payoff in exchange for their investment and the risks they are taking.
So my take on the Facebook news is that it was initially alarming, but probably nothing to get worked up about. Of course, there’s no harm in updating and/or upgrading your Facebook password if you haven’t done so in a while.
24 April 2010
Read this list of commonly used passwords and see if you get a little nervous. Double twangs of deserved nervousness if you use the same password for every account.
The post has some solid advice about making and managing great passwords, too.