Introduction
The following series aims to cover some basics on how to improve the security of your email address. Inside, I will try to cover some good ways to protect the most important part of your online presence, i.e. your email address; following that will be some good password suggestions, advice on how to prepare for a disaster beforehand, and how to deal with it after it has happened.
Please do leave a comment and let me know what you think!
Having an email address hacked can elicit different responses from different people. Some just think it’s a terrible inconvenience to not have their name as their email anymore, while some may worry about who hacked in the first place. The fact of the matter is that not many people realize the significance of their personal email address and the implications of it getting hacked, for any and all intents, whether criminal or just amusement.
An email address – especially if it’s the only one you have – can potentially contain a timeline of what you do online. Website registration emails, personal and even business dealings, newsletters and subscriptions can all be pieced together to develop a sufficiently accurate description of who you are.
While that is in itself adequate motive to be careful with your email address, it’s not the only reason to be cautious. If stolen, your personal information can be misused heavily, with you bearing the price. For many people, the email address is the chink in the online armor, and once a hacker has access to that, he or she can potentially access other online resources which you keep information with. The “forgotten password” feature can be used maliciously to gain access to another databank once the hacker has your email address.
Your email address is one of the most important things to protect online. If the thought of a pimply script-kiddy in a far away land snooping through your email sends a chill up your spine, following are some tips and advice to help you secure your email address and keep it private.
Preventive Measures
Passwords
The password is the key that unlocks your email address. Unfortunately, many users tend to keep it as simple as possible so it is easier for them to remember. One thing to note, however, is that this also makes it very easy for a hacker to guess or crack. A surprisingly large number of people simply use their email address as their password as well, and other common choices include names and birthdays, which are also quite easy to crack.
As a general rule, your password should be at least 7 characters long. Inserting a few capital letters, numbers, or special characters such as @ and # in your password to make something like: pAss678wOrds will make it very difficult for a hacker to crack. And since online services tend to have a limit to the number of login attempts, it is likely that the hacker will not be able to guess successfully.
However, passwords with alpha-numeric and upper-case/lower-case combinations can be hard to remember; pAss678wOrds is quite forgettable!
So one way of creating good passwords is to combine a single baseword with a different combination of letters and numbers that corresponds to the site you’re making the password for. Your baseword would be constant throughout all your passwords (to make it easy to remember), but the end section would change with every site. For example, if I choose joota1990 as my baseword (joota means shoe in Urdu) and the site I’m making this password for is Facebook, my password would become: joota1990facebook.
- Joota: shoe, in the Urdu language
So the password structure is this: <baseword> + <website’s name>
To further obscure my password, I could make my baseword joota@1990 so my password would become joota@1990facebook. If I want another password for Gmail, it can be joota@1990gmail or joota@1990googlemail. For additional obscurity, you can use alternative names of the site you’re making the password on; for example, using stock symbols — so a password for Google could be joota@1990goog, and one for Amazon could be joota@1990amzn.
Now, my password structure has become: <baseword> + <(symbols) / (punctuation)> + <(website’s name) / (other unique string that identifies the site for you)>
An added advantage to having a baseword in Roman Urdu is that it adds millions of other possible combinations the hacker must take into account. Moreover, Urdu being our first language, it might be easier to remember an Urdu baseword. You might even use any other language that you might know to make a good baseword. Or even combinations of different languages — go wild!
You only need to memorise the baseword, and even if you can’t, writing it down somewhere won’t hurt much, because no one would understand what joota@1990 means; no one would be able to use it because they don’t know where it applies and won’t know what the other section of the password is (even if they do realize it’s part of a password).
Some good choices for a baseword are a combination of your name, an obscure word and your date of birth. Use your favorite Roman Urdu word and a number; or even the initials of your mother’s complete maiden name along with her birthday.
Of course, the above tips are generalized, and I strongly recommend you use them only as guidelines in creating your own password structure. The trick is to create a string that looks complex to strangers, but is easy to remember for you. Try to think of a password structure for yourself – one that you think is unique to you.
You might then want to check the strength of your password at Microsoft’s Password Strength Checker to see how it might fare against a dictionary attack.
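As an added example (not from the article or from Microsoft’s checker), here is a small Python script that applies the rules from this section to a candidate password: the minimum length of 7, the mix of character classes, the warning against using your email address as the password, and a dictionary check against a constructed word list. It also adds two checks the article does not spell out: it flags a password that contains the site’s name verbatim and one that contains a four-digit year, because a single leaked password of that form reveals the structure used everywhere else. The word list and the sample inputs are constructed for the example.

```python
import math
import re
import string

# Constructed mini word list standing in for a real dictionary-attack list.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "123456", "iloveyou"}


def character_classes(pw: str) -> dict:
    """Report which character classes the password draws from."""
    return {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def keyspace_bits(pw: str) -> float:
    """Naive brute-force estimate: log2(alphabet_size ** len(pw)).

    The alphabet size is the sum of the sizes of the classes actually used,
    so pAss678wOrds (lower + upper + digit, 12 chars) scores 12 * log2(62).
    This ignores dictionary structure, which is why weaknesses() exists.
    """
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    used = character_classes(pw)
    alphabet = sum(sizes[k] for k, v in used.items() if v)
    if alphabet == 0 or not pw:
        return 0.0
    return len(pw) * math.log2(alphabet)


def weaknesses(pw: str, email: str = None, site: str = None, wordlist=COMMON_WORDS) -> list:
    """Return a list of problems; an empty list means no rule fired."""
    problems = []
    low = pw.lower()
    if len(pw) < 7:
        problems.append("shorter than 7 characters")
    if sum(character_classes(pw).values()) < 2:
        problems.append("uses a single character class")
    if email and low in (email.lower(), email.lower().split("@")[0]):
        problems.append("password equals the email address or its local part")
    if any(w in low for w in wordlist):
        problems.append("contains a common dictionary word")
    # Extra check beyond the article: a verbatim site name means one leak
    # exposes the baseword + site pattern for every other account.
    if site and site.lower() in low:
        problems.append("contains the site name verbatim")
    # Extra check beyond the article: birth years are tried very early.
    if re.search(r"(19|20)\d{2}", pw):
        problems.append("contains a four-digit year")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, email, site in [
        ("pAss678wOrds", None, None),
        ("joota@1990facebook", None, "facebook"),
        ("alice", "alice@example.com", None),
        ("Password1!", None, None),
    ]:
        print(pw, round(keyspace_bits(pw), 1), "bits", weaknesses(pw, email, site))
```

The bit estimate is only the brute-force upper bound; a password that contains a dictionary word or a guessable year is much cheaper to crack than its length suggests, which is exactly what the weaknesses() list is meant to surface.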
Backup
In preparing for the worst, data backup is the first thing you should think about. Email is an integral part of everything we do online, and losing so much information can be disastrous. So backup your emails (or at least the ones from your primary account), even if you don’t think you’ll ever need it!
If you’re running a POP email account with Outlook or Thunderbird, your mail is (most likely) already being downloaded onto your computer. Microsoft has a support article on how to back up email in Outlook, and here’s another article that walks you through the process.
For Mozilla Thunderbird, you can either do it manually, or use MozBackup to back things up.
If you’re using a web-based email service (such as Yahoo! Mail, Gmail, Windows Live Mail or Hotmail), things might not be so easy, because these services don’t offer a “download your email” option.
Gmail is the only provider that offers POP3 and IMAP access for free, and that makes things very easy. If you’re a Gmail user, Lifehacker has a post that rounds up ways to back up Google Apps data, including your emails from Gmail — methods include using Thunderbird (and POP3) or fetchmail.
Yahoo! Mail users were out of luck until a few weeks ago, when the Yahoo! Zimbra Desktop (YZD) application was launched. YZD is the first time Yahoo! Mail (free) users are able to use an IMAP-like service for offline access to their email. If you have a Mail Plus account ($20/yr), however, you have access to IMAP and mail forwarding as well; you can use Thunderbird to back up email, or forward your mail to another address.
Windows Live Mail (and Hotmail) also does not provide POP3 or IMAP access to free users, but it does give the option of forwarding email to another address, which can be used to set up a backup archival system. Here’s an article that will walk you through how to automatically forward mail from a Windows Live account. With this setup, you can forward your mail to a Gmail account (one copy), and to download it to your computer, use the methods for backing up mail from Gmail (see above).
Alternatively, you can use a program like MailStore to backup your email from multiple POP/IMAP accounts. MailStore can also back up to external media, such as a thumbdrive or DVDs.
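The IMAP route described above (Gmail, or any provider that gives you IMAP) can also be scripted instead of going through Thunderbird or fetchmail. The following is an added example, not code from the article or from any of the tools it links: it downloads every message in a folder over IMAP-over-TLS and appends it to a local mbox file, skipping messages already present so the backup can be re-run. The host name, credentials and folder are parameters you would supply; the sample messages and the demo_roundtrip() helper are constructed so the mbox part can be exercised offline.

```python
import email
import imaplib
import mailbox
import os
import tempfile
from typing import Iterable


def fetch_all_raw(host: str, user: str, password: str, folder: str = "INBOX") -> Iterable[bytes]:
    """Yield every message in `folder` as raw RFC 822 bytes over IMAPS.

    Assumes the provider exposes IMAP for this account (the article notes Gmail does).
    The folder is opened read-only so a backup can never alter the mailbox.
    """
    conn = imaplib.IMAP4_SSL(host)
    try:
        conn.login(user, password)
        conn.select(folder, readonly=True)
        status, data = conn.search(None, "ALL")
        if status != "OK":
            return
        for num in data[0].split():
            status, parts = conn.fetch(num, "(RFC822)")
            if status == "OK" and parts and isinstance(parts[0], tuple):
                yield parts[0][1]
    finally:
        conn.logout()


def append_to_mbox(raw_messages: Iterable[bytes], path: str) -> int:
    """Append messages to a local mbox, deduplicating on Message-ID.

    Returns the number of messages actually added, so a re-run that adds 0
    tells you the archive was already complete.
    """
    box = mailbox.mbox(path)
    try:
        seen = {m["Message-ID"] for m in box if m["Message-ID"]}
        added = 0
        for raw in raw_messages:
            msg = email.message_from_bytes(raw)
            mid = msg["Message-ID"]
            if mid and mid in seen:
                continue
            box.add(mailbox.mboxMessage(msg))
            seen.add(mid)
            added += 1
        box.flush()
        return added
    finally:
        box.close()


def backup_imap(host: str, user: str, password: str, path: str, folder: str = "INBOX") -> int:
    """Full pipeline: IMAP fetch -> local mbox. Returns messages added."""
    return append_to_mbox(fetch_all_raw(host, user, password, folder), path)


# Constructed sample messages standing in for what IMAP would return.
SAMPLE_MESSAGES = [
    b"From: a@example.com\r\nTo: me@example.com\r\nMessage-ID: <1@example.com>\r\n"
    b"Subject: one\r\n\r\nfirst message\r\n",
    b"From: b@example.com\r\nTo: me@example.com\r\nMessage-ID: <2@example.com>\r\n"
    b"Subject: two\r\n\r\nsecond message\r\n",
]


def demo_roundtrip():
    """Back up the samples twice into a temporary mbox and return
    (added on first run, added on second run, messages now stored)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "backup.mbox")
        first = append_to_mbox(SAMPLE_MESSAGES, path)
        second = append_to_mbox(SAMPLE_MESSAGES, path)
        stored = len(mailbox.mbox(path))
    return first, second, stored


if __name__ == "__main__":
    print(demo_roundtrip())  # offline demo; for a real run call backup_imap(...)
```

Run it from a scheduled task with the mbox on the external media the article mentions (a thumb drive or DVD image) and you have the same "copy on your computer" that POP users get for free. The resulting mbox opens directly in Thunderbird.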
Other Tips
- Never give your password to anyone: this includes your best friend, the email service provider, and especially emails that claim to be from a banking service! No website will ever ask for your password apart from making you enter it into a login form, because there is simply no reason to. Even if an email that appears to be from your email service provider threatens that your email address will be canceled if you don’t reply with your password, do not listen to it, because it is most definitely a scam designed to scare you into giving up your identity without a fight. One such scam involved people receiving email from a Gmail address with the username google-accounts (which a malicious person had registered) telling them to reply with their username and password to “win” 2 extra gigabytes of storage for Gmail — a hacked email address is what they got instead. Never believe this sort of stuff!
- Be careful of where you store your passwords: Do not write your passwords in a text file and put them on your desktop, because you never know who might see it. In fact, try to keep your passwords inside your head, because that’s the safest place they can be. If you really do have a problem with memory, use a password manager that can save and encrypt your passwords so they aren’t in plain view. You can try KeePass, which is a free program that can hide your passwords from prying eyes with strong encryption. There is also Passwords Plus by DataViz which is available for $30.
- Clean up your act online: This is a whole other topic in itself, and I think it warrants a separate post, but for now think of all the things in your email address and social network profiles – go take a look right now, I’ll wait. Do you really feel safe with all this online? Will you be able to handle it if someone gets their hands on this information and misuses it? It’s almost a given that people you come into contact with, especially your employers, will search for traces of you online. Be careful with the kind of information you make available on the internet and always try to protect your personal information. Lifehacker has a great post on how to manage your online identity, and why it’s important, which is a good read if you want to manage your online reputation.
- If you really must forward chain letters, use the “BCC” (Blind Carbon Copy) field instead of “To” so that your contacts’ email addresses are not exposed. Be careful with the “Reply-All” feature because you never know how many people might read what you send out.
After you’ve been hacked
Recovery
Not all hackers will get into your account and lock you out. In fact, he or she may snoop around and then leave to come back a few days later, and you would never know someone else has been in there.
The first thing to do is verify somehow whether you have been in fact hacked. Here are a few things to check.
- Do you have email that’s marked as read but that you’ve never seen before? This happens when the hacker reads your email and then forgets to mark it as unread.
- Have your contacts received any strange email supposedly from you? If you save all your sent email, you can also check your “Sent Items” folder for any mail that you didn’t send.
If you find the answer to either of the two above ‘yes’ then change your password immediately. Use a strong password that the hacker will not be able to guess or crack again. That should eliminate your problem for now.
However, if the answer to the above was ‘no’ and if you still suspect someone has been poking around, you can set up an intruder alarm in your inbox that can alert you if anybody reads it. You can read more about this trick at makeuseof.com.
Many hackers though, tend to lock the original owners out once they’re in and if that has happened to you, there’s a different path to take. If you’ve noticed this recently, there is still a chance that your alternate email address or secret question/answer has not been changed by the hacker. Try to recover your password via the “forgotten password” feature and if it works, you’re lucky. Change your password to lock the hacker out and you’re good to go again.
If that doesn’t work, however, this means the hacker has changed the password recovery methods and you can no longer get in that way. In this case, the first thing to do is inform as many people in your contacts as you can that your email address has been hacked. For this, it’s a good idea to keep a backup copy of your online contacts list on your computer – most services allow exporting the contacts list in CSV format that is cross-compatible.
The next thing you have to do is contact your email service provider about your problem. Include as many details as you can and be ready to verify your identity by any means possible. Whether or not you’ll get your email address back depends on how accurately you provide ownership details such as emails of a few of your contacts, date of account creation, last successful login etc., so you might want to take a note of these now if you ever need them.
Below I will cover the three most popular web mail services and how to recover an email address that has been compromised.
- GMAIL: If the hacked address was a Gmail account, there is a page where you can contact Gmail Support about the issue; they will try to verify ownership and if that is done, give the account back to you. Some things they might ask are:
  - Which Google services you use with the account in question (Orkut, Blogger, Google Apps, AdWords, YouTube, etc.) and the dates you started using them.
  - Last successful login date
  - Account creation date
The Official Google Blog has a series on online security that’s also great reading. One post of special mention is some things they advise you to do if you can’t access your webmail.
- HOTMAIL/WINDOWS LIVE: If your account is Hotmail or Windows Live, you can report about the issue to Microsoft and they will try to help you recover it.
- YAHOO! MAIL: For Yahoo users, visit their help center and try to get your password recovered by answering a few questions like your birthday, zip code, etc. that you had provided to them when signing up.
It’s important to note, though, that there is no guarantee that the service provider will be able to hand the email address back to you — and that is mainly because they have to make certain you are who you are, and that you are, in fact, the original owner of that address.
When you get your account back, change your password, be thankful and start to be more careful.
If however, you’re unable to have your account recovered, it would be safe to say that your account is gone and won’t come back. I’m sorry. If you get to this stage, the best thing to do is start afresh, inform everyone of the incident and proceed to edit all your other information with other online services to reflect the change.
If you did not have a backup of the data in your email, I’m sorry again. You can read the Backup section on the previous page to set up a system so this does not happen to you again.
Identify
The next step is to identify what caused the problem. Was it a genuine hacking where the person cracked your password, or did they exploit some other weakness to extract the password from you? Techniques used in identity theft include social engineering and phishing. Sometimes you’re lured into clicking a link in an email and taken to a fake website which looks genuine (this is phishing). The page that opens looks exactly like your email service provider’s login page and might say something like “Your session has expired. Please login again.” But when you submit your email address and password, instead of logging you in, the fake form mails them to the creator of that page and you are then “hacked.”
Phishing attacks usually arrive via email and, as a general rule, cannot “hijack” the actual website (though that is possible). So if you type yahoo.com directly into your browser’s address bar, there is very little chance that the resulting page is a fake, and you can proceed normally.
The best way to protect yourself from phishing is to be very careful when clicking on links in emails. If a link must be accessed, it is best to copy and paste it directly into the browser instead of clicking it. Emails that merely claim to be from legitimate companies are a common source of compromise. Phishing emails can also often be identified by images that do not load, incorrect grammar and typos.
Here’s a bonus article that gives you 9 ways to detect phishing scam emails.
Newer versions of web browsers can detect a phishing attack most of the time, but to be absolutely sure, make sure the login page is SSL (Secure Sockets Layer) protected and that the security certificate is properly signed and verified (web browsers can do this). Most online services provide SSL encryption on their login pages, including most email service providers. Browsers identify a secure page by a small yellow padlock that shows it is SSL verified.
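The checks in the last few paragraphs (does the link actually go to your provider, is the login page served over SSL, does the visible text match the real destination) can be written down as a small detector. This is an added example, not code from the article or from any browser’s phishing filter: it pulls every link out of an HTML mail body and reports the ones that are not HTTPS, point at a raw IP address, land outside the domains you expect, or display one domain in the link text while pointing at another. The sample mail and the host names in it are constructed (the .example TLD and the 203.0.113.0/24 documentation range are reserved for exactly that purpose).

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.

    Good enough to show that mail.yahoo.com.login-verify.example is NOT
    yahoo.com; a real tool would consult the public suffix list.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


DOMAIN_IN_TEXT = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})")


def suspicious_links(html: str, expected_domains: set) -> list:
    """Return [(href, [reasons...])] for every link that fails a check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme != "https":
            reasons.append("not https")  # the padlock the article tells you to look for
        try:
            ipaddress.ip_address(host)
            reasons.append("raw IP host")
        except ValueError:
            pass
        if registrable(host) not in expected_domains:
            reasons.append("host %s is not one of %s" % (host, sorted(expected_domains)))
        m = DOMAIN_IN_TEXT.search(text.lower())
        if m and registrable(m.group(1)) != registrable(host):
            reasons.append("link text names %s but points at %s" % (m.group(1), host))
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: one lookalike login link, one genuine link, one raw-IP link.
SAMPLE_MAIL = """
<p>Your session has expired. Please
<a href="http://mail.yahoo.com.login-verify.example/login">login at mail.yahoo.com</a> again.</p>
<p>Or use <a href="https://mail.yahoo.com/">https://mail.yahoo.com/</a>.</p>
<p>Promo: <a href="http://203.0.113.7/gmail">Gmail storage</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_MAIL, {"yahoo.com"}):
        print(href)
        for r in reasons:
            print("   -", r)
```

The genuine https://mail.yahoo.com/ link produces no finding; the lookalike fails three checks at once, which is the usual pattern for a phishing mail and a good reason to type the address into the browser yourself instead.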
Another way to have your passwords stolen is by a keylogger installed on your computer. Make sure your operating system (Windows, Mac, Linux, etc.) is updated with the latest security patches, and always keep updated copies of reliable anti-virus and anti-spyware software on your computer, running regular scheduled scans for malicious software. A firewall is another tool to add to your arsenal. Some reliable vendors for free computer security software include
Be very careful at public computers where you are not the only person with access such as libraries, internet cafes, etc. These types of computers are especially prone to being infested with spyware (intentional and accidental) that can steal your login information. You can use simple programs such as Neo’s Safekeys which is an on-screen mouse based keyboard that can bypass keyloggers and enter your password safely. It is a very lightweight stand-alone utility that can make you feel a bit more secure. If you carry a USB drive, you can use a combination of portable software like Neo’s Safekeys and malware scanners that can alert you of a security risk.
When you’re done using the computer make sure you’ve logged out of all services; delete web history, cache and cookies from your browser’s menu so that a snooper can’t access your information.
Conclusion
Over the last few pages, I’ve tried to cover the basics of email security. We looked at some preventive measures such as good passwords and backing up. We then went over ways in which we can try to recover if something does happen, and also some more tips on protecting yourself, such as common sense, anti-malware etc.
In my opinion, online security will always remain a threat to a certain degree or another — mainly because there will always be people trying to crack it and get a hold of information they are not meant to see! But that certainly does not mean we can stop worrying about it and give up!
Online privacy is an existing concern, and people need to realize the implications of identity theft. The above guidelines are meant to help people secure themselves better online and also as a call to raise awareness when it comes to online security and best practices. The ramifications of personal information getting into the wrong hands are terrifying and enough to make you want to scream.
With the advent of more and more advanced technology in the online world, it’s becoming increasingly difficult to safeguard oneself from such threats. From Facebook to Amazon, Geni to Mint – an increasing amount of day-to-day activity can now take place over the Internet, where it is arguably much less secure (and private) than it is offline.
What choice does one have in the matter? Do we simply give up the utility and stop using these services altogether? Or should we push for a more secure Internet where we don’t have to be constantly looking over our backs to feel safe?
The next page contains a list of all the URLs mentioned in this article.
Links
Following is a list of all the links from the article, in the order in which they appear:
- Password Strength Checker – Microsoft
- Dictionary attack – Wikipedia
- Backup email in Outlook – Microsoft
- Outlook Backup Tutorial
- How to backup Mozilla Thunderbird profile – About.com
- MozBackup
- How to backup Google Apps data – Lifehacker.com
- Use fetchmail to backup Gmail
- Yahoo! Zimbra Desktop
- How to automatically forward mail from Windows Live – Ask Leo
- MailStore – Lifehacker.com
- KeePass
- Passwords Plus
- Employers will search for traces of you online
- How to manage your online identity – Lifehacker.com
- Setting up an email tripwire
- CSV format
- Gmail Support – account compromised
- Microsoft – report security vulnerability
- Yahoo! Mail – sign in problems
- Phishing
- 9 ways to detect phishing scam emails
- Avast Antivirus
- AVG Antivirus Free
- NOD32
- COMODO
- ZoneAlarm
- Neo’s Safekeys
Oct 24, 2008 at 12:32 am
I have a world No. 1 hacker, name Usman, country Pakistan, Sialkot
Oct 24, 2008 at 4:07 pm
Well, good for you!