Today’s news of over 6 million passwords to LinkedIn being potentially compromised has caused ripples through the security community. Beyond access to innocent bystanders’ LinkedIn accounts, the bigger danger is the fact that many people use the same passwords over and over again. So any site that uses email as a username (as LinkedIn does) with the same password you have used for LinkedIn is also at risk of being hacked into.

This is exactly why I have been advocating and speaking out for the use of password managers for years, ever since I myself was a victim of password hacking. My password nightmare happened about 6 or 7 years ago.
I had just returned home from a trip to the Black Hat conference in Las Vegas. I received a call early in the morning from one of the parents on my son’s Little League team that I coached. They said that they had just received an “interesting” email from my email account that had some Yiddish/Hebrew words in the subject line and contained some really vile, disgusting pornographic images. They didn’t think the email was in character for me (thank goodness for that) and wanted to let me know. I said thank you and set out to look into it.
The first thing I did was try to log into my Yahoo mail account. Funny thing, my password wouldn’t get me into my system. I was sure I was using the right password; after all, I used the same password for almost all of my online accounts. In the meantime, I pulled up my personal ashimmy.com blog and was horrified at what I saw. There were more disgusting porno pictures all over my blog and a bunch of anti-Semitic posts all over the place.
I went to log into my blog provider account and, you guessed it, couldn’t log in there either. Funny, same password I used everywhere else too. I couldn’t leave that web site up, so I went to my GoDaddy domain account and figured I would point the DNS to a parking page. You know the answer. I could not get in there either. Same thing for my Google account, Skype, Hotmail, etc.
This was very serious indeed. Then I was made aware that the hack of my accounts was part of a series of hacks against known security folks as a “statement” by some hackers. They made their announcement on one of the popular security mailing lists, along with some personal information they had pilfered from my mail account. So this was turning into a nightmare, and quickly. I had to do some damage control and get this situation right.
First thing was to regain control of my accounts. I followed the normal channels and quickly realized that this was a form of torture. You couldn’t get anyone from these large web properties on a phone to discuss this. You could write an email to some anonymous email address and wait for them to respond. With my reputation being killed second by second, that wasn’t going to work. Luckily, as a result of being in the security community, I reached out to some friends for help.
It pays to have friends. At almost all of the companies that I was locked out of my account at, I knew or was introduced to someone higher up who I was able to go to and get some help. Without that help I am not sure how or what I would have done. But I will tell you that within a day or two, I had regained control of every one of my accounts with the exception of Skype, which to this day I never was able to unlock.
I wound up just making a new account. Another good thing about having friends in security is that they were able to backtrack and find out who the culprits were. Unfortunately, because I couldn’t prove the requisite dollar sum in damages, I could not get the authorities to prosecute. I also found out that filing cybercrime reports with local authorities was largely a waste as well. Suffice to say we had to take some matters into our own hands in the security industry to deal with these folks.
I don’t know if this situation has gotten any better since then. Anyway, I learned my lesson. After this I installed a password manager. Since then I have tried several and use them religiously. I not only store all of my passwords, but have them generate a unique, strong password every time I need one (I probably have over 100 passwords, all told).
I have no idea what my passwords are. I only remember my master password, which gets me into my password manager. If someone did get my LinkedIn password, my damage is limited to LinkedIn only. That password won’t work at any other site. I sleep easy.
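To make the "damage limited to one site" point concrete, here is an added example (not code from the original post; the vault, the site names, the master password and the reused password are all constructed). It is a toy Python vault that keeps only a scrypt check of the master password, generates a fresh random password for every site, and reports which accounts a single leaked password would expose, first for the old reuse-everywhere habit and then for the manager-generated one.

```python
from __future__ import annotations

import hashlib
import math
import secrets
import string

# Constructed example of the password-manager idea described above; not a real product.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character with the OS CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


class Vault:
    """Toy vault: one master password unlocks per-site credentials.

    Only a salted scrypt hash of the master password is kept, so the master
    itself is never stored. Site passwords sit in a plain dict here for
    clarity; a real manager encrypts them with a key derived the same way.
    """

    def __init__(self, master_password: str):
        self._salt = secrets.token_bytes(16)
        self._master_hash = self._kdf(master_password, self._salt)
        self._entries: dict[str, str] = {}
        self._unlocked = False

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        # Memory-hard KDF: slows down offline guessing of a stolen vault file.
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                              maxmem=64 * 1024 * 1024, dklen=32)

    def unlock(self, master_password: str) -> bool:
        candidate = self._kdf(master_password, self._salt)
        self._unlocked = secrets.compare_digest(candidate, self._master_hash)
        return self._unlocked

    def _require_unlocked(self) -> None:
        if not self._unlocked:
            raise PermissionError("vault is locked")

    def add_site(self, site: str, password: str | None = None) -> str:
        """Store a password for site; generate a unique one if none is supplied."""
        self._require_unlocked()
        if password is None:
            password = generate_password()
        self._entries[site] = password
        return password

    def get(self, site: str) -> str:
        self._require_unlocked()
        return self._entries[site]

    def exposed_by_leak(self, leaked_password: str) -> list[str]:
        """Sites whose stored password equals one that leaked somewhere else."""
        self._require_unlocked()
        return sorted(s for s, p in self._entries.items() if p == leaked_password)


def blast_radius_demo() -> tuple[list[str], list[str]]:
    """Return (sites exposed with a reused password, sites exposed with unique ones)
    after the constructed 'linkedin' password leaks."""
    sites = ["linkedin", "email", "blog", "registrar"]   # constructed site names
    master = "correct horse battery staple"               # constructed master password

    reused = Vault(master)
    reused.unlock(master)
    for s in sites:
        reused.add_site(s, "Summer2012!")   # constructed: the same password everywhere

    unique = Vault(master)
    unique.unlock(master)
    for s in sites:
        unique.add_site(s)                  # a different random password per site

    return (reused.exposed_by_leak(reused.get("linkedin")),
            unique.exposed_by_leak(unique.get("linkedin")))


if __name__ == "__main__":
    print(f"20-char password from a 94-symbol alphabet: {entropy_bits(20):.0f} bits")
    reused_hit, unique_hit = blast_radius_demo()
    print("reused password, accounts exposed by one leak:", reused_hit)
    print("unique passwords, accounts exposed by one leak:", unique_hit)
```

The only thing the user ever remembers is the master password; `unlock` rejects a wrong one by comparing scrypt outputs in constant time, and every site method refuses to work while locked. Running the demo shows the reused password dragging every account into the leak, while with generated passwords the leaked one matches nothing but the site it came from.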
The lesson is clear. Don’t wait until after you are a victim. Go install and use a password manager today. Many are free and do the job. Weak, repetitive passwords are one of the biggest weak spots in our security profile.
Learn from my mistakes.