Author Topic: Email Security  (Read 7539 times)

cmpm

Email Security
« on: October 09, 2010, 10:16 AM »
Someone has found my email and password with my Gmail account.
And used my account to send spam.
Changing the password fixed it though.

From searching for answers I found some do this for spamming your contacts.
Which they did, until Gmail blocked the account for suspicious activity.
Rightfully so, and I'm glad they did.

I'm wondering how they did it.

One thing I learned was to not use the same password for forums that you use for email or other things.
This is possibly how they got my info. And the best answer I could find.

I have no viruses or any spyware on my computer that I know of.
Still I ran full scans of Nod, SAS, and mbam - still nothing.

I know it was not DC, but I suspect another forum.
Question - How can I find out who done it? Is it possible?
Reading what others said, only turned up China based outfits engaged in this activity....
?
I'm not in China or a Chinese forum.

I am in a few forums though...5 or 6 I think.

mouser

Re: Email Security
« Reply #1 on: October 09, 2010, 10:20 AM »
> One thing I learned was to not use the same password for forums that you use for email or other things.

this is really critical -- do not use the same password on multiple sites, and never use the same password for an online service as you do for your email or financial institutions.

cmpm

Re: Email Security
« Reply #2 on: October 09, 2010, 10:39 AM »
Yes, very critical.

Kind of funny in a way though.
Since I have my other email address accounts in my contacts.
I spammed myself. :)
That's part of how I figured out what was happening.

I apologize if you received this spam.

J-Mac

Re: Email Security
« Reply #3 on: October 09, 2010, 01:58 PM »
Another thing you have to be careful about: The extremely stupid concept most financial institutions have of requiring you to have "security questions and answers". I don’t know who dreamed this up but it is very dangerous IMO. The questions commonly put forth for this are ones whose answers can easily be derived with a little searching around. For example, it wouldn’t be difficult for me to obtain the name of the high school someone attended, the city they were born in, married in, etc. Especially with the social network profiles so easily viewed today.

Once I gather enough of that trivial data on someone I could go to a site requiring login and claim I am you and that I forgot my password - or just enter an incorrect password. Then answer appropriately when they ask for the answers to the security questions and they will give me a new password. Some will only email it to a backup email address you supply but many people use Hotmail or other free accounts for the backups and then let them lapse.

Whenever you are required to provide answers for so-called security questions, give nonsensical answers and be sure to make a note of what you give as answers. Use the "Secure Note" feature of Roboform, LastPass, or Keepass. Because someday you will need to remember those answers. I use a completely random series of numbers and letters for, say, the name of my high school. Anyone who discovers the actual high school I attended will be disappointed if they try and give that as a security answer. Do the same for all the questions. No human reads them; only a computer. So no one should question how you attended a high school named, "23dkic4ls89".   ;)

Jim

f0dder

Re: Email Security
« Reply #4 on: October 09, 2010, 04:55 PM »
> Another thing you have to be careful about: The extremely stupid concept most financial institutions have of requiring you to have "security questions and answers". I don’t know who dreamed this up but it is very dangerous IMO.

Yeah, and extremely silly - especially if they require you to fill this info. I always choose "mother's maiden name" and fill in "byggemand bob" - which is obviously not her maiden name.
- carpe noctem

mouser

Re: Email Security
« Reply #5 on: October 09, 2010, 05:20 PM »
> Whenever you are required to provide answers for so-called security questions, give nonsensical answers and be sure to make a note of what you give as answers.


agreed.

4wd

Re: Email Security
« Reply #6 on: October 09, 2010, 06:39 PM »
> Yeah, and extremely silly - especially if they require you to fill this info. I always choose "mother's maiden name" and fill in "byggemand bob" - which is obviously not her maiden name.

I always choose "Name of your first pet?" and put "never had one" :)

Also, I use multiple email addresses - for "I don't give a sh!t about" forums (for lurking for info), I use the one GMail account accessed by IMAP (because I'm not particularly interested in anything other than headers).  Too much spam and I just drop it and create another.

Another for purely financial transactions, (ebay/paypal/etc), and a few more besides, (7 at last count), which are used depending on what interest I have in the site.

I used to use SpamMotel which let you create perpetual email addresses that forwarded to your real email account.  No limit on addresses, do one per forum and when you started getting spam from a particular email you knew which forum had been compromised.

« Last Edit: October 09, 2010, 06:52 PM by 4wd »
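
The one-address-per-forum approach from the post above can be checked mechanically; this is an added example, not part of the original post. The alias addresses, site names and sample messages are constructed placeholders.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Hypothetical alias table (constructed): one forwarding address per site.
ALIASES = {
    "cars2k@alias.example": "forum-a.example",
    "pets7q@alias.example": "forum-b.example",
    "bank9x@alias.example": "payments.example",
}

# Constructed spam samples: headers, blank line, body.
SAMPLE_SPAM = [
    "From: a@bulk.example\nTo: Friend <pets7q@alias.example>\nSubject: hi\n\nbuy now",
    "Delivered-To: PETS7Q@alias.example\nFrom: b@bulk.example\n"
    "To: list@bulk.example\nSubject: deal\n\nclick",
    "From: c@bulk.example\nTo: cars2k@alias.example\nSubject: win\n\nprize",
    "From: d@bulk.example\nTo: someone@else.example\nSubject: misc\n\nhello",
]

def recipients(raw):
    """Return every address a message was delivered or addressed to, lowercased."""
    msg = message_from_string(raw)
    found = set()
    for header in ("Delivered-To", "To", "Cc"):
        for _, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                found.add(addr.lower())
    return found

def attribute_leaks(raw_messages, aliases=ALIASES):
    """Count spam per site whose alias received it; also count unmatched mail."""
    hits, unmatched = Counter(), 0
    for raw in raw_messages:
        sites = {aliases[a] for a in recipients(raw) if a in aliases}
        if sites:
            hits.update(sites)
        else:
            unmatched += 1
    return hits, unmatched

if __name__ == "__main__":
    hits, unmatched = attribute_leaks(SAMPLE_SPAM)
    for site, count in hits.most_common():
        print(f"{site}: {count} spam message(s) sent to its alias")
    print(f"{unmatched} message(s) matched no alias")
```

An alias that was only ever given to one site and starts receiving spam points at that site (or its mail path) as the source of the leak; aliases with no hits are still clean.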

Renegade

Re: Email Security
« Reply #7 on: October 09, 2010, 06:49 PM »
There's a problem though... Remembering all the passwords and accounts. You can rely on your browser, but you're linked to 1 computer. You can use something like the ALTools toolbar and ALPass Online, but then you're linked to Windows and Internet Explorer.

You can try to come up with a system that lets you generate a password that uses the domain name as the deterministic seed, but then you run into sites that put low limits on password lengths. e.g. Shift fingers right 1 and up 1 on the keyboard then type the domain name ignoring numbers.

It's a difficult problem to conclusively solve.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

4wd

Re: Email Security
« Reply #8 on: October 09, 2010, 06:54 PM »
> There's a problem though... Remembering all the passwords and accounts. You can rely on your browser, but you're linked to 1 computer.

I do rely on my browser, more specifically Firefox because it's the only browser, (well I haven't tried Opera lately), that allows you to encrypt your logins with a master passphrase.

Then it's just a matter of using either: Firefox Sync, PortableFirefox or carrying the relevant signon files on a flash drive.

EDIT: Digressing a little more away from the original topic, for those sites that ask standardised security questions - answer truthfully....with a twist :)

%96 4@CC64E 2?DH6C 2AA=:65 H:E9 #~%`b @C #~%cf \ G6CJ D:>A=6 3FE 2=D@ G6CJ 67764E:G6 7@C E9:D <:?5 @7 E9:?8] 1

Firefox addon - Quick ROT Ciphers

1. The correct answer applied with ROT13 or ROT47 - very simple but also very effective for this kind of thing.
« Last Edit: October 09, 2010, 08:41 PM by 4wd »
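
The ROT13/ROT47 twist from the post above, as an added example that is not part of the original post: both are fixed, keyless rotations that are their own inverse, and the script decodes the encoded line quoted in the post. The sample answer in the demo is constructed.

```python
def rot_n(text, low, high, shift):
    """Rotate characters within [low, high] by shift positions; leave others as-is."""
    span = ord(high) - ord(low) + 1
    out = []
    for ch in text:
        if low <= ch <= high:
            out.append(chr(ord(low) + (ord(ch) - ord(low) + shift) % span))
        else:
            out.append(ch)
    return "".join(out)

def rot13(text):
    """Rotate letters by 13 within a-z and A-Z; digits and punctuation are untouched."""
    return rot_n(rot_n(text, "a", "z", 13), "A", "Z", 13)

def rot47(text):
    """Rotate all printable ASCII from '!' to '~' by 47; spaces are untouched."""
    return rot_n(text, "!", "~", 47)

# The encoded line from the post (without its trailing footnote marker).
ENCODED = (r"%96 4@CC64E 2?DH6C 2AA=:65 H:E9 #~%`b @C #~%cf \ G6CJ D:>A=6 "
           r"3FE 2=D@ G6CJ 67764E:G6 7@C E9:D <:?5 @7 E9:?8]")

if __name__ == "__main__":
    print(rot47(ENCODED))
    answer = "Springfield High"          # constructed sample answer
    print(rot13(answer), "|", rot47(answer))
    # Applying the same rotation twice returns the original text.
    print(rot13(rot13(answer)) == answer, rot47(rot47(answer)) == answer)
```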

nudone

Re: Email Security
« Reply #9 on: October 10, 2010, 04:27 AM »
or store all your logins with something like RoboForm. there's a java applet thingy you can run from almost anywhere, e.g. you're at someone's house and unexpectedly need one of your logins and don't have your usb stick with you. that kind of thing.

that's what i use - but then, my PayPal account was "broken into" not long back. maybe this RoboForm applet was to blame (i have absolutely no idea).

housetier

Re: Email Security
« Reply #10 on: November 11, 2010, 12:24 PM »
I do not trust firefox to keep my sensitive information secure so I told it to never store passwords or even form data. (I also disabled history for the address bar.)

Instead I use a command line tool that can put username and password into my clipboard. So I go to a website where I have to login; if I don't know the password I turn to my password safe and have it put the pass into the clipboard. It watches the clipboard as well, so as soon as I have pasted the password into the form (or somewhere else) it erases the memory.

This is a complicated process, but it is the only one whose security I find acceptable. The password safe itself is strongly encrypted, even when it is loaded into memory. Only for a short time is the password in cleartext, and there is no way to avoid that.

When I am certain that no one else can use a program I also let the program store credentials, but only if I am certain it uses good encryption for this data.

Security is a process, so at any given time I might find it necessary to use a different password safe or never have any program store credentials. Security is also a lot about the user's mindset: you should be careful and aware, but never paranoid.

There is no 100% security, there is only the amount of time, effort, and money it takes to get to your data. Hence you cannot buy "Security" like a remedy for headaches. Personally I believe just by being more aware you can greatly decrease the risk of losing control over your data.

Oh yeah, like it was mentioned in the OP, I never never never use the same password twice. Not even for the smallest most unimportant throw-away account. There might be good reasons to reuse passwords, but they are most likely bad reasons. And doing something (or not doing something) for a bad reason is not being careful.

OK back to topic: If an email service does not provide TLS I do not use it.

f0dder

Re: Email Security
« Reply #11 on: November 11, 2010, 01:13 PM »
> OK back to topic: If an email service does not provide TLS I do not use it.

Sounds a bit pointless, since transport between SMTP servers isn't TLS'ed.

(But OK, if you're on an unprotected wifi, at least other people in the coffee shop can't snoop on the mails you're reading).
- carpe noctem