Author Topic: Email Security  (Read 3164 times)
cmpm
Charter Member
« on: October 09, 2010, 10:16:25 AM »

Someone has found my email and password with my Gmail account.
And used my account to send spam.
Changing the password fixed it though.

From searching for answers I found some do this for spamming your contacts.
Which they did, until Gmail blocked the account for suspicious activity.
Rightfully so, and I'm glad they did.

I'm wondering how they did it.

One thing I learned was to not use the same password for forums that you use for email or other things.
This is possibly how they got my info. And the best answer I could find.

I have no viruses or any spyware on my computer that I know of.
Still I ran full scans of Nod, SAS, and mbam - still nothing.

I know it was not DC, but I suspect another forum.
Question - How can I find out who done it? Is it possible?
Reading what others said, only turned up China based outfits engaged in this activity....
?
I'm not in China or a Chinese forum.

I am in a few forums though...5 or 6 I think.
mouser
First Author
Administrator
« Reply #1 on: October 09, 2010, 10:20:53 AM »

Quote
One thing I learned was to not use the same password for forums that you use for email or other things.

this is really critical -- do not use the same password on multiple sites, and never use the same password for an online service as you do for your email or financial institutions.
cmpm
Charter Member
« Reply #2 on: October 09, 2010, 10:39:08 AM »

Yes, very critical.

Kind of funny in a way though.
Since I have my other email address accounts in my contacts.
I spammed myself. :)
That's part of how I figured out what was happening.

I apologize if you received this spam.
J-Mac
Supporting Member
« Reply #3 on: October 09, 2010, 01:58:17 PM »

Another thing you have to be careful about: The extremely stupid concept most financial institutions have of requiring you to have "security questions and answers". I don’t know who dreamed this up but it is very dangerous IMO. The questions commonly put forth for this are ones whose answers can easily be derived with a little searching around. For example, it wouldn’t be difficult for me to obtain the name of the high school someone attended, the city they were born in, married in, etc. Especially with the social network profiles so easily viewed today.

Once I gather enough of that trivial data on someone I could go to a site requiring login and claim I am you and that I forgot my password - or just enter an incorrect password. Then answer appropriately when they ask for the answers to the security questions and they will give me a new password. Some will only email it to a backup email address you supply but many people use Hotmail or other free accounts for the backups and then let them lapse.

Whenever you are required to provide answers for so-called security questions, give nonsensical answers and be sure to make a note of what you give as answers. Use the "Secure Note" feature of RoboForm, LastPass, or KeePass. Because someday you will need to remember those answers. I use a completely random series of numbers and letters for, say, the name of my high school. Anyone who discovers the actual high school I attended will be disappointed if they try and give that as a security answer. Do the same for all the questions. No human reads them; only a computer. So no one should question how you attended a high school named, "23dkic4ls89". ;)

Jim

"I am getting so tired of slitting the throats of people who say that I am a violent psychopath."
f0dder
Charter Honorary Member
« Reply #4 on: October 09, 2010, 04:55:00 PM »

Quote
Another thing you have to be careful about: The extremely stupid concept most financial institutions have of requiring you to have "security questions and answers". I don’t know who dreamed this up but it is very dangerous IMO.

Yeah, and extremely silly - especially if they require you to fill this info. I always choose "mother's maiden name" and fill in "byggemand bob" - which is obviously not her maiden name.

- carpe noctem
mouser
First Author
Administrator
« Reply #5 on: October 09, 2010, 05:20:52 PM »

Quote
Whenever you are required to provide answers for so-called security questions, give nonsensical answers and be sure to make a note of what you give as answers.


agreed.
4wd
Supporting Member
« Reply #6 on: October 09, 2010, 06:39:53 PM »

Quote
Yeah, and extremely silly - especially if they require you to fill this info. I always choose "mother's maiden name" and fill in "byggemand bob" - which is obviously not her maiden name.

I always choose "Name of your first pet?" and put "never had one" :)

Also, I use multiple email addresses - for "I don't give a sh!t about" forums (for lurking for info), I use the one Gmail account accessed by IMAP, (because I'm not particularly interested in anything other than headers).  Too much spam and I just drop it and create another.

Another for purely financial transactions, (ebay/paypal/etc), and a few more besides, (7 at last count), which are used depending on what interest I have in the site.

I used to use SpamMotel which let you create perpetual email addresses that forwarded to your real email account.  No limit on addresses, do one per forum and when you started getting spam from a particular email you knew which forum had been compromised.

« Last Edit: October 09, 2010, 06:52:51 PM by 4wd »

Four wheel drive: Helping you get stuck faster, harder, further from help...........and it's no different on this forum Evil
Renegade
Charter Member
« Reply #7 on: October 09, 2010, 06:49:37 PM »

There's a problem though... Remembering all the passwords and accounts. You can rely on your browser, but you're linked to 1 computer. You can use something like the ALTools toolbar and ALPass Online, but then you're linked to Windows and Internet Explorer.

You can try to come up with a system that lets you generate a password that uses the domain name as the deterministic seed, but then you run into sites that put low limits on password lengths. e.g. Shift fingers right 1 and up 1 on the keyboard then type the domain name ignoring numbers.

It's a difficult problem to conclusively solve.

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker
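
An added example, not part of Renegade's post: the keyboard-shift rule described above, next to a keyed derivation for comparison. The US QWERTY layout, the reading of "right 1 and up 1" as one row up and one key right, the `derived_password` helper with its PBKDF2 parameters, and the sample domain and master phrase are all assumptions made here.

```python
import base64
import hashlib

# US QWERTY rows (assumed layout), top row first.
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def keyboard_shift(domain: str) -> str:
    """Type the domain one row up and one key right, skipping digits."""
    out = []
    for ch in domain.lower():
        row, col = POS.get(ch, (0, 0))
        if row == 0:
            continue  # digits, '-' and unmapped characters have no row above
        target = ROWS[row - 1]
        out.append(target[(col + 1) % len(target)])
    return "".join(out)


def derived_password(master: str, domain: str, max_len: int = 16) -> str:
    """Keyed variant (assumption): PBKDF2-HMAC-SHA256 of a master phrase,
    salted with the domain. max_len models sites that cap password length."""
    raw = hashlib.pbkdf2_hmac(
        "sha256", master.encode(), domain.lower().encode(), 200_000
    )
    return base64.urlsafe_b64encode(raw).decode()[:max_len]


if __name__ == "__main__":
    site = "example.com"  # constructed sample domain
    print(keyboard_shift(site))  # depends only on the domain, no secret involved
    print(derived_password("constructed master phrase", site))
    print(derived_password("constructed master phrase", site, max_len=8))
```

The keyboard rule produces the same output for everyone who applies it to a given domain, while the keyed variant changes with the master phrase; truncating to `max_len` is the price paid on sites with short length limits.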
4wd
Supporting Member
« Reply #8 on: October 09, 2010, 06:54:14 PM »

Quote
There's a problem though... Remembering all the passwords and accounts. You can rely on your browser, but you're linked to 1 computer.

I do rely on my browser, more specifically Firefox because it's the only browser, (well I haven't tried Opera lately), that allows you to encrypt your logins with a master passphrase.

Then it's just a matter of using either: Firefox Sync, PortableFirefox or carrying the relevant signon files on a flash drive.

EDIT: Digressing a little more away from the original topic, for those sites that ask standardised security questions - answer truthfully....with a twist :)

%96 4@CC64E 2?DH6C 2AA=:65 H:E9 #~%`b @C #~%cf \ G6CJ D:>A=6 3FE 2=D@ G6CJ 67764E:G6 7@C E9:D <:?5 @7 E9:?8] 1

Firefox addon - Quick ROT Ciphers

1. The correct answer applied with ROT13 or ROT47 - very simple but also very effective for this kind of thing.
« Last Edit: October 09, 2010, 08:41:14 PM by 4wd »

Four wheel drive: Helping you get stuck faster, harder, further from help...........and it's no different on this forum Evil
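
An added example, not part of 4wd's post: a small Python ROT13/ROT47 codec that decodes the scrambled line in the post above back to the text of its footnote. The sample answer "Springfield High" is constructed; both transforms are fixed and keyless, so applying the same rotation a second time recovers the original.

```python
import codecs


def rot47(text: str) -> str:
    """Rotate printable ASCII ('!'..'~') by 47 places; other characters pass through."""
    return "".join(
        chr(33 + (ord(ch) - 33 + 47) % 94) if 33 <= ord(ch) <= 126 else ch
        for ch in text
    )


def rot13(text: str) -> str:
    """Rotate letters by 13 places; digits and punctuation are left alone."""
    return codecs.encode(text, "rot_13")


# The scrambled line exactly as posted (trailing footnote marker left off).
POSTED = (
    r"%96 4@CC64E 2?DH6C 2AA=:65 H:E9 #~%`b @C #~%cf \ G6CJ D:>A=6 "
    r"3FE 2=D@ G6CJ 67764E:G6 7@C E9:D <:?5 @7 E9:?8]"
)


def twist(answer: str, scheme: str = "rot47") -> str:
    """Return the 'twisted' form of a security answer to enter on the site."""
    return rot47(answer) if scheme == "rot47" else rot13(answer)


def untwist(stored: str, scheme: str = "rot47") -> str:
    """Both rotations are their own inverse, so untwisting is the same operation."""
    return twist(stored, scheme)


if __name__ == "__main__":
    print(rot47(POSTED))
    answer = "Springfield High"  # constructed sample answer
    for scheme in ("rot13", "rot47"):
        stored = twist(answer, scheme)
        print(scheme, repr(stored), "->", untwist(stored, scheme))
```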
nudone
Cody's Creator
Columnist
« Reply #9 on: October 10, 2010, 04:27:38 AM »

or store all your logins with something like RoboForm. there's a java applet thingy you can run from almost anywhere, e.g. you're at someone's house and unexpectedly need one of your logins and don't have your usb stick with you. that kind of thing.

that's what i use - but then, my PayPal account was "broken into" not long back. maybe this RoboForm applet was to blame (i have absolutely no idea).
housetier
Charter Honorary Member
« Reply #10 on: November 11, 2010, 12:24:00 PM »

I do not trust Firefox to keep my sensitive information secure so I told it to never store passwords or even form data. (I also disabled history for the address bar.)

Instead I use a command line tool that can put username and password into my clipboard. So I go to a website where I have to login; if I don't know the password I turn to my password safe and have it put the pass into the clipboard. It watches the clipboard as well, so as soon as I have pasted the password into the form (or somewhere else) it erases the memory.

This is a complicated process, but it is the only one I find security acceptable. The password safe itself is strongly encrypted, even when it is loaded into memory. Only for a short time is the password in cleartext, and there is no way to avoid that.

When I am certain that no one else can use a program I also let the program store credentials, but only if I am certain it uses good encryption for this data.

Security is a process, so at any given time I might find it necessary to use a different password safe or never have any program store credentials. Security is also a lot about the user's mindset: you should be careful and aware, but never paranoid.

There is no 100% security, there is only the amount of time, effort, and money it takes to get to your data. Hence you cannot buy "Security" like a remedy for headaches. Personally I believe just by being more aware you can greatly decrease the risk of losing control over your data.

Oh yeah, like it was mentioned in the OP, I never never never use the same password twice. Not even for the smallest most unimportant throw-away account. There might be good reasons to reuse passwords, but they are most likely bad reasons. And doing something (or not doing something) for a bad reason is not being careful.

OK back to topic: If an email service does not provide TLS I do not use it.
f0dder
Charter Honorary Member
« Reply #11 on: November 11, 2010, 01:13:05 PM »

Quote
OK back to topic: If an email service does not provide TLS I do not use it.

Sounds a bit pointless, since transport between SMTP servers isn't TLS'ed.

(But OK, if you're on an unprotected wifi, at least other people in the coffee shop can't snoop on the mails you're reading).

- carpe noctem