Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 06, 2016, 12:03:13 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Email Security  (Read 3940 times)

cmpm

  • Charter Member
  • Joined in 2006
  • ***
  • default avatar
  • Posts: 2,025
    • View Profile
    • Donate to Member
Email Security
« on: October 09, 2010, 10:16:25 AM »
Someone has found my email and password with my Gmail account.
And used my account to send spam.
Changing the password fixed it though.

From searching for answers I found some do this for spamming your contacts.
Which they did, until Gmail blocked the account for suspicious activity.
Rightfully so, and I'm glad they did.

I'm wondering how they did it.

One thing I learned was to not use the same password for forums that you use for email or other things.
This is possibly how they got my info. And the best answer I could find.

I have no virus' or any spyware on my computer that I know of.
Still I ran full scans of Nod, SAS, and mbam-still nothing.

I know it was not DC, but I suspect another forum.
Question - How can I find out who done it? Is it possible?
Reading what others said, only turned up China based outfits engaged in this activity....
?
I'm not in China or a Chinese forum.

I am in a few forums though...5 or 6 I think.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 36,406
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Email Security
« Reply #1 on: October 09, 2010, 10:20:53 AM »
Quote
One thing I learned was to not use the same password for forums that you use for email or other things.

this is really critical -- do not use the same password on multiple sites, and never use the same password for an online service as you do for your email or financial institutions.

cmpm

  • Charter Member
  • Joined in 2006
  • ***
  • default avatar
  • Posts: 2,025
    • View Profile
    • Donate to Member
Re: Email Security
« Reply #2 on: October 09, 2010, 10:39:08 AM »
Yes, very critical.

Kind of funny in a way though.
Since I have my other email address accounts in my contacts.
I spammed myself. :)
That's part of how I figured out what was happening.

I apologize if you received this spam.

J-Mac

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 2,913
    • View Profile
    • Donate to Member
Re: Email Security
« Reply #3 on: October 09, 2010, 01:58:17 PM »
Another thing you have to be careful about: The extremely stupid concept most financial institutions have of requiring you to have "security questions and answers". I don’t know who dreamed this up but it is very dangerous IMO. The questions commonly put forth for this are ones whose answers can easily be derived with a little searching around. For example, it wouldn’t be difficult for me to obtain the name of the high school someone attended, the city they were born in, married in, etc. Especially with the social network profiles so easily viewed today.

Once I gather enough of that trivial data on someone I could go to a site requiring login and claim I am you and that I forgot my password - or just enter an incorrect password. Then answer appropriately when they ask for the answers to the security questions and they will give me a new password. Some will only email it to a backup email address you supply but many people use Hotmail or other free accounts for the backups and then let them lapse.

Whenever you are required to provide answers for so-called security questions, give nonsensical answers and be sure to make a note of what you give as answers. Use the "Secure Note" feature of Roboform, LastPass, or Keepass. Because someday you will need to remember those answers. I use a completely random series of numbers and letters for, say, the name of my high school. Anyone who discovers the actual high school I attended will be disappointed if they try and give that as a security answer. Do the same for all the questions. No human reads them; only a computer. So no one should question how you attended a high school named, "23dkic4ls89".   ;)

Jim

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Email Security
« Reply #4 on: October 09, 2010, 04:55:00 PM »
Another thing you have to be careful about: The extremely stupid concept most financial institutions have of requiring you to have "security questions and answers". I don’t know who dreamed this up but it is very dangerous IMO.
Yeah, and extremely silly - especially if they require you to fill this info. I always choose "mother's maiden name" and fill in "byggemand bob" - which is obviously not her maiden name.
- carpe noctem

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 36,406
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Email Security
« Reply #5 on: October 09, 2010, 05:20:52 PM »
Quote
Whenever you are required to provide answers for so-called security questions, give nonsensical answers and be sure to make a note of what you give as answers.


agreed.

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 4,474
    • View Profile
    • Donate to Member
Re: Email Security
« Reply #6 on: October 09, 2010, 06:39:53 PM »
Yeah, and extremely silly - especially if they require you to fill this info. I always choose "mother's maiden name" and fill in "byggemand bob" - which is obviously not her maiden name.

I always choose "Name of your first pet?" and put "never had one" :)

Also, I use multiple email address - for "I don't give a sh!t about about" forums (for lurking for info), I use the one GMail account accessed by IMAP, (because I'm not particularly insterested in anything other than headers).  Too much spam and I just drop it and create another.

Another for purely financial transactions, (ebay/paypal/etc), and a few more besides, (7 at last count), which are used depending on what interest I have in the site.

I used to use SpamMotel which let you create perpetual email addresses that forwarded to your real email account.  No limit on addresses, do one per forum and when you started getting spam from a particular email you knew which forum had been compromised.

« Last Edit: October 09, 2010, 06:52:51 PM by 4wd »

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,220
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: Email Security
« Reply #7 on: October 09, 2010, 06:49:37 PM »
There's a problem though... Remembering all the passwords and accounts. You can rely on your browser, but you're linked to 1 computer. You can use something like the ALTools toolbar and ALPass Online, but then you're linked to Windows and Internet Explorer.

You can try to come up with a system that lets you generate a password that uses the domain name as the deterministic seed, but then you run into sites that put low limits on password lengths. e.g. Shift fingers right 1 and up 1 on the keyboard then type the domain name ignoring numbers.

It's a difficult problem to conclusively solve.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 4,474
    • View Profile
    • Donate to Member
Re: Email Security
« Reply #8 on: October 09, 2010, 06:54:14 PM »
There's a problem though... Remembering all the passwords and accounts. You can rely on your browser, but you're linked to 1 computer.

I do rely on my browser, more specifically Firefox because it's the only browser, (well I haven't tried Opera lately), that allows you to encrypt your logins with a master passphrase.

Then it's just a matter of using either: Firefox Sync, PortableFirefox or carrying the relevant signon files on a flash drive.

EDIT: Digressing a little more away from the original topic, for those sites that ask standardised security questions - answer truthfully....with a twist :)

%96 4@CC64E 2?DH6C 2AA=:65 H:E9 #~%`b @C #~%cf \ G6CJ D:>A=6 3FE 2=D@ G6CJ 67764E:G6 7@C E9:D <:?5 @7 E9:?8] 1

Firefox addon - Quick ROT Ciphers

1. The correct answer applied with ROT13 or ROT47 - very simple but also very effective for this kind of thing.
« Last Edit: October 09, 2010, 08:41:14 PM by 4wd »

nudone

  • Cody's Creator
  • Columnist
  • Joined in 2005
  • ***
  • Posts: 4,117
    • View Profile
    • Donate to Member
Re: Email Security
« Reply #9 on: October 10, 2010, 04:27:38 AM »
or store all your logins with something like RoboForm. there's a java applet thingy you can run from almost anywhere, e.g. you're at someone's house and unexpectedly need one of your logins and don't have your usb stick with you. that kind of thing.

that's what i use - but then, my PayPal account was "broken into" not long back. maybe this RoboForm applet was to blame (i have absolutely no idea).

housetier

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 1,321
    • View Profile
    • Donate to Member
Re: Email Security
« Reply #10 on: November 11, 2010, 12:24:00 PM »
I do not trust firefox to keep my sensitive information secure so I told to never store passwords or even form data. (I also disabled history for the address bar.)

Instead I use a command line tool that can put username and password into my clipboard. So I go to a website wher eI have to login; if I don't know the password I turn to my password safe and have put the pass into the clipboard. It watches the clipboard as well, so as soon as I have pasted the passwod into the form (or somewhere else) it erases the memory.

This is a complicated process, but it is the only one I find security acceptable. The password safe itself is strongly encrypted, even when it is loaded into memory. Only for a short time is the password in cleartext, and there is no way to avoid that.

When I am certain that no one else can use a program I also let the program store credentials, but only if I am certain is uses good encryption for this data.

Security is a process, so at any given time I might find it necessary to use a different password safe or never have any program store credentials. Security is also a lot about the user's mindset: you should be careful and aware, but never paranoid.

There is no 100% security, there is only the amount of time, effort, and money it takes to get to your data. Hence you cannot buy "Security" like a remedy for headaches. Personally I believe just by being more aware you can greatly decrease the risk to losing control over your data.

Oh yeah, like it was mentioned in the OP, I never never never use the same password twice. Not even for the smallest most unimportant throw-away account. There might be good reasons to reuse passwords, but they are most likely bad reasons. And doing something (or not doing something) for a bad reason is not being careful.

OK back to topic: If an email service does not provide TLS I do not use it.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Email Security
« Reply #11 on: November 11, 2010, 01:13:05 PM »
OK back to topic: If an email service does not provide TLS I do not use it.
Sounds a bit pointless, since transport between SMTP servers isn't TLS'ed.

(But OK, if you're un an unprotected wifi, at least other people in the coffee shop can't snoop on the mails you're reading).
- carpe noctem