update passwords/secure accounts

[vontar]

Just a reminder for anyone that hasn't in a while, confirm you are using secure/strong passwords.

 

Last night I found my ebay account had been hijacked

 

I got on the phone with Ebay , no waiting to talk to a rep either.  She sounded like she was from India but had a very nice voice with no heavy accent.  She was a treat to work with and got me fixed up.

 

Long story short, I opened ebay to check on some items I had won the day before.  Thanks to internet Cookies my computer just opened ebay.

 

I found messages from ebay in my inbox inside ebay that my account password had been changed and my a second one that my email address had been changed.  Neither of which was done by me.

 

I try to keep as many account separated and different passwords as I can

 

Also I had checked my email for the address that was linked to Ebay and I didn't have those emails there.  I knew from the past any changes like that ebay and others will commonly send copies to the current address in case of fraud.

 

After I was done talking with email and I had changed both my Comcast and Ebay passwords, both different, I checked the trash can in my Comcast, it was empty as well.  I then checked the Recover deleted items inside the trash can and found those emails from Ebay had been deleted and trash can emptied.  Thus proof someone had been inside my Comcast Email.

 

I don't really use that address for anything, no banking or anything like that.

 

So my Comcast\Ebay\Palpay passwords have all been reset, even my TGO account which is on a separate email account outside of Comcast has been reset.

 

As an IT person, it pains me to say that the password on my Comcast account email hasn't been changed in years and certainly wasn't up to what is considered strong or secure.  Well it is now.

 

Also what I set as passwords last night I am going to change again today, even though they are strong, I am going to make them very strong.

 

I did call Comcast and report it as well

 

Lesson learned, they always gets in though the weak point.  Appears they got access to my Comcast email account, then requested to change my ebay account information

 

Also ebay added some extra security on their side with my account.  We found no activity on my account, it is like they took over but had not got around to trying to buy or sell anything.  also no activity on my paypal account. 

 

I didn't have anything else linked to my Comcast address, but I will be checking my other accounts as well.

 

Links

https://howsecureismypassword.net/

 

https://www.youtube.com/watch?v=IPphyjkXnPc

Edited April 10, 2015 by vontar

[A.J. Holst]

Use a passphrase...like "My wife is a gun nut"

Spaces are "symbols" and a letter can be replaced by a number.

My w1fe 1s a gun nut

[vontar]

I have never used spaces and often wondered if they would count as symbols.  I believe spaces would certainly make them more secure.

 

1 @m @ m@st3r @7 U5ing numbers in place of L3773rs.

 

 

By the way, I tested "My w1fe 1s a gun nut" at the password test site,

It would take a desktop PC about A sextillion years to crack your password

• Length: 20 characters
• Character Combinations: 81
• Calculations Per Second: 4 billion
• Possible Combinations: 147 undecillion

Edited April 10, 2015 by vontar

[Monkeyman2500]

I've had this happen too. Apparently I was selling a corvette cheep! Lol.

[Jonnin]

the world needs to move on toward synced passcodes.   Your phone or whatever produces a code that is good for like 30 seconds or so -- they can't steal it, they have to reverse engineer the specific hash and timer used to create the codes which is an NP-complete difficulty problem (in otherwords, it can't be done in a reasonable amount of time, like hundreds of years).  If they did steal it, they would have to USE it while you were actively online, which means you should catch them (most systems warn you when you log in twice at the same time...).

 

I have that on several systems now, first one was diablo 3 which sent me a keychain that generates the passcodes.   Hopefully more software will move this direction as time goes on.

[vontar]

the world needs to move on toward synced passcodes.   Your phone or whatever produces a code that is good for like 30 seconds or so -- they can't steal it, they have to reverse engineer the specific hash and timer used to create the codes which is an NP-complete difficulty problem (in otherwords, it can't be done in a reasonable amount of time, like hundreds of years).  If they did steal it, they would have to USE it while you were actively online, which means you should catch them (most systems warn you when you log in twice at the same time...).

 

I have that on several systems now, first one was diablo 3 which sent me a keychain that generates the passcodes.   Hopefully more software will move this direction as time goes on.

  Where I work we use RSA Secure Keyfob and recently started upgrading to RSA Software tokens.  Very good and secure.  A person has a PIN that they pick, plus the randomly generated token.  The hardware ones last 60 seconds, the software ones last 30 seconds. 

 

As we have been using them for over 10 years, I thought by now my bank would at least have them as an option. Heck I would pay for that type of security.

 

I even had one for My online Starwars game.

[Jonnin]

the crackable password thing is a crock too by the way.

Hackers either lift your password from you or from the target server, they don't brute force things anymore in general.   Because most servers can detect brute force... hey, this user just failed to log in 800000 times in a row...  derp ...   fail more than 10 times in a row in short succession and real servers lock you out.   3 times on more important stuff.    You don't need 20 char passwords, 5 or so chars is unbreakable when you get locked out after 3 tries.  

[vontar]

the crackable password thing is a crock too by the way.

Hackers either lift your password from you or from the target server, they don't brute force things anymore in general.   Because most servers can detect brute force... hey, this user just failed to log in 800000 times in a row...  derp ...   fail more than 10 times in a row in short succession and real servers lock you out.   3 times on more important stuff.    You don't need 20 char passwords, 5 or so chars is unbreakable when you get locked out after 3 tries.  

 

My first thought was someone at comcast, however Ebay captured the IP address of where it came from,    I traced it and it went to North of South Carolina.  But as IP's change it might or might not be the person.  I don't suppect brute force either since they had to gain access to my comcast.  Also I don't use that password for anything else and barely used comcast email.  I had been using it more in the past week then in the past 6 months though.

 

 

Been checking my PC for virus' and spyware, so far, clean.

[wawoodwa]

My favorite xkcd comic




Sent from my iPhone using Tapatalk

[analog_kidd]

I'm a big fan of KeePass for storing my passwords in an encrypted file. It has a cool feature where you include the URL of the logon page for whatever web site you are storing a password for. When you click on the entry inside KeePass the URL is displayed, and will take you to the page if you click it. Then You right-click the KeePass object and select Autotype, and it will fill in the username / password for you.

 

I've started going through my passwords and making them very strong. If the site supports it, I'll use 16 to 20 characters, with upper / lower/ number / specials. I don't care what the password is, and I never have to remember it.

 

For work, I store my password file on an IronKey secure USB thumbdrive, so it is twice encrypted.

[vontar]

I had a guy at work also recommend KeePass.

 

I can't come up with any wahy someone got my account password for my email.  I am glad it was a different username/password combo then anything else I use.

 

I will admit that password had not been changed in years since I barely ever used the Comcast email

 

I read that some Comcast accounts got compromised in Feb 2014, it is possible mine was among them and someone just got around to trying it.

 

I had my wife reset hers as well just in case.

Edited April 11, 2015 by vontar

[NoBanStan]

Where I work we use RSA Secure Keyfob and recently started upgrading to RSA Software tokens. Very good and secure. A person has a PIN that they pick, plus the randomly generated token. The hardware ones last 60 seconds, the software ones last 30 seconds.

As we have been using them for over 10 years, I thought by now my bank would at least have them as an option. Heck I would pay for that type of security.

I even had one for My online Starwars game.

Dual factor Auth is great. I prefer it for things like initiating VPN connections, etc. Sadly, it's not foolproof. RSA was breached several years ago and if memory serves, their algorithm for passcode generation was stolen.

My employer has been screaming "we need more security!" For a few years but when we present them things like dual factor auth, they shoot it down because "you mean I can't just use my same password?"

Lazy and security don't mix.

We try to make their lives simple. I configured Active Directory Federated Services to allow them single sign-on for our HR platform. What did they do with it? They give the corporate presentation by getting asking the VP of marketing for his password...which he gave... then gave the corporate training using his account on an overhead projector!!!!! Then they got angry when we disabled his account until he agreed to change his password.

You hire us to be professionals but don't respect the professional opinion. It's silly.
But that's IT.

[vontar]

 

RSA was breached several years ago and if memory serves, their algorithm for passcode generation was stolen.

 

 

They did and they replaced all the keyfobs that had been affected.  Were I worked, we had a part in redistributing about 10k worth of RSA tokens.  I understand was all provided by RSA at no cost, but I can't prove that as that is handled in another department, in another state.

[Jonnin]

Nothing is foolproof, of course.    Even with the algorithm, they still have to get the seed for the individual account and, again, if it locks down after a few bad attempts...  

 

its not perfect, but its a lot more trouble to break  than just installing a keylogger on someone's PC to lift the passwords, or using a packet sniffer, or the other basic hax that work on so many simple systems.  Or the end all of hax... just trick the person into telling you how to get in ... "hi, im from Microsoft and I need your account and password..." 

[vontar]

lets see, our VPN locks with only 3 failed attempts, our NT locks at 6 attempts.

 

So brute force isn't getting though.

[analog_kidd]

I really like RSA for VPN authentication, but for server authentication, it's just a pain in the neck. It does not make one bit of difference for connecting to a server via a UNC path, or remote management, both of which give you full Admin access of the server. So if I can gain an admin password, bypassing RSA is trivial. Plus, if I can get physical access to the server, I can boot it with a utility disk of some sort, like DART, and one or two easy registry edits later, I have RSA turned off and the admin password reset.

 

We use RSA on our servers, and its just more of a hindrance than anything else. Having to look at your fob a hundred times a day and enter the token+pin is time consuming and annoying. Especially when followed up by a 16 character password.

Edited April 13, 2015 by analog_kidd