SportsShooter.com: Member Message Board

DO NOT SEND MONEY!
 
Ian L. Sitren, Photographer
Palm Springs | CA | USA | Posted: 9:31 PM on 02.03.11
->> Sorry folks this morning my e-mail and facebook accounts were hacked. As some of you may know, me giving out a password or falling for some scam giving it out is something that would never happen. Nor would any phantom key-logging software get installed across my computers.
It looks to me at the moment that it was what is called a "brute force" attack across random facebook accounts. Sadly my facebook password was the same as my e-mail account. My facebook account has now been suspended but not after a long day.
Facebook even has a special help section for this type of hack and money scam so apparently it happens often. Facebook is a great resource but also a target for those seeking to do bad in the world.
On second thought... about that sending money part... ok never mind :)
 
Chuck Liddy, Photographer
Durham | NC | USA | Posted: 9:53 PM on 02.03.11
->> damn! I had a quarter I was going to email you! 8)
sorry to hear this.
 
Jason Heffran, Photographer
Tarentum | PA | United States | Posted: 10:00 PM on 02.03.11
->> +1 on that...
Having owned a large web hosting company with a TON of customers, these "brute force" attacks are so frequent it would amaze you. It's not as difficult for someone to compromise an account if they are determined enough.
Ian, you did what a lot of folks do. Having the same password for different things is hard to avoid, but a big security risk. I'm guilty and from what I am about to say - should know better.
After a successful string of hacks, we did an audit. Nearly 100,000 accounts had the same password for their ADMINISTRATIVE email account and FTP. We immediately started not allowing that to happen.
I'm not assuming that everyone who reads this is an idiot, but it is REALLY a good idea to use passwords that are NOT words in ANY dictionary. Simply using tactics like replacing the letter "E" with a "3" may seem like a strong password idea, but pattern matching for that is one of the first things these guys do. Most "brute force" attacks are automated software programs. Example... "apple" is changed to "@pp13".
The minimum requirements for passwords became: 8 characters, at least one upper, one lower, one letter, one number, one "symbol" and couldn't match anything in their account information. Plus, it had to be changed every 6 months.
After this policy took effect, albeit a little inconvenient for our customers who could no longer use their dog's name, not one successful password hack for the remaining two years I owned the company. There were many, many attempts - especially with the email servers.
I know I might be stating the obvious, but I know we get so busy that we tend to have an "it won't happen to me" mentality when it comes to these things.
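Jason's policy above (8 characters, upper, lower, digit, symbol, nothing matching the account information) together with his point that automated tools undo "@pp13"-style substitutions, as an added example in Python; this is not code from the post or from the hosting company, and the word list and account fields are constructed stand-ins.

```python
import re
import string

# Constructed stand-in for a real dictionary file; a production check would load a full word list.
DICTIONARY = {"apple", "admin", "password", "letmein", "rover", "summer"}

# Symbol/digit-for-letter swaps that cracking tools reverse, so "@pp13" is checked as "apple".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Undo common substitutions and lower-case, so that '@pp13' becomes 'apple'."""
    return pw.translate(LEET_MAP).lower()


def check_password(pw: str, account_info: dict) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    # Dictionary check runs on the normalized, letters-only form, so appending
    # digits or swapping "3" for "e" does not hide a dictionary word.
    letters_only = re.sub(r"[^a-z]", "", normalize(pw))
    if any(word in letters_only for word in DICTIONARY):
        problems.append("contains a dictionary word (after undoing @/3/1-style substitutions)")
    # Account information (constructed field names) must not appear in the password.
    for field, value in account_info.items():
        if value and value.lower() in pw.lower():
            problems.append(f"contains account {field} ({value})")
    return problems


if __name__ == "__main__":
    acct = {"username": "isitren", "lastname": "Sitren"}  # constructed sample account
    for candidate in ["admin", "@pp13", "Sitren2011!", "Tr!pod-Lens_42"]:
        print(candidate, "->", check_password(candidate, acct) or "OK")
```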
 
Scott Morgan, Photographer
Rockford | IL | United States | Posted: 10:42 PM on 02.03.11
->> Facebook also has a setting where it will email you if a new computer or device has logged into your account. I know this probably would not have saved you, since they got both passwords with one shot, but for the rest of you it might.
Go to the Account tab > Account Settings > Account Security and check the boxes.
 
Scott Serio, Photo Editor, Photographer
Colora | MD | USA | Posted: 1:16 AM on 02.04.11
->> Albany Time-Union photog Skip Dickstein also had his account hacked yesterday. Awesome. But I knew he wouldn't lead off an email writing, "I writing this with a tear in my eye..."
 
Mike Huffstatler, Photographer, Assistant
Rancho Cucamonga | Ca | United States | Posted: 3:11 AM on 02.04.11
->> @jason...100,000 accounts with the same password! Wow. Would you mind sharing what percentage that was of your clients? You mentioned "owned" as in the past tense, so maybe you'd be willing to divulge. Just curious really.
This is a good reminder to me to do a password review. I tend to mix things up pretty well but I know it could be better.
 
Mike Janes, Photographer
Attica | NY | USA | Posted: 3:35 AM on 02.04.11
->> If this is the scam that says you are in trouble in another land needing money to get out, I've had a few of those sent to my inbox. The first one was when I got home from working a game with the guy and it said he was overseas in need of help; it must have been a quick trip since I had just left him 15 minutes prior!
I thought nobody was stupid enough to fall for this, until a few months later I was having dinner with another photographer whose friend had it happen to him. He logged into his email to an array of answers asking about the trouble and then he realized one friend had sent him 5K!! It was too late, the money was gone and this guy's friend had sent it to some hacker. The photographer I was having dinner with told him "at least you know you have one friend" since all of them refused to send money, besides the one guy!
Received the message on FB & regular email before. Oh, and I had my online banking & paypal account hacked last year, same password. Somebody got a lot of free porn and video games in the United Kingdom though, he even had some mailed to him, but never did hear the final results and just got my money back.
 
Jason Heffran, Photographer
Tarentum | PA | United States | Posted: 12:28 PM on 02.04.11
->> @ Mike - They didn't all have the same pw, they were web hosting accounts from different customers where those 2 matched each other, exposing their files and email potentially. I was just pointing out how frequent it was and that what some folks think "protects" them, actually does nothing. I lost count of how many used "admin" as their password.
I'm sure if we only audited 1,000 accounts the percentage would have still been around 50%.
As far as your curiosity... at the time, that was probably about half of the web hosting and email accounts on our servers. In those days, everyone ("mom and pops") HAD to have a website and would point 5 domains to a really simple site. Not anything like today's high-speed, connect from anywhere, interactive "Flash" world we live in.
I'm not sure exactly how many times the company has merged and sold since 2000 (a few for sure) but it now operates as Hosting.com. Needless to say, in hindsight, I should have held on to it ;-)
 
Israel Shirk, Photographer, Assistant
Boise | ID | US | Posted: 2:43 PM on 02.04.11
->> One of the most common ways that this happens is that you'll have a computer on your network that gets a virus... The virus then switches the system's network card into promiscuous mode - so that any data going across the network can be read by the compromised computer. Then, when someone logs into Facebook (or whatever else), without using SSL (which is when there's the https:// in the address instead of just http://) - the virus can just capture the user name and password you're using to log in. It's almost the same attack that the Tunisian government used to gain control over protesters' facebook and twitter accounts - only they did it while the data was passing through the ISP rather than on a home network.
So, that said, one of the things you can do to keep your facebook, gmail, etc, secure is to use https://gmail.com and https://facebook.com, so that your username and password are encrypted before being sent across the net.
 
Ian L. Sitren, Photographer
Palm Springs | CA | USA | Posted: 8:33 PM on 02.14.11
->> Good news! My Facebook page was restored today. I sure did not want to lose the 3700+ friends. So look for me on Facebook! Thanks!
 
Bryan Hulse, Photographer
Nashville | Tn | USA | Posted: 9:30 PM on 02.14.11
->> Ian: That completely stinks. I feel your pain. I recently had my Sprint account hacked and have spent countless hours on the phone with the fraud department trying to clean up a quick $2600 of international calling charges, which happened AFTER I told Sprint it had been hacked and to not allow such charges. What really stinks is that I have NO idea how it happened!
Jason: Computer security seems to be a no win situation. If we use the same passwords, one hack gets them all. But if we create individual passwords for every account, and make them truly unique and not dictionary words, we then need to maintain a list of passwords somewhere. I keep such a list on my Mac. I just quickly counted over 50 passwords: Bank accounts, software license registration, website passwords, email, on and on. Then we have the risk of getting that list stolen (stolen computer or a backup drive) and are in an even worse predicament.
Yes, there are iPhone apps, Blackberry apps, Mac apps, etc to maintain passwords via a password protected 'vault'. But these solutions are cumbersome in their own right, and I find myself not using them like I should.
What to do, what to do
 
Phil Hawkins, Photographer
Fresno | ca | usa | Posted: 1:57 PM on 02.15.11
->> Bryan,
Good luck with Sprint on that. I had the same thing happen to me with my wife's phone, and they could care less. It cost me $700. I will not have a cell phone if it means I have to use Sprint. There are not words in the English language to express how much animosity I have for them. They were rude, ignored me and obviously were not going to do anything to solve the problem. They are the worst cell phone company anywhere.
As for your passwords, I have my passwords listed in my address book as hints or abbreviations. Anyone that gets my address book will not have the actual passwords... Good luck deciphering my hints and abbreviations.