Thursday, June 6, 2013

Scary hypothetical: Your email account just got hacked

Ouch, your email account just got hacked. Sorry this is happening to you. We live in an age of computer security where the spammers and scammers have the upper hand. Hopefully the wind will turn soon.

Very possibly, the spam the hacker sent went to all sorts of people, not just to your contacts. Very possibly they also emailed a list of targets the spammers have grabbed from around the web, and from other hacks. They merely used your account as a conduit to give their email an air of legitimacy, so it wouldn't trip the recipients' spam filters. That sucks, I know.

Here's what you need to do, most urgent first:
  1. Change your password at Gmail or Yahoo, or whichever service you use. Hopefully you already did this. Preferably, change your password from a different computer than your usual one: in the worst case, there is a virus on your computer watching you type in the new password. That would be bad.
  2. Change your password on all sites where you have used the same password, a derivative of that password, or a similar password-generation scheme.
  3. Turn on two-factor authentication on your account. This will be a huge win in securing your account going forward. Lifehacker describes the feature in detail.
  4. Start using Keepass to generate and securely store a different password for every website you have a password with. Every password will be super random and super long, and thus super secure. See my blog post on this topic here.
  5. Do a thorough scan of your computer for viruses and trojans. Follow the instructions here. If that seems intimidating, bring your computer to a friendly local computer repair shop.
If you find Keepass intimidating, the alternative is to change all your passwords to fresh passwords generated using XKCD's excellent (and fun!) scheme. Then write them down on a sheet that you keep by your computer. Then make some copies and store them in different secure places, such as where you keep your tax information and whatnot.

It might seem counterintuitive, but these days physical security is vastly stronger than online security, so while this practice isn't quite as strong as using Keepass, and not as convenient, it is sufficiently strong for most purposes. Petty thieves are just not known for rooting around people's houses for printed password lists, and if they found the list they wouldn't know what to do with it.

When choosing passwords, adding a punctuation mark doesn't work nearly as well as it used to. The reasons are twofold:
  1. Most hacks don't actually involve breaking the password. They get in by defeating the security of either the website itself, or that of your computer, or through a phishing email. That's where two-factor authentication really shines. http://en.wikipedia.org/wiki/Phishing
  2. Hacks made by breaking passwords involve a website being hacked and its users' password list getting stolen. The thief then cracks as many passwords as they can, offline, using massive supercomputers rented by the hour. They then proceed to attempt to log in to other websites using those credentials. You can read the story of the devilish effectiveness of this technique in this fantastic long-form article at the always top-notch publication Ars Technica.
Hence my recommendations in support of two-factor auth and Keepass.
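To put numbers on the XKCD scheme mentioned above and on the offline-cracking point in reason 2, here is a small added example (my own illustration, not code from the original post, from XKCD, or from Keepass). It draws words with a CSPRNG, computes the entropy of an N-word passphrase versus a "dictionary word plus one punctuation mark" password, and estimates how long exhaustive guessing would take at an assumed guess rate. The word list is a constructed 16-word sample; the 7776-word list size, the 170,000-word dictionary, the 32 punctuation marks and the 1e10 guesses/second rate are all stated assumptions chosen for illustration.

```python
import math
import secrets

# Constructed sample word list for the demo. A real passphrase list (the
# kind XKCD's scheme assumes, or the Diceware/EFF lists) has thousands of
# words; this one is tiny so the arithmetic below stays easy to follow.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "orbit", "lantern", "pepper",
    "walrus", "meadow", "copper", "tundra", "violin", "saddle", "quartz",
    "harbor", "nickel",
]


def xkcd_passphrase(words, count=4, separator="-"):
    """Pick `count` words uniformly at random (secrets, not random.choice)."""
    if count < 1 or not words:
        raise ValueError("need at least one word and a non-empty word list")
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count):
    """Entropy of `count` independent uniform picks from `wordlist_size` words."""
    return count * math.log2(wordlist_size)


def word_plus_punct_entropy_bits(dictionary_size, punct_count):
    """Entropy of 'one dictionary word followed by one punctuation mark'."""
    return math.log2(dictionary_size * punct_count)


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Mean time to hit the secret by exhaustive guessing: half the keyspace."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def compare_schemes(wordlist_size=7776, words=4, dictionary_size=170_000,
                    punct_count=32, guesses_per_second=1e10):
    """Side-by-side strength of the two schemes under one assumed guess rate.

    Every default here is an assumption for illustration: 7776 is the size of
    a classic Diceware list, 170,000 a rough English dictionary, 32 punctuation
    marks, and 1e10 guesses/second a stand-in for a rented cracking rig working
    offline against a fast, single-round hash (stolen list, as in reason 2).
    """
    xkcd_bits = passphrase_entropy_bits(wordlist_size, words)
    punct_bits = word_plus_punct_entropy_bits(dictionary_size, punct_count)
    return {
        "xkcd_bits": round(xkcd_bits, 1),
        "xkcd_seconds": expected_crack_seconds(xkcd_bits, guesses_per_second),
        "word_punct_bits": round(punct_bits, 1),
        "word_punct_seconds": expected_crack_seconds(punct_bits, guesses_per_second),
    }


if __name__ == "__main__":
    print("sample passphrase:", xkcd_passphrase(SAMPLE_WORDS))
    for key, value in compare_schemes().items():
        print(f"{key:>20}: {value:,.1f}")
```

With the assumed defaults, four Diceware words come to about 51.7 bits and a word-plus-punctuation password to about 22.4 bits, a gap of roughly 29 bits, i.e. the passphrase takes on the order of half a billion times longer to guess. Note that the seconds figure scales directly with the guess rate, which is exactly why a leaked password list (reason 2) is so much more dangerous than online guessing: offline, nothing rate-limits the attacker.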

And in case you are asking, yes, Macs are just as vulnerable. Now that everything has moved online, it doesn't matter much which kind of machine you are running. The more prominent attack vectors I was describing, breaking into the website and phishing, don't involve your machine at all. An attack on your laptop would most likely go through your browser, and browsers are largely the same across platforms. I know plenty of Mac users who have been hacked, and in some ways getting your Mac hacked is worse, since Apple controls the machine so deeply. A salient story here is that of the famous technology reporter at Wired, Mat Honan, who had his Mac hacked and wiped remotely.

To end on an up-note, I do feel the wind is turning. This new two-factor authentication feature many websites have begun implementing is a huge breakthrough for everyone's security online. As two-factor becomes popular and widely used, I have great hope that we will see a stunning decrease in the number of people affected by hacks and hackers. Plus, at this point we can more or less trust that hardly anyone clicks on the links sent by these attacks, which demonstrates how far we've come in educating each other about this new topic of online computer security that was imposed on everyone a few years ago. This, too, deserves to be celebrated, and it bodes well for the future.

Good luck.