Hacking Prevention

loltsundere

I don't mean to sound like a total computer-ignorant moron here, but my family's having a little net-drama and I want to try and help them.

Basically, my brother got into a fight with a douche. Douche threw bottles at some of his friends, my brother called him names, douche threatened him with a baseball bat. Douche goes home, finds my brother on Facebook, "hacks" his account, gets his password and thereby passwords to his email and other personal BS. My brother changed his passwords and the douche was back into his account in a minute, they tell me. Genius that he is, my brother gets on my sister's Facebook account to chat with the douche and get him to stop... exposing her account to probable douchery.

My mom knows nothing of computers, and asked me for help. I know very little myself, and all I could tell them was to contact the Facebook administrators and alert them. Is there any way to prevent the douche from continuing to obtain my brother's passwords? Changing them doesn't do anything. He knows who this person is IRL, his name, etc. I read that what he's doing is against the law, but nothing can be done without physical evidence that the password was stolen (and I would love to know what the hell this physical evidence would be).

I think it would be delightful to go to the douche's house and pummel him, but that would only create further internetz vengeance, I'm sure. Past behavior shows that the douche is obviously unhinged.

My brother is a douche too. I'm asking you guys for advice only because this is yet another thing he's doing to make my Mom and sister's lives difficult.

Sail

The most common method of Facebook "hacking" is when people unknowingly add applications that masquerade as other applications, then direct to pages that imitate the Facebook login page where the user dimwittedly submits their account info. It's a trick as old as the internet itself, but it still gets people and it would probably be the simplest and most plausible way for someone to get your brother's account information. The only other methods I can think of involve keyloggers or having physical access to the computer. Other people here probably know more than me, though.

WindUpBird

Uninstall all the junk Facebook apps he's added, change every password he has. Change the email address he uses to access Facebook. Change security questions, remove birthdays, interests, anything particularly revealing. Chances are that your brother used the same couple security questions, Antagonist Douche guessed them, and eventually got all the way down to your brother's email. Which is really, really bad, considering the personal things one receives via email and the ease of simply getting in and changing the security question and password for someone who was able to grab the passwords in the first place. Antagonist Douche doesn't sound too bright, though.

If your brother cares to, he could figure out Antagonist Douche's IP Address and attack it with Metasploit. This suggestion is only half in jest.

...

What Sail said. Another method of obtaining credentials is by going through account recovery. Since you cannot know whether there are any keyloggers on the computer easiest way would be to nuke it and then change all information related to logging in, passwords and recovery. And of course make sure there's no PEBKAC.

Churba

If your brother cares to, he could figure out Antagonist Douche's IP Address and attack it with Metasploit. This suggestion is only half in jest.

If he uses g-mail, he can see the last few IP addresses that logged into the account - pick the one that doesn't match the computers he accesses from, and go for it.

Apreche

1) The computer has stupid crap installed on it. Erase the entire computer, and install a clean OS. Never use IE except to install all Windows updates. Make sure you have a NAT firewall (router). Don't install stupid shit.

2) Don't install any weird Facebook apps and such. Remove all stupid shit. Don't do anything that isn't 100% on the up and up. Trust nothing. If it isn't from a huge and smart tech company or site you know, like Google, Amazon Microsoft, Valve, Apple, etc. and it isn't trusted open source things like Ubuntu, Firefox, OpenOffice, etc. then you should avoid it completely. No weather widgets, no toolbars, no online poker, no dancing babies, no nothing.

3) Use a very complicated password. Most likely these people are just smart and are guessing the password. Your password should be something complicated like z6Ve1u1O8c. You should never write it down, and never tell it to any other human being on earth, even someone you trust 100% completely. It should exist only in your brain. Even if you are married to someone for 50 years, you should not share passwords. The other person shouldn't even know it, or ask it. Even if you have a Google password, you shouldn't even tell it to Google, if they ask. Google doesn't know it, they don't need to know it, they don't want to know it. Same goes for Amazon, the cable company, nobody. Your password should live entirely in your brain, and never leave it, except when you are typing it. Never say it. Never write it. Period.

This is the bare minimum of what is required to stay safe on an Internet connected computer. Really, I don't have any pity left for people who can't handle it. The Internet is the Wild West. People who can't handle it really just deserve what they get.

WindUpBird

Never say it. Never write it. Period.

I agree with you, but I'm curious as to your opinion on password managers from trusted companies. It's difficult to keep a billion different passwords of extreme complexity memorized.

Apreche

I agree with you, but I'm curious as to your opinion on password managers from trusted companies. It's difficult to keep a billion different passwords of extreme complexity memorized.

This can handle most of them. http://supergenpass.com/

Sail

I agree with you, but I'm curious as to your opinion on password managers from trusted companies. It's difficult to keep a billion different passwords of extreme complexity memorized.

This can handle most of them.http://supergenpass.com/

What if the website goes down and you can't get into any of your accounts because now you don't know the passwords for any of them?

lackofcheese

I agree with you, but I'm curious as to your opinion on password managers from trusted companies. It's difficult to keep a billion different passwords of extreme complexity memorized.

This can handle most of them.http://supergenpass.com/

What if the website goes down and you can't get into any of your accounts because now you don't know the passwords for any of them?

Simple. Have a copy of the mobile version.

Sail

While my hosting service is generally very reliable, there are rare outages. If you use the Firefox / Safari / Opera version, outages will not affect your use of SuperGenPass. If you use the Internet Explorer version and you are concerned about outages, the “Customize SuperGenPass” page allows you to specify a different location for the hosted JavaScript file—your own server, the Coral cache, or the Google Code repository. I also recommend that you save a copy of the mobile version to your hard drive in case you need to generate a password while offline.

Well there I have it.

WindUpBird

See, I keep my passwords on a thumbdrive on a key chain, locked down with a complex master password. Reconsidering all that, though, in light of Scott's suggestion.

Sail

I've never had any problem with remembering passwords, so I've never even considered writing them down or storing them somewhere. I have about 5+ different passwords, all used for different tiers of important information.

WindUpBird

I have about 5+ different passwords, all used for different tiers of important information.

Different strokes, I suppose.

Apreche

See, I keep my passwords on a thumbdrive on a key chain, locked down with a complex master password. Reconsidering all that, though, in light of Scott's suggestion.

The problem with this method is that if someone gets your thumbdrive, they have all your passwords. Encrypting with a complex master password doesn't matter. It's a symmetric key, and can be trivially brute-forced. Then someone will have access to everything, quite possibly before you can change all the passwords.

Doing a has of a master password and some SALT (SGP defaults to using the domain) makes it mathematically impossible to derive the master password from the generated password. This is good because many web sites are very bad security-wise. Some of them store passwords in their database as plain text. You can't trust the site owner, be they me or Google, not to get your password. And if you are using the same password on multiple sites, now it's even worse. If you encrypt all your passwords using a symmetric key, then it is mathematically possible for me to take the one password you use on my site, and figure out all of your passwords for all of your sites. With a hash like supergenpass, that is not possible.

Remember, you're not just protecting against people who want your facebook. You're protecting your Google from Facebook and so-forth.

WindUpBird

The problem with this method is that if someone gets your thumbdrive, they have all your passwords. Encrypting with a complex master password doesn't matter. It's a symmetric key, and can be trivially brute-forced. Then someone will have access to everything, quite possibly before you can change all the passwords.

I know. I was just thinking about how easy it would be to do so.

Alright, I'll work on a fucking incredible password and switch to SGP, and then nuke the thumbdrive.

Apreche

Also, for people who have bad memory, here is a trick. Remembering 10 unrelated letters and numbers is hard. What you can do is remember two words and a number. That's only three things to remember. So you can have a password like

scott5waterfall

It's complex enough to be secure, it has a number in it, and it's easy to remember.

And, no, I'm not a moron. That's not even remotely close to my password, nor do I use this method.

Josh Bytes

This has got me thinking about security questions. Would it be wise to make up a fake answer for your security questions? Or is it safe to assume a would be hacker can't guess them?

Dr. Timo

This has got me thinking about security questions. Would it be wise to make up a fake answer for your security questions? Or is it safe to assume a would be hacker can't guess them?

Yes! "Security" questions should be answered with another password like "eR5djk#p2".

Also, seeing as no-one has suggested this yet, call the police. Unauthorized access of computer systems carries significant penalties (see recent members of anonymous getting one year prison sentences).

Victor Frost

This thread should listen to Security Now!.

Churba

This thread should listen toSecurity Spinrite Now!.

lackofcheese

I think this might've been mentioned on the FRC Forums before, but there is an unfortunate vulnerability in SuperGenPass (or, more appropriately speaking, JavaScript running on webpages). To put it simply, basically, because SGP is just JavaScript code, and JavaScript doesn't really have any reasonable notion of encapsulation, SGP is pretty much being run as part of the webpage, and hence the webpage could have access to whatever it is you're doing inside it.

You can see it at work in these demos.

The solution is to do one of the following:
1) Run SGP in a blank tab
2) Use a browser extension instead of the bookmarklet.

Apreche

I think this might've been mentioned on the FRC Forums before, but there is an unfortunate vulnerability in SuperGenPass (or, more appropriately speaking, JavaScript running on webpages). To put it simply, basically, because SGP is just JavaScript code, and JavaScript doesn't really have any reasonable notion of encapsulation, SGP is pretty much being run as part of the webpage, and hence the webpage could have access to whatever it is you're doing inside it.

You can see it at work in these demos.

The solution is to do one of the following:
1) Run SGP in a blank tab
2) Use a browser extension instead of the bookmarklet.

This is true, but the web-site itself has to target SGP specifically to take advantage of this. Personally I've been using more password card and less SGP.

Omnutia

Still using SGP but in extension form due to it having not worked in Chrome.

lackofcheese

Day-to-day security is all about staying above the low-hanging fruit.

Omnutia

Depends on the size of your fruit. If you've got really big fruit then you want to keep them well out of reach of anyone trying to grab them.

lackofcheese

Depends on the size of your fruit. If you've got really big fruit then you want to keep them well out of reach of anyone trying to grab them.

I should've used a better term than "day-to-day" - the point was to imply that the fruit were indeed small.

Bronzdragon

If you consider your desktop computer secure, would there be any reason not to use firefox's built in password manager?

Apreche

If you consider your desktop computer secure, would there be any reason not to use firefox's built in password manager?

If you're wrong about your desktop being secure.

Dr. Timo

If you consider your desktop computer secure, would there be any reason not to use firefox's built in password manager?

Accessing stuff from other computers than your own?

LastPass + Yubikey + strong master password.

dsf

I remember a time when I used to use patterns on the keyboard for passwords. I just remembered the pattern.