Posts Tagged ‘Email address’

How to stop your Gmail account being hacked

Published by pratyushkp on June 3rd, 2011 - in Social, Technology

Original Post from Sophos. Author – Graham Cluley

As has been widely reported, high profile users of Gmail – including US government officials, reporters and political activists – have had their email accounts hacked.

This wasn’t a sophisticated attack against Google’s systems, but rather a cleverly-crafted HTML email which pointed to a Gmail phishing page.

Victims would believe that they had been sent an attachment, click on the link, and be greeted by what appeared to be Gmail’s login screen. Before you knew it, your Gmail username and password could be in the hands of unauthorised parties.

So, what steps should you take to reduce the chances of your Gmail account being hacked?

  1. Set up Two step verification
  2. Check if your Gmail messages are being forwarded without your permission
  3. Where is your Gmail account being accessed from?
  4. Choose a unique, hard-to-crack password
  5. Secure your computer
  6. Why are you using Gmail anyway?

1. Set up Two step verification

The hackers who broke into high profile Gmail accounts grabbed usernames and passwords. So, an obvious thing to do would be to make Gmail require an extra piece of information before allowing anybody to access your account.

Google provides a facility called “two step verification” to Gmail users, which provides that extra layer of security. It requires you to be able to access your mobile phone when you sign into your email account – as they will be sending you a magic “verification” number via SMS.

The advantage of this approach – which is similar to that done by many online banks – is that even if cybercriminals manage to steal your username and password, they won’t know what your magic number is because they don’t have your phone.

Google has made two step verification easy to set up.

Once you’re set up, the next time you try to log into Gmail you’ll be asked for your magic number after entering your username and password. Your mobile phone should receive an SMS text message from Google containing your verification number.

Let’s just hope the bad guys don’t have access to your mobile phone too.

Here’s a video from Google where they explain two step verification in greater detail:

You can also learn more about two step verification on Google’s website.

By the way, note that two step verification doesn’t mean that your Gmail can’t ever be snooped on by remote hackers. They could, for instance, install spyware onto your computer which could monitor everything that appears on your screen. But it’s certainly a good additional level of security for your Gmail account, and one which will make life much more difficult for any cybercriminal who might be targeting you.
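To make the mechanism concrete, here is a small server-side model of the second step described above: a short numeric code is issued out of band, kept only as a keyed hash, expires after a few minutes, can be used once and tolerates only a few wrong guesses. This is an added illustration, not Google’s implementation; the class and function names (SecondFactor, issue, verify, login), the limits and the secret are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumption: six-digit codes, as in the SMS flow described above
CODE_TTL_SECONDS = 300   # assumption: a code is only good for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses burn the code


class SecondFactor:
    """Server-side half of an SMS-style verification step (hypothetical model)."""

    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret
        self._now = now                 # injectable clock so expiry can be tested
        self._pending = {}              # user -> [code_hash, expires_at, attempts_left]

    def _hash(self, user: str, code: str) -> str:
        # Store a keyed hash rather than the code itself, so a leaked table
        # of pending codes is not directly usable.
        return hmac.new(self._secret, f"{user}:{code}".encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str) -> str:
        # secrets.randbelow gives an unpredictable code; zero-pad to CODE_DIGITS.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [self._hash(user, code), self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # in a real deployment this goes to the phone via SMS, never back to the browser

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                # nothing issued, or already consumed
        expires_at = entry[1]
        if self._now() > expires_at or entry[2] <= 0:
            del self._pending[user]     # expired or exhausted: force a fresh code
            return False
        entry[2] -= 1
        # Constant-time comparison so the check does not leak how many digits matched.
        ok = hmac.compare_digest(entry[0], self._hash(user, submitted))
        if ok or entry[2] == 0:
            del self._pending[user]     # a code is single-use; lockout after the last attempt
        return ok


def login(sf: SecondFactor, user: str, password_ok: bool, submitted_code: str) -> bool:
    """Access requires both a correct password and a correct, live second-factor code."""
    if not password_ok:
        return False
    return sf.verify(user, submitted_code)


if __name__ == "__main__":
    sf = SecondFactor(b"example-server-secret")   # constructed secret for the demo
    code = sf.issue("alice")                      # would be sent by SMS
    print("stolen password alone:", login(sf, "alice", True, "000000" if code != "000000" else "111111"))
    print("password plus phone:", login(sf, "alice", True, code))
    print("replayed code:", login(sf, "alice", True, code))
```

The point the text makes is visible in the last two checks: a correct password with a guessed code fails, the real code works exactly once, and replaying it afterwards fails again.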

2. Check if your Gmail messages are being forwarded without your permission

Gmail gives you the ability to forward your emails to another email address. There are situations where this might be handy, of course, but it can also be used by hackers to secretly read the messages you receive.

Go into your Gmail account settings, and select the “Forwarding and POP/IMAP” tab.

If your emails are being forwarded to another address, then you will see something like the following:

That’s fine if you authorised for your emails to be forwarded to that email address, but a bad thing if you didn’t.

If your messages are not being forwarded you will see a screen more like this:

Hackers want to break into your account not just to see what email you’ve received up until their break-in. Ideally, they would like to have ongoing access to your email, even if you change your password or enable two step verification. That’s why it’s so important to check that no-one has sneakily asked for all of your email to be forwarded to them.

3. Where is your Gmail account being accessed from?

At the bottom of each webpage on Gmail, you’ll see some small print which describes your last account activity. This is available to help you spot whether someone has been accessing your account at unusual times of day (for instance, when you haven’t been using your computer) or from a different location.

Clicking on the “Details” option will take you to a webpage describing the type of access and the IP address of the computer which logged into your email account. Although some of this data may appear nerdy, it can be a helpful heads-up – especially if you spot that a computer from another country has been accessing your email.

4. Choose a unique, hard-to-crack password

As we’ve explained before, you should never use the same username and password on multiple websites. It’s like having a skeleton key which opens every door – if they grab your password in one place they can try it in many other places.

Also, you should ensure that your password is not a dictionary word, and is sufficiently complex that it’s hard to break with a dictionary attack.

Here’s a video which explains how to choose a strong password, which is easy to remember but still hard to crack:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Don’t delay: be sensible and make your passwords more secure today.

And once you’ve chosen a safer password – keep it safe! That means, don’t share it with anyone else and be very careful that you’re typing it into the real Gmail login screen, not a phishing site.

5. Secure your computer

It should go without saying, but this list would be unfinished without it. You need to properly secure your computer with up-to-date anti-virus software, security patches and so forth. If you don’t, you’re risking hackers planting malicious code on your computer which could spy upon you and, of course, your email.

You always want to be certain that your computer is in a decent state of health before you log into a sensitive online account, such as your email or bank account. That’s one of the reasons why I would always be very nervous about using a computer in a cybercafe or hotel lobby. You simply don’t know what state the computer is in, and who might have been using it before.

6. Why are you using Gmail anyway?

Okay, I don’t really mean that. But I do mean, why are you storing sensitive information in your Gmail account?

The news headlines claim that senior US political and military officials were being targeted by the hackers. Surely if they had confidential or sensitive data they shouldn’t have that in their webmail account? Shouldn’t that be on secure government and military systems instead?

Always think about the data you might be putting on your web email account – because if it’s only protected by a username and password that may actually be less security than your regular work email system provides.

  • How to stop your Gmail account being hacked (nakedsecurity.sophos.com)
  • The Truth Behind Gmail “Hack” (fastcompany.com)
  • Even Gmail Can Get Hacked (webpagefx.com)
  • Chinese Gmail Attack Targets ‘Senior’ U.S. Officials (techland.time.com)
  • Top 10 Things You Can Do to Protect Your Gmail Account (blogs.wsj.com)
  • Google: Gmail Attack from China Affects ‘Senior U.S. Government Officials’ (techland.time.com)

35 million Google profiles were *already* exposed on the internet

Published by pratyushkp on June 2nd, 2011 - in Social, Technology

Do you have a Google Profile? Did you find yourself getting the collywobbles when you read the headlines in the security press?

Here’s just a handful of the many headlines that have appeared in the last few days:

“35 Million Google Profiles Captured In Database”, Information Week

“35m Google Profiles dumped into private database?”, The Register

“Entire Google Profile database acquired by a user”, ARN

Matthijs R. Koot, a PhD student at the University of Amsterdam, was able to create a database of 35 million Google Profiles, scooping up real names, email addresses, biographical information, Twitter feeds, links to Picasa photos, etc.

Sound scary to you? If so, maybe you’re one of those people who has populated your Google Profile with a large amount of private information that you wouldn’t like to fall into the hands of ne’er-do-wells.

At first glance the headlines might appear worrying. But there’s one important thing you need to know.

All of this information was already available to anyone on the internet.

You may remember that last year security researcher Ron Bowes conducted a similar experiment with Facebook, creating a database of 100 million Facebook users who had left their profiles open for anybody to view.

Koot has done something similar – but with Google Profiles. He wrote a relatively simple script (which he published on the net for others to try out) that harvests Google Profile data – and in the process, revealed that many users were potentially being careless with their personal information.

So, Koot hasn’t actually exposed any new information. He’s just written a script to collect together data which was already out there.

Google Profile allows you to choose the form of the URL to your profile. You can either have a random-looking number, or the username you use for Gmail.

For instance, Matthijs R. Koot has the option of using:

https://profiles.google.com/115572197788225218471

or

https://profiles.google.com/mrkoot

However, Google Profile users are explicitly warned that if they choose to customise their URL with their Gmail username, they will be making their email address publicly discoverable.

Koot says that he conducted the test to expose how careless people were being with Google Profile, and in particular that they were exposing their email addresses.

He discovered that approximately 40% of the 35 million Google Profiles he accessed exposed the owner’s username and hence their @gmail.com address. That’s 15 million exposed email addresses.

There’s an obvious potential for spear phishing and malware campaigns when you have access to such a hoard of legitimate email addresses. Especially when they can be combined with other personal information shared on your Google Profile.

Google Profile users can adjust their settings to not allow their profiles to be indexed by search engines. But that’s not really fixing the main problem.

Wouldn’t it be better to choose not to post personal information in the first place?

One problem, of course, is that you may not actually realise that you already have a Google Profile.

After all, Google freely admits that “if you’ve been writing reviews on Google Maps, posting buzz on Google Buzz, creating articles on Google Knol, sharing Google Reader items, or adding books to your Google Book Search library, you may already have a profile.”

Maybe now is the time to check if you have a Google Profile, and – if you do – that you’re comfortable with the information you’re sharing through it.

Ultimately, though, remember the golden rule. If you don’t want a piece of information to fall into the hands of hackers/your boss/your mother-in-law then maybe it’s best not to post it on the internet in the first place.

Source: http://nakedsecurity.sophos.com/

  • 35 million Google profiles were *already* exposed on the net (nakedsecurity.sophos.com)
  • Google Profiles: Is Easy Aggregation An Invasion Of Privacy? (blogs.forbes.com)
  • 35 Million Google Profiles Captured In Database (informationweek.com)
  • 35m Google Profiles dumped into private database (go.theregister.com)
  • 35 Million Google Profiles Collected (tech.slashdot.org)
  • Infosec Island: Researcher Nabs Details from 35 Million Google Profiles (boxofmeat.net)
  • Google Business Profiles? (googlesystem.blogspot.com)
  • Delete your [Google.com] profile (thebloggingpath.com)
Tags: Doctor of Philosophy, InformationWeek, Knol, University of Amsterdam

TimeSpentHere rogue app spreads virally on Twitter

Published by pratyushkp on June 2nd, 2011 - in Social, Technology

Original Post from Sophos. Author – Graham Cluley

Some Twitter users have fallen for yet another rogue application, tricking them into believing that they will discover how many hours they have spent tweeting their little hearts out.

A typical message reads:

WOW --> I have spent 38.1 hours on Twitter! See how much you have: [LINK]

If you are curious enough to click on the link, which – of course – you might do, seeing as it will appear as if one of your Twitter friends has posted it, then you will be asked to authorise a third party app’s request to access your Twitter account.

The app is called TimeSpentHere, and it can only cause a problem for you if you grant it permission to access your Twitter account. If you do, then it will be able to read your Tweets, post in your name, and even change your profile. I’m sure you can imagine the potential for abuse there.

Of course, the very first thing it will do is post a tweet in your name, encouraging your Twitter followers to also click on the link:

Not that you’ll necessarily notice that, of course, as it posts the message silently, taking your browser to a webpage of the bad guys’ own creation.

When I tested the scam on a test account, the webpage was reluctant to tell me how many hours I had spent on Twitter (as you can see in the following graphic) but had no qualms in dreaming up an imaginary number to tweet in the hope that it could tempt unsuspecting onlookers.

You’ll notice, however, that they do ask if I wouldn’t mind entering my email address “as a security precaution”. Well, I certainly do mind! And so should you.

Possibly this is an attempt to harvest email addresses, which could be used later for a phishing campaign or malware attack.

It could – of course – be weeks or months before the scammers use any information they grab for criminal purposes, but if you want to find out more follow me on Twitter, and I’ll let you know if there are any developments.

Rogue applications are popping up more and more on Twitter, whereas previously they were mostly seen only by Facebook users.

If you were unfortunate enough to grant a rogue application access to your Twitter account, revoke its rights immediately by going to the Twitter website and visiting Settings/Applications (it used to be called Settings/Connections but it seems that Twitter has changed it) and revoking the offending app’s rights.

Don’t make it easy for scammers to make money in this way, and always exercise caution about which third party apps you allow to connect with your social networking accounts.

Update: Del Harvey of Twitter’s security team has told me (in her own inimitable style) that the TimeSpentHere rogue application has now been killed off.

Graham Cluley (@gcluley): @delbius Details of another “Time spent on Twitter” rogue app: http://bit.ly/mdeNmL
(about 15 hours ago via Echofon)

Del Harvey (@delbius): @gcluley d-e-d dead.
(about 15 hours ago via Twitter for Mac)

I wonder how long until the next rogue app pops up on Twitter though.

  • TimeSpentHere rogue app spreads virally on Twitter (nakedsecurity.sophos.com)
  • Beware the bogus ‘TimeSpentHere’ Twitter app (news.cnet.com)
  • Unfollowed Me rogue application spreads virally on Twitter (pratyushkp.wordpress.com)
  • Lord Gaga video banned? Twitter rogue app spread by scammers (pratyushkp.wordpress.com)
  • Banned Lady Gaga video attack spreads on Twitter via rogue app (pratyushkp.wordpress.com)
  • Twilight Breaking Dawn FB Scam Spreads Virally (pratyushkp.wordpress.com)

Eidos confirms website hack, email addresses and resumes stolen

Published by pratyushkp on May 14th, 2011 - in Social, Technology

Eidos has revealed that resumes of job hunters and email addresses of video game fans have been stolen by hackers in an attack on the Eidos and “Deus Ex: Human Revolution” websites.

Square Enix, the parent company of Eidos, confirmed the hack in a PDF press release. (Why do companies publish their press releases as PDFs, anyway? That’s just daft.)

Here’s part of the statement from Square Enix:

Square Enix can confirm a group of hackers gained access to parts of our Eidosmontreal.com website as well as two of our product sites. We immediately took the sites offline to assess how this had happened and what had been accessed, then took further measures to increase the security of these and all of our websites, before allowing the sites to go live again.

Eidosmontreal.com does not hold any credit card information or code data, however there are resumes which are submitted to the website by people interested in jobs at the studio. Regrettably up to 350 of these resumes may have been accessed, and we are in the process of writing to each of the individuals who may have been affected to offer our sincere apologies for this situation. In addition, we have also discovered that up to 25,000 email addresses were obtained as a result of this breach. These email addresses are not linked to any additional personal information. They were site registration email addresses provided to us for users to receive product information updates.

There are two main risks here.

One threat is that if your email address is one of the 25,000 that has been stolen, you could receive a scam email (perhaps containing a malicious link or attached Trojan horse) that pretends to come from a video game company. After all, the hackers know that you’re interested enough in video games to give your email address to Eidos.

Secondly, the resumes from job hunters. This is a more serious problem. Just think of all the personal information you include on your CV: full name, date of birth, email and home address, telephone number, job history. This kind of information is a god-send to identity thieves interested in defrauding internet users.

So, it seems Sony is not the only video game company to be having problems with its computer security.

Let’s hope the continuing stream of stories of companies having customer data stolen from them makes them take security more seriously in the future.

More information about the hack can be found on the KrebsOnSecurity blog.

Source: http://nakedsecurity.sophos.com

  • Eidos confirms website hack, email addresses and resumes stolen (nakedsecurity.sophos.com)
  • “Hacker attack breaches Square Enix Deus Ex: Human Revolution and Eidos web-sites” and related posts (videogamesblogger.com)
  • E-Mails and Resumes Stolen in Eidos Website Hacking (1up.com)
  • Fauxnonymous Strikes Again? Eidos Site Hacked, User Info Snatched (techland.time.com)
  • Eidos Hacked: Thousands of E-Mails, Resumes at Risk (wired.com)
  • Anonymous Hacks Eidos, Deus Ex Websites (escapistmagazine.com)
  • Report: Eidos and Deus Ex websites hacked, user information obtained (joystiq.com)
  • Games maker Square Enix hacked (bbc.co.uk)
  • Cyberwar continues: another game company hacked, info compromised (dvice.com)
  • Eidos servers hacked, was Deus Ex source code taken? (geek.com)
Tags: deus-ex-human-revolution, Eidos, Eidos Interactive, Portable Document Format, Square Enix

Free Subway gift card spam spreading on Facebook

Published by pratyushkp on May 12th, 2011 - in Social, Technology

Sophos received a number of questions from Facebook fans of Sophos regarding messages that have spread across the social network claiming to offer a $100 gift card for the Subway sandwich chain.

Here’s a typical message:

Subway Facebook message

Free Subway Gift Cards - Limited Time

Get Your Free Subway Gift Card Now! Click for Details

So, what’s going on here? Well, the first thing to realise is that it’s not something endorsed by Subway.

Although the link you click through to has no qualms about using Subway’s logo, and images of meals you can purchase at Subway, it’s actually from an independent third party company.

Subway gift card webpage

Many people will probably be so keen to receive $100 worth of Subway meals that they won’t read the small print at the bottom of the page:

The above listed merchants or brands in no way endorse or sponsor FreeGiftCardSon.us's offer and are not liable for any alleged or actual claims related to this offer. The above listed trademarks and service marks are the marks of their respective owners.

FreeGiftCardSon.us is solely responsible for all Gift fulfillment. In order to receive your gift you must: (1) Meet the eligibility requirements (2) complete the rewards bonus survey (3) complete a total of 5 Sponsor Offers as stated in the Gift Rules (4) not cancel your participation in more than a total of 2 Sponsor Offers within 30 days of any Sponsor Offer Sign-Up Date as outlined in the Gift Rules (the Cancellation Limit) and (5) follow the redemption instructions.

The pages ask you some simple and apparently harmless questions: are you male or female, which age group do you fall into, etc., before asking for your email address.

Subway gift card spam wants your email address

At this point the page tells you that you must post the message onto your Facebook page in order to qualify for the free $100 Subway gift card.

In this way the message is spread virally to your Facebook friends.

But there’s still no sign of your free Subway gift card, because the site now wants you to hand over much more personal information, including your name, address, email address, full date of birth, cellphone and telephone number etc.

Form asks for your personal details

Again, notice that the webpage doesn’t seem to have any issue with using the Subway logo – despite not being affiliated with Subway. Clearly this is done in an attempt to trick Facebook users into believing that they are talking directly to the high street brand.

According to the small print, you’ll have to complete multiple “sponsor offers” before they will even consider sending you a gift card – which may cost you not only time and money, but also the sheer treasure trove of personal information you will have handed over.

Sophos’s advice? Avoid these “offers” as they’re unlikely to ever prove fruitful, and may result in you handing over a wealth of data about yourself to complete strangers. When you agree to post a message about such gift cards on Facebook, you are putting your online friends at risk of having their privacy damaged too.

Source: http://nakedsecurity.sophos.com

  • WIN A $50 Gift card to Earth Fare! (agourmetcupboard.wordpress.com)
  • AMP 150 $25 Gift Card Giveaway (agourmetcupboard.wordpress.com)
  • Win a $100 CVS/pharmacy Gift Card and Taylor Swift’s Album! (ellen.warnerbros.com)
  • Win a $25 Amazon Gift Card Today Only! (blisstree.com)
  • Ask The Readers: Do You Buy In Bulk? (wisebread.com)
  • Gift cards are so impersonal. (ask.metafilter.com)
  • Plum District, get at $10 Target gift card today! (wholesomedeals.wordpress.com)
  • Plum District: FREE $20 Target Gift Card – HURRY (alaskasbestgrocerydeals.blogspot.com)
  • Hipsters Are Destroying New York, Claims Subway Rag (theawl.com)
  • Free Subway gift card spam spreading on Facebook (nakedsecurity.sophos.com)
Tags: Sponsor (commercial), Subway