Published 8 years ago by KondoR with 25 Comments

  • phosphorescent
    +14

    That's a little weird. Did it not occur to him that his hacker may have been collecting his personal info to do some actual harm?

    • mobiuscoffee
      +5

      Had the same thought. But I guess the hacker had already proved he could get into his accounts so that might not have been a big deal to him.

      • phosphorescent
        +1

        Yes, but specifics about how he's paid aren't the kind of things you can steal from a Facebook account. Absolutely looks like the hacker was planning an actual attack rather than proving his skills.

  • defttt
    +11

    Stockholm syndrome?

    • turkletom
      +5

      More like general curiosity. A kid tried to pickpocket me in the subway station once. Emphasis on tried.
      Long story short we ended up talking for a good 15 minutes.

  • LacquerCritic
    +5

    What an offbeat story. I once had my main Gmail account hacked and used to send out spam to literally EVERYONE I had emailed ever and it was a strangely terrifying experience (and embarrassing too). After that I went on a password spree, giving all of my online accounts unique, very long passwords. My main Gmail account has the most difficult password of all and it also has the 2-step verification. I hope that's enough!

    I would not have felt comfortable texting someone who'd broken into my Facebook account.

    • bogdan
      +6

      This reminds me of the "online harassment" talk John Oliver had on his show. We all love our internet anonymity because at least it keeps the illusion of protection, but it's really the law that should protect us against acts like these.

      I don't support what I'm about to say, but I feel like it's worth discussing: If people were forced to identify themselves whenever they access anything online, and get charged accordingly for any felony they commit, would this sort of stuff still happen?

      • kraftykitty
        +5

        I think it would still happen, because of the problem of jurisdictions. Short of having a worldwide internet police, how would one deal with a hacker from India breaking into American Facebook accounts? Sounds like a heck of a lot of bureaucracy to me...

        • bogdan (edited 8 years ago)
          +4

          Definitely would be a big issue.

          What I had in mind as a "law" was the idea of countries signing open agreements to investigate fraud / felonies on each other's territories - which does sound like a worldwide internet police. And I don't even know how I'd feel about that, with surveillance and all that still being a touchy matter.

          The main reason why I'd accept it is because the US feels like it's already abusing the privilege and assuming control, as seen in Kim Dotcom's Megaupload affair, when FBI seized his offshore goods.

          • kraftykitty
            +2

            However, different countries have far different rules about the internet in their own countries. It's one thing to have the US and NZ working to seize Kim Dotcom's goods - those are both western, developed countries. I think it would be far more difficult to get every country on the same page. China and its Great Firewall is one example that springs to mind, but many other countries in Asia and the Middle East also have moratoriums on content that the US and other western countries wouldn't bat an eye at. Not to mention the issues that deep web, VPN use, Tor, etc. would cause.

            Never mind that governments use hacking and malware to disrupt the inner workings of nations with whom they don't see eye-to-eye. It just seems like a big can of worms.

            • FurtWigglepants
              +2

              You'll have to also keep in mind the right to be forgotten thing that's been going on in France.

      • LacquerCritic
        +4

        I haven't seen that John Oliver talk you mentioned, so keep that in mind.

        That being said, in response to your hypothetical situation, if people were forced to identify themselves, I don't think we'd see nearly as many incidents of 'hacking' and so on (but perhaps more issues with stolen identities?). However, it's sort of the "nuke everything" method of criminal deterrence in my mind. For example, if the government were to put cameras into every room of every home, I imagine there would be a LOT less crime in general, but I think the quality of life would be so much lower that any benefits in crime levels would be quickly negated.

        Besides, it's very rare to be truly anonymous on the internet - just look at the efforts people make with TOR and VPNs, and how even those methods aren't perfectly anonymous.

  • kvn
    +2

    lol, on another note, as a person who knows how to hack into others' accounts, here's a fun tip on how to not get hacked by some Indian like this guy:

    1. use a different password for every account that uses the same e-mail address (this is THE way of never getting hacked)

    2. the password must have more than 4 numbers, and cannot be something common like 1234, moreso something like 4827 (having a strong password means you can't get bruteforced if you don't use the same passwords)

    remember guys, most hackers just feed your e-mail address and run it through a bunch of unprotected sites' sql databases to check for your passwords, and that's how they hack you. as long as you don't use the same password for any account, and all your passwords are very "strong", you'll be in the clear

    • 0x536e61707a75 (edited 8 years ago)
      +3

      "password must have more than 4 numbers"

      Why should it have more than 4 numbers? An alphanumeric passphrase with 4 numbers or less can be secure given enough entropy.

      EDIT: Also, things like PBKDF2 + unique salts + hashing reduce the attack vectors and increase the amount of time required to carry out such attacks.
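Added example, not part of the thread or any commenter's code: a sketch of the two points raised in the comment above, namely that entropy rather than digit count decides guessing cost, and that PBKDF2 with a unique salt per account makes identical passwords store differently and slows offline guessing. The iteration count and the attacker rate passed to `offline_guess_seconds` are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 600_000  # assumed work factor for this example; tune per deployment


def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random secret of the given length."""
    return length * math.log2(alphabet_size)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a (salt, iterations, derived_key) record using PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)  # unique random salt per account
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, key


def verify_password(password, record):
    """Recompute the key from the stored salt and compare in constant time."""
    salt, iterations, expected = record
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(key, expected)


def offline_guess_seconds(bits, iterations, pbkdf2_rounds_per_second):
    """Expected time to search half the keyspace against ONE salted record.

    pbkdf2_rounds_per_second is an assumed attacker throughput, not a measurement.
    """
    expected_guesses = (2 ** bits) / 2
    return expected_guesses * iterations / pbkdf2_rounds_per_second


if __name__ == "__main__":
    five_digits = keyspace_bits(10, 5)   # "more than 4 numbers"
    passphrase = keyspace_bits(36, 12)   # 12 random lowercase letters or digits
    print(f"5 digits: {five_digits:.2f} bits, 12 alphanumerics: {passphrase:.2f} bits")

    # Constructed sample: two accounts that happen to share one password.
    a = hash_password("correct horse 42")
    b = hash_password("correct horse 42")
    print("same password, same stored key?", a[2] == b[2])
    print("verifies:", verify_password("correct horse 42", a))
```

Because each record carries its own salt, a precomputed table or one cracked record does not carry over to the next account; every record has to be attacked separately at the full iteration cost.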

      • eilyra
        +3

        Agreed, it seems rather arbitrary advice. Though complex passwords are good, and mixing normal characters with numbers helps that, I'm starting to strongly believe that for passwords humans need to remember long passwords or even passphrases are the more appropriate answer.

        But still, I'd wager that these breaches are rarely due to weak passwords getting brute-forced and more bad password hygiene otherwise (e.g. sharing passwords across sites, falling prey to social engineering/phishing or having that happen to the service provider).

        I'm sure there are opportunistic attacks on the few most common passwords (or even few hundred) but I'd imagine such attacks to generally get identified & blocked by the service providers. This of course assumes a certain level of competency and scale on their part. :)

        • 0x536e61707a75
          +2

          Although I concur with the need for the service provider's(') diligence in securing the site and its resources, social engineering is hard to carry out once preventative methods are put in place.

          Social engineering requires one of the following:

          -physical access to the user's machine

          -remote access to the user's machine

          -user's assistance via revealing the password(s)

          -user's assistance via revealing confidential information

          -access via server's(') employees

          -access to the server's(') machine(s)

          The first two requirements on the list are mostly preventable. Physical access is basically the point of no return. Remote access utilizes the functionality of malware. The next two are preventable assuming the user analyzes emails from the service carefully and enters URLs properly. The last two are not preventable from the user's side, thus it should be the only attack vector if the user prevents the first four criteria from being met.

          • eilyra
            +1

            Agreed, social engineering from the user's point of view is usually moderately easily preventable with vigilance, however a weak moment (e.g. not properly checking or verifying information) or insufficient education may still allow it to happen. And one way for malware to gain access in the first place is social engineering as well (e.g. e-mails with malicious attachments), so it doesn't need to be the end all way of access but can also be a part in the chain.

    • tehdiplomat
      +1

      But this guy didn't get the password for his Facebook account. The "hacker" had Harvard send him a reset password email for the poster's alumni address, which was associated with his Facebook. While having strong passwords helps, it wouldn't have mattered in this case.

      • eilyra
        +2

        Ah, social engineering, probably the most efficient way of doing targeted hacking. :)

        But still, strong and more importantly unique passwords (I'm bad at this too, but starting to use something like KeePass or LastPass helps) are probably quite a good deterrent to more passive/large scale breaches so it's still good advice. Even if it hadn't helped in this case! ;)

  • gtwy (edited 8 years ago)
    +2

    I'm not seeing it listed here so I will explain the really simple way that most people's accounts get hacked - the security questions.

    Most websites ask really dumb security questions. Let's take Valve as a great example because while they force multiple layers of security on their users, they have yet to fix the gaping hole that is their Security Questions.

    1. What city were you born in? 2. What is the name of your school? 3. What is your favorite team? 4. What is your mother's maiden name? 5. What is the name of your pet? 6. Who was your childhood hero?

    Really, all but the last question can be solved by adding someone on Facebook and monitoring who they interact with. The mother's maiden name could be difficult if she doesn't make it obvious (many people put their maiden name as a middle name.) But because of how many places use the mother's maiden name, if you are digging into someone's life, you're going to need to solve that one rather early on.

    Edit: No idea why the formatting isn't working.

  • Urbanknight4
    +2

    So the only thing I have to do to get a famous person's attention and friendship is to hack their accounts?

    What.

    • ProtoJazz
      +2

      If hacking them gets you friendship, imagine what punching them must get you

      • Urbanknight4
        +1

        I think we're onto something, my Jazzy friend. Shall I bring the boxing gloves?

  • Grassgrows
    +2

    Haha really great article, I enjoyed reading it very much. It is nice to see that such changes of relationship can occur if you just get to know your "enemies" a little more closely.

  • ClarkKent
    +2

    I have had my local bank drained because of hackers, I have had Facebook hacked and the likes. Why? Because my ex-wife wanted to get to know a hacker. Thanks for that!
