Hackers Stole My Website(medium.com)
medium.com
Hackers Stole My Website
https://medium.com/@ramshackleglam/hackers-stole-my-website-and-i-pulled-off-a-30-000-sting-operation-to-get-it-back-143d43ee3742
143 comments
Yeah so about that 2FA. I have a local email client, which uses IMAP and hence cannot do 2FA. What now? I've always thought this is rather a gaping hole. Of course i use app-specific passwords which presumably won't allow access to webmail or changing the account password, but still, if someone got my app password for IMAP, they could still siphon out password reset emails for all my other services.
What do the rest of you do? Only use webmail with 2FA, disable all other access? That seems onerous.
What do the rest of you do? Only use webmail with 2FA, disable all other access? That seems onerous.
If you simply don't use webmail, you're about 99% less likely to accidentally type your password into a website that happens to look like your webmail login page (which doesn't exist).
Sure. FWIW i avoid using webmail as much as i can, but that's just because i love my mu4e. Still though, i wonder about what would happen in the (admittedly very unlikely) event that someone compromised my secrets file. (example off the top of my head: seized backup disk at border control)
Yeah, depends on what your threat model is. You'll go crazy treating every possible threat as "guaranteed to happen; must defend" though. If you're worried about border control, at least you'll know if they search your stuff and can revoke access after the fact, which puts it in a slightly different category than day to day surreptitious password theft.
Depends on your underlying email service provider. If it is gmail, for example, then they provide one-time use passwords for exactly his purpose.
What this means is if you enable 2FA for your gmail account, you can generate a one-time password to authorize any client which does not support a 2FA auth flow. This password is then destroyed by both parties.
If you run your own email server, I think you are at low risk of being attacked in a more general phishing net. An attacker targeting you personally still has many options but that is much less likely.
What this means is if you enable 2FA for your gmail account, you can generate a one-time password to authorize any client which does not support a 2FA auth flow. This password is then destroyed by both parties.
If you run your own email server, I think you are at low risk of being attacked in a more general phishing net. An attacker targeting you personally still has many options but that is much less likely.
> This password is then destroyed by both parties.
I don't quite understand this. Won't the email client need the need the password every time to auth with IMAP?
I don't quite understand this. Won't the email client need the need the password every time to auth with IMAP?
Some IMAP providers like Gmail use a more sophisticated auth mechanism where a secret token is shared over the encrypted link after the first password auth. This token typically has a long lifetime and is used for future sessions.
I have never heard of that, do you have any sources?
Step #2 is to use unique passwords for your main email addresses. These passwords should be unique in the universe. You must not use them with another account or to encrypt a file etc. Nowhere!
And step #3 is to keep all your softwares up to date; OS, antivirus, browser, your WordPress, its plugins, your Notepad++, WinRAR, firmware of your ADSL modem, other computers on the network, BIOS, smart TV etc. Everything should be updated to the latest version.
And step #3 is to keep all your softwares up to date; OS, antivirus, browser, your WordPress, its plugins, your Notepad++, WinRAR, firmware of your ADSL modem, other computers on the network, BIOS, smart TV etc. Everything should be updated to the latest version.
And step #4 is to throw up your hands and shout "Fuck it!" the Nth time you lost everything because you can't find your master copy of your password manager, your back up has drifted out of sync, and you just accidentally spilled your coffee on the flash drive that holds your backup-backup--destroying it.
Hyperbolic sarcasm aside, keeping on top of security is starting to feel like Alice and the Red Queen -- it takes as fast as you can run just to remain in place. I'm starting to feel a bit more sympathy for those who give up on good practices and start using the same password/pin everywhere and pray that ill will never befall them.
Hyperbolic sarcasm aside, keeping on top of security is starting to feel like Alice and the Red Queen -- it takes as fast as you can run just to remain in place. I'm starting to feel a bit more sympathy for those who give up on good practices and start using the same password/pin everywhere and pray that ill will never befall them.
Except 2fa doesn't work in practice unless you're an expert.
See eg gmail: you can't set up 2fa without supplying a cell (you will be allowed to remove it later, but how many know to do this?) Your phone number is trivially stealable -- see eg youtube video of people just stealing phone numbers with a crying baby and a sob story. https://youtu.be/F78UdORll-Q?t=133
Also, lots and lots of places have trivial routes around 2fa because people losing their password and/or 2fa is an order of magnitude more common than theft.
See eg gmail: you can't set up 2fa without supplying a cell (you will be allowed to remove it later, but how many know to do this?) Your phone number is trivially stealable -- see eg youtube video of people just stealing phone numbers with a crying baby and a sob story. https://youtu.be/F78UdORll-Q?t=133
Also, lots and lots of places have trivial routes around 2fa because people losing their password and/or 2fa is an order of magnitude more common than theft.
Google actually lets you use a physical key to protect your account.
https://support.google.com/accounts/answer/6103534?hl=en&ref...
https://support.google.com/accounts/answer/6103534?hl=en&ref...
2FA works in practice against people who don't have physical contact with you. For most people, that's the only threat vector they're worried about.
It hardly makes your life more difficult, and it does help at least a little bit. So it's worth setting up.
It hardly makes your life more difficult, and it does help at least a little bit. So it's worth setting up.
Not really; sms as 2fa has regularly enabled people to steal accounts they otherwise couldn't have gotten by allowing password resets by stealing your phone number.
See eg @deray getting hacked.
See eg @deray getting hacked.
If a password reset is allowed by pin that's not two factor authentication, that's SINGLE factor authentication. I know we tend to think of 2FA as anything involving a pin sent to your phone, but it does require two factors.
GMail, for instance, will not allow a password reset with just a phone pin.
GMail, for instance, will not allow a password reset with just a phone pin.
I wonder why you cant get a pre-paid at a kiosk. Use a burner phone. Yes, you need some time and effort but if you need good security you will suffer some inconvenience. BTW register the SIM with your spouse or parents name so that there cannot be an easy connection to _any_ of you accounts. Remember also to top-up your prepaid SIM occasionally.
An non-contracted burner phone in your spouses name that is used to send cryptic looking messages.
That seems like the kind of thing that'd get you on an intelligence agencies watch-list..though these days it's rather hard to find something that wouldn't.
That seems like the kind of thing that'd get you on an intelligence agencies watch-list..though these days it's rather hard to find something that wouldn't.
Your preaching but some ears cant hear you.
I want to turn on 2FA but I dont know when will that day will come.
It also happened to me to loose a smartphone without PIN, and I never thought it would happen and I kept postponing that simple step.
Maybe this time I should listen.
It also happened to me to loose a smartphone without PIN, and I never thought it would happen and I kept postponing that simple step.
Maybe this time I should listen.
I keep backup codes for my account in two places: My wallet (which I always have on me, so I won't be locked out if I'm traveling), and at home. If you're really paranoid, you could also give backup codes to a friend or relative, or put them in a bank safe or something like that.
2FA isn't hard to use, and is barely inconvenient. How often do you log into your email, anyway?
Also, if you lose your phone, you can make use of your recovery code.
Also, if you lose your phone, you can make use of your recovery code.
The reason I mentioned about loosing phone was not related to email recovery but the fact that I did not learn the security lesson of not using a PIN to protect my data.
After I have read this post I wanted to actually enable 2FA right now, but then I discovered that breaking news, terror attack, and again I postponed, the same like I postponed securing my phone with a PIN.
After I have read this post I wanted to actually enable 2FA right now, but then I discovered that breaking news, terror attack, and again I postponed, the same like I postponed securing my phone with a PIN.
Have you enabled 2FA yet?
> 1. Have a really, really good password, and change it often.
Even better, use a password manager.
> 2. If possible, use a separate computer (an old one or a cheap one purchased for this purpose) for things like banking; if your family computer is the same one that you use for bank transactions you risk having your kids click on a bad link that results in a hacking.
Not necessary, use an up to date computer with Windows defender turned on and create a non-admin account for your kids.
> 4. Have antivirus software on your computer
Only use Windows defender, which is what the security community recommends.
Also use 2FA on all services which offer it.
Regarding the domain registrars, I would recommend Namecheap. They have a great support team and also offer 2FA, but I think it's only SMS based 2FA.
Even better, use a password manager.
> 2. If possible, use a separate computer (an old one or a cheap one purchased for this purpose) for things like banking; if your family computer is the same one that you use for bank transactions you risk having your kids click on a bad link that results in a hacking.
Not necessary, use an up to date computer with Windows defender turned on and create a non-admin account for your kids.
> 4. Have antivirus software on your computer
Only use Windows defender, which is what the security community recommends.
Also use 2FA on all services which offer it.
Regarding the domain registrars, I would recommend Namecheap. They have a great support team and also offer 2FA, but I think it's only SMS based 2FA.
I really wish domain registers offered a Google Authenticator option for 2FA. All of the ones I have seen that offer 2FA are SMS based.
www.nearlyfreespeech.net (mainly a host but you can register domains with them) offers Google Authenticator 2fa and control over what recovery options are allowed, including none, which is something I wish anyone that supports 2fa would offer.
NFS also emails you if someone tries an incorrect password on your account. Kind of a nice feature.
Just another happy customer giving those guys a big thumbs-up!
https://www.name.com lets you use Google Authenticator for 2FA.
https://www.gandi.net/ does as well and has been pretty great in my (somewhat limited) experience.
https://www.dynadot.com offers both Google 2fA and SMS, with a big push toward the Google solution. Dynadot has been a great all-around solution in my experience. Gandi is also excellent.
http://www.namecheap.com offers their own 2fa service, as well.
Yeah, that's the point. Everyone tries to re-invent 2FA or use SMS, both of which are bad for the end user. Even 2FA companies like Duo use some non-standard protocol which only their client can implement.
Of my registrars, Namecheap does not but Gandi.net and Hover.com both offer the standard TOTP option.
SMS is far better than nothing. Your average script kiddie is not going to be able to intercept your SMS messages. If you are specifically targeted by sophisticated attackers, maybe.
My biggest gripe with SMS 2FA is that it is prone to locking me out of my accounts on travel, if I suddenly need to log in to something and my phone number isn't the same abroad.
is it such a pain taking a small burner phone? Alternately, you can install 2FA app in your smartphone. And if you traven that frequently you need to revisit your security choices. There is no security without any efforts from _you_. Google/MS/Apple can only do so much.
[deleted]
They'll just social engineer your carrier into the transfer of your phone number to a different SIM card
Is it only me who is surprised that in the US no one has the notion of buying pre-paid SIM cards - which are unconnected to your SSN or credit card or bank account?
PairNIC (https://pairnic.com) now offer TOTP 2FA (use Google Authenticator or whatever else you want).
name.com offers a choice between Google Authenticator and SMS for 2FA.
Hover supports 2FA with authenticator apps.
[deleted]
hover.com offers both SMS and TOTP (authenticator).
Amazon does ..
[deleted]
siteground.com
Is there an industry favorite password manager these days? Every time I read something like this I re-commit to getting a manager, but then I can never decide on a product. I just want something that's secure and preferably non subscription-based.
I use iCloud Keychain. Works well as long as you use safari, which is admittedly uncommon.
Yeah, I tried really hard to make Safari my default browser in order to use keychain. Keychain itself was great, but safari just didn't cut it for me. Their devtools equivalent is terrible, and I didn't like running two browsers. I was bummed to lose keychain, though.
Huh, I find safari's devtools much more useful than Chrome's, though I admit I am more used to it. What annoys you about Safari's dev tools?
I like keepassx. It just works and no need for any online account. You use a good master key/password and rest of the passwords, don't even remember.
And keepass has also (some sort of) 2FA via a local key file. While it's of course not as good as a real token generator, it helps against password sniffing and makes cracking much harder.
+1 for keepassx. I use it on all platforms (well, keepass droid too). All passwords are randomly generated except the one for the keepassx db (and that also needs the key file).
How do you personally handle passwords on multiple devices? Just host it somewhere publicly accessible and use a really strong master?
My setup is to store the database itself in a cloud storage service that supports 2FA like Dropbox, and encrypt it with a file/password combo key. The key file I manually copy to every device I use, and the master password is stored in my head.
This way it's safe to store the database in the cloud without having to worry about attackers trying to brute force my master password if Dropbox gets compromised (since they'd also need the key file, which is only stored locally), and even if the key file is stolen the attacker would still need my master password to access the database.
This way it's safe to store the database in the cloud without having to worry about attackers trying to brute force my master password if Dropbox gets compromised (since they'd also need the key file, which is only stored locally), and even if the key file is stolen the attacker would still need my master password to access the database.
I use Tresorit (https://tresorit.com) to sync across machines and phones.
At least in the security circles I'm in, 1Password is the favorite.
KeePassX is recommended sometimes too, but is definitely for the more technically-minded.
There's a low level of distrust for Lastpass.
KeePassX is recommended sometimes too, but is definitely for the more technically-minded.
There's a low level of distrust for Lastpass.
I'd love to use 1password still, but they have no Linux client (even cli), the web client is long gone, and the Android app is awful.
It's really great software, but I don't feel valued as a customer at all.
It's really great software, but I don't feel valued as a customer at all.
Web client absolutely exists for subscribers to their syncing service.
Really? That's great news, I only found information about the ancient one that was special-cased in dropbox. I can't even see mention of it on the 1Password website, but as there's a free trial it seems low risk.
Did they really get rid of the web client? Last I checked they were moving toward the subscription base model and I thought that was more web-centric than the buy-once-and-forget-it version that I'm using.
I use KeePassX, no complaints, no 'official' browser extensions not that I'd use one if there where.
What about KeePass2?
KeePass is an open-source password manager. There are many compatible programs, many with confusingly-similar names, like KeePassX. KeePass2 is the new version of KeePass, which uses a new file format. Most KeePass-compatible programs, including KeePassX, support the old file format and the new one.
Sure, but why prefer say KeePassX over KeePass2?
Unless they know something I don't, I assume people recommending KeePassX are not Windows users.
Just a data point: 1Password, in the standalone native app version, is the only password manager I recommend.
The other popular one here seems to be keepass. Do you have technical concerns with it, or is it just too user-unfriendly compared to 1Password?
I migrated from lastpass to https://www.enpass.io/
It is a cross platform PW manager with Browser extensions (i only use it on macOS with FF and Chromium, though), which does NOT store your passwords in the cloud.
You can sync the database via Cloud storage providers/webdav/usb stick. I really like to be in control of where my passwords are stored.
Sharing of passwords (business usecases!?) is not supported afaik.
It is a cross platform PW manager with Browser extensions (i only use it on macOS with FF and Chromium, though), which does NOT store your passwords in the cloud.
You can sync the database via Cloud storage providers/webdav/usb stick. I really like to be in control of where my passwords are stored.
Sharing of passwords (business usecases!?) is not supported afaik.
See I was all for 2FA, but there were a number of high profile heists that actually used 2FA to gain control first of your mobile number, then email, then anything else they valued. Since mobile operators care even less then hosting companies, I am not sure having 2FA with sms code to be a good security practice.
I do have yubikey keyfob but sites that are supporting it are very few unfortunately. Gmail being one, which is great.
I do have yubikey keyfob but sites that are supporting it are very few unfortunately. Gmail being one, which is great.
Many don't consider mobile phone two-factor authentication as real two factor authentication. The reason being is that while the phone looks like "something you posess" it is really just an interface for another "something you know" which is your phone account information. As you said, this info can be compromized to intercept or take control of your SMS.
Real 2FA uses a token generator device or an app like google authenticator which does the same thing. This is a real "something you possess" as it can't be compromized without getting access to the device.
Real 2FA uses a token generator device or an app like google authenticator which does the same thing. This is a real "something you possess" as it can't be compromized without getting access to the device.
The article is sparse in details. Which email service did she use? did she get any phishing emails?
> > 4. Have antivirus software on your computer
> Only use Windows defender, which is what the security community recommends.
Just don't use windows.
> Only use Windows defender, which is what the security community recommends.
Just don't use windows.
>3. Turn off your computer and personal devices when they’re not in use.
This article reads like an AOL scare from 1995 directed at my grandma.
This article reads like an AOL scare from 1995 directed at my grandma.
> 3. Turn off your computer and personal devices when they’re not in use.
Even Bruce Schneier recommends you do that[1]. The idea is that if your machine is a spambot and you don't know it, there are fewer windows of time where your machine can be blasting the Internet with spam. Or if there's some network-based exploit, you're not vulnerable while your device is off.
1. https://www.schneier.com/blog/archives/2004/12/safe_personal...
Even Bruce Schneier recommends you do that[1]. The idea is that if your machine is a spambot and you don't know it, there are fewer windows of time where your machine can be blasting the Internet with spam. Or if there's some network-based exploit, you're not vulnerable while your device is off.
1. https://www.schneier.com/blog/archives/2004/12/safe_personal...
> Turn off the computer when you're not using it, especially if you have an "always on" Internet connection.
How old is that article? Sounds like this is from the days back when dial-up was still popular.
I guess there may be some marginal increase in security by turning off your computer like this, but I don't think it's the kind of thing most users should be worried about.
> if your machine is a spambot and you don't know it, there are fewer windows of time where your machine can be blasting the Internet with spam
If your machine is part of a botnet, you're already compromised and turning it off when you're not using it isn't going to fix that. It might marginally help _other_ people getting DDoSed or spammed by your PC, but it won't improve your own security.
> Or if there's some network-based exploit, you're not vulnerable while your device is off
I guess. But unless you become aware of the exploit and take measures to mitigate it before turning your PC on and connecting it to the internet, leaving it off when you're not using it is unlikely to help with this - you'll just be compromised as soon as you turn your PC on. Not to mention that the kind of zero-day that would allow compromising a fully up-to-date PC with nothing more than network access to it is extremely rare.
I'd argue the security benefits of leaving your computer on so it can auto-install security updates while you're away probably outweighs any marginal benefits you might get from turning it off when not using it. (Though either way the difference is extremely minor.)
How old is that article? Sounds like this is from the days back when dial-up was still popular.
I guess there may be some marginal increase in security by turning off your computer like this, but I don't think it's the kind of thing most users should be worried about.
> if your machine is a spambot and you don't know it, there are fewer windows of time where your machine can be blasting the Internet with spam
If your machine is part of a botnet, you're already compromised and turning it off when you're not using it isn't going to fix that. It might marginally help _other_ people getting DDoSed or spammed by your PC, but it won't improve your own security.
> Or if there's some network-based exploit, you're not vulnerable while your device is off
I guess. But unless you become aware of the exploit and take measures to mitigate it before turning your PC on and connecting it to the internet, leaving it off when you're not using it is unlikely to help with this - you'll just be compromised as soon as you turn your PC on. Not to mention that the kind of zero-day that would allow compromising a fully up-to-date PC with nothing more than network access to it is extremely rare.
I'd argue the security benefits of leaving your computer on so it can auto-install security updates while you're away probably outweighs any marginal benefits you might get from turning it off when not using it. (Though either way the difference is extremely minor.)
The article is from 2004. Keep in mind it's geared towards being very simple. I don't think some of the advice is good, such as deleting cmd.exe and command.com.
Except if you have a computer with Intel Management Engine or the AMD equivalent. Then it can be accessed when off. And mobile devices can be turned on remotely as well. You'd have to pull the plug or remove the battery to be truly off but nobody goes through that hassle.
While currently it would take a state actor to do this eventually this will trickle down into to the hackers.
While currently it would take a state actor to do this eventually this will trickle down into to the hackers.
I guess if your computer is already a spambot, just limiting the amount of time you are spamming isn't really solving the problem. What is the real advantage to spamming for eight working hours vs 24. For you, no advantage. Disadvantage goes to the spam operator, but again, who really cares at that point?
And yet many people who were born in 1995 are still using crappy passwords, downloading crappy files from crappy sites with no protection. This stuff may be obvious to us, but it seems we're in a minority.
I think the point is that "Turn off your computer and personal devices when they’re not in use." is not an effective security measure. (What are you worried about? Malware? Malware can steal your account just as easily when you _are_ using your computer as when you aren't.)
Some of the other advice in that section is also rather questionable. (E.g. "Your password should not contain “real” words".)
Some of the other advice in that section is also rather questionable. (E.g. "Your password should not contain “real” words".)
EDIT: If you're going to downvote me, did you even read the article?
Also, go look at the submitter's history: https://news.ycombinator.com/submitted?id=vezycash
- - -
But should it be on the front page of Hacker News? Why did vezycash take the effort to share this when it has little value for the HN audience?
The author nevers explain how their domain was stolen, nor do they tell us if the "sting" operation (asking to stop a wire transfer, hardly a sting) was successful. It's a long-winded rant about HostMonster and GoDaddy being shitty. We already knew these things. If the article was just focused criticism on GoDaddy or clear advice on web security, I wouldn't be so hash. Whatever educational benefits there were in article are lost with the writing.
This has got to be on the front page because of some shilling.
Also, go look at the submitter's history: https://news.ycombinator.com/submitted?id=vezycash
- - -
But should it be on the front page of Hacker News? Why did vezycash take the effort to share this when it has little value for the HN audience?
The author nevers explain how their domain was stolen, nor do they tell us if the "sting" operation (asking to stop a wire transfer, hardly a sting) was successful. It's a long-winded rant about HostMonster and GoDaddy being shitty. We already knew these things. If the article was just focused criticism on GoDaddy or clear advice on web security, I wouldn't be so hash. Whatever educational benefits there were in article are lost with the writing.
This has got to be on the front page because of some shilling.
The link to a Traveler's Insurance page with advice to purchase cyber risk insurance (delivered with the same gravity as the advice about changing your passwords) definitely made me ask the same questions. I thought the next line was going to be about X product the author is selling that would prevent this problem for you.
> EDIT: If you're going to downvote me, did you even read the article?
I think the downvotes are because you're accusing the submitter and the people upvoting this article of shilling based on nothing but circumstantial evidence, not because of your opinion on the quality of the linked article.
I think the downvotes are because you're accusing the submitter and the people upvoting this article of shilling based on nothing but circumstantial evidence, not because of your opinion on the quality of the linked article.
Fair point on the upvoters, but I still stand by my point on the submitter. Who has the time to submit an article to HN every day?
Quite a lot of people? I mean, I don't myself (because I don't come across enough articles I feel people here wuld be interested in), but it wouldn't be too much of a hassle if I did.
People have time to constantly use Twitter/Facebook/YouTube/Reddit/Tumblr/internet forums in general, they can easily post an article on Hacker News once a day.
People have time to constantly use Twitter/Facebook/YouTube/Reddit/Tumblr/internet forums in general, they can easily post an article on Hacker News once a day.
It's obvious, isn't it? It's here because this is Hacker News and the theft of the website was done by hackers so this is news for our consumption. </sarc> (an HTML5 compliant tag, since </s> has been repurposed)
Pretty much. I wonder how many people actually read the article.
I found it an interesting story to share with non-techie people about why they need to worry about security.
Also, HN Guidelines ask you not to suggest people haven't read the article. If you don't like the article, flag it or make a constructive comment (which I think you did) and move on.
Also, HN Guidelines ask you not to suggest people haven't read the article. If you don't like the article, flag it or make a constructive comment (which I think you did) and move on.
Cheers, thanks.
I think the mere fact that they leveraged her email to steal her domain is interesting. You generally don't think of a domain as something people steal
Leveraging an email to steal anything is nothing new. If this is arguably a revelation, I should start asking this as an interview question. Also, the author never explicitly mentions to secure your email address.
In the 2000s, domain hijackings were very common (as tedunangst mentioned):
http://www.metafilter.com/3789/Adobecom-gets-hijacked http://archive.wired.com/politics/law/news/2000/04/35674?cur...
Later on, it became short Twitter accounts:
https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...
https://www.wired.com/2016/06/deray-twitter-hack-2-factor-is...
If your metric is how informative an article is, the above two links about Twitter accounts being hijacked are much more educational than original blogpost.
In the 2000s, domain hijackings were very common (as tedunangst mentioned):
http://www.metafilter.com/3789/Adobecom-gets-hijacked http://archive.wired.com/politics/law/news/2000/04/35674?cur...
Later on, it became short Twitter accounts:
https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...
https://www.wired.com/2016/06/deray-twitter-hack-2-factor-is...
If your metric is how informative an article is, the above two links about Twitter accounts being hijacked are much more educational than original blogpost.
No? There have been any number of high profile domain hijacks. sex.com being pretty infamous.
I think it is valuable to be reminded of the depth of ignorance of even "tech savvy" people.
The author is a lifestyle blogger, not a tech savvy person.
Since she owns and operates a blog, an average person would consider her highly tech savvy.
More like sympathy, I think.
Agree. No mention of turning on 2FA as a security measure or using a password manager to help create those "total nonsense" passwords.
I'm a skeptic and stuff like this always seems like marketing to me. This happened back in/before 2014 and her article on mashable from april 2, 2014 is almost the same:
http://mashable.com/2014/04/02/ramshackle-glam-hacking/#j.mb...
Looks like it got a good number of shares and good velocity so makes sense to keep milking it for what it's worth i suppose.
Btw, GoDaddy's response: http://news.softpedia.com/news/GoDaddy-Defends-Itself-in-Ram...
Looks like it got a good number of shares and good velocity so makes sense to keep milking it for what it's worth i suppose.
Btw, GoDaddy's response: http://news.softpedia.com/news/GoDaddy-Defends-Itself-in-Ram...
The most surprising thing is how helpful (and immediate) the FBI was. Wouldn't have guessed that.
Can you really stop a wire transfer? I thought the whole point of wires is that they are immediate and irreversible?
Also, couldn't the FBI track the bank account info back to the thief? Or I guess it's possible the bank account is opened through a stolen identity. I guess the smartest thing the thief could do is then use that money to buy crypto and eventually funnel that back to his real identity.
Can you really stop a wire transfer? I thought the whole point of wires is that they are immediate and irreversible?
Also, couldn't the FBI track the bank account info back to the thief? Or I guess it's possible the bank account is opened through a stolen identity. I guess the smartest thing the thief could do is then use that money to buy crypto and eventually funnel that back to his real identity.
Money was wired to an escrow service who was informed of the situation ahead of time and expecting the incoming wire.
And then I called the wire transfer company and placed a stop on the payment.
How do you place a stop on a wire transfer? I thought irreversibility was the whole point of wire transfers.
How do you place a stop on a wire transfer? I thought irreversibility was the whole point of wire transfers.
The whole point of wire transfers is traceability. The banks can watch it very closely. I've been able to reverse wire transfers the next day, with a back-date (ie. pretend it never happened).
However, author seems to know wire transfers as well as she knows internet security - which is not very well. You can trace the wire into the destination account, but if that person moves it immediately and eventually withdraws it out of the banking system, then it's gone. The hacker wouldn't release the domain unless they had control of the funds. I doubt her claims that the hacker doesn't have the money.
However, author seems to know wire transfers as well as she knows internet security - which is not very well. You can trace the wire into the destination account, but if that person moves it immediately and eventually withdraws it out of the banking system, then it's gone. The hacker wouldn't release the domain unless they had control of the funds. I doubt her claims that the hacker doesn't have the money.
Yeah, I think there's either missing details regarding the attorneys, etc (which is possible) or this is really "How I Paid $30,000 for My Website." Either way the lack of customer protection from the host and registrar is appalling to me.
I was thrown by this too. If the destination account had the funds deposited, which set the domain transfer process in motion, I don't think a stop payment works.
What I do think works is reporting that the money was involved in fraud and freezing the money in the destination account, subject to the destination banks cooperation with the source bank and FBI.
https://www.quora.com/Can-wire-transfers-be-reversed-in-case...
What I do think works is reporting that the money was involved in fraud and freezing the money in the destination account, subject to the destination banks cooperation with the source bank and FBI.
https://www.quora.com/Can-wire-transfers-be-reversed-in-case...
I as well had this thought... I feel like we're not getting all the details on this particular point.
Anyone who uses godaddy add 2FA now and i mean now.
This is my story
I enabled 2FA i don't why. I think i read somewhere, how someone got there domains stoled.
Last month ago, I got a text message out of the blue, I googled the number and it was godaddy service.
So this person had got my username and password in godaddy and hit the 2FA, godaddy uses customer IDs and the password i use was a old password but one i didn't use in any other service.
So someone is running through all the customers Id numbers with a password dictonary because i knew this password was on one of those leaked password dictionaries.
They can do this because the godaddy site doesn't lock the account out for 24 hours after 5 wrong times. The hacker can try different combinations multiple times.
This is a major flaw on there site.
This is my story
I enabled 2FA i don't why. I think i read somewhere, how someone got there domains stoled.
Last month ago, I got a text message out of the blue, I googled the number and it was godaddy service.
So this person had got my username and password in godaddy and hit the 2FA, godaddy uses customer IDs and the password i use was a old password but one i didn't use in any other service.
So someone is running through all the customers Id numbers with a password dictonary because i knew this password was on one of those leaked password dictionaries.
They can do this because the godaddy site doesn't lock the account out for 24 hours after 5 wrong times. The hacker can try different combinations multiple times.
This is a major flaw on there site.
Want to share a strange experience I had: in the year 2014, I was looking for buy a .io domain and was surprised to find that citi.io was available, so I bought it in domains.google.com with an expiration date in 5 years and I also noticed that there was a website called citi.io that I could still visit. I didn't change the DNS settings of the new domain I bought and didn't use the domain.
Then sometime in 2016, I noticed that the domain didn't belong to me. I tried to look up my history of purchase, there was no such purchase record in my account.
Unless my memory fooled me (which I just can't believe), the whole experience made me really confused.
Then sometime in 2016, I noticed that the domain didn't belong to me. I tried to look up my history of purchase, there was no such purchase record in my account.
Unless my memory fooled me (which I just can't believe), the whole experience made me really confused.
>I’ve heard of identity theft, and of cyber hacking, but honestly, my attitude... was “it could never happen to me.”
>I didn’t exactly understand why it was such a huge deal.
>Couldn’t you just explain to people what had happened, prove who you were, and sort it all out?
>it seemed completely impossible to me that someone could actually get away with pretending to be someone else with any real consequences beyond a few phone calls and some irritation.
I have nothing to hide...
"The only thing necessary for the triumph of evil is for good men to do nothing." - Edmund Burke
>I didn’t exactly understand why it was such a huge deal.
>Couldn’t you just explain to people what had happened, prove who you were, and sort it all out?
>it seemed completely impossible to me that someone could actually get away with pretending to be someone else with any real consequences beyond a few phone calls and some irritation.
I have nothing to hide...
"The only thing necessary for the triumph of evil is for good men to do nothing." - Edmund Burke
So let me get this straight, her domain got hacked, transferred to a hacker, who proceeded to sell it.
Then, she contacted the FBI, who gave her an interview and basically did not much, and then she got her domain back by paying for it and then putting a stop on the money transfer? And this is worthy of a Sandra Bullock movie?
Yeah, real nail biter there.
This is just content hacking to get me to read more of the article so she can make more money on medium. I feel a bit cheated.
Then, she contacted the FBI, who gave her an interview and basically did not much, and then she got her domain back by paying for it and then putting a stop on the money transfer? And this is worthy of a Sandra Bullock movie?
Yeah, real nail biter there.
This is just content hacking to get me to read more of the article so she can make more money on medium. I feel a bit cheated.
Not to mention this was written up by her on mashable back in 2014.... (I commented elsewhere in the thread about it). But yes, I agree completely.
> I don’t have my money back yet, but the man who stole my site from me doesn’t have it, either, and won’t be getting it, ever.
How did she found out it was a man?
How did she found out it was a man?
I had a boss who had a domain stolen from him too and never got it back. I realize its handy to be able to easily move registrars whenever you want but can we have it more difficult? Eg it would be nice if a registrar would only transfer a domain if it gets a signed letter which it follows up with a phone call then a 3 month delay. With the cut throat competition out there I'd have thought this would be available by now.
After the loss I moved my own domains to google domains which at least has 2fa to access.
After the loss I moved my own domains to google domains which at least has 2fa to access.
Crazy experience --very surprised the FBI was as helpful as you described. I definitely wouldn't have considered that move but I'm glad the author mentions it.
Pardon my cynicism but is there any actual verifiable third party evidence for this.
Most important security measure : Enable 2FA on all your accounts.
Her password advice is literally the opposite of the classic https://xkcd.com/936/.
Whom should I trust?
Well, I am not very well informed on this topic, however, I tend to believe that the math checks out in the "correct horse" principle. This is a vast oversimplification, but basically longer passwords are better - the brute force complexity of additional length is in the exponent, the character diversity (special chars/numbers/upper+lower case) is in the base. Therefore, make your passwords as long (and randomly chosen - i.e. selection method should not be easy to guess!) as you possibly can.
There has been lots of discussion surrounding that comic. I have read a few articles over time and ultimately landed, one way or another, on considering it bad advice.
Here is some info from a quick search: https://security.stackexchange.com/questions/6095/xkcd-936-s...
Here is some info from a quick search: https://security.stackexchange.com/questions/6095/xkcd-936-s...
Cool thanks for the link! Were you meaning to say that you consider the "correct horse" password selection principles bad advice? Or that the advice given by the author of the article is bad advice?
I feel the "correct horse" method is bad advice. Though, certainly not terrible. I actually followed it for a while and it works amazingly well for memory, but over time I was convinced that the best route is a password manager with randomly generated passwords.
That doesn't make it bad advice.
The comic advises using correct-horse style passwords rather than tr0ubaDour-style. That is good advice.
The comic advises using correct-horse style passwords rather than tr0ubaDour-style. That is good advice.
I agree, I think a manager with randomly generated (and long) passwords is the way to go in terms of security + ease of use sweet spot. edit: in addition to 2FA/yubikey type measures.
What do you use to unlock your password manager?
A 7 word diceware passphrase would be a good idea.
A 7 word diceware passphrase would be a good idea.
[deleted]
As others have noted, her advice seems to be a little suspect. I took issue with the following:
> Your password should not contain “real” words (and definitely not more than one real word in immediate proximity, like “whitecat” or “angrybird”), and should contain capital letters, numbers and symbols. The best passwords of all look like total nonsense.
Isn't it generally accepted that the XKCD-style "correct horse battery staple" passwords are more secure?
> Your password should not contain “real” words (and definitely not more than one real word in immediate proximity, like “whitecat” or “angrybird”), and should contain capital letters, numbers and symbols. The best passwords of all look like total nonsense.
Isn't it generally accepted that the XKCD-style "correct horse battery staple" passwords are more secure?
One downside of xkcd style passwords is that they are not accepted everywhere. Many websites have a list of characters you must and must not include in your password.
Right, but a good password manager (like 1pass) will have both options available to generate so you can do XKCD-style where possible and randomly generated characters elsewhere.
You would be correct. The plausibility that algos are geared towards one word/phrase with different variants and small additions are higher than the combination of seemingly random words.
As far as I can tell, xkcd passwords are the securest way to generate memorable passwords but it's usually better to use a password manager to generate a random string of characters.
Great job, FBI!
> If possible, use a separate computer (an old one or a cheap one purchased for this purpose) for things like banking; if your family computer is the same one that you use for bank transactions you risk having your kids click on a bad link that results in a hacking.
So true! A $100 unrooted Android tablet is almost infinitely more secure than the windows/mac, even with the best antivirus. Or if you like physical keyboard (I do), get a $300 Chromebook and do all your banking there. Just don't login with your primary google account, or someone may install evil chrome extension on it.
So true! A $100 unrooted Android tablet is almost infinitely more secure than the windows/mac, even with the best antivirus. Or if you like physical keyboard (I do), get a $300 Chromebook and do all your banking there. Just don't login with your primary google account, or someone may install evil chrome extension on it.
If you want to go down this route, I'd just use qubes os to run each set of apps in its own vm. Sure, you have issues with vm escapes but it's a lot more convenient than switching devices.
Well, qubes requires technical expertise, and a lot of people have a tablet anyway.
My point is, if you want to check online banking, your tablet (ipad|android) is much more secure than your (windows|linux|mac) laptop. For example, here is how I would explain Android security to someone non-technical: "Do not ever enable 'unknown sources' setting, and always refuse if it asks you something about installing a keyboard". Try doing the same for full-featured laptop.
My point is, if you want to check online banking, your tablet (ipad|android) is much more secure than your (windows|linux|mac) laptop. For example, here is how I would explain Android security to someone non-technical: "Do not ever enable 'unknown sources' setting, and always refuse if it asks you something about installing a keyboard". Try doing the same for full-featured laptop.
So the #1 step to reducing your risk of an attack like this would be setting up 2FA on your email account. The industry standard is password resets via email. If an attacker has access to your email, they have access to every online account you own.
Stealing email passwords is easy. So easy. No matter how complicated your password is or how often you change it. 2FA is an easy, reliable way to make it orders of magnitude harder for any attacker to breach your account.
I know I'm preaching to the choir here on HN but I'm just flabbergasted this didn't make it into the article.