CyberTheft Alert: STOLEN Credentials
2018-08-09 15:05 by Karl Denninger in Technology

Someone has one or more "older" discussion forum or similar systems out there that have had their password file stolen; said file was not hashed, it was in "Unix" format (e.g. "login:password") and it's circulating.  I've been getting a series of spam emails that all are of the form "I turned your webcam on and recorded you watching porn; send me $x to this bitcoin address or I'm going to release it" bull****.  Oh well, I don't watch porn... so sorry, so sad for the fear merchants.  But recently a few of them included, in Unix format, my email address and a very old, only-used-for-insecure-forums password -- in plain text.

If you have used the same password on various online forums in the past and that same password is in use anywhere else, change it right now.

The Market Ticker has always hashed passwords (using the internal Postgres functions to do so, which have gotten stronger over time as their algorithm support has improved.)  But there are more than a few out there that do not hash, but instead store the passwords themselves!  Most of those have been fixed by now, but it used to be trivial to know if that was the case because you could ask the system to send you your password to your email address and, instead of getting a link to reset it (since the system doesn't know what it is -- only the hash of a correct entry), you'd get the password in your email!
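The difference described above, as an added example that is not code from The Market Ticker (its Postgres hashing functions are not reproduced here; `hashlib.scrypt` stands in for them, which is an assumption). `PlaintextStore` is the broken design: its dump is exactly the "login:password" file that is circulating, and its "forgot password" mail contains the password. `HashedStore` keeps only a salted slow hash, so the most it can mail is a one-time reset token. The class and function names are mine, and the `example.invalid` reset URL is a placeholder.

```python
import hashlib
import hmac
import os
import secrets


class PlaintextStore:
    """The broken design: the password itself is stored, so a stolen dump is
    immediately reusable elsewhere and 'forgot password' can mail it back."""

    def __init__(self):
        self._rows = {}

    def register(self, login, password):
        self._rows[login] = password

    def verify(self, login, password):
        return self._rows.get(login) == password

    def dump(self):
        # What a thief walks away with: "login:password" lines.
        return "\n".join(f"{l}:{p}" for l, p in self._rows.items())

    def recovery_email(self, login):
        # The telltale sign of plaintext storage: the site can tell you your password.
        return f"Your password is: {self._rows[login]}"


class HashedStore:
    """Stores only a salted, memory-hard hash; it can check a password but never reveal it."""

    N, R, P, DKLEN = 2 ** 14, 8, 1, 32  # scrypt cost parameters (assumption)

    def __init__(self):
        self._rows = {}
        self._reset_tokens = {}

    def _hash(self, password, salt):
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=self.N, r=self.R, p=self.P, dklen=self.DKLEN)

    def register(self, login, password):
        salt = os.urandom(16)  # fresh per-user salt: identical passwords hash differently
        self._rows[login] = (salt, self._hash(password, salt))

    def verify(self, login, password):
        row = self._rows.get(login)
        if row is None:
            self._hash(password, b"\x00" * 16)  # same cost for unknown logins (no timing tell)
            return False
        salt, stored = row
        return hmac.compare_digest(stored, self._hash(password, salt))

    def dump(self):
        # A stolen dump gives salt and hash only; the password must still be guessed.
        return "\n".join(f"{l}:{s.hex()}${h.hex()}" for l, (s, h) in self._rows.items())

    def recovery_email(self, login):
        # The site does not know the password, so it can only offer a reset link.
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = login
        return f"Reset your password here: https://example.invalid/reset?token={token}"

    def reset(self, token, new_password):
        login = self._reset_tokens.pop(token, None)  # single use
        if login is None:
            return False
        self.register(login, new_password)
        return True
```

Running `dump()` on both stores side by side shows why the circulating file is dangerous in a way a hashed dump is not: the plaintext lines are usable on every other site where the same password was reused, with no cracking step in between.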

In addition you should be extraordinarily skeptical of any browser plug-in or alleged "VPN" provider; anything that can "get in the middle" of your communications can be very bad news.  Browser plug-ins are especially dangerous since they can potentially hook the input and steal passwords, as are "custom" keyboards and similar on phones (which by definition must process what you type.)

Good "digital hygiene" is to never use "external" sign-on (e.g. use your Twatter account to log in somewhere else) and always generate a random, high-quality password for each place you log into.  You cannot control the security of some third-party site so the best you can do is make damn sure that if or when they screw the pooch the damage stops with that one site and can not propagate somewhere else.

This means you need some sort of good "password safe" (because there's no possible way for you to remember a dozen or more good, secure passwords) and its security is paramount.

I personally like KeePass because it can use a composite key -- both a key file and a password, and it is multi-platform.  Steal either the password or the key file and you have nothing; you need both.  It is of course very, very important that the key file never be put on any sort of "cloud" storage, EVER -- you must physically copy it to the devices that need it, and only the devices that need it.  If you suspect any of those devices are compromised you re-generate it and replace it.  Of course the risk with this approach is that you had damn well better never lose the key file yourself but the risk with the key file being lost is easily remedied by putting it on a USB key and then sticking THAT in your safe deposit box at the bank.  Now if you manage to lose your operating copy (e.g. your computer's disk crashes) you still have it.
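The two practices above, a random password per site and a safe unlocked by a composite key, as an added example that is not KeePass's code or file format (its real key-derivation schedule is not reproduced; the construction here, hashing the password and the key file separately and feeding both into scrypt, is my own simplification). `generate_password`, `make_key_file`, `lock_vault`, `unlock_vault` and `rotate_key_file` are names I chose. The point the code makes is the one the text makes: with either the password or the key file alone, `unlock_vault` returns nothing, and regenerating the key file invalidates the old one.

```python
import hashlib
import hmac
import json
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=24):
    """A random, high-quality password for one site (CSPRNG; 24 chars of 94 is ~157 bits)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def make_key_file():
    """The key file half of the composite key: 32 random bytes, never to be put on cloud storage."""
    return secrets.token_bytes(32)


def composite_master_key(password, key_file_bytes, salt):
    # Hash each component, concatenate, then run a slow KDF over the result (assumption,
    # not KeePass's exact schedule). Without both inputs the derived key is different.
    composite = hashlib.sha256(password.encode("utf-8")).digest() + hashlib.sha256(key_file_bytes).digest()
    return hashlib.scrypt(composite, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF; stands in for a block cipher (stdlib only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key, plaintext):
    # Encrypt-then-MAC with keys separated from the master key by HMAC labels.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong password, wrong key file, or a tampered vault
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def lock_vault(password, key_file_bytes, entries):
    """entries: {site: password}. Returns an opaque blob safe to keep on disk."""
    salt = secrets.token_bytes(16)
    key = composite_master_key(password, key_file_bytes, salt)
    return salt + _seal(key, json.dumps(entries).encode("utf-8"))


def unlock_vault(password, key_file_bytes, vault_blob):
    """Returns the entries, or None if either half of the composite key is wrong."""
    salt, blob = vault_blob[:16], vault_blob[16:]
    key = composite_master_key(password, key_file_bytes, salt)
    plaintext = _open(key, blob)
    return None if plaintext is None else json.loads(plaintext)


def rotate_key_file(password, old_key_file, vault_blob):
    """Suspect a device was compromised: issue a new key file and re-seal under it."""
    entries = unlock_vault(password, old_key_file, vault_blob)
    if entries is None:
        return None
    new_key_file = make_key_file()
    return new_key_file, lock_vault(password, new_key_file, entries)
```

The offline copy of the key file the text recommends (on a USB key in a safe deposit box) is simply the bytes `make_key_file` returned; after `rotate_key_file` that backup must be replaced too, since the old bytes no longer open the vault.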

In any event, if you're like 90% of the people out in cyberspace you use only a couple of passwords and you use them in multiple places.  If you're one of those folks, stop that right now, because there are plenty of poorly-engineered storage locations out there on various back end systems and penetrations of said sites are not unusual at all.
