CyberTheft Alert: STOLEN Credentials
The Market Ticker - Commentary on The Capital Markets
2018-08-09 15:05 by Karl Denninger
in Technology

Someone out there has had the password file of one or more "older" discussion forums or similar systems stolen. That file was not hashed; the passwords were stored in plain text in a "login:password" format, and it is now circulating.  I've been getting a series of spam emails of the form "I turned your webcam on and recorded you watching porn; send me $x to this bitcoin address or I'll release it."  Bull****.  I don't watch porn, so sorry, so sad for the fear merchants.  But recently a few of them included, in that same login:password format, my email address and a very old password that I only ever used on insecure forums, in plain text.

If you have used the same password on more than one online forum in the past, and that password is still in use anywhere else, change it right now.

The Market Ticker has always hashed passwords (using Postgres' built-in functions to do so, which have gotten stronger over time as their algorithm support has improved.)  But more than a few sites out there do not hash; they store the password itself!  Most of those have been fixed by now, but it used to be trivial to tell which was which: ask the site to send you your password by email.  A site that hashes cannot do that (it doesn't know your password, only the hash that a correct entry must match), so you get a reset link instead.  A site that stores passwords in plain text sends you the password itself.  The converse does not hold: a site that sends a reset link may still be storing plain text, so the test proves guilt, never innocence.
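Here is how the two kinds of password table behave, as an added example in Python. It is not The Market Ticker's own code (which uses Postgres' built-in functions); hashlib.scrypt from the standard library stands in for those, and the user records are constructed sample data.

```python
"""Added example (not The Market Ticker's code): a site that hashes passwords
versus one that stores them in plain text, and what each can put in a
"send me my password" email.  hashlib.scrypt stands in for the Postgres
functions the site itself uses.  The user table is constructed sample data."""
import hashlib
import hmac
import secrets

# scrypt cost parameters: memory-hard, so an attacker grinding through a stolen
# table pays about 16 MiB and tens of milliseconds per guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, parameters, salt and derived key."""
    salt = secrets.token_bytes(16)            # unique per user, stored with the hash
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant time."""
    algo, n, r, p, salt_hex, key_hex = record.split("$")
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def recovery_email_plaintext(table: dict, login: str) -> str:
    """Plain-text table: the site can (and careless ones did) mail the password back."""
    return f"Your password is: {table[login]}"


def recovery_email_hashed(table: dict, login: str) -> str:
    """Hashed table: the site has nothing to send but a single-use reset token."""
    if login not in table:
        return "If that account exists, a reset link has been sent."
    token = secrets.token_urlsafe(32)         # bind to the account and expire it in practice
    return f"Reset your password: https://example.invalid/reset?token={token}"


# Constructed sample data: the same two users stored both ways.
PLAINTEXT_TABLE = {"karl": "forumpass1", "alice": "correct horse"}
HASHED_TABLE = {login: hash_password(pw) for login, pw in PLAINTEXT_TABLE.items()}
```

The point of the per-user salt is that two users with the same password get different records, so a stolen table cannot be cracked with one precomputed list for everyone; the point of scrypt over a plain SHA-256 is that each guess costs the attacker memory and time, not just a hash call.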

In addition you should be extraordinarily skeptical of any browser plug-in or alleged "VPN" provider; anything that can get in the middle of your communications can be very bad news.  Browser plug-ins are especially dangerous because they can hook page input and steal passwords as you type them, as can "custom" keyboards and similar on phones (which by definition must process what you type.)

Good "digital hygiene" is to never use "external" sign-on (e.g. using your Twatter account to log in somewhere else) and to always generate a random, high-quality password for each place you log into.  You cannot control the security of a third-party site, so the best you can do is make damn sure that if or when they screw the pooch the damage stops with that one site and cannot propagate anywhere else.

This means you need some sort of good "password safe" (because there's no possible way for you to remember a dozen or more good, secure passwords) and its security is paramount.

I personally like KeePass because it can use a composite key, both a key file and a password, and it is multi-platform.  Steal either the password or the key file and you have nothing; you need both.  It is of course very, very important that the key file never be put on any sort of "cloud" storage, EVER (if it sits next to the database, whoever takes the database takes the key file too, and you are back to password-only protection).  You must physically copy it to the devices that need it, and only the devices that need it.  If you suspect any of those devices is compromised, generate a new key file and re-key the database.  The risk with this approach is that you had damn well better never lose the key file yourself, but that risk is easily remedied by putting a copy on a USB key and sticking THAT in your safe deposit box at the bank.  Now if you lose your operating copy (e.g. your computer's disk crashes) you still have it.
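The two jobs a password safe does, per-site random passwords and a composite key where neither half alone opens anything, as an added example in Python. This is not KeePass's code: the composite-key construction (hash each component, then hash the concatenation) is modelled on KeePass's idea, but the PBKDF2 stretching, the vault encryption (a CTR keystream built from HMAC-SHA256 with an encrypt-then-MAC tag) and the constructed key file and entries are this example's own simplifications, not the KDBX format.

```python
"""Added example (not KeePass's code): per-site random passwords plus a vault
locked by a composite key.  Composite-key idea modelled on KeePass; the
stretching, cipher and vault layout are simplified stand-ins, not KDBX."""
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
ROUNDS = 100_000                                                       # PBKDF2 iterations


def generate_password(length: int = 20) -> str:
    """One independent password per site, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password (20 chars over 94 symbols is about 131 bits)."""
    return length * math.log2(alphabet_size)


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """Hash each present component, then hash the concatenation (the KeePass idea)."""
    parts = []
    if password is not None:
        parts.append(hashlib.sha256(password.encode("utf-8")).digest())
    if key_file is not None:
        parts.append(hashlib.sha256(key_file).digest())
    if not parts:
        raise ValueError("need a password, a key file, or both")
    return hashlib.sha256(b"".join(parts)).digest()


def _derive_keys(password, key_file, salt: bytes):
    """Stretch the composite key and split it into independent encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", composite_key(password, key_file), salt, ROUNDS, dklen=64)
    return master[:32], master[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-mode keystream with HMAC-SHA256 as the PRF (a real safe uses AES or ChaCha20)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def lock_vault(entries: dict, password: Optional[str], key_file: Optional[bytes]) -> dict:
    """Encrypt-then-MAC the serialized entries under the stretched composite key."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    k_enc, k_mac = _derive_keys(password, key_file, salt)
    body = "\n".join(f"{site}\t{pw}" for site, pw in sorted(entries.items())).encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(body, _keystream(k_enc, nonce, len(body))))
    tag = hmac.new(k_mac, nonce + ct, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unlock_vault(vault: dict, password: Optional[str], key_file: Optional[bytes]) -> Optional[dict]:
    """Return the entries, or None when the supplied components do not reproduce the key."""
    k_enc, k_mac = _derive_keys(password, key_file, vault["salt"])
    expected = hmac.new(k_mac, vault["nonce"] + vault["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None                       # wrong key: nothing is decrypted, no partial leak
    body = bytes(a ^ b for a, b in zip(vault["ct"], _keystream(k_enc, vault["nonce"], len(vault["ct"]))))
    return dict(line.split("\t", 1) for line in body.decode("utf-8").split("\n") if line)


# Constructed demo: a 32-byte key file (copied to each device by hand, never via
# cloud storage), a master password, and two generated per-site passwords.
KEY_FILE = secrets.token_bytes(32)
MASTER_PASSWORD = "a long phrase only I know"
ENTRIES = {"forum.example": generate_password(), "bank.example": generate_password()}
VAULT = lock_vault(ENTRIES, MASTER_PASSWORD, KEY_FILE)
```

Unlocking with the password alone, the key file alone, or the right password and a different key file all fail the tag check before any decryption happens; that is the "you need both" property the post describes, and it is also why a key file stored beside the database adds nothing.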

In any event, if you're like 90% of the people out in cyberspace you use only a couple of passwords and you use them in multiple places.  If you're one of those folks, stop that right now, because there are plenty of poorly-engineered storage locations out there on various back-end systems, and penetrations of those sites are not unusual at all.

Comments
Wifi
Posts: 691
Incept: 2013-02-13

Seagrove Beach
Only forum posting to is here:

As for porn? Did you say porrrn

----------
Hurricane Evacuation Plan
1.Grab Beer
2.Run Like Hell
Gable
Posts: 815
Incept: 2009-07-04

Retired in NC Mountains
I assume using Firefox "saved logins", which is protected by a master password but saves your passwords, is a bad thing as well for important sites. Norton also has a password safe, but I never used it because I thought the passwords would be saved on Norton's servers.

I use the old-fashioned notebook on my desk to store passwords for any site of importance (banking, IRA...).

----------
In all of history, no government became more honest, less corrupt, or respected its citizens' rights more as it grew in size. E.L. 2016
Ckaminski
Posts: 4786
Incept: 2011-04-08

Mass-Hole!
****, anyone who wants to see my ugly O face is welcome to it.

God help them.

That said, 100% - never reuse a password, anywhere.
Eaandkw
Posts: 20
Incept: 2014-11-22

Now in Texas
I know for myself I have been reducing my overall footprint on the internet. I'm slowly deleting accounts, unsubscribing from various accounts and generally just not signing up for anything anymore. I should consider adding websites to the hosts file, and I do use Pi-hole with the Raspberry Pi. Unfortunately, while I was in the military I used all of the typical social media sites. That was long before I learned just how bad they could get and have gotten. I have a couple of emails that have been active for at least ten years. With all of the data breaches it is safe to assume that everyone has been compromised at least once, if not several times over. So I think that I may just start from scratch with new emails and everything. It is just a process that will take a couple of months.
Smacktle
Posts: 1871
Incept: 2009-01-20

Texas
I got that email. Had a really old simple password. I don't have any external cameras. The one on the laptop is covered up. Ready to toss all my electronics out the window!

----------
The faults of the burglar are the qualities of the financier.
- George Bernard Shaw
Tinman
Posts: 326
Incept: 2008-02-16

I reduced attack surface about five years ago. Before abandoning accounts I scrambled their data on me. Changed every field they would allow me to, changed my email to a throw-away alias, deleted (if allowed) and never went back. Data rarely gets "deleted", it gets archived. Now they have archived trash. Social media... you're never going to delete any of that.

Something I tell everyone I'll put here if I never mentioned it: You know those hint questions for getting back into your account? Don't put the real answers, anyone can see your mother's maiden name on genealogy.com or whatever and a trip to your face-book might tell them how many sisters you have. From now on your father's name is Big Red and you have 256 brothers. Put it in a separate password Db.
Ahhz
Posts: 243
Incept: 2011-06-12


Here is an easy site to check to see if you have any account breaches:

https://haveibeenpwned.com/

Website info wrote..

';--have i been pwned?

Check if you have an account that has been compromised in a data breach


100% accurate? Dunno, but they did list some of my old accounts that I know had been breached due to company side data breaches.
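Alongside the account search linked above, Have I Been Pwned also offers a Pwned Passwords range lookup that lets you check an old password without sending it anywhere. The following is an added example in Python, not haveibeenpwned.com's own code: only the first five hex characters of the password's SHA-1 go to the server, the server returns every suffix in that bucket, and the match is made locally (k-anonymity). The sample response is constructed so the example runs offline; the live endpoint, for the function that is marked as needing the network, is https://api.pwnedpasswords.com/range/<prefix>, which returns lines in the same SUFFIX:COUNT form.

```python
"""Added example (not haveibeenpwned.com's code): the Pwned Passwords k-anonymity
check.  The sample bucket below is constructed so this runs offline."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; blank lines are skipped, padding entries carry count 0."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def times_pwned(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in known breaches (0 if absent).

    fetch_range(prefix) returns the response body for that 5-char prefix; the
    password itself never leaves this function."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Query the real API (needs network).  Add-Padding hides the bucket size from an observer."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline bucket: the real suffix for "password" (computed, not typed in)
# plus two unrelated suffixes.  The counts are made up for the example.
_PREFIX, _SUFFIX = sha1_prefix_suffix("password")
SAMPLE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    f"{_SUFFIX}:3861493",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:0",   # padding entry, as the API emits with Add-Padding
])


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for fetch_range_live that only knows the one constructed bucket."""
    return SAMPLE_RESPONSE if prefix == _PREFIX else ""


if __name__ == "__main__":
    # Swap fetch_range_sample for fetch_range_live to check a real password online.
    print("password seen", times_pwned("password", fetch_range_sample), "times in the sample bucket")
```

A hit does not tell you which site leaked the password, only that it is in circulation; that is the signal to retire it everywhere it was ever used, which is exactly the post's advice.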

Xorbe
Posts: 182
Incept: 2009-06-23

Bay Area, CA
I think I saw that same spam on the gcc (compiler) dev mailing list last week, hah.
Nitrium
Posts: 58
Incept: 2010-05-21

New Zealand
I've had about 5 of them already in the last 3 days. I've been trying to figure which website got hacked, since it is an older password. Still not sure, but maybe Toms Hardware UK? They're clearly doing a shotgun approach, since I don't use (and never have) any of the services "Messenger, Outlook, Facebook" they're attempting to blackmail with.
Here is the message in full, for those interested in how these folks try to extort money:


"It seems that, (*****), is your password. You may not know me and you are probably wondering why you are getting this e mail, right?

actually, I setup a malware over the adult videos (porno) web-site and guess what, you visited this site to have fun (you know very well what I mean). Whilst you were watching videos, your internet browser started off functioning as a RDP (Team Viewer) which gave me accessibility to your screen and web camera. and then, my software program obtained your complete contacts from the Messenger, Outlook, Facebook, along with emails.

What did I really do?

I produced a double-screen video. First part shows the video you were seeing (you have a good taste haha . . .), and 2nd part shows the recording of your webcam.

exactly what should you do?

Well, in my opinion, $1500 is a fair price for our little secret. You'll make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google)."

Bitcoin Address: 1FRGrH6SDGTyPhwdedyLdxfdo3wPKJG4wW
(It's case sensitive, so copy and paste it)

Important:
You've got few days in order to make the payment. (I've a special pixel within this e mail, and at this moment I am aware that you have read this email message). If I do not get the BitCoins, I will certainly send out your videos to all of your contacts including family, co-workers, and so forth. Having said that, if I get the payment, I'll destroy the recording immidiately. If you need evidence, reply with "Yes!" and i'll undoubtedly send out your video recording to your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by answering this message."
Gonewest
Posts: 41
Incept: 2015-02-26

PacificNW
I've received two of these in the last two weeks, both to my company email. That account is used only for business-related web sites (and no e-commerce), stuff like partner web sites, technical downloads (we are a software company), and other interactions that require a company email address.

Message was similar to, but not exactly like, Nitrium's message.

Sent it to the junk folder as I have nothing to hide in my internet interactions. Too bad for the bad guys.
Mangymutt
Posts: 625
Incept: 2015-05-03

Vancouver WA
Gonewest - If you have gotten one of these emails at your work account and it is only used for business, I am guessing you work for the SEC.
Vernonb
Posts: 2164
Incept: 2009-06-03

East of Sheol
Quote:
Gonewest - If you have gotten one of these emails at your work account and it is only used for business, I am guessing you work for the SEC.


smiley

Too bad it wasn't the NYT.

----------
"Mass intelligence does not mean intelligent masses."
Snowmizuh
Posts: 1767
Incept: 2009-03-18

Alabama
I suggest LastPass and turn on 2FA everywhere you can. I just got one of these little YubiKeys this week and have been very impressed with it. Yubikey integrates tightly with LastPass (Keepass too, though I haven't tested that). I got the Yubikey NEO because it does NFC and works with my phone.
Tickerguy
Posts: 153900
Incept: 2007-06-26
A True American Patriot!
Beware using passive NFC as authentication...

----------
Winding it down.
Radiosity
Posts: 141
Incept: 2009-03-05

Sunny UK
Nice to know you also use Keepass. Switched to that years ago and never looked back, I love the dual protection of password AND key file.

Someone I know called it trash because she couldn't get to her passwords online (she uses LastPass now iirc).

Needless to say, I brought out my Picard Facepalm pictures for that one.
Attilahooper
Posts: 2895
Incept: 2007-08-28

New York, by way of Montreal Canada.
keepass db in onedrive/dropbox works for me.

----------
I've retired and bought Shecky's - Welcome, have fun, **** **** up, let's get this party started
https://www.youtube.com/watch?v=ykZbxFub....

Tickerguy
Posts: 153900
Incept: 2007-06-26
A True American Patriot!
That's okay but use the key file too and don't have that on the cloud

----------
Winding it down.
Attilahooper
Posts: 2895
Incept: 2007-08-28

New York, by way of Montreal Canada.
Although I'm using pw only right now, I'm gonna start using the key file on devices as well, per your advice. Thanks. btw, to others, KeePass passed an independent European review of its integrity with no issue.

----------
I've retired and bought Shecky's - Welcome, have fun, **** **** up, let's get this party started
https://www.youtube.com/watch?v=ykZbxFub....
