How can I figure out which account was hacked?

[strantor]

Facebook kicked me offline and gave me this message:


I've already changed my password and my passwords on all my other critical accounts. I'm now using a different password on every website/account, each a string of random characters. But I would like to know what account was hacked exactly. I take the warning to mean that somewhere on the internet my login and password to some account/website is posted in public. I would like to know what website it's posted on, and what account it was that got compromised.


I tried searching pastebin.com for my email address and there were 5000+ hits, none of which contains my email address (???). I tried searching pastebin.com for my various website usernames and got 0 results for everything. I do not understand this pastebin.com search engine and there does not seem to be any advanced search options.

 

[Tony Stewart]

Looks like a bogus phishing attack. What OS are you running?
Can you run (Win&R) MSinfo32 ((enter)... save as anyname.nfo then send to me or use pastebin?

 

[strantor]

that was on my phone, generated by the official facebook app.
I tried logging into facebook from my PC as well and was given the same error. It is legit.

http://www.forbes.com/sites/amitcho...t-if-your-passwords-were-stolen/#1922d63e1d39

[facebook] specifically looks at websites where hackers leak e-mail addresses and passwords. Facebook built a tool that actively looks for public postings on websites like Pastebin.com containing login credentials and notifies account owners if their information has been compromised.

 

[shortbus=]

Facebook kicked me offline

Sounds like they did you a big favor. Hate Facepoke

 

[Tony Stewart]

They track device ID from which each login is created. Google has a workbench for reviewing all your logons locations and devices. FB may not, but they do warn you if you have used different new devices.

 

[strantor]

Ok folks, my own independent research uncovered the following:

When hackers hack a website (ex: twitter, electronics forum, Sony, Experian, etc.) they either sell the account info (incl. password) on the black market or they post it publicly (on a paste site like pastebin.com usually) to gloat. Facebook security crawls these paste websites looking for your email/username and if it finds one of your accounts, it compares your password for that account with your facebook password and if the passwords match, you get the message that I got.

There are a few directories to find the latest password dumps, including https://twitter.com/PasswordsLeaks.

I sought out all the places that I could find where hackers typically post up their password dumps, and I could not find any password dumps that included my info from any website, however I did find https://www.leakedsource.com/. LeakedSource is a database of password and personal data dumps that are collected from various dump sites across the web. You can search for yourself (or anyone else) by name, email, IP address, phone number, etc. and if there are any hacked (and publicly exposed) accounts in LeakedSource's database, you will be able to see them there. If you pay $4, you can see the entire contents of the hacked data dump, including plain text passwords. I had 3 hacked accounts, two of which are from long defunct forum logins. My passwords for these websites have been available to the public since February of this year.

I searched several friends and family on that website and uncovered passwords to handful of loved ones' old myspace accounts, forum accounts, and my brother in law's porn account. I found an unsettling amount of information about my dad and my uncle (deceased) which had been hacked from Experian.

Note that my two hacked accounts were VBulletin accounts. My loved ones' forum accounts were also VBulletin accounts. I went in search of more info about these hacked VBulletin accounts and found this:
http://www.zdnet.com/article/hacker...reds-of-verticalscope-car-tech-sports-forums/

A hacker has stolen tens of millions of accounts from over a thousand popular forums, which host popular car, tech, and sports communities.

The stolen database contains close to 45 million records from 1,100 websites and forums hosted by VerticalScope [VBulletin], a Toronto-based media company with dozens of major properties, including forums and sites run by AutoGuide.com, PetGuide.com, and TopHosts.com.

You all might want to check and see if your forum logins are compromised.



Unfortunately my account (whatever account it is/was) that shared a password with my facebook account was not in the LeakedSource database and I could not find it anywhere else either. I assume it must be pasted to the deep web somewhere on a Tor/Onion site but I'm not going down that rabbit hole to find out. It would be really useful if the Facebook alert had given some clue as to where their crawler uncovered my password. The password that I used for Facebook is one that I had been using on all my sensitive accounts (lots of personal info or financial info) so I'm still not comfortable not knowing what account it was or where it's posted. It had to have been a pretty high-level account, like from my bank or one of my guarded email accounts. I've changed all the passwords for all the websites I can think of. I'm 99% sure I've taken care of it but there's an uneasiness in the back of my head like I'm forgetting something. Adding to the uneasiness is that, whatever account I used this password on was a reasonably trustable (big name, high security) website and there hasn't been any reported breaches in the last week from any websites that I frequent. So I wonder if it was obtained by some other means, some hole in my defenses that I haven't plugged, and if it won't just happen again.

more info:
http://www.makeuseof.com/tag/passwords-leaks-happening-time-heres-protect/
http://www.makeuseof.com/tag/heres-much-identity-worth-dark-web/

 

[Tony Stewart]

Excellent Review of leak databases.
We really can trust no one to secure our private information and passwords, so it requires that we understand, never to use duplicate passwords or ones which can be easily figured out. I have used unique PW's for about 10 years and the former year PWs are benign and no longer used on critical domains, so I dont worry about those.

Given that the brilliant hacker from Tehran ( Comodo Dragon CD) has demonstrated his reach to DigiNotar in creating Google certs, +500 of his own or accessing other sites entire databases even some blocked to internal employees in Ultra-secure off-line internal servers, we have a lot to learn about prudent security measures. He (CD) is not motivated by money or government or bias, but real emotional experiences of threats or bias to his family and countrymen from banks and CIA tactics. He promised to create a global botnet to attack big institutions.

It really does sound like the Hatfields and McCoys.

Hopefully Google's acquisition of LinkedIn will improve their security too.

But I think if the Hatfields and McCoys, North and South Irish can find peace, there is hope for web security to improve, but we will have wait along time for this to happen. It will take the best minds until the weakest links are hardened to be defined by trusted leaders like Bruce Schneier, Steve Gibson, Eric Snowden, Mark Russinovich. But beware of those with purely Religious, Political, Financial or Government agenda to make it happen. It must come from the good will of the voters and performed by the best minds... and I do not expect this to happen in my lifetime, because greed and resentments run deep in a small ruling minority. Along with a desire for secret back doors in cryptology by the certain organizations and ignorance in others.

The Russian hackers , they are motivated my money and sell personal information in bulk for a fee on places like Paltalk, which is a centralized anon. network for chat, video and voice with file transfer.

By definition, nothing can be defined as "totally secure" until the last person has tried to crack it. Security can only be defined by the known tests, to determine the weakest links.

For those who feel insecure, the best bet is to consult with trusted security company like the one bought by IBM from a famous American cryptologist of BlowFish and Twofish, Bruce Schneier. or DIY follow Steve Gibson on "Security Now" TWIT podcast and watch some of previous hundreds of episodes.

Excellent question and research strantor
Tony near Toronto

 

[killivolt]

I find building a password out of Acronyms is affective. You make random sentences like " Two Shakes Of A Rats Tail " > TSOARA and add Im In > IITSOARA and if you need more characters put numbers in-between I1I2T3S4O5A6R7T.

This string would require a few Million Computers working full time for 25 years to figure out.

kv

 

[Tony Stewart]

I find building a password out of Acronyms is affective. You make random sentences like " Two Shakes Of A Rats Tail " > TSOARA and add Im In > IITSOARA and if you need more characters put numbers in-between I1I2T3S4O5A6R7T.

This string would require a few Million Computers working full time for 25 years to figure out.

kv

GRC computes your PW I1I2T3S4O5A6R7T as follows;
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)

72.30 years
----------------------------------

I tested my fake pw .S2t2e2w2a2r2t. with symbols , upper / lower case . number with 15 characters

Offline Fast Attack Scenario:
(Assuming only one hundred billion guesses per second)

1.49 billion centuries

https://www.grc.com/haystack.htm

 

[killivolt]

GRC computes your PW I1I2T3S4O5A6R7T as follows;
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)

72.30 years
----------------------------------

I tested my fake pw .S2t2e2w2a2r2t. with symbols , upper / lower case . number with 15 characters

Offline Fast Attack Scenario:
(Assuming only one hundred billion guesses per second)

1.49 billion centuries

https://www.grc.com/haystack.htm

I figured 25 was enough since I'll be near death by then. 72.30 years? unless they come up with cyborg technology or clone, it won't matter much Same with my data they wanna steal, useless

kv

 

[Tony Stewart]

security is like a ratchet lock.

'tis impossible to prove it is strong enough nor fool proof. Each time a vulnerability is found or it is broken, or someone smarter figures out how to break it. Then idiot politicians add expensive ineffective bandaids, instead of hiring the best security expert to propose a more effective solution.

 

[strantor]

idiot politicians add expensive ineffective bandaids, instead of hiring the best security expert to propose a more effective solution.

Well I can provide an article showing they are now hiring the best security experts to stay in front of the cyber terrorism problem. But I'm not convinced that their new hiring methods are anything more than yet another expensive, ineffective bandaid.

To sum up the article, the Navy wants to enlist/commission computer nerds directly into the E-7 (Chief) and O-6 (Captain) ranks immediately after boot camp in order to rapidly develop cyber terrorism units. The (massive) leap from recruit to senior supervisor is supposed to be incentive for bright people to join the program I guess.

But the problem as I see it is that E-7 is upper management for enlisted personnel. E1 thru E-3 are typically peons who fetch wrenches (or keyboards in this case). E-4 thru E-6 are typically the skilled & experienced technicians who get the job done. Once you graduate out of E-6 and into E-7, that is a promotion out of a highly skilled/ highly technical position into an almost exclusively managerial position. In my experience, managers don't necessarily need to be superior technicians to those that they manage. In some cases, they don't need any of the technical knowledge that their underlings have. They just need to be able to manage them. Management and computer nerdery are two very different skill sets and seem to be oil and water. It makes sense to me to provide incentive to the country's best and brightest to join an elite team, but it does not make sense to hire people with no military management experience into military management roles. Even if the person in question has civilian management experience, it's not the same. It typically takes ~15 years to groom someone into an effective military manager. Taking people off the street (no matter how bright they are) and putting them into senior roles is a recipe for disaster IMO. I think that E-5 (maybe E-6) is the highest rank they should let people come in as.

I've addressed the enlisted side because that's the only side that remotely makes any sense to me. Inviting people in as an officer, in the O-6 rank? WTF? that's absolutely bonkers in my book. I have no idea what they are thinking. An O-6 is the rank of a ship captain. My Captain of the submarine I served on was an O-6. He spent a couple decades working up to a position where he could be entrusted with a billion dollar asset and the lives of 150 men. To think of someone being hired into this rank just because they are a good hacker is, well, unthinkable. Officers are exclusively upper management. An O-1 with zero days on the job already trumps an E-7 with 20 years on the job (on paper, functionally not so much). So why hire them on in an advanced rank? They're being hired for their tech skills, right? so why hire them on as upper management where they won't be sitting at a terminal? If it makes any sense at all, maybe it makes sense at the O-2 level, but no higher in my book.

 

[JoeJester]

I read the Navy Times article when I was in Michigan for a couple of weeks recently. E-7 and O-6 is a stretch for freshly minted boots.

I've seen shake and bakes in the 70s at the E-5 and E-6 levels, never an E-7. However, the advancement process minimums allowed some of those E-6's to advance to E-7 during their first four years, making them slick armed Chiefs (no service stripes indicating 4 years of service),

I met one shake and bake E5 when I was an E4, who couldn't troubleshoot.

I'll bet those shake and bake E-7's through O-6s will be viewed like the shake and bakes in the seventies. Those junior would respect the rate/rank, but personal respect is earned. Every day will be a test. Some will succeed and some will fail.

 

[JoeJester]

instead of hiring the best security expert to propose a more effective solution.

Security is a never ending game. If it were not, we would not have anti-virus software since the dawning of the computer age.

Grace Hopper, Admiral, USN(ret) was troubleshooting a computer code problem when they discovered the "bug". Here is their maintenance log entry:

 

[Tony Stewart]

Schneirer has led the path with his White Paper on security at the Black Hat's conventions.he I have worked with the brightest software people in my life from many companies and none have the skills even close to Bruce Schneirer. Snowden is also extrmely bright but still does not have the depth of security skills and broad perspective that he has in ALL walks of life. If you read even one of his hundreds of monthly Counterpane articles you might get the idea that has more wisdom than can be found in the library of Congress. His first White paper to the Black Hat convention was before he developed the best encryption code and defined all the mechanisms in open source which can be compiled for for any computer or uC chip. The reason IMHO his algoritm, TWOFISH came in seond for the AES2000 leads me to think the NSA want a back door with the winning code that no one else can afford to open. Not because of their supercomputer networks but because they found a way to hack it so hard that no one else could.

"good security is hard" and and nothing is secure by Schneirer's definition becuase it can only be tested until they give up and if they fail, they say it is good enough. Then if broken it can be downgraded. Schneirer takes a different approach and he has written many books on it. Others consider something secure until a brighter person breaks it. Bruce only considers managed dynamic systems to be the best solution, for security violations or mitigation of collatoral damage or excessive cost with little improvement. Sometimes the best security scenario is to draw the least attention without shields than have armored tanks.

I disagree you need military experience or intelligence to define how to implement good security. I firmly believe from many personal experiences, that title it is an oxymoron. They have many intelligent people and some with technical greatness. But none have demonstrated the skills of Schneirer. It akes creative genius and decades of broad technical, political, social and economic experience to achieve the wisdom that Schneirer has. Not just cryptography and not just his business now bought by IBM for secure networks, but a deep understanding of how to define all the weakest links to security by a comprehensive audit, determine every branch of Murphy's Law and define a probability and cost effectiveness of probable solutions for each method of attack. Including braindead Senators who use their own mail servers and tons of government departments and commercial enterprises, who have been hacked for personal and intellectual property.

I admire Snowden for his values to protect the public, his honesty and tactful delegation of relaese thru a responsible press agent. He is also admired by the best in the security biz and Schneirer usually leads the video conferences he has with Ivy League campuses on security, because Schneirer is a master of diplomacy and security. He would be my best choice and was on Bushes Presidential advisory at one time with others, but not given any authority so the politcal mess followed aith useless expensive security bandaids. It would have been far safer to not blatently attack evil-doers than antognize them for instance, all the while stealing the public's privacy illegally and then swiftly passing laws without debate to legalize them.

 

[spec]

Informative and interesting threads about security

Can someone (Tony) explain a few things for me about computer security:

We had a password generator at work that issued a new password at regular intervals. The passwords were pseudo phrases to aid memory: 'Suloy tallloon spacter osleene 109', for example. You were only allowed three login attempts. After that the password was revoked. Of course, you were not allowed to write your password down anywhere.

My questions are:
(1) Why on earth are unlimited attempts to login permitted. If login attempts were limited all of the maximum combination computer generated attacks would be stymied overnight. Or am I missing something.
(2) I understand that it is trivial to install a key logger an any computer connected to the net. As, by definition, all data entered on the keyboard is in plain, how can any password, never mind how complicated or long, be secure?
(3) Is there a good password generator hardware package available for the general public (for my bank account access I have to use a little hardware code generator which generates a new code for every login).
(4) There are password software applications available that generate and store passwords for you- which is the best and how can they be secure? I understand that some of these packages use a USB key.

The trouble with security is that it is a pain with no performance benefits, a bit like backups, so there is no motivation, apart from fear, to attend to it, at least in my case.

spec

 

[Tony Stewart]

spec .. go to GRC dot com and look for free security info to answer (---) some of your questions and http://www.Lastpass.com has an effective password generator and repository. ( free for individuals)

Steve Gibson was the inventor of the term "Malware" and is a computer + network security expert on weekly Podcasts ... Security Now. ( over 500 episodes now.. good stuff)

Nothing is totally secure, not your car, your home or even the White House.
But there are effective solutions to reduce the probability to acceptable risk.

 

[spec]

spec .. go to GRC dot com and look for free security info to answer all your questions and Lastapass has an effective password generator and repository. ( free for individuals)

Nothing is totally secure, not your car, your home or even the White House.
But there are effective solutions to reduce the probability to acceptable risk.

Many thanks Tony- I thought somehow you might have a good answer.

spec

 

[spec]

Another area that worries me is that all of our data is now stored on Network Access Storage (NAS) which is connected to the router which is obviously is connected to the internet. As both the NAS and router are permanently on doesn't this constitute a massive security risk?

spec

 

[spec]

Nothing is totally secure

I am not arguing just interested. Is it absolutely a fact that nothing is 100% secure?

spec