rockyou, a service that offers up applications to social networking sites, has been hacked. 30 million user passwords along with the associated e-mail addresses have been compromised and some have reportedly been leaked on the net. rockyou has apps on facebook and myspace. if you run applications made by rockyou they highly recommend that you change your password on rockyou and on any other online accounts that use that e-mail/password combination (presumably associated with rockyou). now.
it seems that hacking passwords for webmail services is getting some attention. and money. people are actually paying someone to get people’s webmail passwords so they can take a peek at people’s private e-mails.
naughty. santa does not like that.
there is a trend here. people get paid to hack into a webmail account–not to mess it up–but to take a look at what the account contains. they don’t even change anything–not even the password–so the user is unaware that his/her account has been compromised. on one occasion, i got my hands on a compromised e-mail account and all the hacker did was to add another e-mail account, supposedly so that they could send spam using the original e-mail address.
what to do. like i said before, use a passphrase instead of a password. a phrase is longer than a word and is therefore harder and takes longer to crack. it would be better not to use any english words or phrases if you can. french. german. tagalog. japanese. whatever. as long as you can remember them. but not english.
change your password. now.
i have been preoccupied of late with security stuff. the first one is what they’re calling conficker.c which will activate on the first of april. no one knows what it will do but i would bet a beer that it’s not entirely good. symantec has a removal tool for this and previous versions of conficker (aka downadup).
+ + +
another news item that has been in that particular corner of my brain is the network bluepill aka psyb0t botnet. it’s a new botnet targeting routers/modems instead of pcs. these routers/modems are the gadgets that give you access to the internet. imagine what bad things can happen when that’s been compromised. you can’t scan for the botnet either because the botnet code is not on your pc. according to dronebl–a real-time tracker of abusable ips–you are vulnerable if:
- Your device is a mipsel (MIPS running in little-endian mode, this is what the worm is compiled for) device;
- Your device also has telnet, SSH or web-based interfaces available to the WAN, and
- your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.
the best way to ensure that you don’t get infected (or reinfected) is to perform a hard reset of the device, update the device’s firmware to the latest and change the administrative passwords to stronger ones, maybe use a passphrase instead.
+ + +
and then there’s the next version of ubuntu–jaunty jackalope or version 9.04–coming out by april (2009.04). that’s something to look forward to. at the same time i’ve been studying/evaluating the server version of ubuntu as a replacement for some (or all) of my server installations.
i have taken on a new project making a new website which will act much like a repository of information about a famous person. this will replace another project that i had to let go. it’s another php/mysql/apache install (spelled as web 2.0). this should prove interesting.
a couple of years ago one of my hard disks crashed. it wasn’t a major crash but i lost a good number of files nonetheless. i do have backups but since then i have tried to offload most of my files from my desktop and/or laptop to the internet.
at the time, one of my fastest growing files was my e-mail. i used outlook express and it fit my needs then. but as more mail slowly crept in i realized that i was hitting outlook express’ limits and the space being occupied by my mail was getting uncomfortably big.
so i decided, off with the pop mail and go with web-based e-mail. there are definite advantages to this move:
- i can access my mail from anywhere and on any computer with an internet connection.
- i would think that all my mails would occupy approximately 3 gigabytes of space. maybe 4. i get plenty of pictures, videos and documents and i do not delete them. that’s a lot of space for just e-mails and none of that is occupying space in my local system. outlook’s (not the express version’s) default capacity is 2 gigabytes.
- should my local hard drives or system fail my e-mail data is still safe and i can still access them.
- should i refresh or change my system i do not have to worry about restoring my mail setup and files from backup.
there are disadvantages too:
- no internet. no e-mail. i will not be able to access even the ones that i’ve read already.
- security is dependent on the service provider and strength of the password. so i use several passphrases and rotate them regularly and i got (i think) a pretty good webmail service provider — yahoo!
i would think that the advantages outweigh the disadvantages. if you want more info on service providers there is a comparison of webmail providers from the wiki.
this topic has been taken up time and time again but it’s still worth repeating.
change your passwords.
that string of letters and numbers that you call a password is what protects your online identity.
websites that ask you to register a user name and password usually recommend creating a password that’s at least eight (8) characters long using a combination of numbers and letters. this is still good advice but i’d recommend using a convoluted phrase — a passphrase, if you will — instead. better yet, think of several passphrases and rotate them every few months.
i am aware that this may cause some problems but those problems will seem minuscule when someone guesses your password and takes over your online life.
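to put some numbers behind the passphrase advice above (and the earlier point about avoiding english words), here is a small added estimate of how much search space an attacker faces in each case. this is illustrative code written for this post, not something from the original; the guess rate, the 10,000-word dictionary size and the sample phrases are constructed assumptions.

```python
import math

# constructed assumptions, not measured values
GUESSES_PER_SECOND = 1e10   # assumed offline guess rate against a leaked password hash
ENGLISH_WORDLIST = 10_000   # assumed size of the attacker's common-english-word dictionary
LOWERCASE_AND_SPACE = 27    # 26 letters plus the space between words


def brute_force_bits(charset_size, length):
    """search space (in bits) when every string of this length must be tried."""
    return length * math.log2(charset_size)


def wordlist_bits(dictionary_size, word_count):
    """search space (in bits) when the attacker combines dictionary words instead."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits, guesses_per_second=GUESSES_PER_SECOND):
    """worst-case time to try the whole space at the assumed guess rate."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


def passphrase_bits(phrase, words_in_attacker_dictionary):
    """bits an attacker must search for a lowercase phrase.

    if every word is in the attacker's dictionary the phrase is only as strong as
    a combination of dictionary words. if the words are not in it (the post's
    'french. german. tagalog.' advice), the attacker is pushed back to guessing
    the phrase character by character, which is far larger.
    """
    words = phrase.split()
    if words_in_attacker_dictionary:
        return wordlist_bits(ENGLISH_WORDLIST, len(words))
    return brute_force_bits(LOWERCASE_AND_SPACE, len(phrase))


def compare():
    """the three cases discussed in the post, as search-space bits."""
    return {
        # the usual 'eight characters, letters and digits' recommendation
        "8-char letters+digits": brute_force_bits(62, 8),
        # four common english words, assumed to be in the attacker's wordlist
        "4 english words": passphrase_bits("green river paper clock", True),
        # four non-english (tagalog) words, assumed absent from that wordlist
        "4 tagalog words": passphrase_bits("mabuhay kumain bahay araw", False),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:24s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years")
```

the point the numbers make: an 8-character alphanumeric password sits under 48 bits and is exhausted in well under a year at the assumed rate, while a phrase whose words are not in the attacker's dictionary forces character-level guessing over the whole phrase.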