Gawker Hack

User avatar
BobH
UraniumLounger
Posts: 9534
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Gawker Hack

Post by BobH »

Sometimes I feel like a 6-year old: big enough to play outside but too naive and uneducated to know what is dangerous.

The news this week of the Gawker hack made me realize how little I know about what happens to one's identifying data when one visits websites. The more I read, the more I realize I don't know and the more confused I become. Out of an abundance of caution, I cancelled a couple of gmail accounts I've had. I even found out that there is a web site where one can check to see if one's email addy or user name was compromised (http://www.didigetgawkered.com/; mind that I don't know how safe it is to use this but came across the information from an Infoworld article).

So, because I don't know, there just might be others out there who are in the boat with me; therefore I thought I'd ask some of the cognoscenti here to help us understand what happened in the Gawker hack and what steps one should take to safeguard - as much as one can - one's identity and passwords whilst web surfing. For example, I read that the Gawker database contained (or might have contained, I'm not sure) multiple usernames, email addresses, and passwords for a user, though how it got them I don't understand. (Just one point of my ignorance.) If that information were compromised, it could be used by anyone who had access to the information to represent themselves as me. OK, I use 5 or 6 different identities (email addys, usernames, passwords, etc.) on different sites. Although I'm open here (BobH stands for Bob Hutchins and my signature indicates the town I live in), there are other sites - mostly news sites where I comment and editorialize (no smut)- where I use noms de surfing :innocent: . Is it possible that if I signed into one of those sites and it logged my id data (including IP address), that other identities could be discovered and stored in that database? Surely they could not discover my usernames and passwords from other sites using just an IP address, could they?

One of the things I don't understand at all is third party cookies. I presume that this is a cookie that one acquires through unsafe computing or some such. My guess is that if I buy something through, say Amazon, which then passes me to another website to enter the order, I get cookies from Amazon and whomever they send me to. Given our thread about corrupted cookies, I'd prefer not to go to Chicago, as it were. Therefore, I went into my browser (Firefox) and changed the options to disallow third party cookies. But I don't know what effect that action has, if any. Again, I'm demonstrating my ignorance in the hope that some of you kind souls will help me overcome it.

In addition to the answers to the admittedly broad questions above - how do sites garner multiple groups of identifying data and what is going on with third party cookies - I'd like to see a well written article that takes users through what nodes in the Internet might be doing with data each time one visits a sight and more specifically what data - at a minimum - might be stored when one registers on a web site (realizing that much of it depends on what the user chooses to provide). IOW, I'd like to know how to practice safe computing. What prophylaxis - by way of browser settings, caution in using pw's, userids, etc - is/are effective but still allow one to enjoy web surfing? Maybe theirs a "? for Dummies" book I need to read or someone might recommend a good web article - or better yet, one of you cognoscenti might write one.

Ignorantly, but with highest regards,
I remain yr obt svt,
Bob H
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs

User avatar
HansV
Administrator
Posts: 79447
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Gawker Hack

Post by HansV »

If I understand the news correctly, Gawker operates several popular sites. So when their servers were hacked, investigators could match several membership databases which contain usernames, passwords, IP addresses etc. and analyze the overlap. Reasonably well-known methods were used to decrypt the passwords (but keep in mind that you have to hack the servers before you can get at the data!).

It turned out that a surprisingly large number of people use the same username and password for all sites, and that many of the passwords were very simple.

So if they know that you're registered at LifeHacker and Gizmodo (sites operated by Gawker) as User123 with password 12345, they can try logging in to, say, Twitter, as User123 with password 12345, and have a reasonable chance of getting in. If they just have a username (not all passwords were decrypted), they can still try to log in to other sites with that username and the ten most popular passwords.

If you don't have a username on one of the Gawker sites, you're probably safe.

Apart from that: don't use the same username/password combination on different sites, and don't use a password that is easy to guess.
Best wishes,
Hans

User avatar
StuartR
Administrator
Posts: 12808
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Gawker Hack

Post by StuartR »

HansV wrote:...don't use the same username/password combination on different sites, and don't use a password that is easy to guess.
The method they used to find people's passwords would only work if you had a reasonably simple password.

To make a properly secure password you should NOT use dictionary words, even if you combine them with couple of digits and punctuation marks. For example a pasword such as banana23 would be cracked in just one or two minutes using standard tools.

Think of a phrase that you can remember, use the initial letters, capitalize some letters you will remember and then added digits and punctuation marks. For example

I think Eillen's lounge is the best web site on the internet
Take initial letters = itelitbwsoti
Capitalize vowels = ItElItbwsOtI
Add some digits = 9ItElItbwsOtI4
Add some punctuation= !9ItElItbwsOtI4?

And there you have a highly secure 16 character password that is fairly easy to remember but would be almost impossible to decrypt.

It is also absolutely essential to use a different password on every web site. One very common scam is for a hacker to set up a convincing looking site that requires people to register. They can then capture your username, password, and email address, and try these details on common sites such as hotmail, gmail, facebook etc.

If you can't remember all the passwords then store them in an encrypted form that is easy to access. Even a password protected word document is better than nothing.
StuartR


ChrisJakarta
StarLounger
Posts: 97
Joined: 05 Feb 2010, 11:06
Location: Jakarta, Indonesia

Re: Gawker Hack

Post by ChrisJakarta »

StuartR wrote:...It is also absolutely essential to use a different password on every web site...
Get idea Stuart, but...

I have 164 places where I need a username and password. My addled brain has no chance at all of remembering 164 usernames and 16-character passwords. I think we all know it is absolutely essential, but we all know that it is absolutely impractical.

I think we do need to decide on a hierarchy of risk. With respect, the risk to me if my username/password for Eileen's Lounge is cracked is fairly low. The risk comes if I ALSO use this combination for my bank. I tend to use a standard username/password combination for all such low-risk situations, which covers about 80% of the web sites I access. Then I take much greater care with the remaining 20% where there is a real risk.

This is certainly more practical. Is it really a risk?

Chris

User avatar
HansV
Administrator
Posts: 79447
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Gawker Hack

Post by HansV »

As long as you don't use the same password for your bank as for "low-risk sites" it's OK. And don't use the same password for two "high-risk" sites.
Best wishes,
Hans

User avatar
StuartR
Administrator
Posts: 12808
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Gawker Hack

Post by StuartR »

ChrisJakarta wrote:...This is certainly more practical. Is it really a risk?...
Your approach is certainly a reasonable compromise.

The trouble with the idea of the "low risk" category is that many sites store your full name, address, email address and possibly credit card details.

I find it easy enough to store all my passwords in a single encrypted document, and to have a different password for each site. The same document includes the URL for the site and other helpful information, so it is quite convenient for me to decrypt it when I need to.
StuartR


User avatar
HansV
Administrator
Posts: 79447
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Gawker Hack

Post by HansV »

I use an encrypted Excel workbook for this purpose, with hyperlinks to the sites.
Excel uses 128-bit AES encryption nowadays, a lot better than the simple and easily cracked algorithm used in early versions.
Best wishes,
Hans

User avatar
BobH
UraniumLounger
Posts: 9534
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Gawker Hack

Post by BobH »

Thank you for the responses, folks.

The information on password protection is interesting. I like the idea of having an encrypted file (excel) where I can store and retrieve passwords. It will make it much easier to use pw's that have nonsense strings of characters and to keep up with userids. That whole idea seems feasible and eminently doable; however, when I tried to create and encrypt the Excel file, I ran into problems. I had a few problems encrypting the file and saving it. I wanted to use a strong, long key; so I created one in notepad thinking I would be able to copy it and not have to worry about phat phingering the double entry. Alas, the fields allowed for entering the key would not allow me to paste data from the clipboard. My Excel is quite old (2002/SP3). Perhaps this has been overcome in later versions. Eventually I was able to key in 2 very long strings of nonsense characters alike and saved the encrypted file. Now, upon opening the file, I find I cannot paste the long string - which I stored in yet another encrypted file but with a much simpler password - into the key panel. Is there a work around to the pasting process? It seems to me that this is a Catch-22 conundrum.

But back to the OP. My original questions haven't been answered. Can anyone tell me exactly what my Firefox browser sends when I type in a URL or click a link icon? Of course, the addressed URL is sent and I suppose that my IP address is sent along with time, date and packet information; but what else? I'd really like to understand this. And, while I know that what comes back is controlled by the sender - and varies in content and lenght, I would like to know what constitutes a minimum response.

The other question was about cookies, specifically third party cookies. I know that cookies as text files that contain information placed in them by the sender. I can see how - in a simple 2 party message exchange - the responding resource creates a text string that my browser must recognize as a cookie and store it in the appropriate place for the browser. How does my browser recognize that the text string is a cookie? This must be a universal id because I don't think the responding resource knows what browser I'm using (does it?). Then, extending the question, if the resource I addressed in the URL forwards my message to one or more logical (I'm not going to complicate this by trying to address the physical layer) addresses - who might in turn forward that message to one or more logical addresses - I can see how multiple third party cookies might be created; but it seems that the original addressed resource must then either pass those cookies along or store them in his browser or messaging software. What I'd like to know is something about the protocol(s) for passing those cookies and identifying them as third (or other party) cookies so that my browser knows that they are third (or other) party cookies. Firefox has to parse this, I think, because there are option controls for handling third party cookies.

Is it all alchemy requiring 3 of Merlin's lifetimes to serve the apprenticehip? I suspect that there is a governing body that defines these protocols and I'm sure that it must take years of study and certification to understand it all. I'm just looking to learn about the little pieces that have to do with cookies. If someone could tell me or point me to a wiki or a web page, I'd be grateful as I've been unsuccessful googling on my own.

Rsptfly, yr obt svt
BobH
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs

User avatar
StuartR
Administrator
Posts: 12808
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Gawker Hack

Post by StuartR »

I often find that I can paste using the keyboard combination Control-V, even though there is no right click menu or paste button.
StuartR


User avatar
StuartR
Administrator
Posts: 12808
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Gawker Hack

Post by StuartR »

BobH wrote:...The other question was about cookies......
Try reading the Unofficial Cookie FAQ.
StuartR


User avatar
HansV
Administrator
Posts: 79447
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Gawker Hack

Post by HansV »

Your browser sends a so-called user agent string that provides information about your browser and operating system. For example, this is the user agent string I send when I use Firefox:

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

This tells websites I visit that I'm using Windows 7 and the US English version of Firefox 3.6.13. It's possible to send a "faked" user agent, by the way - Opera offers this option, for compatibility reasons.

I don't know exactly how cookies work, but they are identified by the URL of the website. So a Lounge cookie is named eileenslounge.com (Firefox shows several parts of this cookie). Blocking 3rd party cookies means that the browser allows a site to create a cookie for its own URL only.

See Stuart's link.
Best wishes,
Hans

User avatar
BobH
UraniumLounger
Posts: 9534
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Gawker Hack

Post by BobH »

Excellent!

Thank you, Stuart. :cheers: :cheers:

The ctrl-v works a treat.

I'm off to read the cookie FAQ.

I've also found some wiki.

Thank you, both, again!

rspfly, yr obt svt

BobH
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs

ChrisJakarta
StarLounger
Posts: 97
Joined: 05 Feb 2010, 11:06
Location: Jakarta, Indonesia

Re: Gawker Hack

Post by ChrisJakarta »

StuartR wrote: Your approach is certainly a reasonable compromise.

The trouble with the idea of the "low risk" category is that many sites store your full name, address, email address and possibly credit card details.
II don't think I'd consider sites that store my credit card details as "low risk'. But most of the sites I access are like the Lounge, for which I provide minimum information, usually only E-mail address, sometimes location. I do not feel these require strong and individual passwords.
StuartR wrote: I find it easy enough to store all my passwords in a single encrypted document, and to have a different password for each site. The same document includes the URL for the site and other helpful information, so it is quite convenient for me to decrypt it when I need to.
Although there are other dedicated programs for this purpose, I have found the free Keepass suits me fine for storing my passwords, and I think it is more flexible than an Excel file.

Chris

User avatar
Sundog
5StarLounger
Posts: 704
Joined: 28 Jan 2010, 22:47
Location: Alien Country (Roswell NM)

Re: Gawker Hack

Post by Sundog »

StuartR wrote:I have found the free Keepass suits me fine for storing my passwords, and I think it is more flexible than an Excel file.
Does it allow input of a URL for easy access to websites? I like this feature, which I use in an Excel spreadsheet (like Hans). I also put notes, phone numbers, expiration dates, and other misc. stuff in the spreadsheet.
Sundog

User avatar
BobH
UraniumLounger
Posts: 9534
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Gawker Hack

Post by BobH »

Howdy neighbor!

Yes, the software includes all that. There is a large panel for notes. Also, you can open a website from KeePass and it will provide the URL, username, pw to get you in. (At least it seems to be working for me.) It will also generate passwords as long and complex as you want with a single click. Of course, you have to change your user info to use the new pw on the website.
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs

User avatar
Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: Gawker Hack

Post by Argus »

During the years I've most of the time used cookie white lists, thus I’ve not been collecting cookies from all around the net. And I've not had any problems with blocking third party cookies. If using that scheme, white lists, one sometimes has to set it up so that it doesn't block cookies related to a secure login etc. I.e. remove the "www." part or use some asterisk; such as "*.somesite.xyz", or simply “somesite.xyz" since they may use: "www.somesite.xyz" and "secure.somesite.xyz" etc.; and if you only accept cookies (for the session or permanently) from "www.somesite.xyz" there may be problems setting a cookie for a related address.

As for safe surfing; as mentioned at several places, among them at Steve Gibson's site, at the ShieldsUP! test page; the computer/router isn't only associated with an IP address, there's also a "reverse DNS"; i.e. the domain etc. associated with that address. Part of it is unique for that particular connection, and if it is related to your account at the ISP, not the IP address, then it will not change when your IP address changes. Thus follow you around the net even if the IP address is changed. However, since most home users have dynamic IP addresses this string is usually related to their IP address. Then it's not a problem.

I agree with Hans and Stuart; it's necessary to use different username & password combination on different sites. And if one uses many, as Chris, one can perhaps categorize the sites.
Byelingual    When you speak two languages but start losing vocabulary in both of them.

JoeP
SilverLounger
Posts: 2133
Joined: 25 Jan 2010, 02:12

Re: Gawker hack

Post by JoeP »

@BobH - The HTTP specification is quite extensive. If you are really interested in the complete specification you can see it at W3C.org - HTTP 1.1. You'd be interested in sections 4.2 & 14 for header information.

Joe
Joe