Gawker Hack
-
- UraniumLounger
- Posts: 9534
- Joined: 13 Feb 2010, 01:27
- Location: Deep in the Heart of Texas
Gawker Hack
Sometimes I feel like a 6-year old: big enough to play outside but too naive and uneducated to know what is dangerous.
The news this week of the Gawker hack made me realize how little I know about what happens to one's identifying data when one visits websites. The more I read, the more I realize I don't know and the more confused I become. Out of an abundance of caution, I cancelled a couple of gmail accounts I've had. I even found out that there is a web site where one can check to see if one's email addy or user name was compromised (http://www.didigetgawkered.com/; mind that I don't know how safe it is to use this but came across the information from an Infoworld article).
So, because I don't know, there just might be others out there who are in the boat with me; therefore I thought I'd ask some of the cognoscenti here to help us understand what happened in the Gawker hack and what steps one should take to safeguard - as much as one can - one's identity and passwords whilst web surfing. For example, I read that the Gawker database contained (or might have contained, I'm not sure) multiple usernames, email addresses, and passwords for a user, though how it got them I don't understand. (Just one point of my ignorance.) If that information were compromised, it could be used by anyone who had access to the information to represent themselves as me. OK, I use 5 or 6 different identities (email addys, usernames, passwords, etc.) on different sites. Although I'm open here (BobH stands for Bob Hutchins and my signature indicates the town I live in), there are other sites - mostly news sites where I comment and editorialize (no smut) - where I use noms de surfing. Is it possible that if I signed into one of those sites and it logged my id data (including IP address), that other identities could be discovered and stored in that database? Surely they could not discover my usernames and passwords from other sites using just an IP address, could they?
One of the things I don't understand at all is third party cookies. I presume that this is a cookie that one acquires through unsafe computing or some such. My guess is that if I buy something through, say Amazon, which then passes me to another website to enter the order, I get cookies from Amazon and whomever they send me to. Given our thread about corrupted cookies, I'd prefer not to go to Chicago, as it were. Therefore, I went into my browser (Firefox) and changed the options to disallow third party cookies. But I don't know what effect that action has, if any. Again, I'm demonstrating my ignorance in the hope that some of you kind souls will help me overcome it.
In addition to the answers to the admittedly broad questions above - how do sites garner multiple groups of identifying data and what is going on with third party cookies - I'd like to see a well written article that takes users through what nodes in the Internet might be doing with data each time one visits a site and more specifically what data - at a minimum - might be stored when one registers on a web site (realizing that much of it depends on what the user chooses to provide). IOW, I'd like to know how to practice safe computing. What prophylaxis - by way of browser settings, caution in using pw's, userids, etc - is/are effective but still allow one to enjoy web surfing? Maybe there's a "? for Dummies" book I need to read or someone might recommend a good web article - or better yet, one of you cognoscenti might write one.
Ignorantly, but with highest regards,
I remain yr obt svt,
Bob H
Bob's yer Uncle
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs
(1/2)(1+√5) |
-
- Administrator
- Posts: 79447
- Joined: 16 Jan 2010, 00:14
- Status: Microsoft MVP
- Location: Wageningen, The Netherlands
Re: Gawker Hack
If I understand the news correctly, Gawker operates several popular sites. So when their servers were hacked, investigators could match several membership databases which contain usernames, passwords, IP addresses etc. and analyze the overlap. Reasonably well-known methods were used to decrypt the passwords (but keep in mind that you have to hack the servers before you can get at the data!).
It turned out that a surprisingly large number of people use the same username and password for all sites, and that many of the passwords were very simple.
So if they know that you're registered at LifeHacker and Gizmodo (sites operated by Gawker) as User123 with password 12345, they can try logging in to, say, Twitter, as User123 with password 12345, and have a reasonable chance of getting in. If they just have a username (not all passwords were decrypted), they can still try to log in to other sites with that username and the ten most popular passwords.
If you don't have a username on one of the Gawker sites, you're probably safe.
Apart from that: don't use the same username/password combination on different sites, and don't use a password that is easy to guess.
Best wishes,
Hans
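As an added illustration (not from any poster in this thread) of the "overlap" analysis Hans describes: when two leaked membership databases store passwords as plain unsalted hashes, the same password produces the same hash in both, so reuse across sites is visible before a single password is decrypted. Per-user salts plus a slow key-derivation function remove that tell-tale. The two databases, usernames and passwords below are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data: two membership databases run by the same operator.
# User123 reused one password on both sites; User456 chose different ones.
SITE_A = {"User123": "12345", "User456": "correct horse"}
SITE_B = {"User123": "12345", "User456": "battery staple"}

ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Weak storage: one SHA-256 of the password, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Sound storage: a per-user random salt plus a deliberately slow KDF (PBKDF2)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def store(db: dict, salted: bool) -> dict:
    """Hash every password the way the site's server would store it."""
    return {
        user: salted_hash(pw, os.urandom(16)) if salted else unsalted_hash(pw)
        for user, pw in db.items()
    }


def reused_across(stored_a: dict, stored_b: dict) -> list:
    """Usernames whose stored hash is byte-identical in both leaked databases.

    With unsalted hashes this exposes password reuse without recovering a single
    password; with per-user salts the same comparison reveals nothing.
    """
    return sorted(u for u in stored_a if u in stored_b and stored_a[u] == stored_b[u])


def verify(stored_value: str, password: str) -> bool:
    """Check a login attempt against a salted record (constant-time comparison)."""
    salt_hex, _ = stored_value.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_value)


if __name__ == "__main__":
    print(reused_across(store(SITE_A, False), store(SITE_B, False)))  # ['User123']
    print(reused_across(store(SITE_A, True), store(SITE_B, True)))    # []
```

The point for a site operator is that salting is not only about slowing down guessing; it also stops an attacker from learning, for free, which of your users repeat a password elsewhere.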
-
- Administrator
- Posts: 12808
- Joined: 16 Jan 2010, 15:49
- Location: London, Europe
Re: Gawker Hack
HansV wrote: ...don't use the same username/password combination on different sites, and don't use a password that is easy to guess.
The method they used to find people's passwords would only work if you had a reasonably simple password.
To make a properly secure password you should NOT use dictionary words, even if you combine them with a couple of digits and punctuation marks. For example a password such as banana23 would be cracked in just one or two minutes using standard tools.
Think of a phrase that you can remember, use the initial letters, capitalize some letters you will remember and then add digits and punctuation marks. For example
I think Eileen's lounge is the best web site on the internet
Take initial letters = itelitbwsoti
Capitalize vowels = ItElItbwsOtI
Add some digits = 9ItElItbwsOtI4
Add some punctuation= !9ItElItbwsOtI4?
And there you have a highly secure 16 character password that is fairly easy to remember but would be almost impossible to decrypt.
It is also absolutely essential to use a different password on every web site. One very common scam is for a hacker to set up a convincing looking site that requires people to register. They can then capture your username, password, and email address, and try these details on common sites such as hotmail, gmail, facebook etc.
If you can't remember all the passwords then store them in an encrypted form that is easy to access. Even a password protected word document is better than nothing.
StuartR
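The four-step derivation in the post above, carried through in code as an added example (not StuartR's own tool), together with a simple policy check that rejects the "dictionary word plus a few digits" shape he warns about. The small word list is a constructed stand-in for a real cracking dictionary; the digit and punctuation choices are parameters whose defaults reproduce the thread's example.

```python
import string

VOWELS = set("aeiou")

# Constructed stand-in for a cracking dictionary; a real one has millions of entries.
COMMON_WORDS = {"banana", "password", "letmein", "monkey", "dragon"}


def initials(phrase: str) -> str:
    """Step 1: take the first letter of each word, lower-cased."""
    return "".join(word[0].lower() for word in phrase.split())


def capitalize_vowels(letters: str) -> str:
    """Step 2: upper-case the vowels so the case pattern is memorable."""
    return "".join(c.upper() if c in VOWELS else c for c in letters)


def derive_password(phrase: str, digits=("9", "4"), punct=("!", "?")) -> str:
    """Steps 3 and 4: wrap the core in digits, then in punctuation marks."""
    core = capitalize_vowels(initials(phrase))
    return punct[0] + digits[0] + core + digits[1] + punct[1]


def is_word_plus_decoration(password: str, words=COMMON_WORDS) -> bool:
    """True when stripping leading/trailing digits and punctuation leaves a dictionary word.

    This is the 'banana23' shape the post warns about; it is the first pattern a
    wordlist-plus-rules check looks for, so a password policy should reject it.
    """
    core = password.strip(string.digits + string.punctuation).lower()
    return core in words


if __name__ == "__main__":
    pw = derive_password("I think Eileen's lounge is the best web site on the internet")
    print(pw, len(pw))                          # !9ItElItbwsOtI4? 16
    print(is_word_plus_decoration("banana23"))  # True
    print(is_word_plus_decoration(pw))          # False
```

The policy check is deliberately narrow: it catches only the one pattern the post names, which is enough to show why "banana23" fails while the passphrase-derived string passes.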
-
- StarLounger
- Posts: 97
- Joined: 05 Feb 2010, 11:06
- Location: Jakarta, Indonesia
Re: Gawker Hack
StuartR wrote: ...It is also absolutely essential to use a different password on every web site...
Good idea Stuart, but...
I have 164 places where I need a username and password. My addled brain has no chance at all of remembering 164 usernames and 16-character passwords. I think we all know it is absolutely essential, but we all know that it is absolutely impractical.
I think we do need to decide on a hierarchy of risk. With respect, the risk to me if my username/password for Eileen's Lounge is cracked is fairly low. The risk comes if I ALSO use this combination for my bank. I tend to use a standard username/password combination for all such low-risk situations, which covers about 80% of the web sites I access. Then I take much greater care with the remaining 20% where there is a real risk.
This is certainly more practical. Is it really a risk?
Chris
-
- Administrator
- Posts: 79447
- Joined: 16 Jan 2010, 00:14
- Status: Microsoft MVP
- Location: Wageningen, The Netherlands
Re: Gawker Hack
As long as you don't use the same password for your bank as for "low-risk sites" it's OK. And don't use the same password for two "high-risk" sites.
Best wishes,
Hans
-
- Administrator
- Posts: 12808
- Joined: 16 Jan 2010, 15:49
- Location: London, Europe
Re: Gawker Hack
ChrisJakarta wrote: ...This is certainly more practical. Is it really a risk?...
Your approach is certainly a reasonable compromise.
The trouble with the idea of the "low risk" category is that many sites store your full name, address, email address and possibly credit card details.
I find it easy enough to store all my passwords in a single encrypted document, and to have a different password for each site. The same document includes the URL for the site and other helpful information, so it is quite convenient for me to decrypt it when I need to.
StuartR
-
- Administrator
- Posts: 79447
- Joined: 16 Jan 2010, 00:14
- Status: Microsoft MVP
- Location: Wageningen, The Netherlands
Re: Gawker Hack
I use an encrypted Excel workbook for this purpose, with hyperlinks to the sites.
Excel uses 128-bit AES encryption nowadays, a lot better than the simple and easily cracked algorithm used in early versions.
Best wishes,
Hans
-
- UraniumLounger
- Posts: 9534
- Joined: 13 Feb 2010, 01:27
- Location: Deep in the Heart of Texas
Re: Gawker Hack
Thank you for the responses, folks.
The information on password protection is interesting. I like the idea of having an encrypted file (excel) where I can store and retrieve passwords. It will make it much easier to use pw's that have nonsense strings of characters and to keep up with userids. That whole idea seems feasible and eminently doable; however, when I tried to create and encrypt the Excel file, I ran into problems. I had a few problems encrypting the file and saving it. I wanted to use a strong, long key; so I created one in notepad thinking I would be able to copy it and not have to worry about phat phingering the double entry. Alas, the fields allowed for entering the key would not allow me to paste data from the clipboard. My Excel is quite old (2002/SP3). Perhaps this has been overcome in later versions. Eventually I was able to key in 2 very long strings of nonsense characters alike and saved the encrypted file. Now, upon opening the file, I find I cannot paste the long string - which I stored in yet another encrypted file but with a much simpler password - into the key panel. Is there a work around to the pasting process? It seems to me that this is a Catch-22 conundrum.
But back to the OP. My original questions haven't been answered. Can anyone tell me exactly what my Firefox browser sends when I type in a URL or click a link icon? Of course, the addressed URL is sent and I suppose that my IP address is sent along with time, date and packet information; but what else? I'd really like to understand this. And, while I know that what comes back is controlled by the sender - and varies in content and length, I would like to know what constitutes a minimum response.
The other question was about cookies, specifically third party cookies. I know that cookies are text files that contain information placed in them by the sender. I can see how - in a simple 2 party message exchange - the responding resource creates a text string that my browser must recognize as a cookie and store it in the appropriate place for the browser. How does my browser recognize that the text string is a cookie? This must be a universal id because I don't think the responding resource knows what browser I'm using (does it?). Then, extending the question, if the resource I addressed in the URL forwards my message to one or more logical (I'm not going to complicate this by trying to address the physical layer) addresses - who might in turn forward that message to one or more logical addresses - I can see how multiple third party cookies might be created; but it seems that the original addressed resource must then either pass those cookies along or store them in his browser or messaging software. What I'd like to know is something about the protocol(s) for passing those cookies and identifying them as third (or other party) cookies so that my browser knows that they are third (or other) party cookies. Firefox has to parse this, I think, because there are option controls for handling third party cookies.
Is it all alchemy requiring 3 of Merlin's lifetimes to serve the apprenticeship? I suspect that there is a governing body that defines these protocols and I'm sure that it must take years of study and certification to understand it all. I'm just looking to learn about the little pieces that have to do with cookies. If someone could tell me or point me to a wiki or a web page, I'd be grateful as I've been unsuccessful googling on my own.
Rsptfly, yr obt svt
BobH
Bob's yer Uncle
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs
(1/2)(1+√5) |
-
- Administrator
- Posts: 12808
- Joined: 16 Jan 2010, 15:49
- Location: London, Europe
Re: Gawker Hack
I often find that I can paste using the keyboard combination Control-V, even though there is no right click menu or paste button.
StuartR
-
- Administrator
- Posts: 12808
- Joined: 16 Jan 2010, 15:49
- Location: London, Europe
Re: Gawker Hack
BobH wrote: ...The other question was about cookies...
Try reading the Unofficial Cookie FAQ.
StuartR
-
- Administrator
- Posts: 79447
- Joined: 16 Jan 2010, 00:14
- Status: Microsoft MVP
- Location: Wageningen, The Netherlands
Re: Gawker Hack
Your browser sends a so-called user agent string that provides information about your browser and operating system. For example, this is the user agent string I send when I use Firefox:
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
This tells websites I visit that I'm using Windows 7 and the US English version of Firefox 3.6.13. It's possible to send a "faked" user agent, by the way - Opera offers this option, for compatibility reasons.
I don't know exactly how cookies work, but they are identified by the URL of the website. So a Lounge cookie is named eileenslounge.com (Firefox shows several parts of this cookie). Blocking 3rd party cookies means that the browser allows a site to create a cookie for its own URL only.
See Stuart's link.
Best wishes,
Hans
-
- UraniumLounger
- Posts: 9534
- Joined: 13 Feb 2010, 01:27
- Location: Deep in the Heart of Texas
Re: Gawker Hack
Excellent!
Thank you, Stuart.
The ctrl-v works a treat.
I'm off to read the cookie FAQ.
I've also found some wiki.
Thank you, both, again!
rspfly, yr obt svt
BobH
Bob's yer Uncle
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs
(1/2)(1+√5) |
-
- StarLounger
- Posts: 97
- Joined: 05 Feb 2010, 11:06
- Location: Jakarta, Indonesia
Re: Gawker Hack
StuartR wrote: Your approach is certainly a reasonable compromise.
The trouble with the idea of the "low risk" category is that many sites store your full name, address, email address and possibly credit card details.
I don't think I'd consider sites that store my credit card details as "low risk". But most of the sites I access are like the Lounge, for which I provide minimum information, usually only E-mail address, sometimes location. I do not feel these require strong and individual passwords.
StuartR wrote: I find it easy enough to store all my passwords in a single encrypted document, and to have a different password for each site. The same document includes the URL for the site and other helpful information, so it is quite convenient for me to decrypt it when I need to.
Although there are other dedicated programs for this purpose, I have found the free Keepass suits me fine for storing my passwords, and I think it is more flexible than an Excel file.
Chris
-
- 5StarLounger
- Posts: 704
- Joined: 28 Jan 2010, 22:47
- Location: Alien Country (Roswell NM)
Re: Gawker Hack
StuartR wrote: I have found the free Keepass suits me fine for storing my passwords, and I think it is more flexible than an Excel file.
Does it allow input of a URL for easy access to websites? I like this feature, which I use in an Excel spreadsheet (like Hans). I also put notes, phone numbers, expiration dates, and other misc. stuff in the spreadsheet.
Sundog
-
- UraniumLounger
- Posts: 9534
- Joined: 13 Feb 2010, 01:27
- Location: Deep in the Heart of Texas
Re: Gawker Hack
Howdy neighbor!
Yes, the software includes all that. There is a large panel for notes. Also, you can open a website from KeePass and it will provide the URL, username, pw to get you in. (At least it seems to be working for me.) It will also generate passwords as long and complex as you want with a single click. Of course, you have to change your user info to use the new pw on the website.
Bob's yer Uncle
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs
(1/2)(1+√5) |
-
- GoldLounger
- Posts: 3081
- Joined: 24 Jan 2010, 19:07
Re: Gawker Hack
Over the years I've mostly used cookie white lists, so I've not been collecting cookies from all around the net. And I've not had any problems with blocking third party cookies. If using that scheme, white lists, one sometimes has to set it up so that it doesn't block cookies related to a secure login etc., i.e. remove the "www." part or use an asterisk, such as "*.somesite.xyz", or simply "somesite.xyz", since they may use "www.somesite.xyz" and "secure.somesite.xyz" etc.; and if you only accept cookies (for the session or permanently) from "www.somesite.xyz" there may be problems setting a cookie for a related address.
As for safe surfing; as mentioned at several places, among them at Steve Gibson's site, at the ShieldsUP! test page; the computer/router isn't only associated with an IP address, there's also a "reverse DNS", i.e. the domain etc. associated with that address. Part of it is unique for that particular connection, and if it is related to your account at the ISP, not the IP address, then it will not change when your IP address changes. Thus it follows you around the net even if the IP address is changed. However, since most home users have dynamic IP addresses this string is usually related to their IP address. Then it's not a problem.
I agree with Hans and Stuart; it's necessary to use different username & password combinations on different sites. And if one uses many, as Chris does, one can perhaps categorize the sites.
Byelingual When you speak two languages but start losing vocabulary in both of them.
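Two things in this thread can be shown in a few lines of code: how a browser tells a first-party cookie from a third-party one (Hans's remark that cookies are identified by the site's domain, and BobH's question about how the browser recognises a cookie at all), and why the white-list entries in the post above behave differently for "www.somesite.xyz", "somesite.xyz" and "*.somesite.xyz". This is an added example, not code from any poster or from Firefox. The browser knows a string is a cookie because it arrives in the Set-Cookie response header; the "party" is decided by comparing the cookie's domain with the domain of the page the user navigated to. Two simplifications are assumed and marked in the code: the registrable domain is taken to be the last two labels of the host (real browsers use the Public Suffix List), and the three white-list entry shapes follow the rules described in the post rather than any particular add-on. The page URL, ad host and Set-Cookie headers are constructed.

```python
import fnmatch
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Assumption for this example: the 'site' is the last two labels of the host.
    Real browsers consult the Public Suffix List so that e.g. co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_cookies(page_url: str, response_url: str, set_cookie: str) -> list:
    """Parse one Set-Cookie header and label each cookie first- or third-party.

    The browser knows the string is a cookie only because it arrived in the
    Set-Cookie response header; the party is decided by comparing the cookie's
    domain with the domain of the page the user actually navigated to.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    page_site = registrable_domain(urlsplit(page_url).hostname)
    response_host = urlsplit(response_url).hostname
    labelled = []
    for name, morsel in jar.items():
        # Without an explicit Domain attribute the cookie belongs to the responding host.
        domain = (morsel["domain"] or response_host).lstrip(".").lower()
        party = "first-party" if registrable_domain(domain) == page_site else "third-party"
        labelled.append((name, domain, party))
    return labelled


def allowed_by_whitelist(cookie_domain: str, whitelist: list) -> bool:
    """Match a cookie domain against white-list entries of three shapes (assumed rules):
    an exact host ('www.somesite.xyz'), a bare site ('somesite.xyz', which also covers
    its subdomains), or a glob ('*.somesite.xyz', subdomains only, as in the post)."""
    domain = cookie_domain.lower().lstrip(".")
    for entry in whitelist:
        entry = entry.lower()
        if "*" in entry:
            if fnmatch.fnmatchcase(domain, entry):
                return True
        elif entry == registrable_domain(entry):
            if domain == entry or domain.endswith("." + entry):
                return True
        elif domain == entry:
            return True
    return False


if __name__ == "__main__":
    page = "https://www.eileenslounge.com/viewtopic.php"
    # Constructed headers: one from the Lounge itself, one from an embedded ad host.
    print(classify_cookies(page, page, "sid=abc123; Domain=.eileenslounge.com; Path=/; HttpOnly"))
    print(classify_cookies(page, "https://ads.tracker-example.net/pixel.gif", "uid=XYZ; Path=/"))
    print(allowed_by_whitelist("secure.somesite.xyz", ["www.somesite.xyz"]))  # False
    print(allowed_by_whitelist("secure.somesite.xyz", ["somesite.xyz"]))      # True
```

Blocking third-party cookies in the browser amounts to dropping every cookie the second function labels "third-party"; the white-list problem in the post is the first case of the third function, where an exact-host entry silently fails to cover the site's login host.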
-
- SilverLounger
- Posts: 2133
- Joined: 25 Jan 2010, 02:12
Re: Gawker hack
@BobH - The HTTP specification is quite extensive. If you are really interested in the complete specification you can see it at W3C.org - HTTP 1.1. You'd be interested in sections 4.2 & 14 for header information.
Joe
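To make BobH's two remaining questions concrete (what the browser sends for a plain page fetch, and what the smallest legal reply looks like), here is an added example, not code from any poster, that builds the HTTP/1.1 request text a browser-like client would send and parses a raw response into its status line, headers and body. The header set is a constructed minimum (Host, User-Agent, Accept, Connection, and Cookie when the client has cookies to return); the user agent string is the one Hans posted. The IP address, time and packet details BobH mentions are not in this text at all: they live in the IP and TCP headers underneath the HTTP request. The response bytes are constructed.

```python
from urllib.parse import urlsplit

# The user agent string Hans posted, used here as the client identity.
FIREFOX_UA = ("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) "
              "Gecko/20101203 Firefox/3.6.13")


def build_request(url: str, user_agent: str, cookies=None) -> bytes:
    """Bytes a browser-like client sends for a plain GET (a minimal header set).

    The IP address, time and packet details are not in here: they belong to the
    IP/TCP layers underneath, not to the HTTP request itself.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    lines = [
        f"GET {target} HTTP/1.1",
        f"Host: {parts.netloc}",      # mandatory in HTTP/1.1 (RFC 2616 section 14.23)
        f"User-Agent: {user_agent}",  # the string Hans describes
        "Accept: text/html",
        "Connection: close",
    ]
    if cookies:  # the Cookie header returns what earlier Set-Cookie headers stored
        lines.append("Cookie: " + "; ".join(f"{k}={v}" for k, v in cookies.items()))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 response into status, header list and body.

    Headers are kept as an ordered list because names may repeat: several
    Set-Cookie headers in one response is normal.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_parts = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {
        "version": status_parts[0],
        "status": int(status_parts[1]),
        "reason": status_parts[2] if len(status_parts) > 2 else "",
        "headers": headers,
        "body": body,
    }


def set_cookie_headers(response: dict) -> list:
    """Every Set-Cookie value the server sent, in order."""
    return [value for name, value in response["headers"] if name == "set-cookie"]


if __name__ == "__main__":
    req = build_request("http://www.eileenslounge.com/viewtopic.php?t=1", FIREFOX_UA, {"sid": "abc"})
    print(req.decode())
    # Constructed response: the smallest legal reply is just a status line.
    print(parse_response(b"HTTP/1.1 204 No Content\r\n\r\n"))
```

The header-field sections Joe points to (4.2 and 14 of the HTTP/1.1 specification) describe exactly the "Name: value" lines this parser splits; the minimum response is one status line followed by the blank line that ends the headers, with no header fields and no body.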