The recent publicity about Kanye West’s e-mail account being hacked made me think about how one account can lead to so many more. A quick scan through anyone’s Gmail account is likely to show various welcome e-mails from other accounts such as twitter and facebook.

These accounts are linked to an e-mail account for alerts or password reset functions. Sometimes the welcome e-mails will show the full credentials that the user signed up with, sometimes just the username. Most websites will have a password reset functions that sends an e-mail to the users e-mail account so a hacker could quite easy perform this operation once the first account is hacked.

So you can see if someone has an account they generally use for signing up to other websites, one hack will definitely lead to more compromise.

What can you do? This is a tricky one. Until more websites ask for security information during reset functions and stop sending credentials in e-mails this will always be a problem. The real advice is to make sure you protect your e-mail as much as possible and use good quality passwords that can’t easily be guessed. Avoid any computer that isn’t your own, particularly Internet cafes and public computers which are likely to harbour key logging software. The use of third factor authenticaiton such as token is also highly recommended where available.

Kanye West says someone has taken control of his Twitter. Not to mention his Gmail and MySpace accounts.

The rap star says that someone is using all three services to spread false reports, including one that claimed he was open to launching a new career as a bisexual porn star.

“Now somebody has been hacking into my MySpace and somebody’s actually hacked into my personal Gmail account and has been emailing people from it,” West wrote in a posting on his blog. “Hey world, I no longer have a Gmail!”

http://www.theregister.co.uk/2009/01/26/kanye_west_hacked/

Being an ethical hacker for 10+ years usually raised a few eyebrows when answering the ‘what do you do for a living’ question. People have a genuine interest in what’s seen as a secretive and bizarre cyber world. During these conversations it seems most computer literate people are now fully aware of Anti-Virus and Firewalls and the need for security software but are completely unaware of some of the latest and most sophisticated nasties.

Local attacks as I’ll categorise these nasties are vulnerabilities within software packages such as Microsoft Office, Adobe PDF reader and Flash player. We first saw these being used to target specific individuals in powerful and influential positions but are now being used for widespread use.

Simply by opening a hackers Word or PDF document for example you could give them full access to your beloved laptop. This principle also stands if you browse a website with an exploit written into the code. I have some great examples of these nasties downloaded from the Internet or created with a hacking/exploit toolkit which is readily available on the web called Metasploit. Anti-virus software will generally not touch these files and often gets disabled when they execute their payload.

No single software package can protect against these issue now matter what the vendors would have you believe.

Just be aware next time you open document from an unknown source or browse an erhhh non-corporate Internet site you might leave yourself open for attack.

Twitter could arguably be the facebook’esk Internet phenomenon of 2008 with millions of information hungry users tracking their favourite friends and organisations through a series of status updates.

As with many new fads the early technology rarely accounts for security until they get hacked. Twitter is no exception, some notable names including Britney spears had their accounts hijacked this week in what appears to be simple password guessing attack on an Twitter admins account.

This old school hack uses a principle of trying many password combinations until the right one is found, usually with the use of a simple script or tool. Twitter accounts do not enforce any password lockouts, policies or the use of CAPTCHA (those annoying wiggly letters you have to type in) making them prone to this kind of attack. The use of a decent password however would have stopped this attack in its tracks. Passwords should be of 8 or more characters, uppercase, lowercase, numbers and special characters.

Base them around a saying to make them more memorable for example $RobRul3s007$ which is my twitter password (joking) which is very unlikely to ever be found in this kind of attack.

The alleged photos are of William and Kate swimming intimately, cuddling, and making out. According to a London newspaper The Sun, two men, John and George contacted them in an attempt to sell the photos.

http://www.hollywire.com/celebrity-scandal/prince-williams-intimate-photos-are-stolen/

Following the hack, screenshots of Mrs Palin’s messages, inbox, pictures and address book were posted to the Wikileaks whistle-blowing site. It is thought the attackers exploited the password resetting system of Yahoo’s e-mail service.

Details about Mrs Palin’s life pulled from public sources reportedly helped defeat security questions.
http://news.bbc.co.uk/1/hi/technology/7624809.stm