Spam Nation (31 page)


Authors: Brian Krebs

Tags: #Political Science, #Security (National & International), #Business & Economics, #Industries, #Computers & Information Technology, #Pharmaceutical & Biotechnology

If you’ve purchased software, it’s likely that the license keys to those software titles are stored somewhere in your email messages. Do you use online or “cloud” file storage services like Dropbox, Google Drive, or Microsoft SkyDrive to back up or store your pictures, files, and music? The key to unlocking access to those files also lies in your inbox.

And worst of all, if your webmail account gets hacked and was used as the backup account to receive password reset emails for one of your other accounts, guess what? Attackers can now seize both accounts.

Hopefully, it’s clear by now that keeping thieves out of your inbox is worth making the effort to take a few precautions. Fortunately, some simple tips and actions can help you maintain control over your email account—as well as lock down the system you use to access that account.

Until recently, some of the web’s largest providers of online services offered little security beyond requiring you to enter a username and password. Increasingly, however, the larger providers have moved to enabling multifactor authentication to help users avoid account compromises. Gmail.com, Hotmail/Live.com, and Yahoo.com all now offer multistep authentication that users can and should use to further secure their accounts. These typically involve the sending of a numeric code via text message or smartphone app that needs to be entered along with your username and password. The code is sent and requested any time a suspicious login is detected—such as a login attempt from a computer or Internet address not normally associated with your account.

Dropbox, Facebook, and Twitter offer additional account security options beyond merely encouraging users to pick strong passwords. To check if your email or social network or other communications provider allows you to supplement your account security with two-factor authentication, check out the website twofactorauth.org. If your provider is listed with a check mark, click the icon under the “Docs” column next to that provider for a link to instructions on how to configure and enable this feature.

Password Madness

Enabling two-factor authentication is a good way to increase your account’s security, but if you’re relying on crummy passwords to begin with, you’re still dangerously exposed. Plus, not every important service or site offers two-factor protections yet. Hardly anybody likes passwords—they can be such a pain to remember sometimes—but unfortunately we are stuck with them until we come up with stronger, more hacker-proof methods of securing our information.[17]

Here are a few tips for creating strong passwords. Take a moment to review these tips and tools, and consider strengthening some of your passwords if they fall short.

If you’re like me—and really detest passwords but recognize that life is too short to try to remember hundreds of them—it may be a good idea to consider a password manager. These are computer programs or online services that can help users not only pick and use much stronger passwords, but better safeguard them as well. They do so by using strong encryption to store your passwords.

If you want help picking strong passwords but don’t trust that you can remember such cryptic and lengthy ones as “#$DG3dcLqziI%&*wp,” then good news: password manager programs are built to do that for you. Nearly all of them hook into your browser and handle the retrieval and insertion of your passwords when you visit a site at which you’ve previously asked the program to remember your password. All you have to do is create and remember a single, strong “master password” that you’ll be asked for when you visit one of these sites.

Some of the more popular password management tools include KeePass, Password Safe, and RoboForm. LastPass is another excellent option that works entirely online. (It does not require special software to be installed on your computer, so you can access your passwords no matter which machine you’re on—including your smartphone.)

If you prefer to pick and manage your own passwords—or if you just need a really good one to use as your master password in a password manager program—here are a few tips for avoiding crummy passwords:


Create unique passwords that use a combination of words, numbers, symbols, and both upper- and lower-case letters.


Do not use your network username as your password.


Don’t use easily guessed passwords, such as “password” or “user.”


Do not choose passwords based upon details that may not be as confidential as you’d expect, such as your birthday, your Social Security or phone number, or names of family members or pets or anything else you post about on social media. (The bad guys use Facebook, Twitter, and Instagram too!)


Do not use words that can be found in the dictionary. Password-cracking tools freely available online often come with dictionary lists that will try thousands of common names and passwords. If you must use dictionary words, try adding a numeral to them, as well as punctuation at the beginning or end of the word (or both!).


Avoid using simple adjacent keyboard combinations. For example, “qwerty” and “asdzxc” and “123456” are horrible passwords that are trivial to crack.


Some of the easiest-to-remember passwords aren’t words at all but collections of words that form a phrase or sentence, perhaps the opening sentence to your favorite novel or the opening line to a good joke. Complexity is nice, but length is key. Picking an alphanumeric password that was eight to ten characters in length used to be a pretty good practice. These days, it’s increasingly affordable for hackers and spammers to build extremely powerful and fast password-cracking tools that can try tens of millions of possible password combinations per second. Just remember that each character you add to a password or passphrase makes it an order of magnitude harder to attack via brute-force methods like this.


Avoid using the same password at multiple websites. It’s generally safe to reuse the same password at sites that do not store sensitive information about you (like a news website or discussion forum), provided you don’t use this same password at sites that are sensitive.


Never use the password you’ve picked for your email account at any online site. If you do, and an ecommerce site you are registered at gets hacked, there’s a good chance someone will be reading your email soon.


Whatever you do, don’t store your list of passwords on your computer in plain text. That’s like handing your identity over to cybercriminals if your computer gets hacked. My views on the advisability of keeping a written list of your passwords have evolved over time. I tend to agree with security expert Bruce Schneier when he advises users not to worry about writing down passwords and having someone stumble across them in real life. Just make sure you don’t store the information in plain sight. The most secure method for remembering your passwords is to create a list of every website for which you have a password and next to each one write your login name and a clue that has meaning only for you. If you forget your password, most websites will email it to you (assuming you can remember which email address you signed up with).
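The tips above can be checked mechanically. The following Python audit is an added example, not taken from the book: it tests a candidate password against the username, dictionary, personal-detail, and keyboard-run tips and estimates exhaustive-search time. The word list, the function names, the 50-million-guesses-per-second rate, and the 100-year threshold are all assumptions chosen for illustration.

```python
import string

# Constructed sample data (assumptions, not from the book): a real check would
# load a full cracking word list rather than this handful of entries.
COMMON_WORDS = {"password", "user", "letmein", "welcome", "dragon"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]
GUESSES_PER_SECOND = 50_000_000      # assumed value for "tens of millions"
MIN_SECONDS = 100 * 365 * 86400      # assumed bar: 100 years of guessing


def has_keyboard_run(pw, run_len=4):
    """True if pw contains run_len adjacent keys of one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run_len] in low
                   for i in range(len(seq) - run_len + 1)):
                return True
    return False


def brute_force_seconds(pw):
    """Worst-case time to try every string of this length over the same alphabet."""
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    # Characters outside the four ASCII classes (spaces, accents) count once each.
    alphabet += len({c for c in pw if not any(c in cls for cls in CLASSES)})
    return alphabet ** len(pw) / GUESSES_PER_SECOND


def audit(pw, username="", personal=()):
    """Return the list of tips from the text that this password violates."""
    low, findings = pw.lower(), []
    if username and low == username.lower():
        findings.append("same as username")
    if low in COMMON_WORDS:
        findings.append("dictionary word")
    if any(p and p.lower() in low for p in personal):
        findings.append("contains personal detail")
    if has_keyboard_run(pw):
        findings.append("keyboard run")
    if brute_force_seconds(pw) < MIN_SECONDS:
        findings.append("brute-forceable")
    return findings


if __name__ == "__main__":
    for pw in ["qwerty", "password", "Rex2009!",
               "It was the best of times, it was the worst of times"]:
        print(repr(pw), audit(pw, "alice", ("rex", "2009")))
```

With a lowercase-only alphabet, each added character multiplies the search time by 26, which is the "order of magnitude" effect the passphrase tip relies on.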

Keep Up to Date

All of the account security tools in the world won’t prevent your inbox or Facebook account from being hijacked if your computer gets compromised by password-stealing malware. While having antivirus software and a firewall on your system can help ward off threats, these are far from panaceas, and today’s cyberthreats are being built to evade detection by these, especially in that critical first twelve- to twenty-four-hour period after which the malware is blasted out via spam and social networking site links.

It’s important to understand that a key tenet of securing any system is the concept of “defense in depth,” or having multiple layers of security and not depending too much on any one approach or technology to block all attacks. And guess which layer is the most important one of all? You!

Memorize and practice Krebs’s “Three Rules for Online Safety,” and you will drastically reduce the chances of handing over your computer or mobile device to the bad guys. In short:


Rule 1: “If you didn’t go looking for it, don’t install it.” A great many online threats rely on tricking the user into taking some action—whether it be clicking an email link or attachment, or installing a custom browser plug-in or application. Typically, these attacks take the form of scareware or fake antivirus pop-ups that try to frighten people into installing a security scanner. Other popular scams direct you to a video but then insist that you need to install a special “codec,” video player, or app to view the content. Only install software, software updates, or browser add-ons if you went looking for them in the first place. And before you install anything, it’s a good idea to grab the software directly from the source. Sites like MajorGeeks.com and Download.com claim to screen programs that they offer for download. But just as you wouldn’t buy a product online without doing some basic research about its quality and performance—and ensuring it’s the actual product you want—take a few minutes to search for and read comments and reviews left by other users of that software to be certain you’re not signing up for more than you bargained for. Also, avoid directly responding to email alerts that (appear to) come from Facebook, LinkedIn, Twitter, your bank, or some other site that holds your personal information. Instead, visit these sites using a web browser bookmark and manage your online social networks that way. Fat-fingering a single character in a web address can lead to hostile sites set up to take advantage of typos.


Rule 2: “If you installed it, update it!” Yes, keeping the operating system current with the latest patches (from Microsoft, Apple, or Google, for example) is important, but maintaining a secure computer also requires care and feeding for the applications that run on top of the operating system. Bad guys are constantly attacking flaws in widely installed software products, such as Java, Adobe PDF Reader, Flash, and QuickTime. The vendors that make these products ship updates to fix security bugs several times a year, so it’s important to update to the latest versions of these products as soon as possible. Some of these products may alert users to new updates, but these notices often come days or weeks after patches are released. A wonderful resource for anyone feeling update fatigue is Secunia’s Personal Software Inspector, a free tool that periodically scans for and alerts users to outdated security software. The latest version also can be set to update such products automatically. FileHippo also has a nice, free update checker.


Rule 3: “If you no longer need it, remove it!” Clutter is the nemesis of a speedy computer. Unfortunately, many computer makers ship machines with gobs of bloatware that most customers never use even once. On top of the direct-from-manufacturer junk software, the average user tends to install dozens of programs and add-ons over the course of months and years. In the aggregate, these items can take their toll on the performance of your computer. Many programs add themselves to the list of items that start up whenever the computer is rebooted, which can make restarting the computer a bit like watching paint dry. It takes forever. And remember, the more programs you have installed, the more time you have to spend keeping them up to date with the latest security patches.

I hope you find these tips useful and timely. For more information about how to stay safe online—including news about the latest threats, criminal schemes, and software bugs being leveraged by the spammers and scam artists online, check out my website, KrebsOnSecurity.com. While you’re there, drop me a note and let me know what you thought of this book, using the contact form at www.KrebsOnSecurity.com/about.

17. It’s important to note that improved security and identification methods are in the works for certain digital technology and devices. Many banks in Europe, for example, put chips in their credit cards, which make the cards more difficult and costly to use for fraud. This is slowly being introduced in the United States as well. Another recent security measure worth noting is the addition of fingerprint ID technology on some phones and laptops as an option to lock or unlock them. And doubtless more is on the way.

ACKNOWLEDGMENTS

Writers tend to be a solitary lot, but they seldom produce enjoyable works with the length and complexity of a book without a great deal of assistance and patience from friends and colleagues.

Spam Nation would not have been possible without the help of several native Russian speakers who spent countless hours with me teasing out the conversations and links between various real-life characters profiled in this book. In particular, I would like to thank Alek Geldenberg, Aleksey Mikhaylov, and Maxim Suhanov for their tireless work in translating documents, emails, and chat logs, and in generally helping me connect the dots.

For their knowledge of the hacker underground and the denizens therein, my sincere gratitude goes out to Lawrence Baldwin, Adam Drake, Alex Holden, Lance James, Jon O, and Kimberly Zenz.

For helping me to extract patterns and meaning from epic truckloads of data, I am especially grateful to Damon McCoy, Stefan Savage, Brett Stone-Gross, Gary Warner (and their armies of grad students).

Joe Menn and Misha Glenny were there with encouragement and sage advice exactly when I needed it. Had it not been for the hours-long chat with Roland Dobbins in Snowmageddon 2009, I might not have had the courage to strike out on my own as an independent journalist.
Thanks of an unspecified nature go also to J.B. Snyder, a great guy who always does just what he says he’s going to do.

I owe more than I care to acknowledge for my continued physical and online safety to several folks. Chris Barton has kept me and my site online and out of trouble—even in the face of often withering attacks. Group-IB and Kaspersky Lab were instrumental in watching my back in Moscow. Various unnamed law enforcement officials have been helpful here in the States; thank you all.
