
Gmail accounts being hijacked like crazy

My gmail account got compromised yesterday. But no emails were sent out so maybe I caught it right as it happened. I immediately changed my password to something even more complicated (twice as long as before and threw in some extra symbols).
 
Please stop posting.

Never! Why? just mad cause I know what it means along with https. I would just think it would be ridiculous to go out and preach this great thing that you wouldn't even know anything about it. He talks like he knows what he's talking about so i'm just trying to find out how much he actually does know.
 
I don't have a whole lot of respect for spidey07 in general but with regards to networking he knows his shit.

me too, i'm certified, and i'm studying for another one, here's one of the questions on the study guide

Which item can easily create an unencrypted tunnel between two devices?
A. PPTP
B. AES
C. L2TP
D. HTTPS
Answer: C

Well would you look there it don't say that https is unencrypted
 
me too, i'm certified, and i'm studying for another one, here's one of the questions on the study guide

Which item can easily create an unencrypted tunnel between two devices?
A. PPTP
B. AES
C. L2TP
D. HTTPS
Answer: C

Well would you look there it don't say that https is unencrypted

I'll paste it again so you can understand just one of the reasons WHY people are telling you to stop posting.

http://www.thoughtcrime.org/software/sslstrip/

Your data is only as safe as the network it is on, and since you really have no control over which networks your data passes over you have no idea if someone is hijacking your SSL session unless you know what to look for or the hijack is rather shitty.
 
me too, i'm certified, and i'm studying for another one, here's one of the questions on the study guide

Which item can easily create an unencrypted tunnel between two devices?
A. PPTP
B. AES
C. L2TP
D. HTTPS
Answer: C

Well would you look there it don't say that https is unencrypted

This is why certification exams that only use multiple choice are worthless.
 
Never! Why? just mad cause I know what it means along with https. I would just think it would be ridiculous to go out and preach this great thing that you wouldn't even know anything about it. He talks like he knows what he's talking about so i'm just trying to find out how much he actually does know.

I was warning people on what is possible using HTTP which is sent in the clear, over the air, can be read by anybody in range of your wireless client or the access point. Hence why one should use HTTPS/SSL and verify the cert is good.

I then went on to explain there are programs to do a man in the middle attack on SSL which crusty even explained further even giving the name of this tool. So as a public warning to people that may not know, don't trust public wireless hotspots for any sensitive communications.

And also as a public warning, don't listen to people who don't know what they are talking about.
 
I log into Gmail this morning and it says my account has been disabled. I go through the process of proving it's me and then see some sent emails to my friends that contain only a link. I have no idea where the link goes b/c I didn't click any of them.

I immediately changed my password and sent emails to those that received the hijacked spam links.

I am very careful about phishing sites and clicking on questionable links. I seriously doubt the hijacking was on my end. Is it possible Google is to blame for this? Normally I'd say, "No, I'm a moron, I clicked on something I shouldn't have," but at least 5 other people I know (none of whom are the ones my hijacked account sent emails to) had their account hijacked this morning.

Any insight as to what's going on? Anyone else get hijacked?

my friends got jacked as well 2 weeks ago and she has a G1 android.
 
Once again, I'm continually amazed at people using the word "hacked" as a legitimate stand-in for having poor password security.

my friend who got compromised uses pass phrases not passwords. something like "I love chocolate cake at 6AM!"
 
Never! Why? just mad cause I know what it means along with https. I would just think it would be ridiculous to go out and preach this great thing that you wouldn't even know anything about it. He talks like he knows what he's talking about so i'm just trying to find out how much he actually does know.

lol, you are a classic example of a boot-camp paper cert. Spidey has more real world networking security experience in his toe cheese than you will ever have.

seriously stop posting until you can stop barfing up brain dumps. you just may learn something useful.
 
Wow, and I thought it was some fluke thing. Happened to my professional job hunting email account with Google. I noticed only one email was sent out however probably because I rarely use the account.
 
I was warning people on what is possible using HTTP which is sent in the clear, over the air, can be read by anybody in range of your wireless client or the access point. Hence why one should use HTTPS/SSL and verify the cert is good.

I then went on to explain there are programs to do a man in the middle attack on SSL which crusty even explained further even giving the name of this tool. So as a public warning to people that may not know, don't trust public wireless hotspots for any sensitive communications.

And also as a public warning, don't listen to people who don't know what they are talking about.

Please explain this to me as if I were a kindergartener. Is it safe to access sensitive accounts (like bank account websites) using HTTPS over a public WiFi?
 
Please explain this to me as if I were a kindergartener. Is it safe to access sensitive accounts (like bank account websites) using HTTPS over a public WiFi?

personally i would never do that. i view all public wifi hot spots as a party line and you have no idea who is listening.
 
Please explain this to me as if I were a kindergartener. Is it safe to access sensitive accounts (like bank account websites) using HTTPS over a public WiFi?

I would never do it. It's the fact that you can't trust the network so you can't trust that your connection is secure. Pulling off a successful MITM SSL hijack isn't as easy as it sounds, but it's always a possibility, especially on networks you can't trust. That doesn't mean that the network operators aren't running their own SSL proxy to decrypt the traffic either, although I highly doubt many 'public hotspots' deploy such technology.

It's generally easier to get someone's personal info through social engineering and more traditional spyware attacks than through an SSL hijack.

That being said, is it absolutely important that you must know your exact account balance while sitting in starbucks? Simple due diligence can avoid most problems.
 
Is it safe to use a public wifi to RDP into your desktop at home and surf on the desktop?

Depending on the RDP/VNC version, it will most likely send your username/password in plain text across the network. If you want to be secure on a public Wi-fi you need to be able to tunnel your entire network access to a secure network. Any traffic that leaks outside of the tunnel would help an attacker get access, including DNS requests.

Depending on what I'm doing, I usually tunnel a SOCKS proxy over SSH to my laptop and using firefox you can tunnel your DNS requests through it as well. If I need more general protection I'll fire up a VPN to my home or office.
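
The setup described in the post above, checked in code. This is an added example, not part of the original post: it reads a Firefox `prefs.js`/`user.js` and reports any setting that would let browser traffic or DNS lookups escape an SSH SOCKS tunnel. The port 1080, the host name in the comment and the sample profiles are assumptions; the pref must be set explicitly because its default differs between Firefox versions.

```python
import re

# Tunnel assumed to be opened with: ssh -N -D 1080 user@home.example
# (home.example and port 1080 are placeholders, not values from the thread).

# One line of a Firefox prefs.js / user.js file.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {pref name: bool | int | str} for every user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def tunnel_findings(prefs, expected_port):
    """List every setting that lets traffic or DNS leave the SOCKS tunnel."""
    findings = []
    if prefs.get("network.proxy.type") != 1:  # 1 = manual proxy configuration
        findings.append("proxy type is not manual: traffic bypasses the tunnel")
    if prefs.get("network.proxy.socks") not in ("127.0.0.1", "localhost", "::1"):
        findings.append("SOCKS host is not the local end of the SSH tunnel")
    if prefs.get("network.proxy.socks_port") != expected_port:
        findings.append("SOCKS port does not match the ssh -D port")
    if prefs.get("network.proxy.socks_remote_dns") is not True:
        findings.append("DNS is resolved locally and leaks onto the Wi-Fi")
    return findings

# Constructed sample profiles (not taken from any real machine).
LEAKY_PREFS = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_remote_dns", false);
'''
TUNNELED_PREFS = LEAKY_PREFS.replace("false", "true")

if __name__ == "__main__":
    for label, text in (("leaky", LEAKY_PREFS), ("tunneled", TUNNELED_PREFS)):
        print(label, tunnel_findings(parse_prefs(text), 1080) or "OK")
```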
 