Am I hacked again?

I’m 99% sure that my domain hosting and Twitter account are under attack right now. I can’t access either account and this is almost exactly what happened in 2013 when someone hacked half a dozen of my online accounts so he could get into @ruby thinking he could sell it on a hacker forum. This didn’t go well for him, but it was also an enormous pain in the ass for me.

You can see the whole story starting here: https://lotusmedia.org/tag/hacked/page/5


If you’re not concerned about your privacy, you’re not paying attention

Cross-posted from MomsRising.org.

I don’t know about you, but the past year has been a real wake up call for me about the importance of digital security. I used to think of hackers as bored teenagers showing off for their friends, or scammers sending viruses and spam to people by the millions. But today’s online outlaws are much more sophisticated.

Not content to just blast misleading links at us, elite hackers have started spear phishing: an e-mail crafted for one specific person, using personal details that make it look genuine, and designed to get that person to click through to a look-alike website and enter their login credentials there. Some hackers also use social engineering (persuasion rather than technology) to trick people into giving away critical information that can then be leveraged to compromise accounts.

Unfortunately, we need to worry not only about obviously sensitive accounts like banking and e-mail: even seemingly inconsequential accounts can provide an opening. Once a hacker gets into any of your accounts, be it iTunes, Etsy, or Pinterest, they can use what they find there to work their way into other services.

The threat to our privacy is real, and we have seen that there are people who may target us and access our data not just for commercial purposes but for political use. People and organizations that are working for social change have every reason to be concerned about how our personal information, organizational data, and private communications might be used.

Good security is a pain to implement, but every inconvenience for us is an even bigger hassle for a would-be hacker. Start now from wherever you are, and make incremental changes to improve your personal and organizational security.

 

OK, Ruby, we’re terrified! What do we do?

There is always room for improvement of our security practices, especially as we learn more about the threats that are out there. Here are my recommendations for where to start.

 

More resources

 

Here’s your reward for making it to the end of this challenging post! Freak out and laugh and get down all at the same time with Ashley Black learning about digital security with the help of Talib Kweli and others, on Full Frontal with Samantha Bee (NSFW).

Just another reminder that the companies that profit off our content and relationships give no fucks about us

Screenshot from a friend

So my Instagram account got hacked early last week. I’m not sure when. I found out when someone sent me this screenshot on Tuesday showing my photos with a different profile, which seemed to be marketing porn.

I submitted support tickets to Instagram on Wednesday and again on Thursday but never got any reply. Strangely, a few other friends said that they were also hacked this week! But they were able to get access back in less than a day after contacting support.

Finally, I used a professional network I’m in to see if anyone had contacts at Instagram. This connected me to someone, but he was on vacation! After I bugged him, he eventually connected me to someone else, and she was able to get my account restored on Saturday afternoon. They are both political staff there, not the help desk.

I still don’t know how it got hacked so I don’t know if there was a breach at Instagram or if someone got my password. I would very much like to know, and I also find it unacceptable (but sadly not surprising) that their tech support didn’t even care to reply to me or to stop a malicious hacker compromising their platform.

This whole thing caused some unpleasant flashbacks to The Great Hack of 2013, but my security is much better now because I use truly random, computer-generated passwords (and a password manager) and I always utilize multifactor authentication when it’s an option. So I immediately changed a few passwords that were overdue anyway, but I don’t see anything else suspicious on other accounts. Still keeping a watchful eye open…

Yahoo is the weakest link – but still strong enough!

Last night, someone (probably Isolate, the same loser who did it last time) tried to hack into my online identity.

Last night I received an unsolicited password reset e-mail from Twitter. I ignored it but kept a watchful eye. A few moments later I got a slew of messages from Yahoo.

7:32pm: Password reset requested. (Ignored.)

7:53pm: ruby62@mailinator.com [a service commonly used by spammers] was added to my account.

7:55pm: My password was reset.

7:56pm: My actual e-mail address was removed from the account.

Then they took my cell phone number off the account and changed my security questions. I braced for impact, hoping that the multi-factor authentication that I added to all my accounts after being hacked in May would withstand the assault.

And it did! I sent messages to Yahoo via Twitter at 9:36pm and via their webform at 9:47pm, and at 11:35pm they acknowledged it but only via e-mail to my unused Yahoo address. It looks like someone also tried to get into an old Dreamhost account from a former client, but the account was already suspended.

Today I was able to successfully reset my password and remove all the junk settings. I already had 2-step authentication turned on for this account so I’m not sure how it got hacked anyway, but I’m glad it didn’t go too far.

Although it was very likely the same teenager from Las Vegas doing the hacking, whoever it was made it seem like they were logging in from Europe:

Screen Shot 2013-07-16 at 8.14.25 PM
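The sequence of notifications above (reset requested, throwaway recovery address added, password reset, real address removed, then phone and security questions changed) is a recognisable account-takeover pattern, and it is the kind of thing a provider could flag before the lock-out completes. The following is an added example, not code from this post or from Yahoo: it parses a small constructed event log in a made-up "timestamp kind key=value" format, walks the events looking for that exact step order inside a one-hour window, and returns a finding that notes whether the new recovery address is on a throwaway domain and which other recovery settings were touched. The log format, the helper names, the IP addresses and the disposable-domain list are all assumptions; the sample times follow the post's timeline.

```python
"""Spot an account-recovery takeover in a stream of account notifications.

Added example, not code from the post. The log format, helper names and
sample lines are assumptions, modelled on the event sequence the post
describes (reset requested, throwaway recovery address added, password
reset, real address removed).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Disposable-mail domains to treat as a red flag in a recovery address
# (short constructed list; a real deployment would load a maintained one).
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}

# The step order that turns a routine password reset into a lock-out.
TAKEOVER_SEQUENCE = (
    "reset_requested",
    "recovery_email_added",
    "password_changed",
    "recovery_email_removed",
)

# Constructed sample, modelled on the timeline in the post (times as given there).
SAMPLE_ATTACK = """\
2013-07-15 19:32 reset_requested ip=203.0.113.7
2013-07-15 19:53 recovery_email_added value=ruby62@mailinator.com ip=203.0.113.7
2013-07-15 19:55 password_changed ip=203.0.113.7
2013-07-15 19:56 recovery_email_removed value=owner@example.org ip=203.0.113.7
2013-07-15 19:58 phone_removed value=+15550100 ip=203.0.113.7
2013-07-15 20:01 security_questions_changed ip=203.0.113.7
"""

# Constructed benign sample: the owner forgets a password and resets it.
SAMPLE_BENIGN = """\
2013-07-15 08:10 reset_requested ip=198.51.100.4
2013-07-15 08:12 password_changed ip=198.51.100.4
"""


@dataclass
class Event:
    time: datetime
    kind: str
    attrs: dict


def parse_events(text: str) -> list:
    """Parse 'YYYY-MM-DD HH:MM kind key=value ...' lines, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, kind, *pairs = line.split()
        attrs = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.fromisoformat(f"{date} {clock}"), kind, attrs))
    return sorted(events, key=lambda e: e.time)


def is_disposable(address: str) -> bool:
    """True if the address's domain is on the throwaway list."""
    return address.rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS


def find_takeover(events: list, window: timedelta = timedelta(hours=1)) -> Optional[dict]:
    """Return a finding if TAKEOVER_SEQUENCE occurs in order within `window`.

    The walk restarts at every reset_requested so that an old, harmless
    reset is not glued to a later attack.
    """
    start, step, matched = None, 0, []
    for ev in events:
        if ev.kind == TAKEOVER_SEQUENCE[0]:
            start, step, matched = ev.time, 1, [ev]   # (re)start the sequence
            continue
        if start is None or ev.time - start > window:
            continue
        if ev.kind == TAKEOVER_SEQUENCE[step]:
            matched.append(ev)
            step += 1
            if step == len(TAKEOVER_SEQUENCE):
                break
    if step < len(TAKEOVER_SEQUENCE):
        return None
    new_addr = matched[1].attrs.get("value", "")
    # Other recovery settings touched in the same window (phone, questions, ...).
    extra = [e.kind for e in events
             if start <= e.time <= start + window and e.kind not in TAKEOVER_SEQUENCE]
    return {
        "started": matched[0].time,
        "completed": matched[-1].time,
        "new_recovery_email": new_addr,
        "disposable_recovery_email": is_disposable(new_addr),
        "other_changes": extra,
        "source_ips": sorted({e.attrs.get("ip", "?") for e in matched}),
    }


if __name__ == "__main__":
    for label, sample in (("attack", SAMPLE_ATTACK), ("benign", SAMPLE_BENIGN)):
        print(label, find_takeover(parse_events(sample)))
```

The benign sample (reset requested, password changed, nothing else) produces no finding, which is the point: a reset by itself is normal, and it is the recovery-address swap plus the removal of the owner's real contact details that distinguishes a takeover. A provider acting on such a finding would hold the removal of the last original recovery channel for confirmation from that channel, which is also what a second factor bought the author here.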

How to tell my story

I have finally finished compiling my detailed timeline of how I got hacked and then unhacked myself. It includes the exact times that I received password reset messages, when I wrote to support, when they wrote back to help, when they gave me the finger, etc.

I’ve got it all in a spreadsheet.  Now, how can I display this publicly? I’d love to make a timeline like this http://www.simile-widgets.org/timeline/ Or is there a Google widget I could connect to a Google Doc Spreadsheet?

This would also make great fodder for any reporter who wants to help people understand and avoid this, and/or to write about how shockingly unresponsive certain companies can be (cough, Twitter) when their own services are compromised.

Choose ONE: Hootsuite or Twitter verification


So, on Monday I attended an historic protest at the North Carolina General Assembly.  My phone was in-hand nearly the entire time (see goofy pic), as my main goal was documenting the civil disobedience and arrests of five elected officials from Orange County, NC. However, I found myself only able to retweet others from the Hootsuite app I use on my Android phone. I could post with other apps like Instagram, but my tweets (as @ruby and as @orangepolitics) just sat in Hootsuite’s outbox.

In the chaos of the day I chalked this up to the ongoing tangle left by last week’s hacking, so today while I was at a computer I made sure to fully authorize Hootsuite using the 2-step verification that I enabled for @ruby about a week ago. It seemed to work. This evening I tried again to use Hootsuite from my phone and found that I still can’t send from any of my Twitter accounts. So I asked @hootsuite, and amazingly, they said:

We are unable to guarantee full functionality with Twitter 2-step verification at this time. ^TF

https://twitter.com/HootSuite_Help/status/342457146727862272

Now I know that Twitter only enabled this feature less than 2 weeks ago, but here I am – a paying customer of Hootsuite (through work) – and now that I have enabled better security on ONE of my accounts, I can no longer post tweets from ANY of my accounts from my phone.

Amazed again that huge companies that rely on their web services don’t seem to care much about the security of their accounts. They should be pushing US (customers/products) to get more secure, not the other way around!

Doing the 2-step

So right after my Twitter account was hacked I learned that Twitter had finally implemented 2-step authentication just days earlier. I have now turned it on, of course.

But the really gigantic part of getting hacked was losing control over my entire Dreamhost account including several websites, e-mail addresses, and domain names.  Today I learned that Dreamhost also offers 2-step authentication. But they are not doing much to encourage people to use it. I Googled and was able to find these instructions and am so relieved to have this in place now.

I already had this enabled for Google and Facebook, but now that I’m looking at it, there are many other services that offer 2-step (a.k.a. 2-factor) authentication, including Dropbox and Paypal. LinkedIn just started using it this week. I’m a little annoyed that I had to go looking to find out about many of these.

So here’s my list so far who supports 2-step:

  • Google
  • Facebook
  • Twitter
  • Dreamhost
  • LinkedIn
  • Dropbox
  • PayPal/eBay

Did I forget any? The best way to find out if your favorite web service supports this is to Google “2-step” and the name of the service.

Twitter <3's hackers, apparently

I think this makes it pretty clear how seriously Twitter takes their security: The guy who hacked my account is still happily tweeting away about the latest social engineering methods and how it was my fault that he hacked into my personal accounts so he could try to sell @Ruby on hackerforum.net. 

Better late than never, Twitter added two-step authentication for accounts last month, but it’s clear they aren’t really concerned about their users when they do nothing to help protect users like me or @Mat, even when we know people are targeting us, and let genuine security risks chill out indefinitely.

twitter.com/isol8te

Please share this post if you agree that Twitter should take action against “Isolate” and any users who are known to have hacked other people’s Twitter accounts in the past.