This scares me...

Omar Shahine is a program manager on Hotmail, and a pretty clued-up person. Which is why his latest blog post scares me silly.

That is what I found this evening. I believe that someone managed to issue a password reset command to my account and then somehow logged in and reset my password essentially owning my data.
and this:

update: my account just got hijacked again, minutes ago. Also so did my GMail account.

I have no idea WTF is going on here. I have only used one computer this entire time.

Seriously scary stuff, and this for a guy who is pretty technical and also highly connected with people who can help.

Alarmed by this - I had a quick check of my own situation - my stuff is pretty well backed up - to a NAS point for local backup, and then to Amazon's S3 via JungleDisk. My GMail is regularly downloaded to Thunderbird via IMAP. But the thought of someone getting access to my Google account makes me break out in a cold sweat.

So - what do I do to make sure I'm as secure as I can be?

  • Check my Google password is long and strong. (Yes - 20 chars, mix of letters, digits and symbols)
  • Vow never to connect to anything sensitive 'in the clear', especially over public WiFi.
    • When sensitive information (especially login details) is to be exchanged, always connect via https (https://mail.google.com/mail). Check your desktop and especially your laptop that this is the case. Check your bookmarks.
    • Set up an account with a VPN provider to use to connect through (and make sure you use it)
    • Use something like a 3G modem to bypass public wifi completely (but still connect via https). I have one (from Three), and it's great as an ADSL backup and also for travelling - no more £5.95 for 1 hour's unsecured internet access for me!
  • Make sure you have a personal question that is non-obvious (don't do date of birth, mother's maiden name etc). If your provider doesn't allow you to have a non-obvious question, then change, or don't store anything of value in there.
  • Make sure you are backed up, and that your backups work. I know this is one of those things that everyone says, but really, do it. You have no idea how much of a comfort it is when you know that all your really important info is backed up in a number of different places. JungleDisk is pretty amazing for letting you just set and forget - I back up all my pictures, and documents there, as well as my partner's docs - and Jungledisk is smart enough to only upload files that are new or changed (and you can pay $1 per month to activate a service to only upload diffs to large files).
  • Get a good virus scanner, malware protector and firewall. Keyloggers are another source of danger - I hear a lot of reports of kids playing WoW who have had their accounts hacked via keyloggers (from programs they've downloaded). Set your firewall to alert you on any new outbound connections, and don't allow anything you don't recognise through.
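The "check your bookmarks" step above is easy to automate. Here is an added example (not from the original post) that reads a Netscape-format bookmarks export, the HTML file Firefox, IE and Chrome produce, and reports any bookmark that reaches a login host over plain http, together with the https URL it should be replaced with; the host list is an assumption for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts where a plain-http bookmark would send login details in the clear.
# Assumed list for this example; extend it with your own providers.
SENSITIVE_HOSTS = {"mail.google.com", "www.google.com",
                   "login.live.com", "mail.live.com"}


class BookmarkParser(HTMLParser):
    """Collects every HREF from a Netscape-format bookmarks export."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.urls.append(value)


def find_cleartext_logins(bookmarks_html, sensitive_hosts=SENSITIVE_HOSTS):
    """Return (insecure_url, https_replacement) pairs for bookmarks that
    reach a sensitive host over plain http."""
    parser = BookmarkParser()
    parser.feed(bookmarks_html)
    findings = []
    for url in parser.urls:
        parts = urlparse(url)
        if parts.scheme.lower() != "http":
            continue                      # https, ftp, javascript: etc. are skipped
        if (parts.hostname or "").lower() in sensitive_hosts:
            findings.append((url, parts._replace(scheme="https").geturl()))
    return findings


# Constructed sample export, not anyone's real bookmarks.
SAMPLE_BOOKMARKS = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<TITLE>Bookmarks</TITLE>
<DL><p>
    <DT><A HREF="http://mail.google.com/mail">Gmail</A>
    <DT><A HREF="https://mail.google.com/mail">Gmail (secure)</A>
    <DT><A HREF="http://www.bbc.co.uk/news">BBC News</A>
    <DT><A HREF="http://login.live.com/">Hotmail login</A>
</DL><p>
"""

if __name__ == "__main__":
    for bad, good in find_cleartext_logins(SAMPLE_BOOKMARKS):
        print(f"{bad}  ->  change to {good}")
```

Export your bookmarks from the browser and pass the file's contents to find_cleartext_logins; an empty result means every login bookmark already uses https.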
These are some of the steps I've taken to protect my data - I hope I've covered most of the obvious attack vectors (ooh, knowledgeable do I sound!). So far I haven't had my accounts hacked, but past activity is no guarantee of future performance.
