Editor’s Note: This spot is normally reserved for our retro recaps; today’s Firefly recap can be found on Wednesday in this time slot, and the West Wing recap that’s been traded with it will appear later today. In the meantime, here’s part one of Jordan’s new (very timely) series on removing the mystery from hackers. ~Ophelia
Welcome to part 1 of my series of blogs on hacking.
Seeing popular and favorite websites get hacked is a recurring sight on the web: reports of millions of users’ accounts being compromised, passwords and emails stolen, personal data now in the hands of thieves. Well, despite the alarmist tone of the news, it’s not as dangerous as losing your wallet in the street. In fact, most of the time these events are quickly forgotten by both users and website admins…which isn’t always a good thing.
First, no good website keeps its users’ passwords in plaintext in its database. Usually it only keeps a hash of the user’s password. You might be wondering what a hash is. Well, it’s just gibberish to the common eye. A hash is a string of encrypted characters created from a string of text with a math function. The function needs to have specific properties: the same string of text will always return the same value; two different strings of text should not return the same result (no collisions); and finally, you can’t find the original string of text even if you know the function’s algorithm. A well-known example of a hash function is MD5, although it has now been shown not to be “collision resistant”, which means that two different strings of text can return the same value, or hash. By storing hashes, the database never contains the real password, only the encrypted hash, and hackers won’t be able to unencrypt the hashes to find your password. So you actually can’t get your password stolen, if the web admin and website designers knew what they were doing. It should be web 101… When passwords are ‘parsed’ by hackers, like in this weekend’s shitstorm on Gawker, they’ve been guessed by a program trying a series of possible passwords against each username.
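As an added illustration (not code from the original post), the following script shows the two properties the paragraph describes: an unsalted, fast hash such as MD5 gives every user with the same password the same stored value, so one guessed row reveals all of them, whereas a per-user random salt with a slow key-derivation function (PBKDF2 here, a choice assumed for the example) makes each row unique and each guess expensive. The user names and password are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

def md5_hex(password: str) -> str:
    """Unsalted MD5 as the post describes it: deterministic and fast, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def make_record(password: str, salt: Optional[bytes] = None, rounds: int = 200_000) -> dict:
    """Build what the site stores: salt, round count and derived key, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return {"salt": salt.hex(), "rounds": rounds, "hash": key.hex()}

def verify(password: str, record: dict) -> bool:
    """Re-derive the key from the stored salt and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(key.hex(), record["hash"])

def duplicate_rows(table: dict) -> int:
    """How many stored values are shared between users (what a leaked table reveals)."""
    values = list(table.values())
    return len(values) - len(set(values))

if __name__ == "__main__":
    # Constructed sample: two users who happened to pick the same password.
    users = {"alice": "hunter2", "bob": "hunter2"}

    # Plain MD5: both rows are identical, so cracking one cracks both.
    md5_table = {u: md5_hex(p) for u, p in users.items()}
    print("MD5 rows shared:", duplicate_rows(md5_table))

    # Salted PBKDF2: the rows differ even though the passwords are the same.
    kdf_table = {u: make_record(p)["hash"] for u, p in users.items()}
    print("PBKDF2 rows shared:", duplicate_rows(kdf_table))

    record = make_record("hunter2")
    print("login ok:", verify("hunter2", record), "| wrong password:", verify("wrong", record))
```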
Second, usernames are almost useless. I said almost…unless the hacker knows you go to a lot of specific websites, which means that you are already compromised. In that case you might want to clean your computer, run a few anti-virus and malware apps ASAP, and maybe unplug that internet cable. The only use of a username is for accessing other websites, because the username is half of the security you have when you log in, the other half being the password. With a username the hacker has half the job done to crack a specific credential, but they need to know that you use a specific website first.
Third, the email. That one hurts a bit more. A) Expect spam, lots of it. B) Change your email password fast. Like the username, it’s half the credential, but in this case it’s easy to know where they should put it in and whom to contact to claim that “you” forgot your password to access the email box. One of my friends got his email box hacked a few years ago; it was a pain to get it back. Also, hacked email boxes don’t look compromised, and they are usually used to get passwords reset on other websites. These days hackers prefer to keep the hacking of an email box secret: there is too much value in reading somebody else’s mail to risk being detected accessing it.
Finally, personal data. The security risk depends on the website. A website where you actually spent money, ordered something and that keeps credit card information is a bigger risk than an obscure forum where you entered random information in all the fields. While websites usually have security measures on par with the information they keep, they aren’t infallible. Also, websites that accept credit cards now don’t keep all the information about them (dates, security number, etc.), making it harder for a hacker to do anything with the number. Still, getting personal information stolen makes it easier for someone to use your ID in real life for other things. When possible, use fake information and don’t save the information you don’t want to be saved.
Next time I will talk about the types of hacking and give a few tips to protect oneself on the web.