OOC: Email Hacker Solutions
A quick OOC post (which I figured might be useful enough to be put
here instead of Parrott's, shoot me if I'm wrong)...
A list of things to do if you know (or suspect) that your email
account has been broken into:
(1) Tell the account provider. This is probably the number one 'duh'
tip. If your Hotmail account is insecure, tell Hotmail. Apparently
they take this kind of thing fairly seriously.
(2) If you've been using that account for anything important, e.g.
password confirmation emails, bank statements etc., copy all those
emails to your computer and then DELETE THEM from your email
account. This means that the next time somebody gets access to your
account, they won't find all this wonderfully sensitive data lying
around. One of my friends made the mistake of using his Hotmail
account for all his password confirmation emails from other places,
e.g. Yahoo, message boards etc. And then somebody got in, and he
rapidly discovered that this meant ALL his other passwords were
compromised.
(3) If you use the same password for anything else, change it as
quickly as you're able. If somebody finds out my Yahoo password and
does a Google search for "lucky_coincidence", I'm screwed if I use
the same password for anything with the same user name. If possible,
use a different password (and username) for every online service.
(4) Get a new email account, with a different name and password. Set
all your Yahoo groups, message boards, newsgroups etc. to mail to
that new account. Use that new account for anything new you sign up
for.
(5) Let people know that your email address has changed, that they
must NOT send you mail to your old account and that any mail coming
from that old account is NOT yours. This is important.
(6) I wouldn't delete the old account, for two reasons. Firstly, you
never know when you're going to have forgotten to change something
over. Six months from now you're going to want to retrieve a
password you've forgotten and you'll realise that you needed that old
account to get it. Check it regularly for new mail...but DON'T use
it actively - just for checking. No composing emails from it or
anything.
The second reason for not deleting it is that, on the rare occasion
that whoever hacked your account has kept access and thinks that
you're unaware of them, deleting the account would let them know
you're onto them. The more time they waste on that old, dead
account, the less time they'll spend trying to break into others.
(7) Onto the more general tips now. MAKE A STRONG PASSWORD. I don't
care if it's easier to remember your dog's name. I don't care if you
get bored with typing a password longer than three characters. I
don't care if you want to use the same password for everything ever
because it's less to remember. That's fine...if you want all of your
accounts to come crashing down the moment somebody tries to get in.
An excellent way to make a strong password is shown at
www.diceware.com. And I can vouch for the fact that, after a couple
of practices, it's perfectly possible to memorise a long (30
character) password that's generated by this method. Strong
passwords are still the best way to maintain account security. Don't
skimp on them.
(8) For the even more paranoid (read: me), a Hushmail account
(www.hushmail.com) is much more secure across a network connection
than a Hotmail one. I hate to say it, but last year it was perfectly
possible for me to view the emails of anybody on the same campus
network as me. If you're dealing with anything sensitive, encryption
is vital. Hence, Hushmail.
(9) And hence, on a deeper level, PGP. Unless you're passing strict
governmental, technological or business secrets this shouldn't be
necessary - but if you want to encrypt text, attachments or anything,
really, with a strength that is unlikely to be broken into within the
next ten years (without significant resources), then have a look at
www.pgpi.org.
(10) Don't piss people off.
Because some people will, if you annoy them enough, devote enough
of their time to screwing with your online persona(e) that they're
bound to get lucky eventually. The best approach is, as always, to
walk softly and carry a big stick.
(11) Don't try to get revenge. It's pointless unless you know what
you're doing, why you're doing it, and you're willing to put up with
a downward spiral of vengeance. It can be a lot of fun, of
course...but it's not worthwhile.
...
I think that's it. I rambled a bit there, apologies!
- Chris (JHXMT)