Never keep sensitive information on your emails
If you haven’t been visiting your social media site because of the holidays then you’ve probably haven’t heard of David’s story. While on vacation (like most of us now), his site and ultimately his domain name had been taken over by someone going by the name ‘Peyam.’ After contacting GoDaddy and ICDSoft (his site’s host and domain registrar) he soon found out that because all transactions were final, there was little that he could do. David even tried contacting the Peyam who offered (taunted) him with $650 initially for everything. The price dropped to $250 but David remains adamant that he will not pay anything up.
There’s currently no development on the story but I doubt Peyam would return the domain nor would David bend over to the demands.
How did the hack happen?
There are a lot of possible ways that the hack could’ve happened:
- A XSS (Cross-Site Scripting) exploit which allow code injection by malicious web users into the web pages viewed by other users.
- A keylogger on the PC he was using (it was on a net cafe)
- CSRF/XSRF (Cross-site request Forgery) which exploits the site’s trust in the client software, submitting requests that the site believes come from its own pages.
Any of these could’ve allowed access to David’s Gmail account which then lead a leak of his personal and account-related information. What’s worse is that David’s business, as a graphics designer was left compromised by this and I imagine it would take lots of time and effort to contact and inform his past clients about this.
How do I prevent this from happening to me?
- Carry your own browser – Although it’s not really helpful if the host machine is already compromised, bringing along a copy of Firefox Portable never hurts. It’ll keep your preferences and if you saved passwords on it, it’ll save you from the risk of getting keylogged. If you don’t want your browser storing passwords, use a password vault.
- Try not to be click happy – if you’re on a computer you don’t own, it’s best to consider it spyware heaven. Although people who own net cafe’s might contest, it’s still best to safe than sorry. Do what you need to do and get out. The less time you spend on that machine, the less risk you have of getting your information taken.
- Use the “noscript” plugin for Firefox – Noscript prevents sites from using JavaScript and Java without your permission. It can also block other potentially exploitable plugins such as Flash. You’ll lose a bit of functionalities on the sites your visit (dropdown menus, ajax, etc) but in exchange, you’ll be quite secure from anything that pops up in the background.
- Use a separate or “dummy” email for your important information – It’s a bit of a hassle to use a dummy email for this sole purpose but if you regularly check mails whenever you’re out or use email to contact clients and other people, it’s best to keep private things private (ex: 1 email for clients, 1 email for your hosting, domain name info and 1 personal). Why? Even if your personal email gets compromised, the hacker will only get to see personal messages like greetings and stuff. Sure he can blackmail you if you’re sending something nasty in there but at least you don’t leave your OTHER info out in the open.
- Don’t use free email services – If you own a business, any leak of business-only information is probably the least you want to have. You can cough up a bit of expense for a paid, yet secure email service or you can build your own mail server.
- Don’t announce to the world that you’re leaving – this is probably the worst thing that David did but who could blame him? If you’re leaving for an extended period of time. Make sure people will contact you at the first sign of trouble.
Of course if a professional hacker decides to crack down on you, there’s little you can do but seek professional help. If it’s just script-kiddies (people who call themselves “hackers” but simply exploit vulnerabilities, etc) you should be able to go away unscathed and likely unhacked.
Support David by Digging his post.
Tags: Email services, Google, Security