The constant battle for Internet security saw another brazen attack
this week as Russian hackers published millions of passwords they
collected after hacking the professional-networking site LinkedIn.
Then, hours later, dating site eHarmony announced
that a "small fraction" of its users -- others were saying 1.5 million
-- were compromised by a similar attack. Security professionals suspect
the same hackers may have done it.
"That's what we think," said Graham Cluley,
a senior technology consultant with Sophos Security. "It was shared in
the same places. The content is very similar. And the timing. All of
these factors just make it seem like too much to be a coincidence."
It's enough to make some
Web users throw up their hands. If the sites we use on a daily basis
can't keep our password data secure, how are we supposed to keep
ourselves safe?
But security experts say there are still plenty of steps we can take (even if too many people aren't following them).
How to check if your password was stolen
Password-management firm LastPass has released a secure tool to see if your password was among the more than 6 million stolen from LinkedIn. LastPass created a similar tool for people worried about the security of their eHarmony accounts.
Your password still matters
Even in cases such as the LinkedIn breach, when it's a website, not a personal account, that's being hacked, the strength of your password can still help keep you safe.
On sites such as LinkedIn, stored passwords are "hashed": the site runs each password through a one-way cryptographic function and stores only the result, not the password itself. The hash can't be run backwards, so even when hackers get the data, they still have to guess candidate passwords, hash each guess and compare it with the stolen values before any of it is useful. Common words and short patterns are guessed within seconds; a long, random password may never be. How quickly that guessing goes also depends on how the site hashed the passwords: a fast, unsalted hash lets an attacker test one guess against every account at once, while a salted, deliberately slow hash forces the work to be repeated for each account.
"Don't give up. Don't
think this is all futile," Cluley said. "Choose a long, hard-to-crack,
unique password. Not dictionary words. Not a sequence of numbers -- use
something that basically looks like gobbledygook. Those will be tougher
for the bad guys to crack."
In the case of LinkedIn, there are reports that as many as 60% of the stolen password hashes have already been cracked, raising questions about the strength of its security system.
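To make the hashing point concrete, here is an added Python example; it is not code from the article, from LinkedIn or from Sophos, and the accounts, passwords and wordlist in it are constructed. It stores the same constructed passwords two ways, with a fast unsalted SHA-1 hash and with salted PBKDF2-HMAC-SHA256 at an assumed work factor and an assumed record format, then runs the same small dictionary attack against both dumps. It does not describe how LinkedIn actually stored its passwords; the weak scheme is there to show why dictionary words fall immediately and why one guess can be checked against every account at once when hashes are unsalted.

```python
import hashlib
import os

# Constructed sample accounts: not real records from any breach.
USERS = {
    "alice@example.com": "linkedin",
    "bob@example.com": "123456",
    "carol@example.com": "password1",
    "dave@example.com": "123456",                  # same password as bob
    "erin@example.com": "xQ7#vLp9!mZ2@wK4tR",      # long, random, unique
}

# A tiny constructed guess list; real crackers use wordlists of hundreds
# of millions of entries plus mangling rules.
WORDLIST = ["password", "123456", "linkedin", "qwerty",
            "password1", "letmein", "iloveyou", "abc123"]


def sha1_hex(password: str) -> str:
    """Fast, unsalted hash: the weak storage scheme."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_unsalted_dump(users):
    """What an attacker holds after stealing an unsalted SHA-1 table."""
    return {email: sha1_hex(pw) for email, pw in users.items()}


def crack_unsalted(dump, wordlist):
    """Dictionary attack on unsalted hashes.

    Identical passwords give identical hashes, so hashing each guess once
    tests it against every account. Returns ({email: password}, hashes computed).
    """
    lookup = {sha1_hex(guess): guess for guess in wordlist}
    recovered = {email: lookup[h] for email, h in dump.items() if h in lookup}
    return recovered, len(wordlist)


def pbkdf2_record(password: str, salt: bytes, iterations: int) -> str:
    """Salted, deliberately slow hash: the stronger storage scheme.

    Record format (an assumption for this example): iterations$salthex$hashhex.
    """
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def make_salted_dump(users, iterations=100_000):
    """Each user gets a fresh random salt, so bob and dave no longer match."""
    return {email: pbkdf2_record(pw, os.urandom(16), iterations)
            for email, pw in users.items()}


def crack_salted(dump, wordlist):
    """The same dictionary attack against salted PBKDF2 records.

    The salt is stored next to the hash and is not secret; what it changes
    is that every (guess, account) pair needs its own slow computation.
    Returns ({email: password}, hashes computed).
    """
    recovered, work = {}, 0
    for email, record in dump.items():
        iterations, salt_hex, _ = record.split("$")
        salt = bytes.fromhex(salt_hex)
        for guess in wordlist:
            work += 1
            if pbkdf2_record(guess, salt, int(iterations)) == record:
                recovered[email] = guess
                break
    return recovered, work


if __name__ == "__main__":
    got, work = crack_unsalted(make_unsalted_dump(USERS), WORDLIST)
    print(f"unsalted SHA-1: recovered {len(got)} of {len(USERS)} with {work} hashes: {got}")
    # Low iteration count only to keep the demo quick; production would use far more.
    got, work = crack_salted(make_salted_dump(USERS, iterations=1_000), WORDLIST)
    print(f"salted PBKDF2:  recovered {len(got)} of {len(USERS)} with {work} hashes: {got}")
```

Against the unsalted dump, eight hashes recover four of the five accounts, and bob and dave fall together because their hashes are identical. Against the salted dump the same four passwords still fall, but only after a separate slow computation per guess per account, and erin's random password survives both runs because it is simply not in the list.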
Be careful of post-hack e-mails
When there's a well-publicized security incident on a well-known website, online crooks are more than happy to pile on.
In the wake of the LinkedIn hack, security professionals were already reporting incidents of users receiving "phishing" attempts -- e-mails that look like official communications from LinkedIn. Instead, these messages try to get users to reveal personal data that identity thieves could use, or they include links that, when clicked, can install malware on an unsuspecting user's computer.
"We are investigating
the exact details but in the meantime please DO NOT CLICK on links in
email to change or verify account information, at LinkedIn.com or on any
other membership site," Cameron Camp of ESET Smart Security wrote on the company's blog. "Instead, navigate to the site directly by typing in the address bar in your browser."
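The advice above is to distrust the links in such a mail altogether. As an added example (not code from the article, ESET or LinkedIn), the Python below shows the checks a mail filter or a careful reader would apply to those links before deciding: does the real destination belong to the expected domain, is it a bare IP address, and does the URL shown as link text match where the link actually goes. The e-mail body and every hostname in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "linkedin.com"   # the site the mail claims to come from

# Constructed sample: an HTML e-mail body imitating a "verify your account"
# notice. All hostnames and addresses below are made up for this example.
SAMPLE_EMAIL = """
<p>Dear member, due to a recent security incident please
<a href="http://linkedin.com.account-verify.example.net/login">verify your
LinkedIn account</a> within 24 hours.</p>
<p>You can also update your password at
<a href="https://www.linkedin.com/settings/">https://www.linkedin.com/settings/</a>
or here: <a href="http://198.51.100.23/linkedin/">https://www.linkedin.com/</a></p>
"""


def belongs_to(host: str, domain: str) -> bool:
    """True only for the domain itself or a genuine subdomain of it.

    'linkedin.com.evil.example' starts with the brand but is NOT a
    subdomain; matching the suffix including the dot defeats that trick.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())   # collapse line wraps
            self.links.append((self._href, text))
            self._href = None


def check_links(html_body: str, expected_domain: str):
    """Return [(href, text, reasons)] for every link in the mail.

    A link is flagged when its real destination lies outside the expected
    domain, when it points at a raw IP address, or when the visible text is
    itself a URL whose host differs from the real destination.
    """
    parser = LinkCollector()
    parser.feed(html_body)
    results = []
    for href, text in parser.links:
        reasons = []
        host = urlsplit(href).hostname or ""
        if not belongs_to(host, expected_domain):
            reasons.append(f"destination host {host!r} is not {expected_domain}")
        if host.replace(".", "").isdigit():
            reasons.append("destination is a raw IP address")
        if text.startswith(("http://", "https://")):
            shown = urlsplit(text).hostname or ""
            if shown.lower() != host.lower():
                reasons.append(f"visible URL shows {shown!r} but links to {host!r}")
        results.append((href, text, reasons))
    return results


def suspicious_links(html_body: str, expected_domain: str = EXPECTED_DOMAIN):
    """Only the hrefs that earned at least one reason."""
    return [href for href, _, reasons in check_links(html_body, expected_domain) if reasons]


if __name__ == "__main__":
    for href, text, reasons in check_links(SAMPLE_EMAIL, EXPECTED_DOMAIN):
        print("SUSPICIOUS" if reasons else "ok        ", href, "| text:", repr(text))
        for reason in reasons:
            print("           -", reason)
```

Two of the three links are flagged: the first because its host merely starts with the brand name, the third because it is a raw IP address whose link text shows a linkedin.com URL. The one genuine link passes, which is the point: the checks only tell you which links to avoid, and typing the address yourself, as ESET suggests, sidesteps the question entirely.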
Use different passwords for different sites
Cluley notes that the
hackers who attacked LinkedIn and eHarmony may not have even been
interested in information from those sites.
In many cases, they'll
be trying to use the passwords they find on other sites and accounts.
Many banks require additional information to log in. But accounts such
as Amazon, eBay and PayPal, for example, could be compromised if the
user has one password across multiple sites.
"If you get hacked in one place, you get hacked everywhere," he said.
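The reuse problem described above, from the defender's side, as an added Python example (not code from the article, Sophos or any of the sites named): a second site takes the cracked e-mail and password pairs circulating from a breach elsewhere and checks which of its own users would be opened by them, so it can force a reset before the automated login attempts arrive. The leaked pairs and the second site's accounts are constructed; the salted PBKDF2 storage and its work factor are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed data, not from any real breach.
# Cracked (e-mail, password) pairs from a site A dump, as an attacker would
# now hold them. One address has mixed case to show why we normalise.
LEAKED = [
    ("alice@example.com", "linkedin"),
    ("Bob@Example.com", "123456"),
    ("carol@example.com", "password1"),
    ("frank@example.com", "hunter2"),
]

# Our own site's users with their passwords (plaintext only to build the demo store).
SITE_B_ACCOUNTS = {
    "alice@example.com": "linkedin",             # reused: at risk
    "bob@example.com": "bob-unique-Tq9$pL2!",    # different password: safe
    "carol@example.com": "password1",            # reused: at risk
    "dave@example.com": "123456",                # not in the leak at all
}

ITERATIONS = 50_000   # assumed PBKDF2 work factor for this example


def store_password(password: str, salt: bytes = None) -> tuple:
    """How site B stores a password: random per-user salt plus PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the user's own salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_user_store(plain_accounts):
    """Our user table keyed by lower-cased e-mail: {email: (salt, digest)}."""
    return {email.lower(): store_password(pw) for email, pw in plain_accounts.items()}


def find_reused_credentials(user_store, leaked):
    """E-mails of our users whose leaked password also opens their account here.

    This is the same test an attacker performs as a login attempt
    ("credential stuffing"); running it ourselves against the stored hashes
    lets us force a reset first. Because our hashes are salted, each leaked
    pair must be checked against that one user's salt; there is no shortcut
    through a shared hash lookup table.
    """
    at_risk = []
    for email, leaked_pw in leaked:
        record = user_store.get(email.lower())
        if record is None:
            continue                 # not one of our users
        salt, digest = record
        if verify_password(leaked_pw, salt, digest):
            at_risk.append(email.lower())
    return sorted(at_risk)


if __name__ == "__main__":
    store = build_user_store(SITE_B_ACCOUNTS)
    for email in find_reused_credentials(store, LEAKED):
        print(f"{email}: password reused across sites, force a reset")
```

Alice and carol are flagged; bob appears in the leak but used a different password here, and dave's weak password is untouched only because it was not in this particular dump. The per-user salt means the check costs one slow hash per leaked pair, which is exactly the cost the attacker would also have to pay.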
Lots of folks complain about how hard it is to remember multiple passwords. But there are password managers that will store them and fill them in for you. Cluley mentioned several, including KeePass, 1Password and LastPass.
Cluley recommends those
tools over letting your Web browser store passwords for you, because
there have been cases of security flaws in some browsers, which hackers
have exploited to access user data.