PwnedList Checker Tool - Is your email account at-risk?

[Blacklab]

I thought other Pale Moon users might be interested in this "neat tool" - the quote below is from an article by the well regarded UK based IT security journalist Davey Winder that has just appeared in the latest PCPRO magazine Issue 216/Oct 2012:

Davey Winder wrote:
......a neat tool called PwnedList (https://pwnedlist.com), which will check whether your email address has appeared in any of the hacker dumps from corporate data breaches that appear online..... if it has you should set about a password-changing strategy immediately. PwnedList started when security researchers wondered how many compromised accounts could be harvested automatically by a scraping routine - the answer was 30,000 wihin 2 hours, complete with logins and passwords attached. The number of "pwned" emails harvested and compiled is now almost 24 million. It should be noted that PwnedList only scrapes the emails, and the accompanying password and login data is discarded. the emails are put through a one-way hash and the cleartext is then destroyed, and when you enter your email address in the checker it isn't stored in any form.

The full article "Generation I (I for Insecure)?" is based on research by Check Point the firm behind Zone Alarm and looks at the differing attitudes of Baby Boomers (ages 56-65) and Generation Y (ages 18-25) to security risks when using internet & social networking sites. The "oldies" are security conscious, the youngsters rather less so. (Research only download as 1.45MB pdf from http://www.pcpro.co.uk/links/216sec - the article itself isn't available online yet - presumably held back from PCPRO's website http://www.pcpro.co.uk while current magazine edition is on sale.)

I've tried all mine and then some of my friends' accounts that had been hacked - but all got a "NOPE" from PwnedList!

[Moonchild]

Of course, anyone worried about this should submit the SHA-512 hashes for their e-mail instead of plugging in the raw e-mail It's nice that they offer the option.

Don't know how to?

1. Grab WinHasher
2. In the program, select the tab "Hash text"
3. In the field "Text to hash", type your e-mail address in lowercase
4. Use encoding "Wester european"
5. Select "SHA-512" as Hash algorithm
6. Click "Hash"
7. Double-click the resulting hash text to select all, then press Ctrl+Insert or Ctrl+C
8. Paste the hash in the website's e-mail submission box to check

[Blacklab]

This pretty grim story has even made it onto BBC Radio in the UK today! The precis below is from a Third Apple article at: https://thethirdapple.wordpress.com/201 ... nightmare/

Wired Magazine journalist Mat Honan had his life hacked over the weekend. Hackers exploited security weaknesses in Amazon and Apple’s iCloud service to take over his Twitter account and Google account. They used the Twitter account to post all sort of racist and homophobic messages. That’s embarrassing, but it’s also minor compared to what else he went through.

In a nutshell, the hackers were able to disable his iPhone, disable his iPad, and wipe his MacBook. As in erase everything, including the last year or two of photographs of his young daughter. (Foolishly, Mat did not have a backup, and he accepts that if he had one, certain irreplaceable things wouldn’t be probably lost forever.) ........

Mat Honan's full horror story "My Epic Hacking" is in Wired Magazine at: http://www.wired.com/gadgetlab/2012/08/ ... n-hacking/ Ouch!

[Moonchild]

"wipe his macbook"? You mean whatever cloud data storage service he had and synched his macbook with did not have recoverable backups? That's pretty lame of a "service".

[Blacklab]

Not being an Apple fan, or a cloud fan for that matter, I continue to be amazed at how trusting "people" are with their personal data. Apparently this is how they wiped the MacBook - the quote is from page 4 of Mat Honon's Wired article:

But, mostly, I shouldn’t have used Find My Mac. Find My iPhone has been a brilliant Apple service. If you lose your iPhone, or have it stolen, the service lets you see where it is on a map. The New York Times’ David Pogue recovered his lost iPhone just last week thanks to the service. And so, when Apple introduced Find My Mac in the update to its Lion operating system last year, I added that to my iCloud options too.

After all, as a reporter, often on the go, my laptop is my most important tool.

But as a friend pointed out to me, while that service makes sense for phones (which are quite likely to be lost) it makes less sense for computers. You are almost certainly more likely to have your computer accessed remotely than physically. And even worse is the way Find My Mac is implemented.

When you perform a remote hard drive wipe on Find my Mac, the system asks you to create a four-digit PIN so that the process can be reversed. But here’s the thing: If someone else performs that wipe — someone who gained access to your iCloud account through malicious means — there’s no way for you to enter that PIN.

A better way to have this set up would be to require a second method of authentication when Find My Mac is initially set up........

What can you say? I suppose it's just the modern version of finding your HDD has died and you didn't make a backup.

[Moonchild]

So.. all it needs is access to that service, and you can have your laptop's data locked out... You know, I can see how it would be something prudent for high-security companies to be able to immediately and remotely lock data from access in case an asset gets stolen. However, the whole premise is flawed for laptops:

• First off, the remote hard drive wipe doesn't wipe the data, so it's not really removed. That's a good thing in case you actually manage to recover the laptop so you can restore it - but that doesn't happen very often, now, does it? An -actual- wipe would be better in that case.
• Then of course there is the problem if someone accesses your Apple service center as happened with this guy, there is apparently no secondary authentication - This is bad when it comes to destruction of data.
• The service also relies on the computer being hooked up to the Internet for anything to be done. For a phone, this is different since it will connect the moment it's switched on.
• If your laptop is stolen for your data, they are likely to do that before hooking it up to the 'net. So they will get to your data before it can be locked. Meaning the service isn't going to protect your data.
• If someone steals your laptop for the hardware, they are going to wipe the drive first thing. Meaning the service won't work, since it will require your identification of the laptop. (and I hope they don't key it to hardware IDs, because that could spell a catastrophy if someone hacks an iCloud server and runs a script on sequential hardware IDs).
• The restore of the "wipe" requires a 4-digit PIN. That in itself is a problem. A 4-digit pin is not safe by any means, and is probably VERY easy to crack.
• Last but not least: if a thief is locked out of the drive, what will they do? Format and reinstall - meaning issuing that command removes any chance of locating your laptop.