The Saga of Joe Public, A Social Media and Email Tragedy

This is a story about Joe. Joe could be any one of us. During the day he is a nose-to-the-grindstone, focused, and hardworking employee. After work, however, he is careless and free, enjoying all that social media has to offer: posting photos, catching up with friends, reading the links his friends on social media post, and yes, he does enjoy the occasional cat video. He is active on his email account too.

Unfortunately, Joe is not really keen on cybersecurity hygiene. He clicks on any link he gets via email or social media without checking the URL first. He makes his life easy by using the same password for all his different accounts. Two-factor authentication is too much work, and why would he need it anyway? Nobody would hack a regular guy. Since he is so friendly, his social media account is open to the public, so everyone knows everything about him: what he had for his birthday dinner last night, where he was born, his mother’s maiden name, and even the name of his first pet.

Although Joe seems to be the life of the party when it comes to social media, Joe was not ready for the party crasher. After work, as Joe was ready to relax and catch up on some email, he discovered he could not log in – password failed. That’s strange. He had not changed the password to his email account. Ever. So, he decided to check his Facebook account to see if anyone else was having trouble with their email provider. And what do you think happened to his Facebook account? He was locked out of Facebook too. As he sat back to ponder what was happening, a friend from high school called. His friend asked why he was sending out emails pretending to be a Nigerian prince looking for money. He also noticed that Joe had started posting advertisements on social media for the Pink Princess Palace. That’s when Joe figured out that he had been hacked! How could this have happened to him?

The hacker could have come in through many different attack vectors. After checking the website https://haveibeenpwned.com, Joe noticed that his username and password were compromised in 17 different breaches. Since he used the same username and password for every site, it was easy for the hacker to take over his email and social media. Also, the hacker could have just used Joe’s username combined with all the information on Joe’s Facebook profile to answer the typical “security” questions many web applications use for password resets.

What does Joe do now to get back into his accounts and secure them? First, he should get in touch with his email and social media providers to let them know what happened and regain access to the accounts. This could even involve sending Facebook a copy of his driver’s license to prove his identity. He will need to change his password to a nice long passphrase – 16+ characters. He will also need to change his password on all his other accounts because the password has been compromised. Next, he should set up two-factor authentication for all email and social media, and for any other account he doesn’t want breached (like his bank and investment accounts). Two-factor authentication involves having the web service send a text with a one-time code. Even better, Joe would use a third-party application like Duo or Microsoft Authenticator.

To do this on your Facebook account, for example, you need to log in to your account. Click the arrow icon in the top-right corner, select “Settings & Privacy,” and click “Settings.” In the left-hand navigation bar, choose “Security and Login.” Scroll down to the “Two-Factor Authentication” section and click “Edit” next to “Use two-factor authentication.” Follow the instructions from there based on the way you choose to receive your notifications. All email and social media apps have this option.
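How an authenticator app of the kind recommended above produces its one-time codes, and how the service checks them, shown as an added example that is not part of the original article. It follows the public TOTP standard (RFC 6238); the function names and the demo secret are this example's own, and a particular app or service may use different settings.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Code the app displays at Unix time `now`; it changes every `step` seconds."""
    return hotp(secret, int(now) // step, digits)


def verify(secret, submitted, now, step=30, digits=6, drift=1, last_used=-1):
    """Service-side check. Returns the matched time-step counter, or None.

    Tolerates +/- `drift` steps of clock skew between phone and server, and
    skips any counter at or below `last_used` so a code that was already
    accepted (or phished a moment ago) cannot be replayed.
    """
    current = int(now) // step
    for counter in range(max(0, current - drift), current + drift + 1):
        if counter <= last_used:
            continue
        candidate = hotp(secret, counter, digits).encode()
        if hmac.compare_digest(candidate, submitted.encode()):
            return counter
    return None


if __name__ == "__main__":
    # Constructed secret for illustration. A real one is random and reaches
    # the app once, through the QR code scanned during enrollment.
    secret = b"constructed-demo-secret"
    t = time.time()
    code = totp(secret, t)
    print("code now:", code)
    used = verify(secret, code, t)
    print("accepted at step:", used)
    print("replay accepted:", verify(secret, code, t, last_used=used))
```

The code is computed on the phone from the shared secret and the clock, so nothing travels over the phone network where a text message could be intercepted or redirected.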

Now that Joe has so many usernames and passwords to remember, he decided to use a password manager to help him out so that he only needs to remember one long password. He downloaded Bitwarden to his computer and added the Bitwarden extension to all his browsers so that he has his secure passwords wherever he goes. 

Joe is so excited about securing his email and social media that he tells his brother, John Q, and the rest of his friends so that they don’t have to go through similar torture. Joe has since become the lead blogger for the Cybersecurity Evangelist.

This article was originally published in the Sierra Vista Herald and can be found here.

Beware of the Dark Web

Lord of the Flies: Imagine a world where children are left entirely to their own guidance and education. One where the only instruction they ever receive is from peers. What kind of a world would that be?

Internet Born: When the Internet was born, it was called the DARPANET. Initially its creators tried to maintain control over its growth and development, but as it grew, that control became untenable. Eventually, a dark side emerged there.

Surface, Deep, Dark: The Internet can be subdivided into the Surface Web (that which you can Google) and the Deep Web. You may be surprised to hear that most of you regularly visit the Deep Web. Accounts such as Facebook, Twitter, or your company network that require sign-in credentials are not indexed by search engines and are a major part of the Deep Web. Estimates put the Deep Web as over 95% of the internet. The Dark Web is a subset of the Deep Web that is intentionally hidden, requiring a specific browser to access. No one really knows the size of the Dark Web, but most estimates put it at around 5% of the total internet.

Dark Web: The Dark Web is best known as a place for illegal and nefarious activities.  You can buy drugs, guns, credit card numbers, credentials, and hacked Netflix accounts.   You can buy malware or pay hackers to breach your competition for intellectual property.  There are even E-Commerce sites. Dark Web commerce sites have the same features as any e-retail operation, including ratings/reviews, shopping carts and forums.  However, sellers have been known to suddenly disappear with their customers’ crypto-coins without providing the service.  The old saying, “There is no honor among thieves,” applies.

Legal Activities: Not all activities on the Dark Web are illegal. Around half of the Dark Web is used for legitimate activities. It allows political dissidents to communicate anonymously with journalists without fear of persecution. People go to the Dark Web for mundane activities like joining a chess club or exchanging recipes. Facebook even has a presence called BlackBook. The New York Times has a presence. The Dark Web attracts those who are interested in being anonymous.

The Onion Router: The most common way to get on the Dark Web is through an anonymizing browser called Tor (The Onion Router). The Tor browser routes your web page requests through a series of proxy servers operated by thousands of volunteers around the globe, rendering your IP address unidentifiable and untraceable. It is difficult to find your way around as there are no indexed search engines. The experience is unpredictable, unreliable, and often incredibly slow.

Why Should I Care: This is all very interesting, but I am not interested in a seedy journey to the Dark Web. Why should I care? The Dark Web is full of Personally Identifiable Information (PII) and password credentials recovered from breaches and sold, or just dumped to a site. Large identity theft protection companies, like Experian, offer services that search for your information on the Dark Web and notify you of their findings. Companies can look to their trusted security advisor to obtain a Dark Web monitoring service that tracks their company domain. For your own email address, you can check for yourself at www.haveibeenpwned.com. Enter your email address to see if your credentials have been caught in a breach. If so, it is time to change passwords and verify your account information.

Self Governance: In the novel Lord of the Flies, a group of boys is stranded on a deserted island. Their attempt at self-governance is a disaster. A dark side emerged. Civilization eroded and chaos reigned. Kind of like the Internet.