computer security

Managing large amounts of passwords

So I read two interesting articles this past week, both by the same author. The first one that I read was The only secure password is the one you can’t remember (first seen by me on Lifehacker). The second article that I read was an older article, linked from the first one: Who’s who of bad password practices – banks, airlines and more.

The first article discusses the need to use strong, unique passwords for all of your online accounts, and the struggle to remember all of these unique, strong passwords. The author makes the claim that if all of your unique passwords are strong enough, you'll never be able to remember all of them. Thus, you need to use a password manager like LastPass, KeePass, or 1Password. The password manager, like it sounds, manages all of your passwords, so that you only have to remember one master password that lets you access all of your online accounts. Each of your online accounts is then protected by a strong, unique password that you are unlikely to remember.

This sounds good in theory, but what happens when your one singular password is compromised by a keylogger? No one is impervious to viruses and keyloggers, as I found out two weeks ago. From what I understand about LastPass, it allows you to log into your accounts from any computer, from anywhere. If it allows you to do that, what's to stop someone who compromised your master password via keylogger from doing the same?

Even if the password file is stored on your local machine, what's to stop someone from writing a virus specifically targeted at LastPass (or another one of these password managers) that will grab the password file from your local machine? If these password managers become widely used, you know that black hat hackers are going to be all over writing malicious software to target them.

As such, I personally believe that using a password manager compromises too much security for its convenience. So what to do instead? How do you create strong, unique passwords for each of your online accounts that you will actually remember?

Well, I'm not going to tell you my exact method, because I don't want anyone being able to guess my passwords. But you have to come up with a system that creates one base, strong password that you will remember, and a system of altering that base password for each online account so that each one is different. I used the following Consumerist articles for inspiration for my system: Create A Different Password For Every Site And Never Forget A Single One and How To Easily Remember A Different Password For Every Site.

I won't lie, if someone got access to one of my passwords -- say, my Facebook password -- a human could probably look at the password and guess my Gmail password. But it would take a human to do so. No one is going to have a virus that is able to not only grab my Facebook password, but also systematically figure out my Gmail password, because the two passwords are different. It would take a human looking at my password to figure it out. I personally think I'm much more likely to be hit by a virus that targets millions of people over someone targeting me specifically.

Now, the frustrating part is that after you come up with your awesome password remembering scheme that uses a strong password as its base, you encounter companies like Blizzard and Verizon that have stupid requirements on their passwords -- not letting you use certain characters -- that break your awesome password. I have to remember "different" passwords for these sites, unfortunately. These companies make me grumpy.
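The scheme above (one remembered base secret, altered per site) can be done by a program instead of by hand, which removes the weakness admitted earlier that a human who sees one site's password can guess the others: if the per-site alteration is a keyed hash, one leaked password reveals nothing about the rest. The example below is added here and is not the post author's method or any product's code; the site names, the `SITE_POLICIES` table and the salt string are constructed for illustration, and the restricted alphabet shows how to handle sites that reject certain characters.

```python
import hashlib
import hmac
import string

# Alphabet for sites that accept any of these characters.
FULL_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?/"

# Constructed policy table: a site that rejects special characters gets a
# smaller alphabet, so the derived password still satisfies its rules.
SITE_POLICIES = {
    "restricted.example": string.ascii_letters + string.digits,
}


def derive_site_password(master: str, site: str, length: int = 16,
                         alphabet: str = FULL_ALPHABET, counter: int = 0) -> str:
    """Deterministically derive a per-site password from one master secret."""
    # Stretch the master secret with PBKDF2 so offline guessing of it is slow.
    # The salt is a fixed, labelled constant (assumption: one scheme version).
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), b"site-pw-derivation-v1",
                              100_000, dklen=32)
    # The site name and a rotation counter select the per-site output; HMAC is
    # one-way, so a leaked site password does not expose the key or other sites.
    tag = f"{site}\x00{counter}".encode()
    out = []
    block = 0
    while len(out) < length:
        digest = hmac.new(key, tag + block.to_bytes(4, "big"), hashlib.sha256).digest()
        limit = 256 - (256 % len(alphabet))
        for b in digest:
            # Rejection sampling avoids modulo bias toward early alphabet entries.
            if b < limit:
                out.append(alphabet[b % len(alphabet)])
            if len(out) == length:
                break
        block += 1
    return "".join(out)


def password_for(master: str, site: str, counter: int = 0) -> str:
    """Apply the site's character policy (if any) before deriving."""
    alphabet = SITE_POLICIES.get(site, FULL_ALPHABET)
    return derive_site_password(master, site, 16, alphabet, counter)


if __name__ == "__main__":
    for site in ("mail.example", "social.example", "restricted.example"):
        print(site, password_for("correct horse battery staple", site))
```

Bumping `counter` for one site rotates that site's password after a breach without touching the master secret or any other site.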

No one is safe: My GMail account was compromised

So, it finally happened. My Gmail account was compromised, despite all my best efforts, which included the following:

  • I don't click on links in emails
  • I keep my OS and other software up to date
  • I don't enter my passwords on any computer that is not my own
  • All of my passwords use both letters and numbers
  • I use Firefox with Adblock Plus... MOST of the time.

That last item may have been my downfall. I've been using IE, Safari, and Chrome for various reasons recently: usually to see how one of the websites that I am developing displays in those browsers, but I also use them occasionally to view Google search results (to see the rankings of the websites that we're in charge of SEO for, since on Firefox, I have Web History enabled). I also very recently loaded up Chrome just to play Robot Unicorn Attack, because Chrome is a little faster than Firefox. :(

I know that Chrome has Adblock available for it, and I thought I had it installed, but I still saw ads when I went to play the game.

Another concerning thing is that recently, in Firefox, I remember seeing a Groupon ad even though I have Adblock Plus enabled. I gave the ad a funny look at the time, but didn't bother to look further into it since Groupon isn't shady. Maybe I should have :(.

My other downfall is that even though I KNOW it's a horrible thing to do, I use the same password pretty much everywhere I go. I just never took the time to figure out a system that would make it easy to make and remember unique passwords for each website. It was one of those things that I would do "eventually" and just never got around to doing.

So I might have been infected via an ad. I might have been infected by using the same password in too many places. I may have even been infected via my Droid X somehow, since I log into my Google Account on it.

I was first alerted that something was amiss when I received an email from myself, with my work signature. Immediately I knew something was wrong. I started getting some "mail failure notifications" as my hacker attempted to send emails to people in my address book whose emails either no longer exist, were typed in incorrectly, or just were smart enough to block my spam.

I quickly changed my Gmail password on my MacBook, which I figured had to be cleaner than my PC, but the spam emails kept being sent. I finally remembered that Gmail has a tool where you can kick off everyone who's logged into your account. I quickly did that and the emails stopped, and I changed my password a second time, from a different computer that I was 99% sure was clean.

Now it was time for the cleaning. I downloaded and installed MalwareBytes, and set it to do a full scan of both my hard drive and the USB drive that is connected to it. While the scan did its thing, I started changing passwords to a bunch of my online accounts. I got about four or five accounts done when I realized that I REALLY REALLY needed to come up with a system of unique passwords for each website (I was changing all of the accounts to the exact same password).

I finally came up with a system and started changing all the passwords again. I got to my WoW password, which wouldn't let me change it to my new, unique one because WoW only allows certain special characters in passwords. Bad, bad Blizzard! So my WoW password is a special snowflake from all of my other passwords.

MalwareBytes finally finished its full scan an hour later and found 0 infections. No!! I wanted it so badly to find something so that I could work on getting it clean. I sent frantic messages to Rob, who is away on a Knights of Columbus retreat this weekend. He had me download and run TDSSKiller and ComboFix.

TDSSKiller claimed it found one infection, but when I researched the name of the program, it turned out to be Daemon Tools, which is harmless. Rob told me to kill off the process anyway, but there wasn't any option to do so.

I couldn't get ComboFix to run at first. It was complaining that it only supports Win32. Rob managed to remote in and get it to run, though. Not sure what he did to get it to run. I am not sure what ComboFix found just yet -- I am waiting to check back with Rob, hopefully tomorrow, so he can analyze the log and tell me what it says.

I learned a few lessons from this ordeal, though.

The first: use unique passwords! I may have had my Gmail account compromised because another site that I used the same password on was compromised. If I don't find any malware, this might be what happened (but I doubt it, I strongly suspect malware).

The second: keep your Gmail contacts cleaned up! A few of the spam emails were sent out to people not in my contacts, but in Gmail's special list of contacts that it keeps of everyone that you have ever emailed or been emailed by, ever. So I've probably got a couple of folks wondering "Who is this Pam Hardy and why is she sending me spam?"

I went through all 100 of Gmail's "Other Contacts" and added about half of them to my actual address book, and deleted the other half.

The third lesson: ads are evil! Once my computer is somewhat usable, I need to go into IE and Safari and change their default homepages to Google, so that they never have a chance to display an ad to me. I also need to never play Robot Unicorn Attack on anything but Firefox. Also, I need to make sure that Adblock is actually installed and working correctly on Chrome.

This isn't a lesson, but more something I'm thankful for: my WoW account was not compromised. Even though I don't really care for WoW at the moment, if my account info got compromised it would have been a major pain in the neck to get all of my characters' gear restored. So I am grateful that for now, my WoW account is safe.

I never thought this would happen to me, but it did. Right now I feel violated. My life is on my computer, and my computer was violated. I feel icky just thinking about it.
