Being smart with computer security.


jedi
10-05-2005, 04:30 PM
So, in THIS (http://forumserver.twoplustwo.com/showflat.php?Cat=&Number=3584983) thread, we hear about someone who got their passwords/username/poker accounts compromised and lost a tidy sum of cash. For all you internet savvy players, what's the best way to protect ourselves from this type of hacking? I'm tempted to change all my passwords around when I go home tonight.

StevieG
10-05-2005, 06:00 PM
[ QUOTE ]
So, in THIS (http://forumserver.twoplustwo.com/showflat.php?Cat=&Number=3584983) thread, we hear about someone who got their passwords/username/poker accounts compromised and lost a tidy sum of cash. For all you internet savvy players, what's the best way to protect ourselves from this type of hacking? I'm tempted to change all my passwords around when I go home tonight.

[/ QUOTE ]

That thread is really good so far about discussing the specifics of the exploit. To learn more go there. But here are some suggestions in general that you can put to use.

If you use publicly accessible machines, do not visit password protected sites. I have to put this first because it is so damn true. Not even the strongest password creation and maintenance can protect you if someone can look over your shoulder as you type it.

Hardware key loggers are cheap and small, like this one (http://www.thinkgeek.com/gadgets/security/5a05/). Software key loggers are even freely available. (http://www.kmint21.com/keylogger/) Assume that someone can catch your password.

If you like to check email on the road and you do not have a Blackberry or laptop, get a separate email account for business related items and do not access it from unknown machines. Ever. Get yourself a Gmail account or whatever, and change banking, poker accounts, etc., to all use this new exclusive account, and only access it from places you trust.

Make sure communication that sends a password you care about is encrypted. That usually means a padlock somewhere on your browser. Note 2+2 is not secure. So make sure your password here has nothing to do with what you use elsewhere.

Changing passwords every once in a while is certainly not a bad idea, as long as you don't wind up losing them or compromising good passwords because you change them so often and forget them.

For passwords, avoid dictionary words, names of sports teams, names of kids, etc. Too easy to guess. If I am not incorrect, the Paris Hilton cell phone hack used her pet's name which was broadcast on her reality TV show.

Keep them long, somewhat random, and get some special characters in there. A nice way to do this is to make up a personal substitution. For example, make { stand for taco and % for burrito. Now you can think of a phrase like "Man, do I love the burritos at taco bell." and change this to M,dilt%@{b Then for another place you can use "Taco Time has lousy burritos" and make that {thlousy%.

Use different passwords for different places. I know it's tough, but using a convention like that above can help. "I use Party money to eat tacos", for instance, is "IuP$2eat{" and is not a bad password.

You can check password strength at sites like this. (https://cuweblogin2.cit.cornell.edu/cuwl-cgi/passCheck1.cgi)

CountDuckula
10-05-2005, 06:04 PM
1. Anti-spyware. I use Ad-Aware and Spybot Search & Destroy. It's best to have more than one, as one may catch a threat the other misses. Run scans frequently, at least weekly; daily is better.

2. Firewall. I use ZoneAlarm Pro. I think it's one of the best, if not the best, out there. It prevents unauthorized programs from accessing the Internet; every time a program tries to do so, ZoneAlarm will pop up and alert you, asking whether or not to allow it (and giving you a box to check if you want ZA to remember the answer, and not bother you again). If you don't have any idea why it's doing what it's doing, deny access. If it has a legitimate reason, you should be able to find out what it is, and decide from there. I also use a router, with built-in NAT (Network Address Translation); my router's IP address is exposed to the Internet, but my computers have IP addresses assigned by the router (via DHCP), so there's no direct route to my computer from the outside.

3. Anti-virus. Pick one; I happen to use Norton, but ZoneAlarm has its own built-in. And there are many others; you can check out back issues of PC Magazine or PC World for advice (they tend to do a comparison once or twice a year). Your local library should have these, or some other computer magazine.

4. Password security. If the site allows non-alphanumeric characters, use them. A password like "R#v*&zkyJ34!" is much harder to crack than "george". Use a password keeper if you can't remember them (then don't forget your master password!). I typically create passwords based on something I know, like the first letter of each word in the first line of a poem, then do some massaging. For instance, you could use "Mary had a little lamb", yielding "Mhall" (too short, but this is just an example), and then convert it to "Mh@l1". Substitute song lyrics, a favorite book, the initials of your teachers from first through 9th grades, whatever. Just make it something you can remember, even if you have to work a little to extract it. Use multiple passwords; do not use the same password for every site.

-Mike

StevieG
10-05-2005, 06:22 PM
Using a firewall, antivirus software, and spyware checking are all prudent.

So is securing your browser. An easy way to do this is to use Firefox with the default security settings. Let's not make this a holy war, folks, I have no grudge with Microsoft, I also know Mozilla has been caught with their pants down. But as far as making it easy for people by using a browser that by default is more secure, Firefox wins.

IHateKeithSmart
10-05-2005, 06:30 PM
[ QUOTE ]
Using a firewall, antivirus software, and spyware checking are all prudent.

[/ QUOTE ]

Good advice. Add onto this patching. I'm assuming 99% are using Windows, so turn on automatic updates. MS releases their patches on the 2nd Tuesday of every month.

Go here (http://www.microsoft.com/athome/security/default.mspx) for some more basic advice on locking down your personal computer.

rlr
10-05-2005, 11:28 PM
If you use a password safe like KeePass or PasswordSafe then you really should secure it with a pass-phrase and not a password.

Check out DiceWare (http://world.std.com/~reinhold/diceware.html) for a neat way of creating a memorable passphrase. Certainly you can use a different dictionary than they have provided.
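
The Diceware procedure linked above (five dice rolls pick one word from a 7776-entry list), as an added example that is not part of the thread. The word list here is a constructed stand-in of pseudo-words, and all function names are hypothetical; the point is the dice-to-word mapping and how passphrase length compares with a random 12-character password.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5                  # Diceware: five dice rolls select one word
LIST_SIZE = 6 ** DICE_PER_WORD     # 7776 entries, keyed "11111" .. "66666"


def build_standin_wordlist():
    """Constructed stand-in for a real Diceware list: 7776 unique pseudo-words.

    A real list maps each five-digit dice key to a dictionary word; to use one,
    return {key: word} parsed from that file instead.
    """
    syllables = [c + v for c in "bdfgkm" for v in "aeiouy"]       # 36 syllables
    words = [a + b + t for a in syllables for b in syllables for t in "lnrstz"]
    keys = ["".join(p) for p in itertools.product("123456", repeat=DICE_PER_WORD)]
    return dict(zip(keys, words))


def roll_key():
    """Simulate five fair dice with the OS CSPRNG (physical dice work too)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def passphrase(wordlist, n_words=6):
    """Pick n_words independently; each word is one five-dice lookup."""
    return " ".join(wordlist[roll_key()] for _ in range(n_words))


def diceware_bits(n_words):
    """Entropy of a passphrase whose words are chosen uniformly at random."""
    return n_words * math.log2(LIST_SIZE)


def random_chars_bits(length, alphabet_size=94):
    """Entropy of a uniformly random password over printable ASCII."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(LIST_SIZE))


if __name__ == "__main__":
    wl = build_standin_wordlist()
    print(passphrase(wl))
    print(f"6 words: {diceware_bits(6):.1f} bits; "
          f"12 random chars: {random_chars_bits(12):.1f} bits")
```

These figures hold only when every word or character is chosen at random; a phrase or substitution scheme picked by a person carries less entropy than its length suggests.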

MyMindIsGoing
10-06-2005, 02:47 AM
I think the whole thing is bs. First of all it was his MAIL ACCOUNT that was hacked not his computer. Via that they got his password for his account. So either he stored his pass there [why would anyone do that?] or they used the account to mail party for a new pass [this is why passwords are better sent via regular mail]. Hotmail has been hacked several times before and should never be used for stuff like this. I do not feel sorry for him at all.

As soon as something like this happens everyone talks about getting firewalls, antispyware and stuff. It is not needed if you set up your computer correctly and do not do stupid things (like clicking on every file you get on email and so on). The only security thing worth having as far as I am concerned is a good virusscanner. I only use mine to scan downloaded files. Having a resident scanner just sucks the life out of any computer and does nothing good.

Terry
10-06-2005, 05:57 AM
[ QUOTE ]
it was his MAIL ACCOUNT that was hacked

[/ QUOTE ]

and just about everything I can think of that requires a password also has a function somewhere called something like “Forgot your password?” that will email your password to your email account. That means that if someone has/gets your email account password he can get the passwords to ALL your other online accounts.

“uR!6l#3Gh” is a password. “Biteme” is asking for big trouble and you’d better change it right now ... all three of you.

MyMindIsGoing
10-06-2005, 06:17 AM
[ QUOTE ]
[ QUOTE ]
it was his MAIL ACCOUNT that was hacked

[/ QUOTE ]

and just about everything I can think of that requires a password also has a function somewhere called something like “Forgot your password?” that will email your password to your email account. That means that if someone has/gets your email account password he can get the passwords to ALL your other online accounts.

“uR!6l#3Gh” is a password. “Biteme” is asking for big trouble and you’d better change it right now ... all three of you.

[/ QUOTE ]

Yes that is what I was saying:
1. Hotmail is very unsecure
2. Passwords to important stuff like poker accounts should be sent via regular mail, not hotmail.
3. Most people being scammed or getting robbed like this made some mistake before it happened. His problem was choosing a bad email provider.

Also minimizing how much you got "online" will minimize the loss in case something happens.

StevieG
10-06-2005, 10:52 AM
No doubt, in this exploit the combination of poor practices by Party and poor security in Hotmail hurt this guy. But you can't blame this user for having whatever amount in his account. He might play high limit.

Also, the original thread is the place to discuss the particulars of that case. The OP here wanted to know what good security practices are.

That said, I agree with you that trying to treat the disease (using anti-spyware, firewalls, etc.) is not as good as preventing it (not using exploited services like Hotmail and IE, not downloading untrusted software, disabling unwanted services, etc.). It's a good message that can't be overemphasized.

CountDuckula
10-06-2005, 11:01 AM
[ QUOTE ]
I think the whole thing is bs. First of all it was his MAIL ACCOUNT that was hacked not his computer. Via that they got his password for his account. So either he stored his pass there [why would anyone do that?] or they used the account to mail party for a new pass [this is why passwords are better sent via regular mail]. Hotmail has been hacked several times before and should never be used for stuff like this. I do not feel sorry for him at all.

[/ QUOTE ]

I do agree that Hotmail is a lousy email service for secure transactions, but I wouldn't go so far as to say that I don't feel sorry for him. I think Party is to blame for sending out the info without requiring the answer to some security questions, and for not red-flagging the pattern of transactions following the password change (changing a password for a very active player, and then immediately setting out to drain the account?!?). Hopefully, they've learned a good lesson here.


[ QUOTE ]
As soon as something like this happens everyone talks about getting firewalls, antispyware and stuff. It is not needed if you set up your computer correctly and do not do stupid things (like clicking on every file you get on email and so on).

[/ QUOTE ]

Totally untrue. It is quite possible to catch spyware or trojans simply by visiting a website or viewing HTML email (I have the latter turned off, and only activate it when I have to and I trust the source), and not even clicking on a link. My wife (who is not computer-literate; I have to explain every little thing to her three times, and then repeat the next time the issue comes up) visited some website (we're not even sure which one), and got something that tried to relay spam from our computer. Fortunately, the defenses I'd set up squelched that instantly. Without them, we might not have noticed for a long time; the trojan itself didn't trigger any virus alerts. And antivirus scanners are only as good as the most recent update; new threats require different defenses.

In any case, while the problem that prompted the OP was not necessarily something that would have been caught by a firewall or spyware scanner (though it could have been a keylogger inadvertently downloaded from somewhere), concern for network security is still valid. There are many hazards out there that are not as obvious and simple to avoid as you apparently think.


[ QUOTE ]
The only security thing worth having as far as I am concerned is a good virusscanner. I only use mine to scan downloaded files. Having a resident scanner just sucks the life out of any computer and does nothing good.

[/ QUOTE ]

Good luck.

-Mike
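
The red flag described in the post above (a password change followed right away by money leaving the account), as an added example that is not part of the thread and not any poker site's actual logic. The event names, the 24-hour window, the 500 threshold and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events: (account, timestamp, kind, amount). Not real data.
EVENTS = [
    ("alice", "2005-10-01 09:00", "login", 0),
    ("alice", "2005-10-01 09:05", "cashout", 200),
    ("bob",   "2005-10-03 02:10", "password_reset", 0),
    ("bob",   "2005-10-03 02:14", "transfer_out", 1500),
    ("bob",   "2005-10-03 02:20", "cashout", 3000),
    ("carol", "2005-10-02 12:00", "password_reset", 0),
    ("carol", "2005-10-05 18:30", "cashout", 100),
]

OUTFLOWS = {"cashout", "transfer_out"}   # hypothetical event names


def flag_reset_then_drain(events, window=timedelta(hours=24), min_total=500):
    """Return {account: total} where outflows within `window` after the most
    recent password reset add up to at least `min_total`."""
    last_reset = {}
    totals = {}
    # Zero-padded timestamps sort correctly as strings.
    for account, ts, kind, amount in sorted(events, key=lambda e: e[1]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if kind == "password_reset":
            last_reset[account] = when
            totals[account] = 0          # start counting from this reset
        elif kind in OUTFLOWS and account in last_reset:
            if when - last_reset[account] <= window:
                totals[account] += amount
    return {a: t for a, t in totals.items() if t >= min_total}


if __name__ == "__main__":
    for account, total in flag_reset_then_drain(EVENTS).items():
        print(f"hold for review: {account} moved {total} after a password reset")
```

In the sample data only "bob" is flagged: "alice" never reset a password, and "carol" cashed out three days after her reset, outside the window.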

CountDuckula
10-06-2005, 11:04 AM
[ QUOTE ]
Using a firewall, antivirus software, and spyware checking are all prudent.

So is securing your browser. An easy way to do this is to use Firefox with the default security settings. Let's not make this a holy war, folks, I have no grudge with Microsoft, I also know Mozilla has been caught with their pants down. But as far as making it easy for people by using a browser that by default is more secure, Firefox wins.

[/ QUOTE ]

I agree; I should have thought to mention that, myself. Not to mention that Mozilla is a lot quicker to respond to newly discovered exploits than Microsoft.

-Mike

MyMindIsGoing
10-06-2005, 11:33 AM
[ QUOTE ]
Good luck.

[/ QUOTE ]

LOL, some people like you have over faith of those antispyware and firewalls. Did you know for example that some versions of ZoneAlarm are actually WORSE than having no firewall at all? This is because some people found a way into your computer by using an exploit in the firewall itself, which would not be there if it was not installed. It is always the most paranoid who uses all those crappy programs and then say "now my computer is safe", guess what, it is not.

CountDuckula
10-06-2005, 01:32 PM
[ QUOTE ]
[ QUOTE ]
Good luck.

[/ QUOTE ]

LOL, some people like you have over faith of those antispyware and firewalls.

[/ QUOTE ]

No, I use multiple layers of security, and still am paranoid.


[ QUOTE ]
Did you know for example that some versions of ZoneAlarm are actually WORSE than having no firewall at all? This is because some people found a way into your computer by using an exploit in the firewall itself, which would not be there if it was not installed.

[/ QUOTE ]

Yes, I did know about that, and updated as soon as it was possible. I also have my computer sitting behind a router with all but essential ports blocked, so someone probing for computers running ZA would have had to get past that just to find me. That's what multiple layers is all about. Everything has flaws, and you can't rely on any one defense.


[ QUOTE ]
It is always the most paranoid who uses all those crappy programs and then say "now my computer is safe", guess what, it is not.

[/ QUOTE ]

I never say, "now my computer is safe". My attitude is, it's as safe as I can make it, given what I know right now, and I try to find ways to make it safer.

I think your approach is more dangerous; you're relying on one layer of security, which you say you use only for programs you've downloaded, plus avoiding what you know to be risky behavior. But what if you visit a site you have no reason to think is unsafe, but has a hidden exploit embedded in its code? It's the problems you don't know about that may bite you someday. The only way to be completely safe is to stay off the Internet altogether, and nobody here is about to do that. Next best is to cover all the bases you can, and keep looking for more, which is what I do.

-Mike

Jim Kuhn
10-07-2005, 01:57 AM
How do we determine what ports are needed open? How do we close other ports? Thanks for the info and your help!

Thank you,

Jim Kuhn
Catfish4u

CountDuckula
10-07-2005, 01:24 PM
[ QUOTE ]
How do we determine what ports are needed open? How do we close other ports? Thanks for the info and your help!


[/ QUOTE ]

A good place to start is Shields Up! (https://www.grc.com/x/ne.dll?bh0bkyd2) This tests your current setup, tells you what ports are open, and offers some help as to what they're for. In short, you're best off having all ports closed by default, and only opening ones that specific applications need (applications which do require certain ports should say so somewhere in their documentation). What you're trying to prevent is a worm seeking open ports to infiltrate through, and Shields Up! will tell you how vulnerable you are.

As to how to close them, you'll need to see the documentation for your router, if you have one. If you don't use a router, a firewall will serve the same purpose (I use both); as I said, I use ZoneAlarm, but you could use Norton or the new Windows XP firewall (I tried the XP one a few months ago, but it was pretty buggy then, and I switched back to ZA).

There is a free version of ZoneAlarm, though I think the additional features offered by the commercial versions are worth it. The nice thing about it is, if something new happens (an application asks for Internet access, etc.), ZA will pop up a dialog box asking whether to allow or deny access, and give you the option of having it do the same thing every time the app repeats it. So, the first time you use IE, for example, you'll need to tell ZA to allow it, but if you check the box, it will remember that and not ask you again. Check out the Zone Labs (http://www.zonelabs.com) web site for more info.

-Mike