Yes, I know I’m always banging on about passwords

The simple fact is that this issue causes more problems than any other for my IT support clients. Therefore, I can’t resist telling you about something that happened a few weeks ago that offers yet another reason why you really shouldn’t use passwords more than once.

I received a phone call from a client saying that she’d just had a nasty email from someone saying that they had managed to access her Mac and, to prove it, they told her the password to get into her Mac. The email said they had stolen contact information, personal files, etc. I won’t describe what they said they were going to do next, but the bottom line was that they wanted about £3000 not to go ahead and do it.

Luckily, my client is a level-headed person who knew that a lot of what they said couldn’t be true. However, she was still – quite rightly – concerned about the accessing of her computer and asked me what to do. Since I was completely tied up with another client at the time I couldn’t give it detailed thought at that moment, so I advised her to contact the police and her bank and that I’d get back to her later.

The police said that it was a scam (i.e., there was no real threat – they were just trying to “con” money out of her rather than extorting it). However, the police didn’t tell her how it was done.

When I got a chance to look at the email itself later on, it seemed to me that absolutely everything in the email – except one fact – could be explained by saying that this was just a scam (that they were bluffing, lying, and hadn’t managed to get into her computer at all). The one inconvenient fact that didn’t fit this explanation was that they knew the Administrator’s password for her Mac. If they knew that, then there was a possibility that they could have accessed her Mac. That was why I had advised her to contact the police and her bank.

And then it struck me that the email address they used wasn’t her normal one, so maybe that was a clue. Maybe the combination of that email address and password had been used by her in another context and that that combination had become known to the bad person.

So, I checked to see if she had been “pwned” – that is, whether her email address had turned up in a known data breach. You can check this for yourself by visiting “Have I Been Pwned?“. Sure enough, her email address and LinkedIn password had been stolen many years before in that organisation’s huge loss of data. Wikipedia says of that data breach:

The social networking website LinkedIn was hacked on June 5, 2012, and passwords for nearly 6.5 million user accounts were stolen by Russian cybercriminals. Owners of the hacked accounts were no longer able to access their accounts, and the website repeatedly encouraged its users to change their passwords after the incident.
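To make the “Have I Been Pwned?” check concrete, here is an added example (my own illustration for this page, not code from the blog or from Have I Been Pwned) of the way its Pwned Passwords service lets you test a password – for instance the one quoted in a scam email – without ever sending the password itself. The password is hashed with SHA-1, only the first five hex characters go to the server, and the remaining thirty-five are compared locally against the list that comes back (the k-anonymity “range” query). The breach corpus and the stand-in range endpoint are constructed so that the code runs offline; the real endpoint URL and the Add-Padding header are the published API, and everything else is an assumption.

```python
"""Added example: the k-anonymity check used by Have I Been Pwned's
Pwned Passwords service, with a constructed offline stand-in for the
range endpoint. Not code from the blog or from HIBP."""
import hashlib
import urllib.request

# Constructed breach corpus (password -> times seen). Stands in for the
# real Pwned Passwords data set; not real breach data.
SAMPLE_BREACH_CORPUS = {
    "password": 3730471,
    "linkedin123": 52,
    "Summer2012!": 7,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_endpoint(prefix: str, corpus=SAMPLE_BREACH_CORPUS) -> str:
    """Offline stand-in for GET /range/<prefix>: returns one
    '<35-hex-suffix>:<count>' line per corpus hash that starts with prefix."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    lines = []
    for candidate, count in corpus.items():
        digest = sha1_hex(candidate)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def hibp_range_endpoint(prefix: str) -> str:
    """The real query (needs network access; not exercised offline).
    Add-Padding asks the server to pad the response so its length does
    not hint at how many hashes share the prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fake_range_endpoint) -> int:
    """How many times the password appears in the breach data, 0 if never.
    Only the 5-character hash prefix leaves the machine; the 35-character
    suffix is compared locally against every line the server returns."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate_suffix, _, count = line.strip().partition(":")
        if candidate_suffix == suffix:
            # Padded entries from the real API carry a count of 0, so a
            # hit with count 0 still means "not seen"; int() covers both.
            return int(count or 0)
    return 0


if __name__ == "__main__":
    # Constructed value standing in for the password a blackmailer quoted.
    quoted_in_scam_email = "password"
    n = pwned_count(quoted_in_scam_email)
    print(f"seen {n} times in breach data" if n else "not in breach data")
```

Pass `fetch_range=hibp_range_endpoint` to `pwned_count` to run the same logic against the live service. A hit does not by itself prove the sender has access to anything; it tells you the password is circulating, which is exactly what the scam relies on.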

My client did seem to remember being told of that data breach and undoubtedly did as LinkedIn suggested and changed her password. I asked her if she knew what the old password was and she couldn’t remember. Crucially, though, she said that it COULD have been the same password that she is now using (or was using until a few weeks ago!) as the administrator’s password on her Mac. What is almost certain is that her email address, together with that password, are up for sale on the Dark Net.

So, we concluded that what had probably happened is that the putative blackmailer bought her email address and LinkedIn password (probably on the Dark Net) and then just emailed her, assuming that the password for her LinkedIn account was the same as the password for her Mac. And he was right, so the scam worked (up to a point – but he certainly didn’t get any money from her). He managed to misdirect us into thinking that he’d gained access to her computer when, in fact, he hadn’t.

This scam can only work if people re-use passwords and if they don’t keep a record of what passwords they used, when, and for what. Had my client not re-used passwords, and had she kept such records, she would have been able to tell that the password he claimed was her Mac’s password, was, in fact, an old password stolen in a data breach and not related to her Mac at all. The whole thing would then have been immediately obvious as a scam.

I rest my case (for now).

I’m having serious doubts about whether it’s a good idea to keep a LinkedIn account

Regular readers will know that I’m no great fan of social networking sites. I think they are devious, manipulative, insecure, and cannot be trusted with a tenth of the personal data that people entrust to them.

Nevertheless, for about five years I have had an account at LinkedIn. I thought that as long as I only give them the minimum amount of information (about my professional self) then it should be ok. To be honest, the real reason for joining was to increase my credibility as a self-employed person advertising via his website. If I have “x” number of connections on LinkedIn then at least “x” people are saying that they know I exist and that they are not ashamed to be associated with me (at least as far as LinkedIn is concerned).

But a number of things have started happening that I don’t like. These include:


This person has suddenly appeared at the top of the list of “people you may know” in my LinkedIn account – just days after I started an email exchange with her.

People showing up on LinkedIn as being “people I may know” that LinkedIn could not possibly have deduced from my current connections. Indeed, LinkedIn don’t suggest they are first, second, or third degree “connections”. I have always scrupulously denied LinkedIn access to my contact lists. And yet, the only thing that a lot of these “people I may know” have in common is that they are, in fact, in my address book. If LinkedIn has obtained my contacts legally then I can only think that they must have bought another service – of which I am a member, and to which I have inadvertently revealed my address book. In any event, I don’t like it. Online services taking over other services and then pooling information about their users is one of the most insidious misuses of data online that I can think of.

More and more emails being received from people I don’t know, asking me to “connect with them” on LinkedIn. LinkedIn is not supposed to be like some stupid social networking sites where the aim is to get as many “followers” or “friends” as you can – irrespective of whether you actually know them. It’s supposed to be about business networking. There’s going to be no point in it at all if you can’t trust that the relationships are genuine.

There has been a lot of press about LinkedIn being hacked and about LinkedIn allegedly misusing information gleaned from users’ email accounts. If you suspect that people in your address book have been receiving invitations to join LinkedIn – apparently instigated by you – then do have a look at this link:

LinkedIn customers say Company hacked their email address books

And these pages don’t exactly inspire trust, either:

Your leaked LinkedIn password is now hanging in an art gallery
LinkedIn hack
LinkedIn passwords hacked

Perhaps it was one of these episodes that gave rise to a client phoning me last week with the news that her Gmail account had been hacked and her contacts were receiving some very strange email messages that were supposed to have come from her. She said that she had just been exploring LinkedIn (where she has an account) and that this hacking happened just afterwards. I realise that there is no proven connection with LinkedIn, but that doesn’t stop my uneasy feeling about them.

Luckily, the hackers used her Gmail account to send all these strange messages, but they didn’t change her password. The only reason I could think of for this was that they’d got access to so many accounts that they were content with a “one-time use” of her account. We were very, very, lucky. I have tried to recover Gmail accounts from Google before (see this blog on Gmail Passwords) and it can be very difficult. When trying to prove ownership of your hacked account, Google will ask some impossible questions – such as “on what date did you open the account”!

Anyway, in this instance we were able to access the account and change the Gmail password. I’d like to take this opportunity to remind you not to use the same password several times (or similar ones such as mydog1, mydog2, mydog99 etc), as anyone who has obtained one site’s list of email addresses and passwords – usually with an automated tool that tries the whole list against other services – may well try the same combination, or obvious variants of it, on other sites – see this blog on re-using passwords.
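The two posts above make the same point from different angles: keep a record of which password you used where, and never reuse one or a near-copy of one. As an added example (my own, not the blog’s code), here is a small check you can run over that record to find exact reuse and the mydog1/mydog2/mydog99 kind of variant, and to answer the question from the scam story directly: which of my accounts does the password quoted in a threatening email actually match? The vault below is a constructed stand-in for a password-manager export, the account names and the leet-substitution table are assumptions, and none of the values are real credentials.

```python
"""Added example (not the blog's own code): spot exact password reuse
and trivial variants across accounts, and work out which accounts a
password quoted by a blackmailer really matches."""
import re
from collections import defaultdict

# Constructed stand-in for a password-manager export. None of these are
# real credentials; the account names are an assumption.
SAMPLE_VAULT = {
    "linkedin.com": "Mydog2012",
    "mac-admin": "Mydog2012",
    "webmail": "mydog99!",
    "shop": "mydog1",
    "bank": "Tr0ub4dor&3",
}

# Digits and punctuation people bolt onto the start or end of a password.
_EDGE_JUNK = r"[\d!@#$%^&*.?_+-]+"
# Common "leet" substitutions, undone: 0->o 1->i 3->e 4->a 5->s @->a $->s
_LEET = str.maketrans("01345@$", "oieasas")


def normalise(password: str) -> str:
    """Reduce a password to the root that a credential-stuffing tool
    would mutate around: lower-case, strip leading/trailing digits and
    symbols, undo common leet substitutions."""
    root = password.lower()
    root = re.sub(_EDGE_JUNK + "$", "", root)
    root = re.sub("^" + _EDGE_JUNK, "", root)
    return root.translate(_LEET)


def find_reuse(vault: dict) -> dict:
    """Group accounts by password root and report every root shared by
    two or more accounts, noting whether any of them share the exact
    same password rather than just a variant."""
    groups = defaultdict(list)
    for account, pw in vault.items():
        groups[normalise(pw)].append((account, pw))
    report = {}
    for root, entries in groups.items():
        if len(entries) < 2:
            continue
        distinct = {pw for _, pw in entries}
        report[root] = {
            "accounts": sorted(account for account, _ in entries),
            "exact_reuse": len(distinct) < len(entries),
        }
    return report


def accounts_matching(vault: dict, quoted: str) -> dict:
    """Which accounts does a quoted password hit, exactly or as a variant?
    If the answer is 'none, exactly', the sender is quoting an old or
    breached password and has proved access to nothing."""
    root = normalise(quoted)
    exact = sorted(a for a, pw in vault.items() if pw == quoted)
    variant = sorted(a for a, pw in vault.items()
                     if pw != quoted and normalise(pw) == root)
    return {"exact": exact, "variant": variant}


if __name__ == "__main__":
    for root, info in find_reuse(SAMPLE_VAULT).items():
        print(f"root {root!r}: {info}")
    # Constructed: an old LinkedIn-era password a scammer might quote.
    print(accounts_matching(SAMPLE_VAULT, "mydog2009"))
```

Run against a real export, the `exact` list for a quoted password tells you which accounts to change first, and the `variant` list tells you which ones an attacker would try next.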

Add all these things together and I’m now teetering on the edge of closing my LinkedIn account. Certainly, I changed my own LinkedIn password as soon as possible after the above incident. I would advise you to do the same.

Computer error messages are only as good as the programs that call them

In other words, if the program is badly designed or badly tested then you may not be able to glean any useful information from a displayed error message other than “something’s gone wrong”.

Here’s an example that I would guess at least 80% of computer users have encountered at some time:

Your email is automatically being checked in the same way that it’s always automatically checked every five or ten minutes when suddenly a box pops up suggesting that your password is wrong. I have known people spend hours trying to find the “right” password, whereas the real problem is that there is something else preventing the email from being accessed. The password hasn’t changed and it isn’t wrong. Or, more likely, the password wasn’t wrong when the error message popped up, but you’ve now tried so many different possible combinations that you have little chance of getting back to the right one if you haven’t properly recorded the password somewhere. See one of my previous harangues on this subject.

I had something a bit like this happen to me this morning. Too early in my brain’s daily cycle to tackle anything meaningful, I idly clicked on a new email from LinkedIn advising me that someone had kindly “endorsed” me for something (no, I’m not convinced, either, that any of this stuff has any merit or meaning). Then I clicked on the “People you may know…. see more” link on the LinkedIn website. Instead of leading me to waste another precious three minutes of my life wading through pages of people I may know, I was taken to a badly formatted page that suggested that I was being penalised for having had too many of my “let’s be friends on LinkedIn” requests rejected by people saying they don’t know me.

Huh? How come? I never send such requests to people I don’t know. Even allowing for the odd case of poor memory, it’s just not possible that LinkedIn’s allegation could be true – and I’m not paranoid enough to be persuaded otherwise.

Well, the caffeine finally kicked in and I got on with my day. A little later, a website that I visit from time to time wouldn’t take me to a particular page and I happened to notice that there was a reference at the bottom of my browser (Firefox) to JavaScript. Nothing was happening and the reference to JavaScript just stayed there. “Aha”, methinks, “maybe JavaScript has got itself turned off”. So I dived into Firefox’s “config” page (bravely ploughing on past Firefox’s wonderful warning of “here be dragons”) and, sure enough, JavaScript was set to “off”. No idea how it happened, but I turned it back on and the website I had been trying to access let me carry on as normal.

A little later, the caffeine had really started working on my synapses and it suddenly occurred to me that my problem with LinkedIn might have been related to JavaScript and its offness. If so, normal service should be resumed now that I’d turned JavaScript back on. And so it was. Clicking on the “People you may know…. see more” link once more displayed pages and pages and pages of people who I either don’t know or don’t want to know any more.

What had happened in this case wasn’t exactly an incorrect error message, but something in the programming on LinkedIn’s web page went wrong when a piece of JavaScript couldn’t execute, and I was left wondering what I’d done to upset LinkedIn. The answer was “nothing”. I hadn’t upset them. It was just a problem on their web page and I’d allowed myself to be misled as to the cause.

There’s definitely a moral here about not completely trusting what you read on a computer screen when it doesn’t behave the way you expect it to. Although, deep down, we really do know that a computer program (or web page) is not human and is not capable of making the infinitely subtle and nuanced decisions that human beings can make, nevertheless our initial tendency when something unexpected happens on the computer is to believe what we are looking at! Maybe that error message on the email programs that suggests that you’ve either got your username or password wrong should really say something to the effect of

“Bit of a problem, I’m afraid. Can’t access your email. Maybe your username or password has been entered incorrectly or maybe there’s some other problem. By all means have a go at re-entering your username and password. If you still get the same result then the problem lies elsewhere and I can’t help any further as I’m just a humble little error message that gets called up every time something goes wrong, and I’m ever so sorry but I’m not clever enough to suggest anything more sophisticated than checking your username and password. Oh, one final piece of advice: don’t risk re-entering your password unless you are absolutely sure that you know what it is”.

Now, why couldn’t Microsoft think of that?

© 2011-2019 David Leonard
Computer Support in London