Archive for January, 2009

The true concern

Wednesday, January 14th, 2009

Last week it was publicized through various media outlets that a number of Twitter accounts had been compromised and were being used to send out sensational and sometimes commercial “statuses.”

http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html

http://www.techcrunch.com/2009/01/05/twitter-gets-hacked-badly/

Amongst those compromised were President Obama’s and Facebook’s.  The kid behind it, GMZ, says he obtained access by guessing the password of a Twitter employee and then using that to steal other people’s accounts.  (By guess he means run a brute force password cracker utilizing a dictionary of words to try.)

The easy fix is to change the passwords.  This is the standard solution for compromises of this sort, be it Twitter, YouTube, MySpace, Facebook, etc.

Problem solved, right?

Not quite.  What happened to the information taken during the compromise?  Namely, what happened to the email address that serves as a login credential/username, and the password?

If I were a bad guy, I would be using that information like mad. 

That email address equals a real person that I can send spam to over and over again.  Or, I can sell the email address as part of a list to other spammers. 

The more nefarious activity is to take that email address and password and try to log into every site I can imagine where an email address is used as a user name.  The information I could collect by doing something like this is incredible. 

But it shouldn’t work, right?  People don’t use the same password over and over again, do they?  Actually they do.  About 94% of the time the password is either the same or a variation of the same password.  Utilizing a ‘bot or scripted program to access these accounts I can collect friends’ email addresses, I can spam from within the stolen account, I can read your email and messages, and I can steal the account outright by changing the password.

This scenario is the true concern; what are they doing with the information stolen?

So the next time you hear about a compromised Facebook or YouTube account, think about all the other accounts the intruder may have access to and what they may be doing with them.

Then think about your own usernames and passwords (yes words) and the fact that you may need to change them as well.
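To make that self-check concrete, here is an added example (not part of the original post) that takes one compromised account and lists the other accounts whose password is the same or a variation of it. The site names, sample passwords, substitution map and 0.8 similarity threshold are all constructed assumptions; run a check like this only locally against your own password list.

```python
import re
from difflib import SequenceMatcher

# Heuristic map of common character substitutions (an assumption, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def base_word(password):
    """Lowercase, strip leading/trailing digits and symbols, undo substitutions."""
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password.lower())
    # Fall back to the raw lowercase form for all-digit/all-symbol passwords.
    return stripped.translate(LEET) or password.lower()


def is_variation(a, b, threshold=0.8):
    """True when two passwords are identical or share a near-identical base word."""
    x, y = base_word(a), base_word(b)
    return x == y or SequenceMatcher(None, x, y).ratio() >= threshold


def accounts_at_risk(compromised_site, vault):
    """Sites whose password is the same as, or a variation of, the compromised one."""
    leaked = vault[compromised_site]
    return sorted(site for site, pw in vault.items()
                  if site != compromised_site and is_variation(leaked, pw))


# Constructed sample data: site name -> password, as kept in a local password list.
SAMPLE_VAULT = {
    "microblog.example": "Sunshine09",
    "webmail.example": "Sunshine09",          # exact reuse
    "video.example": "sunsh1ne2009!",         # substitution plus a new suffix
    "social.example": "$unshine",             # symbol swapped for first letter
    "bank.example": "correct-horse-battery",  # unrelated password
}

if __name__ == "__main__":
    for site in accounts_at_risk("microblog.example", SAMPLE_VAULT):
        print("change the password on", site)
```

Every site it lists needs a new password that is unrelated to the old one, not another variation of it.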

OK, enough about that.  You should note I do not say hacked; I say compromised and intruder.  A hack/hacker is something different than the common usage in the media.  I will address that the next time I post, along with information about how spammers get paid and thus why they continue to spam you.

In the beginning…

Sunday, January 11th, 2009

In the beginning there was a guy who did not know what to do about the so-called experts’ unwillingness to stop preaching to the choir and instead educate the masses.  Then one day this guy’s wife told him he was no longer allowed to complain to her because she was sick of it.  So if you can’t complain to your wife, spouse, significant other, domestic partner, etc., who do you complain to?  Well, the whole world of course, or at least anyone willing to read this blog.

With all that said, my intention with this blog is to discuss things in the news and give you my perspective on what is missing in the reporting.  For years I served as a law enforcement agent in an undercover capacity.  That experience has allowed me to think like a bad guy.  Couple that with knowing what can and will be investigated, and I have determined that if I were truly a bad guy and I took advantage of the schemes, scams and tricks I have been taught/experienced, I would be a gazillionaire.

But I’m not a bad guy and thus I’m not a gazillionaire.  What I am is a guy who believes that if I can educate people to the schemes and scams then maybe they will not fall for them and thus not become victims.  I will lay out the potential scams as I see it and then tell you, the reader, what to do to avoid becoming a victim.

For the bad guys out there, this is not a how-to for crooks.  I will leave out key components and will of course log all that I can from those who visit the site.  The Internet does not make you untraceable if you are a trained investigator and I assure you I am.

I will also accept questions from the readers asking how a fraud scheme is perpetrated and what to do if you have been a victim.  To these points I make the promise that if I do not know the answer, I will find someone who does and share it with you. 

I will also do my best to give credit where credit is due, so if I screw up and don’t link to the right article or credit the right reporter, I trust you to bring that to my attention so that I can rectify the situation.

Tomorrow I will post about the recent Twitter compromise and what the real significance of such an intrusion is.  It is not the fact that messages were sent out saying Bill O’Reilly is Gay or President Obama wanting to have you sign up for ringtones.