Hacked off! Lawrence computer users exposed to a variety of hacking techniques to compromise online accounts

Friday, February 26, 2010


Screenshots from YouTube

Screenshots of the results from the hacking of Lawrence High School's YouTube account (top and center) and Free State High School's YouTube account (below).

Odds are you’re very careful with that password to your online bank account.

But are you equally protective of your other online accounts? Yahoo!, Gmail, Facebook, Twitter, LJWorld.com … and all the dozens of other sites you visit?

For a lot of Internet users, the answer is “not exactly.”

The hacking of two Lawrence high school classes’ YouTube accounts this week serves as a cautionary tale.

Students at Free State and Lawrence high schools each produced “lip dub” videos that recently got a lot of publicity here and around the country. Lawrence High’s version was so impressive that it got well over 130,000 views on YouTube. Quite an accomplishment.

But all that work was undone when a student from Free State High School hacked into the LHS account and made dozens of unflattering modifications to the video. Some of the changes couldn’t be undone, and so the video — along with the view tally and comment thread — had to be removed.

In gaining access to Lawrence High’s YouTube account, the hacker didn’t need spy-level computer programming skills — all that was required was a little persistence.

That’s because the password, like so many out there, was easy to guess.

Think your passwords aren’t easy to guess? So did the Free State students. Nevertheless, their YouTube account was hacked in turn, and now the video they worked so hard on is also ruined.

(Both original videos, pre-hack, can still be found on our site here and here.)

Officials from both schools declined to comment on the record about the incidents, but it’s clear the teachers and students involved are frustrated and upset that their online accounts were so vulnerable.

“There isn’t a way to be completely secure anywhere,” says Frank Wiles of Revolution Systems, a Lawrence-based computer consultant. “You’re not completely safe driving (to the store) or even walking out your front door. One-hundred percent security isn’t possible in the real world, and it isn’t possible in the digital world.

“However, just like in real life, you do the most logical things — locking your doors, avoiding dark alleys, not leaving a gold bar sitting in the back seat of your car, etc. — and hope for the best,” Wiles says.

In the digital world, he says the logical things you can do to protect your account include:

1) Pick adequately secure passwords.

For example, DON’T use:

• an area mascot, a pet or a family member’s name (even if followed by 0 or 1; a lot of people do that),

• anything remotely similar to the log-in username,

• the last four digits of your Social Security number,

• 123, abc, etc.,

• the birthday of someone in your family,

• “password” or “letmein”,

• in fact, don’t use any word from the dictionary.

(Here's a great blog on how to create a secure password).
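The list above can be turned into an automatic check at sign-up or password-change time. The following is an added example, not code from the article or from Wiles; the function names, the sample word list, the 0.6 similarity threshold and the sample username are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data (assumption): a real check would load a full word list.
COMMON = {"password", "letmein"}
SAMPLE_WORDS = {"sunshine", "dragon", "monkey", "football"}
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz")


def _is_sequence(pw):
    """True if pw consists only of runs of 3+ consecutive letters or digits."""
    i = 0
    while i < len(pw):
        run = 1
        while i + run < len(pw) and any(pw[i:i + run + 1] in s for s in SEQUENCES):
            run += 1
        if run < 3 or not any(pw[i:i + run] in s for s in SEQUENCES):
            return False
        i += run
    return len(pw) >= 3


def weak_reasons(password, username="", personal_names=(), words=SAMPLE_WORDS):
    """Return which of the article's "don't use" rules the password breaks."""
    pw = password.lower()
    core = pw.rstrip("0123456789")  # "rex1" -> "rex": a trailing digit adds nothing
    user = username.lower()
    reasons = []
    if core and core in {n.lower() for n in personal_names}:
        reasons.append("mascot, pet or family name")
    if user and pw and (user in pw or pw in user
                        or SequenceMatcher(None, pw, user).ratio() >= 0.6):
        reasons.append("similar to the username")
    if re.fullmatch(r"\d{4}", pw):
        reasons.append("four digits, like an SSN tail")
    if re.fullmatch(r"\d{6}|\d{8}|\d{1,2}[-/.]\d{1,2}[-/.]\d{2,4}", pw):
        reasons.append("looks like a date")
    if _is_sequence(pw):
        reasons.append("counting or alphabet sequence")
    if core in COMMON:
        reasons.append("among the most common passwords")
    elif core in words:
        reasons.append("dictionary word")
    return reasons


if __name__ == "__main__":
    for candidate in ("Rex1", "abc123", "letmein", "1234", "v9#Lq2!xTz8w"):
        print(candidate, "->", weak_reasons(candidate, "lhsvideo", ["Rex"]) or "no rule hit")
```

An empty result only means none of the listed rules was hit; it is not a measure of password strength.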

Also, it’s important to not use the same password for all your online accounts. Wiles says there are a number of ways to keep track of dozens of different log-in combinations.

“Remembering passwords to all of the sites we use is hard,” Wiles says. “There are programs like OnePassword for Macs … that help.” RoboForm is a popular program for PCs.

“If you don’t want to go to that much trouble, set up three different layers of passwords,” he says. “My advice to most people is to set up a low-security password that you use most everywhere that requires a login, a medium-security password that you would use for something like Facebook, and then individual higher-security passwords for your online banking, stock trading, Paypal and the like.”


Screenshots from lawrence.com's Twitter inbox

Example messages from the recent spate of Twitter phishing scams.

2) Don’t click on links in e-mails or messages on Twitter, Facebook, etc.

Phishing scams have been around since the early days of e-mail, but these days they’re often more subtle than the wealthy Nigerian asking you to let him wire you money.

Facebook and Twitter users have recently been inundated with vague messages seemingly from their friends asking them to click a link.

Lawrence resident Lindsay Frye considers herself a “very knowledgeable” computer user, but she was snared by this tactic.

“The hacker sent out spam mail to ALL of my friends with a link to click on, saying something like I had a pic of them,” Frye says. She quickly noticed something was up and changed her password, which resolved the issue. But she’s heard of much more damaging results from the scam.

“I actually had a friend where the hacker got on her chat and asked for money and some of her friends ended up wiring money, thinking it was really her,” Frye says.

Wiles says a sound practice is to only enter sensitive information into a site that you got to by manually typing in the URL.

“Become ESPECIALLY concerned if, after clicking a link in an e-mail, somebody asks you to log in or provide any sensitive information. Just close your browser and then go back to the site by hand just to be safe,” he says.

3) If it seems too good to be true, it probably is.

Wiles says one of the most common ways that computer users’ information is accessed is through viruses or so-called “malware” infecting their PCs. Exposing your computer to these attacks is as easy as clicking a scam advertisement or otherwise visiting a malicious site.

Wiles says it’s just prudent to resist anything like, “Fill out our online survey and win a trip to Alaska!”

“If it isn’t a brand or company you recognize — HGTV, for example — then it’s probably best to avoid it,” he says.

“One mistake people make is they believe viruses are a natural part of computing, as they exist in nature. Viruses only exist because someone messed up and left a security hole,” Wiles says. “It’s really an arms race as bored teen geniuses along with people with a strong profit motive build a better virus. It takes a while for the anti-virus vendors to see it and adapt their products to protect against it.”