Anatomy of a Domain Hijacking, part 2: The Website Who Came In From The Cold
When secretGeek.net was taken I swore a solemn oath to myself:
My relentless campaign of jokes and nonsense will not be stopped.
And now, just a couple of long weeks later, here I am, happy to report I'm back in control of secretGeek.net.
Right when I was ready to migrate over to leonbambrick.com, I got an email from the Russian registrar, Regtime Ltd, saying:
Sorry for answer delay. Domain was transferred onto you account.
The number one thing, I think, that helped get the site back was when a good friend, Madina, translated a lengthy email into fluent Russian for me to send to the Russian Registrar.
She re-structured the email to put the sob-story up front, all about how much personal meaning this site has for me, and the positive effects it has had on my life. I think that did the trick.
So what did we learn?
I learnt that passwords at google can be brute forced, if pop is enabled. This can be sped up by use of multiple IP addresses, or a botnet.
That's the most likely way they got access to my account. My password was 'good' by gmail standards but is now 'freaking solid' by any standard.
And I've turned on 2-step verification, plus all the other recommendations from part 1.
Thanks for the encouragement and support. It was dark times, but now the nonsense can continue.
'Chip Camden' on Tue, 07 Jun 2011 22:09:53 GMT, sez:
Excellent, Leon! Welcome back.
'David H' on Tue, 07 Jun 2011 22:29:03 GMT, sez:
Благодарим Вас за Ваш визит. Пожалуйста, приходят снова.
'David H' on Tue, 07 Jun 2011 22:34:10 GMT, sez:
Boo to automatic reformatting of Cyrillic into HTML code ; )
'Barry Kelly' on Wed, 08 Jun 2011 01:55:43 GMT, sez:
I use a 10-character alpha-numeric password in turn generated from an even longer alpha-numeric passphrase (a similar mechanism to SuperGenPass and its ilk, so the generated password is different for every site I use it on); this particular source passphrase is only used for Google and a handful of high-security accounts. I estimate that, according to that seclist link you referenced (1200 attempts per account per day), with 10 billion accounts hammering away at POP it would take an average of 96 years to break into my account.
I recommend using something like SuperGenPass even with its limitations[*] all the time, because it's almost trivial and adds substantially to your security.
[*] The limitations are that the default bookmarklet is implemented via dynamic HTML in the page where the password box itself occurs. This means that a malicious page can potentially snoop on your password before it gets generated into the final password that actually gets sent across the wire, thereby getting access to the master key. This attack is mitigated by having different security levels of "master password". Any trivial crack of a password database (e.g. Gawker, Sony etc.) won't reveal your master password, and even if someone attacked the hashing algorithm, they'd still only get a weak security master key, unless they broke into your bank's website etc., in which case you have bigger problems.
'mike' on Wed, 08 Jun 2011 02:05:01 GMT, sez:
Glad it all worked out. Good of you to document this also for the benefit of the rest of us.
'Misty Fowler' on Wed, 08 Jun 2011 17:25:46 GMT, sez:
I'm so happy that your domain got hijacked! If it hadn't, then I might never have known about this site, and my life wouldn't be nearly as complete. Thanks, hackers!
P.S. I'm even more happy that you got it back.
'Jon Schneider' on Thu, 09 Jun 2011 00:00:07 GMT, sez:
That's great, Leon. I'm glad this worked out for you.
And thanks for sharing the story. I went and strengthened all of my passwords after reading Part 1...
'Steve Trefethen' on Thu, 09 Jun 2011 05:16:46 GMT, sez:
Congrats Leon. I've enjoyed your work keep it coming!
'Juan Manuel' on Thu, 09 Jun 2011 13:00:15 GMT, sez:
Nice, I was hoping for a happy ending! ;)
'Claire' on Thu, 09 Jun 2011 15:22:21 GMT, sez:
I use passwordsafe (http://passwordsafe.sourceforge.net/) and so far, so good. I did change my master pw after reading part 1 though. Glad to see you wrested control back from the hackers!
'Gregg' on Fri, 10 Jun 2011 15:55:46 GMT, sez:
'OJ' on Sat, 11 Jun 2011 01:03:46 GMT, sez:
Let me guess, your Gmail password was 'meatbag'? :)
'MJ' on Tue, 26 Jul 2011 10:02:56 GMT, sez:
I've had this very annoying problem with GMail where another guy has the same user name, but with a period in between. Google says the two user names are the same, but tell that to the other guy! He signs up on Facebook, etc. using this email address (with a period), and sure enough, I get the Facebook notifications!
I enabled 2-step authentication, and the problem has become far, far less.
'CariD' on Thu, 11 Aug 2011 05:25:38 GMT, sez:
Great to know you've taken back the control of secretGeek.net! I'm happy for you! You're lucky to have Medina who made a big help. And thanks a lot for sharing the good lesson you learned out of this experience. I swear I never knew till I read this article that passwords at Google can be brute forced, if pop is enabled. It made me so disturbed but at least now now I know what to do. Thanks to you!