how not to become the next hacker victim

Nov 29, 2008 16:47

I meant to post this last week, but then my LAN quit on me.

I don't know if you noticed the increase in hacked LJs. Latest hacking examples: copperbadge, dorkorific and through her shoebox_project, zarah5 and through her contrelamontre and orlandoslash (see airgiodslv's post and penknife's post).

If you clicked on links in any strange or unusual posts in any of those communities lately, especially if some new mod you've never seen before told you to go to some external site, go and run antivirus and spybot software. You may have a keylogger on your computer.

Here is copperbadge's account of what happened. And here is some more information regarding shoebox_project. zarah5v2 shares her tale here.

The hackers seem to target popular journals and/or admins of large communities. Makes sense when you consider the aim of having as many people as possible click on their keylogger-infested links.

So how are they getting access? One of LJ's Achilles' heels seems to be Hotmail's practice of recycling email addresses (see penknife's post). If you used a Hotmail email to initially sign up with LJ, make sure you are still in control of it or try signing up with your old login again.

Then you can delete old email addresses via Email Management. Don't be surprised when you cannot actually do anything on the page at first. wistfuljane has explanations for you here.

I recommend you go in and remove any old emails that you've ever used with your LiveJournal account. First, you should select the oldest email on that list that you have control over, and change your email address to that one. Once you've validated it, you'll be able to go in and remove any newer email addresses (any email added after the one you selected). For security reasons, the first-validated email cannot be removed at this time. -- marta on how to secure your LJ account.

synecdochic mentions another (albeit complicated) way in case of emergency:

If you've made certain forms of payment over the years and in certain ways (basically anything where the credit card company would have confirmed your address/card # as part of the automated transaction), and there's enough of a history of payments from that card (so it's not a case of "steal account, pay for account, write to support"), there's a chance they can go through payment verification and manually clear off all your old addresses.

This should only be used in the event that you have already lost access to your first-validated email address, as it's a very time-consuming process and doesn't even always work, as often there's not an adequate history -- because LJ has had multiple payment vendors over the years, and no longer has access to payment details from several of the older ones -- and certain payment types, such as check, PayPal, etc, don't provide sufficient information to establish and verify identity. But in the event of disaster, it's one more thing that can be used.

It's also not something you ask Support for, because a). they have no access to that kind of thing and b). you don't want your personal verification details hanging out there where anyone can see. You open a request with the Account Payments team, or email accounts@livejournal.com.

If you are a doofus like me who doesn't even remember ever owning the oldest email on the list, there is another way: set a security question. That way LJ will prompt you before resetting your password. Never use a question/answer combination that can be found out from your journal entries. cleolinda had the good idea to choose something completely random. Make it impossible to guess or glean from your journal entries.

Example: What is your favourite colour? Highschool football.

See, nonsensical. But do remember to write down the answer, just not in a computer file. A piece of paper is fine; we are dealing with hackers after all.

And if you still end up losing control over your journal, here is what LJ recommends you do.

Now, there is another issue that may or may not be related to it. Maybe you've noticed random friending by Cyrillic journals. I stumbled across a series of entries by nympholept. It seems like those journals are bots. They may or may not save/repost your entries. Nobody seems to know what they do. Just to be on the safe side, report them to LJ Abuse, and do not friend them back or give them access to locked entries.

Backup Tools: (repost from my Strikethrough entry)

http://fawx.com/software/ljarchive - lj backup tool (windows)
http://logjam.danga.com/ - lj backup tool (linux)
http://connectedflow.com/xjournal/ - lj backup tool (mac)
http://www.ljbook.com/ - lj backup tool (mac)
http://hewgill.com/software/ljdump/ - lj backup tool (mac)
http://www.livejournal.com/support/faqbrowse.bml?faqid=8 - LJ's own backup tool
http://www.livejournal.com/editprivacy.bml - complete lock-down tool for paid account users
http://antennapedia.livejournal.com/238132.html - Extracting LJ entries into local files, OS X edition, thanks to antennapedia
http://antennapedia.livejournal.com/266462.html - Journal migration tool, thanks to antennapedia

Security tools:

Markup Validation Service - check to see if a link leads to where it claims it leads
Spybot - anti-spyware software
Ad-aware - anti-spyware software
Key Scrambler - anti-keylogger addon for Firefox & IE (thanks to irreparable in the comments)
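
The first check on that list (does a link lead where it claims to lead?) can also be run over the HTML of a suspicious post. The sketch below is an added example, not part of the original post or any LJ tool; the sample post, the example.net / example.org hosts, the example_comm community and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE = "livejournal.com"  # assumption: only hosts under this domain count as on-site
# Constructed sample post; example.net / example.org stand in for unknown sites.
SAMPLE_POST = """<p>Big news from the mods! Log in at
<a href="http://livejournal.com.example.net/login">http://www.livejournal.com/login</a>.
Rules are <a href="http://community.livejournal.com/example_comm/profile">here</a>,
the video is <a href="http://video.example.org/watch">here</a>, help is <a href="/support/">here</a>.</p>"""

class AnchorCollector(HTMLParser):  # gathers (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # host a browser would contact; "" for relative links
    if "//" not in url:
        url = "//" + url  # urlsplit needs // to recognise a host
    return (urlsplit(url).hostname or "").lower()

def on_site(host):
    # exact domain or a true subdomain; "livejournal.com.example.net" fails
    return host == SITE or host.endswith("." + SITE)

def audit(html):
    """Return (href, reason) for every link that deserves a second look."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = host_of(href)
        if not real:  # relative link, stays on the current site
            continue
        # the visible text only counts as a claim if it looks like a URL
        claimed = host_of(text) if "." in text and " " not in text else ""
        if claimed and claimed != real:
            findings.append((href, f"text shows {claimed}, link goes to {real}"))
        elif not on_site(real):
            findings.append((href, f"external site: {real}"))
    return findings
```

Calling `audit(SAMPLE_POST)` flags the look-alike login link and the off-site video link, and leaves the genuine community link and the relative link alone.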

Further reading:

hacking:
http://community.livejournal.com/cult_sbp/792846.html
http://copperbadge.livejournal.com/2610603.html
http://isiscolo.livejournal.com/449003.html
bots:
http://community.livejournal.com/lj_support/762150.html
http://asylums.insanejournal.com/07refugees/82776.html
http://asylums.insanejournal.com/07refugees/81670.html
keyloggers:
http://www.securityfocus.com/infocus/1829
http://en.wikipedia.org/wiki/Keystroke_logging

In conclusion:
  • take control of your email accounts
  • remove old and unused accounts
  • set a security question
  • back up your LJ
  • contact LJ Abuse if you notice something suspicious


ETA [Dec 1st]: via azurelunatic in the comments:

I hear via announcements to the Support volunteer community that LJ is aware of the vulnerability that a first-validated email address not within your control causes, and is working on a tool that would be able to remove such addresses. However, I do not have a timeframe on when this would be available, [...]

ETA [Dec 6th]: From what looks to be a case of utter incompetence by LJ staff (see wistfuljane's post for more righteous anger), zarah5 has seen her journal return from the dead while still being locked out, only to wake up this morning to find her journal turned into an empty shell.

And you know this means the hacker has access to locked entries from people on Zarah's old flist, right? I had to remove the journal of a person I have known for years today. *sadface*

furiosity posts about incidents in HP fandom where the hacker(s) spam popular communities with their keylogger-infested links. Be careful what you click! If someone claims outrageous news and wants you to click on external links, be very cautious and double-check the source.

The maintainers of deamus are suspended right now, as well as the community hp_ot3.

ETA [March 5th]: And they are back. It hit depression this time.

LJ released the above-mentioned tool to delete old email addresses.

After changing to a new email address for use with an account, verifying it, and using it on the account for six months, it becomes un-removable, but allows for all earlier email addresses to be removed on the Manage Email page.

ETA [March 10th] new information from azurelunatic

When reporting a suspected bot, please go here.

As you may be aware, we changed the method for reporting bots. Please tell all users who open reports of bots on the public tech support board that they must report these journals to Abuse by visiting this link: http://www.livejournal.com/abuse/bots.bml. (Don't bother moving the request to Abuse unless there's urgent or private content in there, because that's the answer they'll get there anyway.)

Since I've received questions, please let me clarify: Abuse is no longer processing long lists of usernames because each of those giant lists has to be hand-checked, translated, etc., and urgent abuse cases get lost in the multiple bot reports, which are still important but not nearly as urgent as other things we need to handle. We cannot make exceptions. If everybody uses the new system, we get excellent aggregate data that can help the hand-checking go much, much faster, which also helps the caseload in Abuse to stay manageable.
