Email Hacking, Hijacking, Spamming and Internet Safety

Today’s blog is off-topic.  It’s not about DNA, but it’s about something every bit as pervasive and something every person who accesses the internet needs to be aware of and understand.  Today, we’re going to talk about how e-mail accounts get hacked and hijacked, what the difference is, how those spammy one-line-link e-mails are sent, and, both as a person whose e-mail has been compromised and as an e-mail receiver, what you can and should do to protect yourself. If you haven’t already been a victim on one end of this scheme or the other, you likely will be.  If you received one of these types of e-mails from me today, you know why I’m writing this article.

So I’m finally taking a few days off.  I’m at a retreat.  I wake up this morning to a gloriously beautiful spring day and lay there in bed thinking how lucky I am as the sun streams in the window.  I reach over to the bedside for my iPhone to see what kind of e-mails have come in overnight, and there is a series of e-mails with the word “Hacked” in their titles, addressed to me.  I can tell right there, it’s not going to be a good day.

Yes, the people in one of my address books were receiving those nasty one-line-link e-mails.  This one happened to be for Viagra.  Worse yet, some of them had clicked on the link, and then when they saw the topic, they realized the e-mail was not really from me, even though the e-mail “from” address was mine, and e-mailed me to tell me so – including my husband who happened to think the Viagra link was hilarious.  Good thing he has a sense of humor.  Let’s just say I was much less amused.

Hacking vs Hijacking

As it turns out my e-mail address had been hacked.  It had not been hijacked.  What is the difference you ask?  A lot.

A hack job means your password has been compromised and the villain (that’s what we’ll call the hacker) has actually signed on to your account, read any e-mails coming in, looked through your inbox, your saved folders, especially any banking type of folders or one that you’ve named, God forbid, “passwords.”  It also generally means that the villain may have also changed your password and then your security questions so now you don’t and can’t get access to your own account.

If you’re lucky, they only send those spammy e-mails.  If you’re not lucky, the villain then changes your password and sets about to use you and your account to defraud people.  The best example I can think of is the e-mail that almost everyone has received at one time or another that goes something like this:

“Dear Joe,  I write you with tears in my eyes.  I’m at a hotel in London (or fill in the blank any other city out of the country) and my billfold was stolen.  I have no id or any money to pay the bill and I cannot leave the country without paying the hotel bill.  Can you please advance me some funds and I will pay you back immediately upon returning home.”

Well, obviously, anyone who replies to “you” is really talking to the villain now, and anyone who DOES advance “you” money is giving it to the villain who lives someplace far from here and is not traceable nor accountable in the US – generally in Russia.  Now you would think that this scheme, being as old as mud, would fail miserably, but it doesn’t because there are still naïve people out there who want to help.

If this happens to you and your password has been changed, contact your e-mail provider immediately for assistance as that is the only way you can resolve this situation.  Time is of the essence here – so do not delay.

Here’s a link that further discusses this phenomenon and recent Yahoo e-mail compromises.

Ok, that’s hacking.

What Is E-mail Hijacking?

Hijacking is when the villain uses your e-mail address, but not your address book, to send spammy or virus-filled e-mails to random people who you don’t know and have never communicated with.  Basically, they use your e-mail address to “fill in the blank” of the “sending” address.  They do not have to gain access to your account to do this. It’s also known as “spoofing” for obvious reasons.

Often, the first symptom you’ll see of this is lots of bounced e-mails that you didn’t send.  Many times, these links contain viruses that take over computers, steal the address books from non-cloud-based e-mail systems and worse if the recipient clicks on them.  Sometimes, out of curiosity, you’ll click on them in the bounced e-mail too, to see what “you” sent.  Don’t do it, no matter how curious you are.

The good news is that with a hijacked e-mail address, the villain has not compromised your actual account.  If they have sent the spammy e-mails to your contacts, then your account has been compromised, hacked, but changing your e-mail password (and making sure they have not set up a second or alternate e-mail address under your account) generally takes care of it.

The bad news is that once hijackers have your e-mail address as fodder, there is virtually nothing you can do to stop this type of activity.  Frustrating?  Indeed.  At this point, it’s up to the recipients to be savvy enough to recognize this type of e-mail and to not click on the links, which spread the virus further.

As a recipient of one of these e-mails, one clue that indicates a hacked account versus a hijacked account is to look at the list of recipients.  If they are in alphabetical order, meaning that your e-mail address begins with r and you are in the middle of a group of r addresses, and you know the sender, it’s probably a hacked account and the spammer is going through the contact list but only sending to small numbers of recipients at a time so that they will not be caught in the service providers’ spam traps.  You need to notify the sender whose account has been hacked.  If the message looks spammy, but you don’t know the sender and there is no list of recipients, then it’s probably a hijacked e-mail address.

This is much worse with cloud-based e-mail systems.
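The recipient-list clue described above can be applied mechanically to a saved message. This is an added example, not part of the original post: the function names, verdict labels and sample messages are constructed for illustration, and because the “from” address can be filled in by anyone, the result is a hint rather than proof.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

URL_ONLY = re.compile(r"^https?://\S+$", re.IGNORECASE)

def recipients(msg):
    """Lower-cased To/Cc addresses; placeholders with no address are dropped."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if "@" in addr]

def is_one_line_link(msg):
    """True when the plain-text body is a single line holding only a URL."""
    part = next((p for p in msg.walk()
                 if p.get_content_type() == "text/plain"), None)
    if part is None:
        return False
    raw = part.get_payload(decode=True) or b""
    body = raw.decode(part.get_content_charset() or "utf-8", "replace")
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return len(lines) == 1 and bool(URL_ONLY.match(lines[0]))

def triage(raw_message, my_address, known_senders):
    """Return (verdict, signals) using the clues from the article."""
    msg = message_from_string(raw_message)
    me = my_address.lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = recipients(msg)
    signals = {
        "sender_known": sender in known_senders,
        "alphabetical": len(rcpts) >= 3 and rcpts == sorted(rcpts),
        "listed": me in rcpts,
        "clustered": False,
        "one_line_link": is_one_line_link(msg),
    }
    if signals["listed"]:
        # "In the middle of a group of r addresses": neighbours share my initial.
        i = rcpts.index(me)
        neighbours = rcpts[max(i - 1, 0):i] + rcpts[i + 1:i + 2]
        signals["clustered"] = bool(neighbours) and all(
            n[0] == me[0] for n in neighbours)
    if (signals["sender_known"] and signals["alphabetical"]
            and signals["clustered"]):
        return "likely-hacked-account", signals
    if (signals["one_line_link"] and not signals["sender_known"]
            and not rcpts):
        return "likely-spoofed-address", signals
    return "inconclusive", signals

# Constructed sample messages (not real mail).
KNOWN = {"pat@example.com"}
HACKED_SAMPLE = """\
From: Pat Example <pat@example.com>
To: rachel@example.org, ralph@example.net, rita@example.com,
 rob@example.org, ruth@example.net
Subject: hi

http://example.invalid/offer
"""
SPOOFED_SAMPLE = """\
From: stranger@example.net
To: undisclosed-recipients:;
Subject: hi

http://example.invalid/offer
"""
NORMAL_SAMPLE = """\
From: Pat Example <pat@example.com>
To: zed@example.org, rita@example.com, amy@example.net
Subject: Retreat photos

Here are the photos from the weekend, as promised.
"""

if __name__ == "__main__":
    for name, raw in [("hacked", HACKED_SAMPLE), ("spoofed", SPOOFED_SAMPLE),
                      ("normal", NORMAL_SAMPLE)]:
        print(name, triage(raw, "rita@example.com", KNOWN)[0])
```
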

What Is The Cloud? 

A cloud-based system is any system that you sign on to the internet to use and you use online such as Yahoo, Gmail, etc.  In other words, not on your own PC.  Cloud-based systems can be accessed by cell phone or other device that is not a computer.

By contrast, I have a combination of two types of systems.  When I’m at home, I use Microsoft Outlook on my desktop system.  Outlook downloads all of my e-mails from my internet e-mail provider, Yahoo, in this case, onto my desktop system.  This means that all of my customer contacts, thankfully, are only on my desktop system which runs behind a full commercial hardware and software firewall and has the latest and greatest anti-virus/malware software (Norton Internet Security) which is run daily with any updates.  Plus my system uploads all of Microsoft’s patches as well, daily, and installs them.  Microsoft patches known security holes.  Villains exploit these known holes, especially on systems not kept current.

However, when I travel, I can’t get to my home system, of course, so I use Yahoo’s cloud-based service where I sign onto their system and read my e-mails online.  I can reply and such just like in Outlook.  For convenience, I’ve saved the e-mail addresses I use frequently in my online address book.  Those are the addresses that were compromised, and only those.

So I know the compromise was not from my system at home, which was turned off in my absence, but from the Yahoo cloud-based e-mail side of things, using my Yahoo address book.  If you don’t store any addresses in your address book, there is nothing for the villain to steal.  Now, they may still harvest your e-mail address to use in spamming others.  Here’s another link about the recent Yahoo attacks along with links from Yahoo about how to protect yourself and steps to take if you have been compromised.

Rich Pasco wrote a great article about both hacking and hijacking, also known as spoofing.

How Did This Happen?

Having spent years in the technology industry, I pretty much stick to the books.  I know the rules and abide by them.  However, no one is immune, and ultimately, this is like a common cold, it will happen to everyone.

My password was not common, no “real words” but was only 8 letters/numbers.  This is, by today’s standards, a mediocre password.  There are tools out there called password crackers that can run against your password until it’s cracked, and they are very effective.  The only way my password could have been obtained was either utilizing a password cracker, captured using some type of capture software from a public (like hotel) network, or via a Yahoo security breach.  It could not have been guessed.  Password crackers are free on the internet.  More sophisticated ones aren’t free, but for the villain, they are worth every penny.  Yahoo’s security issues are discussed in the links above.  And yes, I was staying at a hotel.

I had a hard time believing my account had been breached, but it had.  I signed on to view my recent logins, and sure enough, look at what happened at 1:19 this morning…from Russia.  I assure you, that’s not where I was visiting on my retreat.  Now since Yahoo knew enough to flag this activity, as you can see below, it would have been very nice if they had notified me.

[Image: Password hack]

It’s important to regularly change passwords and to utilize strong passwords.  Check this link for further discussion about password strength and vulnerabilities along with how to protect yourself.

10 Ways To Protect Yourself

  1. Utilize strong passwords – meaning ones that are not your pet, your address, etc.  Use nonsense words and numbers combined with capitals and non-alpha characters, like sdfg7531+?.  Pain in the butt?  Yes.  More painful than having your account compromised?  Nope.
  2. Never use the same password for multiple accounts.  If they can get into one, then you’ve given them a free ticket for all of your accounts.  Facebook, Twitter, your bank…what else?
  3. Don’t keep password or financial information in any e-mail folders.  Period.  No exceptions.  Preferably don’t keep any of that on your computer at all.
  4. Don’t store e-mail addresses in cloud-based e-mail systems.  Pain in the butt?  Yes.  But hackers can only steal what is in your address book or otherwise available to them.  By and large, they aren’t going to go through your e-mails individually to obtain addresses.  They may, however, delete your entire address book and all of your e-mails, if they are feeling particularly malicious.
  5. Always keep both anti-virus and anti-malware software up to date on your system.  If you clicked on a link that wasn’t what you expected or took you someplace you didn’t plan, run the software immediately.
  6. Never, NEVER, ever click on a one-line link e-mail no matter who it comes from.  If it looks suspicious, reply to the e-mail and ask the person if they really sent it and what it’s about.  If you don’t click on it, the worst that will happen is that you’ll miss an e-mail.  If you do click on it, you may well infect yourself and others with horrible viruses that can wreak havoc you can only imagine – or maybe can’t even imagine.  Conversely, when you send e-mails to people, always put enough verbiage that they know it’s really you.  This habit helps people identify messages that might be bogus.
  7. Don’t use public computers to check e-mail.  Be exceedingly careful about using hotel or public wifi sites as well.  If you do, change your password afterwards.
  8. Be extremely vigilant.  If something seems wrong or “funny,” it probably is.
  9. Back your system up regularly.  If your system were to be destroyed, you could recover essential items.
  10. Change your password often.  Pain in the patoot?  Yep.  Better than the alternative?  If you’ve ever been on either end of being compromised, you’ll know that it is!

Ok, back to DNA in the next article, I promise!

______________________________________________________________

Disclosure

I receive a small contribution when you click on some of the links to vendors in my articles. This does NOT increase the price you pay but helps me to keep the lights on and this informational blog free for everyone. Please click on the links in the articles or to the vendors below if you are purchasing products or DNA testing.

Thank you so much.

DNA Purchases and Free Transfers

Genealogy Services

Genealogy Research

Hackers and Your Genetic Secrets

Did that title get your attention?  Well, it was meant to, just like it was meant to in this NBC article titled “Scientists Demonstrate How Hackers Could Unlock Your Genetic Secrets.”  Or how about this one in the New York Times, “Web Hunt for DNA Sequences Leaves Privacy Compromised?”  Sensationalism sells….and so does fear.  Don’t panic, the sky is not falling.

I’ve had several people forward me a variety of links to several articles about this expressing concern.  Most people didn’t really understand what was going on…and since “family tree databases” were mentioned in the first paragraph, it frightened them.

This article says that the “security cracking trick relies on the availability of genetic information linked to surnames in a variety of public family-tree databases.”  Well, that’s sort of true, but not exactly true.  The issue is not the family tree databases, it’s the fact that the researchers in The Thousand Genomes Project, while keeping the names of those 1000 people “anonymous,” provided enough information that these scientific researchers, not hackers, were able to data mine the 1000 Genomes participants’ information to determine their Y-DNA marker values, then compared those haplotypes (marker values) just like we do in databases such as Ysearch and Sorenson.  And yes, they likely had matches to several surnames, like most of us do.

Individuals in the 1000 Genomes Project signed a release indicating that they knew that their data was to be used publicly, although their identity would not be revealed but that researchers could not guarantee their privacy.  The 1000 Genomes Project, unfortunately, posted the ages of the participants, which at the time seemed innocuous enough, and it was common knowledge within the scientific community that they all lived in Utah.  With these three pieces of information, their age, their location, and from the scientists’ data mining, a possible surname, the scientists were then able, if the surname wasn’t something like Smith or Jones, to use publicly available Google and “white pages” types of searches to find people in that state, of that age, by that surname, and then using obituaries and such, connect them through online family trees to their more distant families.  They did this with Craig Venter, for example.

This technique is nothing new to genealogists, as we’ve been finding cousins that way for years – the difference being of course that we didn’t data mine, otherwise in this case more aptly referred to as “scientific hacking,” the 1000 Genomes Project in order to find their Y-line DNA markers to determine a possible surname for them.  That is the issue and the point of this article and ironically, it’s scientists who did it, then published the “how-to” manual.

Any genetic genealogist knows, especially anyone dealing with adoptees, that you can only reveal a biological surname about 30% of the time.  In fact the scientists’ success rate was lower, 12%.  But that’s actually irrelevant in the bigger context of the article.  Their point was that they succeeded at all.

This is sort of like putting personal information on the internet, except your name, and then being surprised that someone could connect the dots and put the pieces together.  No one would be surprised today if that were to happen.  In fact, I’m sure we all have received cautions and warnings about putting too much info on Facebook because burglars were robbing homes when people were vacationing.  Many people have their hometown, their high school and their birthday and year publicly available on Facebook.  Now how many “security questions” does that answer right there?  Combine that with your dog’s name and your mother’s maiden name and you’ve got almost all of the common ones.
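The connect-the-dots effect described above, where age, location and a possible surname together narrow a release down to individuals, can be measured by whoever publishes a dataset before it goes out. This is an added example, not part of the original post or of the study it discusses: it counts how many records become unique as fields are combined (k-anonymity), and the records, field names and helper names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed records standing in for a planned release; no real people.
RECORDS = [
    {"surname": "Smith", "age": 61, "state": "UT"},
    {"surname": "Smith", "age": 61, "state": "UT"},
    {"surname": "Smith", "age": 47, "state": "UT"},
    {"surname": "Jones", "age": 47, "state": "UT"},
    {"surname": "Jones", "age": 47, "state": "UT"},
    {"surname": "Quillfeather", "age": 61, "state": "UT"},
    {"surname": "Varnstrom", "age": 47, "state": "UT"},
    {"surname": "Smith", "age": 61, "state": "CO"},
    {"surname": "Jones", "age": 61, "state": "CO"},
    {"surname": "Jones", "age": 61, "state": "CO"},
]

def group_sizes(records, fields):
    """How many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)

def k_anonymity(records, fields):
    """Size of the smallest group; k == 1 means someone is singled out."""
    return min(group_sizes(records, fields).values())

def singled_out(records, fields):
    """Records whose combination of values is shared with nobody else."""
    sizes = group_sizes(records, fields)
    return [r for r in records if sizes[tuple(r[f] for f in fields)] == 1]

def release_report(records, quasi_identifiers):
    """Map every non-empty subset of fields to (k, number singled out)."""
    report = {}
    for n in range(1, len(quasi_identifiers) + 1):
        for fields in combinations(quasi_identifiers, n):
            report[fields] = (k_anonymity(records, fields),
                              len(singled_out(records, fields)))
    return report

def withhold(records, fields):
    """Copy of the release with `fields` removed from the public version."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]

if __name__ == "__main__":
    for fields, (k, unique) in release_report(
            RECORDS, ("surname", "age", "state")).items():
        print(f"{'+'.join(fields):20} k={k} singled_out={unique}")
    # Withholding age and location lowers, but does not remove, the risk:
    # rare surnames still stand alone.
    public = withhold(RECORDS, {"age", "state"})
    print("after withholding:", release_report(public, ("surname",)))
```

In this constructed set, age and state alone leave every record in a group of at least three, while adding a surname isolates four of the ten records; the common surnames stay in larger groups.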

Aside from the fear-mongering, I have three issues with these reports as a whole.

1.  Statements like “they traced those three family tree pedigrees to find other connections between relatives and sensitive genetic data.”  Whoa, stop right there.  Just because you share a surname or even if you are a direct and immediate relative, that says nothing, absolutely nothing, about whether or not you inherited some genetically disposed health issue.  Remember, children inherit half of their DNA from each parent.  So unless they are finding identical twins or parents, one cannot infer that an entire family tree of people share frightening health traits.  It’s irresponsible to suggest otherwise.

2.  “For years, experts have worried that sensitive genetic data could be used to discriminate against patients, potential employees or would-be insurance customers.  Such discrimination is illegal when it comes to employment or health insurance, but the law doesn’t cover life insurance, disability insurance or long-term care insurance.  Theoretically an insurer could search through genetic records and turn you down because you have a genetic predisposition to, say, Alzheimer’s disease.”

Discrimination is an issue, and laws have been put in place to prohibit discrimination in the workplace.  But insurers aren’t going to sift through genetic data like a private investigator.  Suggesting this is unnecessary fear-mongering.  Insurers don’t do that, they simply tell you that a blood test is a pre-requisite of obtaining insurance.  I know, I bought life insurance and they sent a nurse to my house to verify my identity and take a blood sample.  At that time, they were looking for diabetes, AIDS and probably a whole lot more.  Today, they might be looking for genetic pre-dispositions.  I don’t know, but I do know they have a direct method of obtaining that information and it’s not spending untold hours sifting through someone else’s data that likely isn’t relevant to you anyway.

3.  This “research” project was inspired at Whitehead Institute, an affiliate of MIT, a publicly funded institution.  When Yaniv Erlich dreamed up this new hacking technique, he said he couldn’t resist trying it, so instead of simply discovering a potential issue and privately and quietly working with the proper people to resolve the issue, he decided to exploit it publicly, obtaining, I suppose, his 15 minutes of fame.  So yes, your tax dollars did indeed likely pay for some or all of this “research.”

In one of the articles,  Dr. Jeffrey R. Botkin, associate vice president for research integrity at the University of Utah, which collected the genetic information of some research participants whose identities were breached, cautioned about overreacting. “Genetic data from hundreds of thousands of people have been freely available online,” he said, “yet there has not been a single report of someone being illicitly identified.”  He added that “it is hard to imagine what would motivate anyone to undertake this sort of privacy attack in the real world.” But he said he had serious concerns about publishing a formula to breach subjects’ privacy. By publishing, he said, the investigators “exacerbate the very risks they are concerned about.”

Well, it’s obvious that these folks at Whitehead Institute don’t live in the real world and clearly don’t have enough real scientific research to do.

So, what is the take home of all of this?

  • You are not at risk of having anything exposed in this incident unless you are one of the 1000 people in the 1000 Genomes Project.  If you are part of the 1000 Genomes Project, and male, there is a 12% risk that they figured out your last name and using other tools, possibly who you are, along with your family.  If you are related to someone in the 1000 Genomes Project, the researchers might have figured out that you are related to them.  So now the risk is that they’ll do what with that information???  Guaranteed, someone will figure out the same information and much more quickly, without your DNA and without government funding if you simply stop paying your bills.
  • If you participate in a research project, such as the 1000 Genomes Project, where your full results are made publicly available, you sign a release, and that release indicates that your privacy may not be able to be protected.  You are aware of the risks before you begin.
  • We, as a community, have been warned for years not to put information that might be medically informative on the internet, such as full sequence mitochondrial DNA information.  Anyone who does so, does it at their own risk.  The people in the 1000 Genomes Project knowingly took that risk.
  • If you stay within the confines of the genealogy and DTC mainstream testing companies, you are fairly well protected.  Having said that, reading the consent forms of any of the companies makes it clear that your identity is never entirely protected.  We’re genealogists after all.  What good is genealogical testing if you can’t contact people you match?
  • Inferred health risks are not the issue they are being portrayed to be in these articles.  Your cousin’s health risks are not necessarily yours.  Genetic inheritance is a complex and individual event.
  • Insurers who can use health information to restrict or deny insurance are simply going to request a blood sample.  They are not going to act like a blood hound on the scent of a rabbit and sort through tons of information for inferences.  Why would they when they can obtain the information they seek, directly and much less expensively?
  • For those researchers involved with information made publicly available, such as the 1000 Genomes Project, this is a wake-up call that perhaps less information available publicly is better.  Some information, such as ages and location should perhaps be available only to legitimate researchers, which would still have included the Whitehead Institute people, but would have taken away much of their thunder.  I understand this change has already been implemented, but that doesn’t entirely mitigate the issue of genetic data mining publicly available full genomic sequence information for identity, only makes it a little more difficult and less likely to succeed.
  • I clearly understand why hackers want my bank account information, and why identity thieves want my personal information, but why, in the real world, not at Whitehead Institute, would anyone ever spend the time and effort to do this?  The motivation for these researchers was clearly to publish, but I can think of no reason other than that or simply “because they could” to spend the time doing something like this.  Who would want to and for what purpose?
  • The sky is not falling.

It’s behind a paywall, but you can access the scientific article here that started all of this hubbub.

Security and Privacy

Did you really mean to say that you didn’t want to see your matches????  Have you accidentally done this?

At Family Tree DNA, you may notice that some of your matches, especially at the 12 marker or HVR1 levels, particularly if you have a lot of matches, may be marked “private” and greyed out, with no contact or other information. What does this mean and why would someone take a DNA test for genealogy, then mark their results as private?

Those are great questions and there are several answers. First, some people don’t realize that the selection they make in their “Account Settings” tab affects how their results are displayed, or not displayed, to their matches.  They also don’t realize that it can suppress those matches for them as well.

[Image: Security 1]

You can see that for both Y-line and mitochondrial DNA, you can disable matches and e-mail notification. This means that you won’t receive match notifications for 12 marker matches, if you disable that level, nor will any of your information be shown to your matches. Furthermore, you won’t see those matches either. They will not appear on your match list.  In fact, you won’t have a match list for the level you disable.

Some people only test at 12 markers, for example, so if you disable 12 marker matches, be absolutely sure that you really don’t want to be notified if you match someone with the same surname at 12 markers that did not test at a higher level. If you disable these notifications and matches, this is what your matches will see:

[Images: security 2, security 3]

As you can see, your match will be able to see your surname only, how many mutations difference there is between you and them, no “most distant ancestor,” no haplogroup information and more importantly, no way to contact you. This is typically not what people mean to do, but this is the result.

In one case, a man was distraught because he had no matches, but had disabled matches at all levels of testing, so of course, none showed. He had matches, he just couldn’t see them and he didn’t notice the message that said he had disabled matching at that level. He thought that the only function he had disabled was the e-mail match messages, but that wasn’t the case. It’s all or nothing at each level.  You can’t disable the messages without disabling the matches too.

There are other security options you can select as well. Some are found under “Personal Profile” settings, others under “Account Settings,” and finally, a beneficiary designation in case something should happen to you. This is the only person that Family Tree DNA will allow to access your account. Please take a little time to click through these options so that you personalize your experience in such a way that best fits your testing goals.

Aside from your matches and project displays, the only other people who can see your information are the volunteer group administrators of the groups you join. You can control, by your selections, how much they can view. There are several items they can view, but not change, such as your e-mail address, for example.  Group administrators have a set of guidelines that they must follow.

In the case of mitochondrial DNA, if you have tested at the full sequence level, the project administrators of haplogroup projects cannot see your full sequence level which is necessary to categorize your results into subgroups unless you specifically change your setting to allow them to view your mitochondrial full sequence results. This is found under “Account Settings” then “Results Display Settings.” Change the answer to yes for the appropriate projects.

[Image: security 4]

The key, of course, to privacy and security is to have as much privacy as you wish, without actually hurting your chances of making genealogical connections, and contacts, which is, after all, the entire reason that you tested in the first place.
