Madeira Blogs

Security Awareness


Security Aware, topics on information technology security.

Pwned or Owned

"Pwn" or "pwned" comes from the verb "to own", meaning to conquer or gain ownership. In the case of being pwned online, it typically means a hacker has your credentials for a Web site that has been hacked at some point.

What does it mean if I've been pwned?
Being pwned means that a hacker has your credentials for a Web site you once subscribed to.

For example, Adobe: In October 2013, 153 million Adobe accounts were breached, each containing an internal ID, username, email, encrypted password and a password hint in plain text. Compromised data: Email addresses, Password hints, Passwords, Usernames.

LinkedIn: In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.  Compromised data: Email addresses, Passwords

What can happen if you've been pwned?
Blackmail. Yes, actually blackmail; follow me through this Hollywood screenplay.

Day 1: A particular Web site is hacked; we will call this Web site Alpha. The Alpha Web site had some security holes, and a hacker or group of hackers now has the subscribers' email addresses, passwords, and password hints.

Day 2: The hacker sends Alpha's subscribers a phishing email tempting them to click. In this example, the phishing lure is a link to an inappropriate adult Web site. The subscriber (the person who has been pwned) does not click the link and deletes the email.

Day 7: The hacker sends Alpha's subscribers another phishing email tempting them to click. The subscriber does not click the link and deletes the email.

Day 86: The hacker sends Alpha's subscribers another phishing email tempting them to click. The subscriber does not click the link and deletes the email.

Day 211: The hacker sends Alpha's subscribers another phishing email tempting them to click. This time the subscriber clicks the link.

Day 212: The hacker now knows the subscriber clicked the phishing link. Remember, the link led to an inappropriate Web site.

Day 212: The KEY DAY. The hacker sends the subscriber a message saying they know about the inappropriate Web site the subscriber recently visited, and they quote the password they compromised when they hacked the site the subscriber had subscribed to. Key Point: Knowing a previous password is a way of gaining trust, of convincing the victim that the hackers really have something on them and are legit. The hacker then tells the subscriber to send $3,000 in cryptocurrency or they will send the subscriber's browsing activity to everyone in their contact list.

What should I do if I've been pwned?
Determine whether the credentials you used on the hacked site are the same as the credentials for any banking Web site. This is why banking and non-banking passwords should never be the same. If your banking credentials match the hacked site's, change them immediately. Refer to our blog on the new NIST password requirements on our Social Media page.

How to check if you've been pwned?
Go to https://www.haveibeenpwned.com/, then change your credentials for any site you have subscribed to that appears in a breach. Make sure your new passwords are not the same as your banking passwords.
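Have I Been Pwned also publishes a Pwned Passwords range API that lets you check a password against the breach corpus without sending the password itself: you send only the first five hex characters of its SHA-1 hash, get back every leaked hash suffix sharing that prefix, and do the match locally. The script below is an added example, not code from this blog or from HIBP; the range response it parses is constructed here with made-up counts, and `fetch_live_range` is the only part that touches the network.

```python
import hashlib
import urllib.request

PWNED_RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what the range endpoint for prefix 5BAA6 returns:
# one "SUFFIX:COUNT" line per leaked hash sharing that prefix. The counts
# are made up for this example; the third line is the real SHA-1 suffix of
# the string "password", the fourth is a near-miss that must not match.
CONSTRUCTED_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E4F9B93F3F0682250B6CF8331B7EE68FD9:1
"""

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Return how often a hash suffix appears in a range response (0 = not found)."""
    for line in range_body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix.upper():
            return int(count)
    return 0

def fetch_live_range(prefix: str) -> str:
    """Query the real API for one prefix; only this function goes online."""
    with urllib.request.urlopen(PWNED_RANGE_API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch=fetch_live_range) -> int:
    """How many times the password appears in the corpus; 0 if it is not there."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))

if __name__ == "__main__":
    # Offline demo against the constructed response above.
    n = pwned_count("password", fetch=lambda prefix: CONSTRUCTED_RANGE_5BAA6)
    print("exposed" if n else "not found", n)
```

A password that shows up with any count at all has been in a breach and should not be reused anywhere, least of all for banking.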
