Archive for Friday, February 26, 2010

Hacked off! Lawrence computer users exposed to a variety of hacking techniques to compromise online accounts

February 26, 2010


Screenshots of the results from the hacking of Lawrence High School's YouTube account (top and center) and Free State High School's YouTube account (below).

Odds are you’re very careful with that password to your online bank account.

But are you equally protective of your other online accounts? Yahoo!, Gmail, Facebook, Twitter, … and all the dozens of other sites you visit?

For a lot of Internet users, the answer is “not exactly.”

The hacking of two Lawrence high school classes’ YouTube accounts this week serves as a cautionary tale.

Students at Free State and Lawrence high schools each produced “lip dub” videos that recently got a lot of publicity here and around the country. Lawrence High’s version was so impressive that it got well over 130,000 views on YouTube. Quite an accomplishment.

But all that work was undone when a student from Free State High School hacked into the LHS account and made dozens of unflattering modifications to the video. Some of the changes couldn’t be undone, and so the video — along with the view tally and comment thread — had to be removed.

In gaining access to Lawrence High’s YouTube account, the hacker didn’t need spy-level computer programming skills — all that was required was a little persistence.

That’s because the password, like so many out there, was easy to guess.

Think your passwords aren’t easy to guess? So did the Free State students. Nevertheless, their YouTube account was hacked in turn, and now the video they worked so hard on is also ruined.

(Both original videos, pre-hack, can still be found on our site here and here.)

Officials from both schools declined to comment on the record about the incidents, but it’s clear the teachers and students involved are frustrated and upset that their online accounts were so vulnerable.

“There isn’t a way to be completely secure anywhere,” says Frank Wiles of Revolution Systems, a Lawrence-based computer consultant. “You’re not completely safe driving (to the store) or even walking out your front door. One-hundred percent security isn’t possible in the real world, and it isn’t possible in the digital world.

“However, just like in real life, you do the most logical things — locking your doors, avoiding dark alleys, not leaving a gold bar sitting in the back seat of your car, etc. — and hope for the best,” Wiles says.

In the digital world, he says the logical things you can do to protect your account include:

1) Pick adequately secure passwords.

For example, DON’T use:

• an area mascot, a pet or a family member’s name (even if followed by 0 or 1; a lot of people do that),

• anything remotely similar to the log-in username,

• the last four digits of your Social Security number,

• 123, abc, etc.,

• the birthday of someone in your family,

• “password” or “letmein”

• in fact, don’t use any word from the dictionary.

(Here's a great blog on how to create a secure password).
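The DON'T list above can be enforced automatically when an account is created or a password is changed. The following Python check is an added example, not part of the original article; the word lists, sample names and the `weak_reasons` function are constructed assumptions.

```python
import re
from datetime import date
from difflib import SequenceMatcher

# Constructed sample lists (assumptions); a real check would load a full
# dictionary and a list of commonly used passwords.
COMMON = {"password", "letmein"}
DICTIONARY = {"lion", "firebird", "sunflower", "basketball", "video"}
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz")
DATE_FORMATS = ("%m%d%Y", "%m%d%y", "%d%m%Y", "%Y%m%d")

def _similar(password, username):
    """Containment or a high similarity ratio, ignoring case and punctuation."""
    a, b = (re.sub(r"[^a-z0-9]", "", s.lower()) for s in (password, username))
    if not a or not b:
        return False
    return a in b or b in a or SequenceMatcher(None, a, b).ratio() >= 0.7

def weak_reasons(password, username, personal_names=(), birthdays=()):
    """Return which items of the DON'T list the candidate password matches."""
    low = password.lower()
    # Drop trailing digits/symbols so "Chesty1" is judged as "chesty".
    stem = re.sub(r"[\d\W_]+$", "", low)
    digits = re.sub(r"\D", "", password)
    reasons = []
    if stem in {n.lower() for n in personal_names}:
        reasons.append("mascot, pet or family name")
    if _similar(password, username):
        reasons.append("similar to username")
    if re.fullmatch(r"\d{4}", password):
        reasons.append("four digits")
    if len(low) >= 3 and any(low in seq for seq in SEQUENCES):
        reasons.append("digit or alphabet sequence")
    if any(b.strftime(f) in digits for b in birthdays for f in DATE_FORMATS):
        reasons.append("contains a birthday")
    if low in COMMON or stem in COMMON:
        reasons.append("common password")
    if stem in DICTIONARY:
        reasons.append("dictionary word")
    return reasons

if __name__ == "__main__":
    # Constructed candidates checked against a constructed username.
    for pw in ("Chesty1", "LHSlipdub2010", "1234", "sunflower1", "vT9#qLm2$Xe7"):
        print(pw, weak_reasons(pw, "lhslipdub", personal_names=["Chesty"]))
```

An empty list means only that none of the listed patterns matched, not that the password is strong.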

Also, it’s important to not use the same password for all your online accounts. Wiles says there are a number of ways to keep track of dozens of different log-in combinations.

“Remembering passwords to all of the sites we use is hard,” Wiles says. “There are programs like OnePassword for Macs … that help.” RoboForm is a popular program for PCs.

“If you don’t want to go to that much trouble, set up three different layers of passwords,” he says. “My advice to most people is to set up a low-security password that you use most everywhere that requires a login, a medium-security password that you would use for something like Facebook, and then individual higher-security passwords for your online banking, stock trading, Paypal and the like.”

Example messages from the recent spate of Twitter phishing scams.

2) Don’t click on links in e-mails or messages on Twitter, Facebook, etc.

Phishing scams have been around since the early days of e-mail, but these days they’re often more subtle than the wealthy Nigerian asking you to let him wire you money.

Facebook and Twitter users have recently been inundated with vague messages seemingly from their friends asking them to click a link.

Lawrence resident Lindsay Frye considers herself a “very knowledgeable” computer user, but she was snared by this tactic.

“The hacker sent out spam mail to ALL of my friends with a link to click on, saying something like I had a pic of them,” Frye says. She quickly noticed something was up and changed her password, which resolved the issue. But she’s heard of much more damaging results from the scam.

“I actually had a friend where the hacker got on her chat and asked for money and some of her friends ended up wiring money, thinking it was really her,” Frye says.

Wiles says a sound practice is to only enter sensitive information into a site that you got to by manually typing in the URL.

“Become ESPECIALLY concerned if, after clicking a link in an e-mail, somebody asks you to log in or provide any sensitive information. Just close your browser and then go back to the site by hand just to be safe,” he says.

3) If it seems too good to be true, it probably is.

Wiles says one of the most common ways that computer users’ information is accessed is through viruses or so-called “malware” infecting their PC. Exposing your computer to these attacks is as easy as clicking a scam advertisement or otherwise visiting a malicious site.

Wiles says it’s just prudent to resist anything like, “Fill out our online survey and win a trip to Alaska!”

“If it isn’t a brand or company you recognize — HGTV, for example — then it’s probably best to avoid it,” he says.

“One mistake people make is they believe viruses are a natural part of computing, as they exist in nature. Viruses only exist because someone messed up and left a security hole,” Wiles says. “It’s really an arms race as bored teen geniuses along with people with a strong profit motive build a better virus. It takes a while for the anti-virus vendors to see it and adapt their products to protect against it.”


bearded_gnome 8 years, 2 months ago

recently got a note claiming sunflower was updating their webmail and I needed to click on something...ooops, maybe that was real. no seriously I think it was fake.

but you know, my friend the banker in Nigeria has that $12-million headed my way. and the world general bank ordered the Nigeri General Bank to give me a million dollars to help fight poverty, that's coming too. and all these christian women who want my help spending their money!

momof4 8 years, 2 months ago

maybe some of these reporters should learn the story a little better before they post it, if they had done any research whatsoever, they would know that LHS's video (i'm not trying to say it was bad), has been on youtube for a while, at least a year, so that many views is not all that impressive. Freestates video just went up the day it was ruined. This article made it sound like Free State started this youtube battle, when in fact Lawrence High students were responsible for the first youtube attack. The remarks that Lawrence High put on the FreeState video were very offensive, which is the reason that the Free State kids acted out.

Why is this article not pointing out the wrongs that LHS did? and why are there no pictures of the Free State video that was ruined?

jniccum 8 years, 2 months ago

Editor's note in response to momof4: The LHS lip dub was posted to YouTube on Feb. 11 -- which, as you will note, is less than a year ago.

zellaB 8 years, 2 months ago

Get your facts straight, momof4... The LHS video was shot less than a month ago. It was a great and wonderfully fun experience for all involved. I have heard that free state's video was also great and the kids had a blast making it. But the important fact is ONE LHS kid and ONE free state kid were responsible for the pranks, not the schools as a whole. The "changes" made to the LHS video were offensive also. The individual student's actions were addressed. I am sure this is not the first prank of its kind and it probably won't be the last.

maxcrabb 8 years, 2 months ago

Momof4, Free State is still waiting on our apology for dressing up as Chesty, dancing on the bronze firebird, and taping it all for our homecoming video 6 years ago...

(he ended up getting tackled by a football player. classic!)

BrianR 8 years, 2 months ago

"Acted out" ???

I love it when people misuse terms like that.

Tony Holladay 8 years, 2 months ago

Guess I'll be changing my passwords from * to *

frank mcguinness 8 years, 2 months ago

Sounds like momof4 has her facts wrong. ouch

roggy 8 years, 2 months ago

It doesn't matter which one acted first. It only takes one idiot from each school to give a black eye to both! There are parents like momof4 that speak before knowing what they are talking about that give parents a black eye. Pranks have occurred on both sides. The harmless pranks can be fun but I hope the schools can help get control of the destructive pranks. We have two great public high schools that we can all take pride in.

were12 8 years, 2 months ago

hey maybe everyone here should get their facts straight. It was free state that had the idea of making the video first. Then lhs made one that was decent but had been on youtube for about 3 weeks now. Free state took time on theirs had to learn everything backwards and so they just did theirs. Then lhs hacked free states first and messed the good one up. So free state got back and also won in basketball so whos better? FREE STATE

asonesign175 8 years, 2 months ago

I would just like to point out that the "rick rolled" video that an LHS kid made wasn't the original video of Freestate's, if you saw the user names they were the same exact words for the names but on one of them the "F" in freestatelipdub(the username) was capitalized and the other was not, youtube user names are case sensitive, so the LHS kid did NOT hack in to make that video, he did however cleverly change the username just enough to make everyone think that it was Freestate's actual video.

The fake account only had a ripped off copy of Freestate's video, if you saw it the joke one it was really pixelated and blurry, that is what happens when you rip a video off youtube, the quality goes down majorly. Anyone can do it, and then mess with a video in microsoft movie maker. I actually have the youtube ripping software on my computer. It's really easy to find, just search youtube ripper or copier, and you should find something.

As to whose is better, that is just a simple opinion. Take whatever you want in to consideration when choosing which is your favorite but no person can say that everyone on the planet thinks insert school name's is better. Well you can, but you will probably be laughed at for trying to control free will.

asonesign175 8 years, 2 months ago

Yes, that is what I am saying. If you look on youtube for the Freestate video, there are 2 other accounts that have it posted, if you look in the comments of one of them there is a Freestatelipdub username, this is the fake account that an LHS kid made, also if you can find the actual Freestate username(freestatelipdub) you will see there are a few comments that reference this fake account's name by the actual Freestate username.

This is Freestate's actual channel:

And this is the fake channel that an LHS kid made, he has since deleted the fake video and favorited the Freestate video to show he is sorry for what he has done:

Freestater456 8 years, 2 months ago

Look LHS attacked first and we retaliated. Yes maybe we went a little further than LHS but oh well they asked for it. Payback is a you know what.

Beating LHS, A Free State tradition

asonesign175 8 years, 2 months ago

Thanks for posting what we already knew! - Totally cleared my confusion, since i was the one that figured out for LJWorld that the LHS kid didn't really hack in to an account but instead created a cleverly named new one.

"Yes maybe we went a little further than LHS but oh well they asked for it."

NO school a project that kids have worked on for that long should NOT be permanently defaced. Yes, what the kid from LHS did was wrong in its own way but in no way did he permanently deface the FS video. No person deserves to have their hard work like that ruined all because of a stupid high school rivalry. That and it being a rivalry that ends once the kids graduate. Poking fun and making joke videos are ok, if made under separate accounts, there are millions of them on youtube.

Destroying someone's work is a terrible way to show your school pride. I would be embarrassed if one of my friends did that, not just shrug it off my shoulder and say, "oh well they asked for it".

Hop2It 8 years, 2 months ago

Wow. The comments that are apparently from students are quite amazing. I don't know whether to think about the lack of ethics or lack of grammar.

tomatogrower 8 years, 2 months ago

I'm with you Hop2It. No remorse from anyone. Isn't hacking against the law? Will charges be filed? Using someone's password is identity theft and fraud, isn't it?

ronaldo9 8 years, 2 months ago

I am a Free State student myself and would like to point out some things. One, this article inferred that Free State was the one who started this "hacking battle" when in fact, LHS started all of this. However, I am not trying to point fingers because unfortunately, it only takes immaturity from one sophomore to stoop to the level of LHS students. Both of these lip dubs were well done and were done so as a school PROJECT. There was never any intention for a "competition" or "battle". Free State just wanted to try and get more student involvement. Momof4, as has been pointed out, the LHS video was for the LHS winter court and was only posted about a month ago and was receiving national attention. The remarks LHS made were far from "offensive". All the message simply said was, "LOL Free State sucks. Chestly Lions for the win." Being a Free State student myself, I do not find that offensive in any way. While LHS should have never made a copy of our video, changed it, and posted it under another account, Free State should not have retaliated in the way they did. As for Freestater456, please grow up. And Hop2lt, I hope that fits to your standards.

Hop2It 8 years, 2 months ago

Ronaldo9, thank you for your attempt at being at a peacemaker. Thank you also for appeasing the old people (like me) and using non-texting sentence structure. Small gestures show great things.

Now please go referee the adults that are still arguing about high school sportsmanship and LHS / FSHS game on the sports comment page.

classclown 8 years, 2 months ago

Watch out for back doors too. They'll get you every time.

Freestater456 8 years, 2 months ago

Ronaldo get off your high horse. You're probably one of those nerds who has no school spirit, so I really couldn't care less what you say to me. They reposted the lhs video so stop crying about "PERMANENT" damage. I don't think we should've retaliated either but we did and it was rather comical, so I'll laugh at. Plus the kid got 3 days OSS, So he got punished and LHS got their awful video back. Get over it.

bearded_gnome 8 years, 2 months ago

Ronaldo, I am a Free State student myself and would like to point out some things. One, this article inferred that Free State was the one who started this "hacking

---the article "inferred" nothing. it implied something perhaps, it insinuated something? it alleged something?
or, reading the presented facts, you inferred.*

I do however infer that you are young and starting out so English meaning and sentence structure are still fitting uncomfortably in your head.

most of all: this article, the editor's comment and 'Sign' comment highlight that this is just a high school rivalry!

please just line up the LHS and FSHS chess teams at high noon, with a tournament to the death. you lose, you're out. last man standing, his school wins! there's how to settle this one.

KU1992 8 years, 2 months ago

A couple final points. First, a clarification was printed in today's (3/5/2010) Journal World that stated: "Specifically, the Free State lip dub was copied (and parodied) without defacing the original posting. Whereas the original Lawrence High lip dub was hacked and its audio track irrevocably corrupted, which led to the original posting being deleted, along with its 130,000 views and 200 comments." Second, the hacking of the LHS video included some pretty nasty homophobic comments, which, as a community, I'm hoping we'd all agree is despicable.
