A Scourge Upon The World
Today, a simple, 5-word tweet wasted most of my afternoon. It was sent from my Twitter account, but I didn’t send it. Someone hacked my Twitter account, and that sent me scurrying to find out what else they had found their way into. Luckily, I was right by my computer when it happened, and I was quickly able to get on top of the situation before any real damage was done.
The first thing I did was to delete the tweet and change my Twitter password. I was about to start changing other passwords, when my coworker, Ben, who recently attended a hacker/security conference called DefCon, also noticed my rogue tweet. He volunteered to help me figure out what was going on before I spent a lot of time changing my passwords, only to still have the root cause of the issue leave me vulnerable.
I’ve been running Microsoft Security Essentials for a couple of years now, so I thought I was safe. But Ben scoffed at that, and said that “the biggest problem with anti-virus software is that it makes people feel safe.” And then they don’t do the other things that they should to secure their computers. So he started digging in to my computer and my network. There were a few things to improve.
First, we altered some of the settings on my router to remove open ports for an old version of my website that was no longer hosted here (I moved it to WordPress back in January 2011). We shut down remote access to my Windows Home Server since I never use that anyway. I also changed the admin password on my network and downloaded the latest firmware for the router. There wasn’t any evidence that any of these were problems, but they were all gaps that could have been exploited.
Next, we downloaded Malwarebytes Anti-Malware software, and began running it on all my machines. Ben trusts this software, and after seeing it run, I trust it too. It found some hijacking software running on my Home Server that Microsoft Security Essentials hadn’t. It didn’t find anything on my main PC or on any of the others I have, but I will be running it more often in the future.
Once I was sure that my PC was free of key loggers, I started cycling through my email accounts and changing those passwords, and making sure that each one has one of the other accounts set up to notify it should someone try to change the password there. I also checked the sent mail folders and trash folders to see if anything had been sent I hadn’t done myself.
Once that was done, I started cycling through all my most important accounts—anything to do with banking / money first, then the rest. It’s a slow process. I use an encrypted password vault type program that generates random passwords for each site, so that even if someone decrypts one of my passwords in a site’s database, it’s highly unlikely that’ll get them into any other sites. However, I wasn’t always this neurotic about passwords, and getting them all changed to different passwords has been long overdue. This event forced my hand.
So what caused all this? We suspect that a site I went to yesterday to buy a cookbook was not properly secured, and allowed some session hijacking software to run during the registration process. When I moved from this site to another (probably Twitter) it tracked my activity and cookies and logged my account info back to another server, which then provided the needed information to the hacker to complete the hack. Ben did a scan of the site and found numerous vulnerabilities and told me to stay far away from the site. I notified the site via email to give them an opportunity to fix the problem before anyone else is affected. We’ll see if they respond. I’m a little reluctant to name the site, as I have no proof that that site was the cause. I’ll just suggest to you that if you see this icon in your browser (I use Google Chrome), that you not trust the site.
If you then click on the site, you can see the full warning.
One of the other lessons I learned was that if you end up at a site like this, close the browser. Once you close the browser, the session should end, and the JavaScript that was running should unload and end the threat.
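Both cookie-related points above (that script running in a page could read and report cookies, and that closing the browser ends the session) depend on attributes the site sets when it issues the cookie: `HttpOnly` keeps a cookie out of reach of page JavaScript, and a cookie with no `Expires` or `Max-Age` is a session cookie that is discarded when the browser closes. As an added example, not from the original post, this Node.js snippet audits constructed `Set-Cookie` headers for those attributes:

```javascript
// Added example (not from the original post): audit Set-Cookie headers for the
// attributes relevant to the incident described above.
//  - HttpOnly: page JavaScript (document.cookie) cannot read the cookie, so a
//    script running in the page cannot copy it off to another server.
//  - No Expires / Max-Age: a "session cookie", discarded when the browser
//    closes, which is what makes "close the browser to end the session" hold.
// The header values in SAMPLE_HEADERS are constructed sample data.

function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  // Cookie values may themselves contain "=", so split on the first one only.
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
    persistent: false,
  };
  for (const attr of attrs) {
    const [key, val] = attr.split("=").map((s) => s.trim());
    switch (key.toLowerCase()) {
      case "httponly": cookie.httpOnly = true; break;
      case "secure": cookie.secure = true; break;
      case "samesite": cookie.sameSite = val ? val.toLowerCase() : "unspecified"; break;
      case "expires":
      case "max-age": cookie.persistent = true; break; // survives browser close
    }
  }
  return cookie;
}

// Returns the cookie name plus a list of human-readable weaknesses.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.httpOnly) findings.push("readable by page script (no HttpOnly)");
  if (!c.secure) findings.push("sent over plain HTTP (no Secure)");
  if (!c.sameSite) findings.push("no SameSite attribute");
  if (c.persistent) findings.push("persistent: survives closing the browser");
  return { name: c.name, findings };
}

const SAMPLE_HEADERS = [
  "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "auth=xyz789; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
];

for (const h of SAMPLE_HEADERS) console.log(auditCookie(h));
```

The first sample cookie produces no findings; the second is readable by page script and outlives the browser window, so neither of the protections discussed above would apply to it.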
So in all, I’ve spent at least four hours so far, and by the time I get to the rest of the sites that need a password change, it’ll take me another four hours. This is not only a gigantic waste of time, it’s a colossal waste of my limited energy. No damage has been done (as far as I can tell) to anything beyond my health, but it sure did put me in a bad mood. If, earlier today, you had asked me if hackers deserve time in prison for these stunts, I would have said “No, a bullet is much cheaper.”
As a software developer and a parent, the idea that so much time and energy must be spent by humanity on preventing cyber crime is galling. There are so many more productive things we could do with these creative (and resourceful) people’s time. But I know that international organized crime syndicates now have a leading role in the recruiting and hiring of professional hackers, and that this scourge is unlikely to end any time soon. Why? Because it’s a ridiculously easy way for people to make a large amount of money in a very short time, and they really don’t care who they hurt or what damage they do. Sure, there are altruistic hackers out there, determined to ‘take it to the man’—to dole out their own brand of justice in an unjust world, but I sincerely doubt whoever hacked me today had such lofty ambitions.
No, they probably did it for fun, and likely for the money (I’m sure the tweet they sent from my account was rigged to do even more damage). But what they really did was to cost me hours of my time, and all of my energy for the day.
I could have blogged about something I really wanted to blog about today, but I blogged about this instead in the hope that this will remind other people of some steps they need to do on their computers and network now, so they will be safer in the long run. Whatever steps you can do, you should, and as soon as possible.
Learn from my mistakes, people, and give these hackers a smaller target to hit.