[CTSARA] (no subject)
Jon Perelstein
jon.perelstein at gmail.com
Wed Jan 25 09:06:08 EST 2012
As some of you may have seen, Toy Alladin's email account was hacked and a
bunch of spam is being sent out in his name. In this case, the old classic
"I'm on vacation in London, got robbed, and now I need money" scam was sent
out.
Some things to remember from this:
1. Change your passwords FREQUENTLY!!!!! Every 90 days at a minimum, and
even more frequently
2. Do NOT use the same password for different accounts, and especially not
for secure accounts like e-mail, banking, Facebook, etc. Once "they" get
that one password, "they" can do all sorts of really nasty things across
your various accounts.
3. Make sure your password is a strong password. Include numbers and
punctuation symbols.
4. Do not use words straight out of the dictionary. A common hacking
approach is to just try every word in the dictionary. If you're going to
use a word or two from the dictionary, purposely misspell at least one of
the words and then add a number and punctuation. For example, substitute a
"ph" for the letter "f" or put "e before i". "ham radio" might become
"ham#radeo3". Those little changes make it dramatically more difficult to
crack your password. And no, that's not one of my passwords.
5. There is some research to indicate that it's easier to remember a long
phrase that catches your eye than a single word or a jumbled bunch of
letters and numbers. For example, use something that's on your desk at
home that people wouldn't know is there. Right now there's a bottle of
Lipton Green Tea on my desk, and the label says "Good Source Of
Antioxidants". It's actually easier for most people to remember a phrase
like that than to remember an isolated word or two. Add a number or a bit
of punctuation and you have something extremely difficult to crack yet easy
to remember (e.g., good*source**of***antioxidants827). Looks like it would
be extremely difficult to remember, but it turns out that it is easy to
remember. And no, that isn't one of my passwords.
6. The single biggest source of password cracking is social engineering --
getting you to divulge your password or figuring it out from things they
know about you.
a. NOBODY legit is ever going to ask you to send them an email with your
ID and password -- for ANYTHING.
b. If you get an email from your bank, from the IRS, from work, from
Microsoft, from Apple, from ANYTHING asking you to go to a website to "fix
your account, respond to an immediate demand for information, deal with an
overdrawn situation, or whatever" DON'T DO IT!!! Nobody legit does that
-- especially not the IRS. Don't ever click on the link. If you want to
check your account, close your browser, start it up again, and go to your
account via the URL that you usually use (which you probably have as a
bookmark on your computer).
c. If you're asked for an ID and/or password while you're doing something
online at a point in the process that normally doesn't ask for your ID
and/or password, do not enter it. For example, if you are doing some
on-line banking and you're suddenly asked to re-enter your ID and/or
password at a spot in the process where you're not normally asked for that
info, don't enter it. Stop. Close the browser. Contact the institution
to see if they've made a change to their system.
d. Don't use anything that people would associate with you. None of my
passwords has anything to do with ham radio. None of them has to do with
my car or my work history as a software developer, or the names of my
children or the color of my hair (what hair??) or my birthday or the street
I live on, etc., etc.
e. There are a lot of "venus flytrap" sites out there. You click on a
link to see a funny picture or a message from your favorite politician or
pictures of your favorite actor/actress/singer/whatever (of course, you
would never be doing that for porn) and it asks you to set up an account
with your email address as the ID and a password. You set up the account
as asked and of course use the standard password that you use for
everything. Whamo, they now have your email address and the password
corresponding to that email address, and you're in trouble. Watch out for
"venus flytrap" sites. If you decide to register on a site, use a
different password that is not the same (or similar to) any of your other
passwords.
7. Another common source of password cracking is obtaining it through
unprotected or compromised computers.
a. Be very careful about leaving your computer unattended in a public
place while you're already logged in (e.g., at Field Day). "They" don't
need to steal the computer, "they" only need access for a few minutes to
click on the "forgot password" button on your key accounts (email, banking,
Facebook) and then read the emails returned. "They" now have your new
password and you don't. At the very least, log out when you're going to
be leaving the computer -- even for a few minutes.
b. Don't use a public computer (e.g., at a library or the ones in Stamford
Govt Center) to access a secure account like your email or bank account.
It's just too easy for someone to have put software on the computer that
will record the ID and password you entered and then send it via the
internet to the "bad guys".
c. If you're going to use someone else's computer to access a secure
account, make sure that you do NOT check the "keep me logged in" button.
Make sure that you very specifically sign out/log off the account you're
accessing and then make sure that you very specifically close all open
browser windows. If you don't, your account may remain open on that
computer and someone can then access your info.
8. Make sure you have a good firewall on your computer and good
anti-virus/anti-spyware on your computer, that you keep the software
updated, and that you run regular scans. Note that Apple computers are NOT
invulnerable, nor are Linux computers. The primary reason why they haven't
had as many problems as Windows-based computers is that Windows-based
computers have such a huge installed base. Your typical malware writer
is going to write for the huge installed base and not for the computer that
represents less than 10% of the installed base.
I'm sure that there are additional ideas out there if anyone else wants to
chime in.
73s
Jon
WB2RYV
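The reasoning behind points 4 and 5 of the post above (a misspelt word defeats a straight dictionary run, and a long phrase beats a short word even when the phrase is made of ordinary words) can be made concrete with a rough guess-count estimate. The script below is an added illustration, not part of Jon's message; the word list, the assumed attacker dictionary size of 100,000 entries and the 33-symbol punctuation alphabet are constructed assumptions. It scores the post's own sample strings "hamradio", "ham#radeo3" and "good*source**of***antioxidants827" by the cheaper of two attack models: exhaustive search over the character alphabet, or a word-list search when every run of letters splits into dictionary words.

```python
import math
import re

# Constructed stand-in for an attacker's word list (assumption). A real list
# would hold on the order of 10^5 entries, which DICTIONARY_SIZE models below.
WORDLIST = {"ham", "radio", "good", "source", "of", "antioxidants",
            "password", "london", "vacation"}
DICTIONARY_SIZE = 100_000   # assumed size of the attacker's dictionary
SYMBOLS = 33                # printable ASCII punctuation characters


def charset_size(pw: str) -> int:
    """Size of the smallest character alphabet containing every char of pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += SYMBOLS
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the guesses an exhaustive search over the alphabet needs."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def min_word_count(letters: str, words=WORDLIST):
    """Fewest dictionary words that concatenate to `letters`, or None if impossible."""
    n = len(letters)
    best = [None] * (n + 1)
    best[0] = 0
    for i in range(1, n + 1):
        for j in range(i):
            if best[j] is not None and letters[j:i] in words:
                cand = best[j] + 1
                if best[i] is None or cand < best[i]:
                    best[i] = cand
    return best[n]


def dictionary_bits(pw: str, words=WORDLIST):
    """Cost of a word-list attack when every run of letters is dictionary words.

    Returns None when some run is not made of dictionary words (for example a
    deliberate misspelling), because the word list then never produces it.
    """
    runs = re.findall(r"[a-z]+", pw.lower())
    if not runs:
        return None
    counts = [min_word_count(r, words) for r in runs]
    if any(c is None for c in counts):
        return None
    # Digits and punctuation between the words still have to be guessed.
    filler = len(pw) - sum(len(r) for r in runs)
    return sum(counts) * math.log2(DICTIONARY_SIZE) + filler * math.log2(10 + SYMBOLS)


def audit(pw: str, words=WORDLIST) -> dict:
    """Score pw by the cheaper attack model and list the weaknesses found."""
    bf = brute_force_bits(pw)
    dw = dictionary_bits(pw, words)
    effective = bf if dw is None else min(bf, dw)
    findings = []
    if dw is not None:
        findings.append("built only from dictionary words")
    if charset_size(pw) <= 26:
        findings.append("single character class")
    return {
        "brute_force_bits": round(bf, 1),
        "dictionary_bits": None if dw is None else round(dw, 1),
        "effective_bits": round(effective, 1),
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in ("hamradio", "ham#radeo3", "good*source**of***antioxidants827"):
        print(sample, audit(sample))
```

With these assumptions "hamradio" comes out near 33 bits (two words from a 100,000-entry list), "ham#radeo3" near 61 bits (the misspelling forces a character-level search over a 69-symbol alphabet), and the tea-label phrase well above 100 bits even under the word-list model, which is the ordering the post argues for. The numbers are estimates of attacker effort, not a guarantee; the value of the exercise is seeing which attack model applies to a given string.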