My Fake ATT Bill…

Tell me if you’ve heard this one before…

Looks like my AT&T statement is ready, and isn't it nice of them to send me an email notification?  But uh-oh!  Look how much that bill is for!  Surely someone's made an error!  I'd better click on that link and get this straightened out, pronto!

Ok, let's stop here for a moment and look at the clues:

  1. I think someone once said “Never click links in emails from people I don’t know”
  2. But I know who AT&T is, so this is ok right?

A closer look at the HTML source of the email shows the following (note that the link text and the actual href do not agree):

 

    <br>
    Log in to online account management to view
    your bill and bill notices, maintain your
    email account or make a payment. If you are
    not registered for online account
    management, you must do so to view and print
    your full bill and bill notices at <a
    href="hxxp://not.an.att.domain.name/wp-content/plugins/mm-forms-community/upload/temp/info.html" style=" color:
    rgb(6, 122, 180); text-decoration: none;">www.att.com/managemyaccount</a>.<br>
    Log in to online account management to view
    your bill, maintain your email account or
    make a payment.<br>

 

Yeah, that's not an AT&T address in the link.  (fyi: I changed the URL from the actual malicious link.)  The visible link text reads www.att.com/managemyaccount, but the href underneath it points to a completely unrelated domain.  Yet another phishing attempt.  Crafty bastards are getting pretty good at making these emails look real, but they did a lousy job hiding the links (in fact there's no obfuscation at all, beyond the fact that the email is in HTML and the mail client shows the link text rather than the href).

The lesson here:  no matter how legit the email looks, never click links in an email.   If I were an actual AT&T customer, the right thing to do would be to open a browser, navigate to the AT&T home page by typing the correct address (instead of relying on one supplied in the email) and log in to view my account.
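As an added illustration (my code, not part of the original post), here is a small Python check for exactly the mismatch above: it walks the anchors in an HTML body and flags any whose visible text names a host that differs from the host in the href. The sample HTML is constructed to mirror the quoted email, with a real http:// scheme in place of the hxxp:// defanging used above; the reduction of a hostname to its last two labels is deliberately crude and is not a proper public-suffix lookup.

```python
"""Flag anchors whose visible text names a host that differs from the href's host."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the phishing email quoted above (not the real message).
SAMPLE_HTML = """
<p>you must do so to view and print your full bill and bill notices at
<a href="http://not.an.att.domain.name/wp-content/plugins/mm-forms-community/upload/temp/info.html"
   style="color: rgb(6, 122, 180); text-decoration: none;">www.att.com/managemyaccount</a>.<br>
See also <a href="https://www.att.com/help">att.com/help</a> and
<a href="https://example.net/contact">Contact us</a>.</p>
"""

# Matches link text that looks like a URL or bare domain and captures the host part.
HOSTLIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I
)


def registrable(host):
    """Crude eTLD+1: keep the last two labels (assumption; fine for a demo, not for real use)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html):
    """Return (href, text) pairs whose text claims a host different from the href's host.

    Anchors whose text is ordinary prose ("Contact us") make no host claim and are skipped.
    """
    parser = AnchorCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.anchors:
        m = HOSTLIKE.match(text)
        if not m:
            continue
        claimed = registrable(m.group(1))
        actual = registrable(urlparse(href).hostname or "")
        if claimed != actual:
            suspicious.append((href, text))
    return suspicious


if __name__ == "__main__":
    for href, text in find_mismatched_links(SAMPLE_HTML):
        print(f"link text {text!r} but href goes to {href}")
```

Run it against a saved .eml body and the att.com/managemyaccount anchor is the only one reported; the att.com/help anchor is ignored because its text and href agree.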

 

LinkedIn Phishing

 

I just received a fraudulent email claiming that my LinkedIn account was locked out.  At first glance the sender appeared legit, as did the body of the email and the link I was supposed to click to reset my password.

Reviewing the raw source of the email showed that it was bogus.  (that and the obvious fact that I could still log in to my LinkedIn account)

 

The link went to some web site (NOT LinkedIn) that's most likely designed to get me to enter my user credentials, and if I had done that, someone else would now have control of my LinkedIn account.

 

Just because it looks legit, doesn’t mean that it is.   Don’t get all clicky just because someone sent you an email.

 

 

ALERT: McAfee DAT #5958 Issue

From McAfee AvertLabs:

“McAfee is aware that a number of corporate customers have incurred a false positive error due to incorrect malware alerts. Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3.

The 5958 DAT has been removed from McAfee download servers, preventing any further impact to corporate customers. McAfee teams are working with the highest priority to support impacted customers and plan to provide an updated virus definition file shortly. You can view information at https://kc.mcafee.com/corporate/index?elq_mid=2362&elq_cid=757526&page=content&id=KB68780 (NOTE: system is currently slow) or the McAfee Community at http://community.mcafee.com/docs/DOC-1374/”

http://isc.sans.org/diary.html?storyid=8656

Free online backups for home use

Just a quick note this morning to remind everyone to make sure you're making plenty of backups of your data.   I'm a bit paranoid when it comes to data loss, so I like to take extra precautions.  Since all of our computers are Macs, every machine here has an external drive attached and uses Apple's Time Machine for automatic backups.  I also archive my data to a shared location on the network.  The problem with both of these approaches (as implemented) is that neither gets the data offsite.   To solve that, I've been using Mozy for the last two months.  Mozy offers 2GB of free online storage per home account.  It's not enough to back up everything, but it goes a long way toward backing up my most important or time-sensitive documents.  I may consider upgrading my account and paying the $4.95 a month for unlimited storage.

I haven’t tried the Windows client so I can’t vouch for it, but so far the Mac client has worked with no problems.

::Full Disclosure::

And if you decide to try it out, I'd appreciate it if you used my link here.  It's a referral program, and I get an extra 256MB of space for each person who signs up through the link.   For a short time they're bumping that up to 512MB per sign-up, so I thought I'd plug the product here and maybe earn myself a bit of extra backup storage!

Critical Microsoft Patch Released

The SANS Internet Storm Center is reporting that Microsoft has released a critical security patch for a remote code execution vulnerability affecting Windows 2000, Windows XP and Windows Server 2003.

There are unconfirmed reports that the patch was released out of band because the vulnerability it addresses is already being exploited in the wild.

Passphrase Mnemonics

How many passwords do you have?  More than one?  Do you have a separate, robust, easily remembered password for each and every login?  I think the majority of people fall into one of two categories when it comes to passwords.  First are the folks who find it too annoying or bothersome to remember so many passwords, so they just use the same one for every site.   The other group goes to the opposite extreme and uses great little tools like 1Password or Password Safe.  These tools generate strong random passwords and manage them for you; the user only has to remember one master password and do a little cut and paste, never once needing to memorize the individual passwords.

Somewhere between these two is “Passphrase Mnemonics”  (yes, that's my term for it; don't blame anyone else).  Passphrase Mnemonics let the average individual have unique, easily remembered and reasonably strong passwords for each and every site requiring a login, without resorting to writing them down or storing them in a program.

Before we get right down to it, let me explain why this post is entitled “Passphrase Mnemonics” and not “Password Mnemonics”.  It's really quite simple: the term “password” implies using a single word to verify your login, whereas “passphrase” implies a string of words or a phrase.   Phrases are easy to remember and provide more security than a single word, and at this point we should all be using phrases instead of words, especially words that can be found in a dictionary.  Not just an English dictionary; any dictionary, whether French, Spanish, Swahili, Finnish, Vulcan, Klingon, Elvish, etc.   Any word found in a dictionary can be guessed quickly by a dictionary attack using one of several freely available tools.

On to the method, or the “Mnemonic”.  (By the way, a mnemonic is simply a memory device you use to remember something; think of the old rhyme “30 days hath September…”, which is a mnemonic for the number of days in each month.)

Step by Step:

  1. Find a favorite book or movie.  I like to choose a book with at least twelve chapters, so for this example I'll use “Snow Crash” by Neal Stephenson.
  2. Choose a chapter based on the number of the month.  Since this post is being written in September, I'll use chapter 9.
  3. The initial passphrase is the first sentence of that chapter.  In this case the first sentence of the 9th chapter of “Snow Crash” is “The world freezes and grows dim for a second”.
  4. Let's choose a site that requires a login.  I'll choose Yahoo.
  5. Start the passphrase for the site with the first three letters of the site's name, followed by a special character:  yah!
  6. Append the first three words of the initial passphrase, substituting underscores for spaces:  yah!The_world_freezes
  7. Last step: alter each word by substituting a number or a special character for one letter in it:  yah!Th3_w0rld_fr3ezes

So for every site that requires a password, you simply prefix your passphrase with the first three letters of the site's name.  The same passphrase for Amazon would be ama!Th3_w0rld_fr3ezes.

Is this as robust and as secure as using software-based password tools like Password Safe?  No, not at all: the site prefix is the only part that changes between sites, so anyone who sees one of these passwords (say, from a breached site that stored it in the clear) can work out all the others.  But it's a sure bet safer than using the same password everywhere!  And you don't even need to write it down or have your PDA handy to keep it safe.  All you need to do is remember your passphrase (Th3_w0rld_fr3ezes) and know what site you're logging into, and voila!  Simple, reasonably strong and easily remembered unique passwords for each site.
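As an added worked example (my code, not the post's own), here is the scheme above in Python, along with a function that shows its main weakness. Step 7 is made concrete with one assumed rule the post leaves to the reader: in each word, replace the first letter that appears in a small a/e/i/o substitution table. With that rule the derivation reproduces the yah!Th3_w0rld_fr3ezes and ama!Th3_w0rld_fr3ezes values from the text.

```python
"""Passphrase Mnemonic derivation, plus the one-leak-reveals-all check."""
import re

# Assumed concrete rule for step 7: first substitutable letter in each word is replaced.
SUBST = {"a": "4", "e": "3", "i": "1", "o": "0"}


def leetify_word(word):
    """Replace the first letter of `word` that has an entry in SUBST (assumed rule)."""
    for i, ch in enumerate(word):
        if ch.lower() in SUBST:
            return word[:i] + SUBST[ch.lower()] + word[i + 1:]
    return word


def base_passphrase(sentence, words=3):
    """Steps 3, 6 and 7: first `words` words of the chapter's opening sentence,
    joined with underscores, one substitution per word."""
    first = re.findall(r"[A-Za-z]+", sentence)[:words]
    return "_".join(leetify_word(w) for w in first)


def site_password(site, base):
    """Step 5: first three letters of the site name plus '!' in front of the base."""
    return site.lower()[:3] + "!" + base


def recover_base(leaked_password):
    """The weakness: the prefix is predictable, so one leaked password gives up the
    shared base, and with it every other site's password.  Returns None if the
    password does not follow the scheme."""
    m = re.match(r"^[a-z]{3}!(.+)$", leaked_password)
    return m.group(1) if m else None


if __name__ == "__main__":
    base = base_passphrase("The world freezes and grows dim for a second")
    yahoo = site_password("yahoo", base)
    print("yahoo :", yahoo)
    # An attacker who obtains the Yahoo password needs no book at all:
    recovered = recover_base(yahoo)
    print("amazon:", site_password("amazon", recovered))
```

The last two lines are the point: once one site leaks the password, deriving the rest is a string operation, which is why a password manager with independent random passwords per site is still the stronger choice.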

If you're comfortable using software-based password managers, by all means continue to use them.  If you've considered them in the past, now might be a good time to do a bit of googling on password managers and find one you like.  If not, this relatively simple process will at least give you a method of creating decent passwords (passphrases).