Dear Colleagues,

You probably recently received the email below from me; I hope you realised it was a scam. However it _wasn't_ the normal mechanism, whereby someone hacks a vulnerable computer, but inserts in the "from" field some other bunny's address. It was clear to me as soon as I saw the email that they _really_ had my address book (my apologies for this). It took me a while to identify which email account it really came from, but it is now clear that the hacker had been able to log into _this_ gmail account, and send it from here. Since I am somewhat careful about such things, I was quite surprised. There are four ways I can think of that this could have happened.

1. The hacker scanned passwords on google and just lucked out here: unlikely, since I'm pretty sure google would protect against large-scale password testing, and it was a secure password (ranked by google as "strong").

2. Most likely (mea culpa): I used a similar user/password on a few other accounts - places you would normally think secure - and the hacker lucked out on a security lapse in one of them (for example, one of them reflected the password back to me by email - in the clear - about three years ago; I guess I should have abandoned it then, and stopped using the same password on different sites - but how many of us can remember 30 different passwords for the 30 different sites we need to use, without writing them down....). OK, now I'm gonna change. Really.

3. There was a keystroke logger installed on some machine I used? Hmmm, I almost entirely use highly-secured unix-based systems, but I guess I do browse once a month or so from windows machines whose security I can't validate. I guess this has to stop for any sites that require security.

4. Most worrying: my university has so far failed to install patches for the DNS cache poisoning bug (see http://www.doxpara.com/). Actually, I have actively protected against this by switching to using opendns. But this doesn't protect me in this case. Since google will allow _anyone_ to do a "forgot my password" query, resulting in an email of the password - in the clear - to the secondary email address, the attacker only has to guess what the secondary address is, and to cache-poison one of the address servers for the path from google to that email address, to get my google password. It's probably too early for this to be the cause in this case - but it is a fast-escalating risk.

This is a darn good reason to ensure that your ISP is properly protecting you. If your ISP isn't patched (test with the link on the doxpara page), _please_ contact them and complain. Remember that our risk is determined by all the DNS hosts for all of the mail forwarders between us and the mail sender (gmail or your equivalent). Ohhh, and email isn't the only way that someone else's DNS can cause havoc for us (see the doxpara links, but there are doubtless many other potential attacks that nobody has thought of yet). We all need virtually all DNS providers to fix this urgently.

Of course, the biggest worry is that the hacker would have had access to all email in this account; I can't find out for how long. I've spent two days searching through thousands of emails, checking as far as I can that there wasn't anything critically important in any emails here (fortunately, it's not where most of the sensitive stuff goes). I can't find anything. I guess it probably means s/he can't either... and probably can't search as effectively, since I know what to look for... and will get bored quicker than me... I hope.

Best Wishes
Bob McKay

On Thu, Aug 7, 2008 at 6:10 AM, Bob McKay <urilabob@xxxxxxxxx> wrote:
> Good shopping good service!,
> How are u doing these days? Yesterday I found a web of a large
> trading company from china, which is an agent of all the well-known
> digital product factories, and facing to both
> wholesalers, retailsalers, and personal customer all over the world.
> They export all kinds of digital products and offer most competitive
> and reasonable price and high quality goods for our clients, so i think
> we you make a big profit if we do business with them. And they promise
> they will provide the best after-sales-service. In my opinion we can
> make a trial order to test that. Look forward to your early reply!
> The Web address: http://www.mwhdy.com/
>

--
To unsubscribe from this list: send the line "unsubscribe linux-acpi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html