Tuesday, January 18, 2011

Malware, Bots, and Blogging

Something happened this morning that really alarmed me....somehow some code attached itself to my email contacts (not all of them) but many...Eldy got an ad from a drug company from Canada for a drug that looked like it came from me but it didn't! Several of my friends and blogging friends got weird looking emails that had no message in it but  was blank or said "hi!"  My name was on it. People are asking, "did you send this?" No, I most definitely did NOT! I talked to my geeky (love you, bro!) tech savvy brother about how something could get attached to my email account and he was not sure but had lots of suggestions to try and fix it. He was able to do some tracing from the email that came to him from me, and it came from a server in Turkey or Serbia, I think he said. The attachment that locked onto my email was garbage and harmless. He said it was probably a "bot". A bot is a software application that performs automated tasks much fast than a human can, and is sort of a code gathering software "robot". Because blogs contain so much HTML code that is literally open for the world to see, it makes it easier for these software bots to go gathering bits and pieces of information. But this bot could have gotten through on wi-fi, on downloaded files, who knows where?  Somehow this "bot" got thru to my email and attached itself to the contact list sending out random, garbage email with little or nothing attached to it. I get occasional "anonymous" comments on the blog that are garbage or ads for foreign products. I never open them, I just mark them as spam and delete them.  Guess I'm going to have to take my email off the blog and figure out another way to let people make comments without it being attached to the blog. Stay tuned, there may be some changes!  Now I see why some people on blogs use captcha--this is the graphically encoded text that is slightly twisted or looks very weird to the human eye and you have to type it into a box in order to be recognized by the blog or site you are on. This is to avoid a malicious or harmless bot gathering information from your blog or website because it can't decipher it, it's only recognizable to the human eye. It's a pain sometimes, because we don't always have an accurate perception of what it is we are supposed to type in! At least captcha usually gives you another chance.

There was an Apple store in Naples so off we went to get their expertise. All they had me do was change my password to my hot mail account. The tech guy there said that should take care of it! He was very certain of that. Just frustrating and annoying reminder that passwords need to be changed once in awhile or more often...I'm still a little leery of whether this is the end of it or not, but I know I will change my passwords more often. Here is some advice on password strength from my brother who got it from the Wiki page on password strength. Kinda long, but VERY good advice....Hope this helps someone to avoid what happened to me and to many others, I'm sure...we'll see you tomorrow with some great gater stories!

Guidelines for strong passwords

Common guidelines

Common guidelines for choosing good passwords are designed to make passwords less easily discovered by intelligent guessing:
  • Password length should be around 12 to 14 characters if permitted, and longer still if possible while remaining memorable
  • Use randomly generated passwords where feasible
  • Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past), or biographical information (e.g., dates, ID numbers, ancestors names or dates).
  • Include numbers, and symbols in passwords if allowed by the system
  • If the system recognizes case as significant, use capital and lower-case letters
  • Avoid using the same password for multiple sites or purposes
  • If you write your passwords down, keep the list in a safe place, such as a wallet or safe, not attached to a monitor or in an unlocked desk drawer

Additional guidelines

Double a character consecutively, to discourage shoulder surfing, the technique whereby someone observes the typing over a shoulder. Don't triple a character and don't double more than one character. If the typist is fast, it's hard to see how many times a key was consecutively pressed.[19]
As a user might need access from a phone with a small keyboard, consider which nonalphanumerics appear on all models, if any do.[20]
Individuals and businesses can also choose to use devices or cloud-based applications that generate a one-time password, which are functional for only one session or expire after a limited amount of time. One-time password generator solutions are available using cloud-based services, mobile phone applications, a security token and other methods.

Examples of weak passwords

As with any security measure, passwords vary in effectiveness (i.e., strength); some are weaker than others. For example, the difference in weakness between a dictionary word and a word with obfuscation (i.e., letters in the password are substituted by, say, numbers— a common approach) may cost a password cracking device a few more seconds– this adds little strength. The examples below illustrate various ways weak passwords might be constructed, all of which are based on simple patterns which result in extremely low entropy:[5]
  • Default passwords (as supplied by the system vendor and meant to be changed at installation time): passworddefaultadminguest, etc. All are typically very easy to discover.
  • Dictionary words: chameleonRedSoxsandbagsbunnyhop!IntenseCrabtree, etc., can be automatically tried at very high speeds.
  • Words with numbers appended: password1deer2000john1234, etc., can be easily tested automatically with little lost time.
  • Words with simple obfuscation: p@ssw0rdl33th4x0rg0ldf1sh, etc., can be easily tested automatically with little additional effort.
  • Doubled words: crabcrabstopstoptreetreepasspass, etc., can be easily tested automatically.
  • Common sequences from a keyboard row: qwerty12345asdfghfred, etc., can be easily tested automatically.
  • Numeric sequences based on well known numbers such as 911 (9-1-19/11), 314159... (pi), or 27182... (e), etc., can easily be tested automatically.
  • Identifiers: jsmith1231/1/1970555–1234, "your username", etc., can easily be tested automatically.
  • Anything personally related to an individual: license plate number, Social Security number, current or past telephone number, student ID, address, birthday, sports team, relative's or pet's names/nicknames/birthdays/initials, etc., can easily be tested automatically after a simple investigation of person's details.

2 comments:

  1. Are you saying this happened to you on a Mac computer? I haven't had any trouble so far with mine, knock on wood!

    ReplyDelete
  2. My guess is this did not have anything to do with her computer, but more likely the blog and display of email address. It's possible her Hotmail contact list was grabbed while she was on Hotmail (displaying it, perhaps) on an unsecure connection. I recommend to all that their web email accounts be accessed only on a secure connection (that's https:, rather than http:). This is usually in your settings screen on your email account, labeled something like "use secure connection only".

    ReplyDelete