Did I spam myself?

A client writes:

I just received an email from myself with a fraudulent QR code containing a link that’s clearly a scam. But it looks like it actually came from my email, and other people are listed as recipients. What should I do?

Sadly, it is not difficult to make an email appear, on the surface, to be from any given address: the From line is just text the sender types in. Making the forgery hold up beyond the surface, so that it also passes the checks shown below, would require a true hacking of your account. Since you and I have worked together, we have pretty well covered the bases to set the chance of that happening to you dang close to zero.

In other words, and to answer the question of what you should do now: ignore it (do not scan the QR code; if you like, use your mail program's "report phishing" option so your provider learns the pattern), stay vigilant, and keep using those strong passwords and two-factor authentication, preferably with a password manager. (I have a blog post about those, and the TL;DR there is that, for iPhone users, Apple Passwords is free and great, even if you also have a PC. And 1Password [affiliate link] is fantastic if you want something more robust.)

All that said, to get more forensic about it, you can look at the raw source of the original message. In Apple Mail on the Mac, go to View menu > Message > Raw Source.

I know it looks like the Matrix, and I don't pretend to read it like prose myself. But see below for part of the source of a legitimate message, one of the sections you can look for. You can see your domain and the terms "dkim", "spf" and "dmarc" each matched with "pass". Those are checks the receiving mail server (here mx.google.com, since both of us use Google) runs when the message arrives: it looks up the DNS records that yourdomain.com publishes and asks, in effect, "Hey, is this legit from yourdomain.com like it purports to be?" and gets a couple of different "Yes"es in response. A forgery that merely types your address into the From line fails those checks, so in a suspicious message look for "fail" or "none" where you would expect "pass".

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=yourdomain.com header.s=google header.b=Ssjl9RVC;
       spf=pass (google.com: domain of xxx@yourdomain.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=xxx@yourdomain.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com;
       dara=pass header.i=@mydomain.com

One thing worth noticing in that sample: the dmarc line says p=NONE. That is the policy yourdomain.com publishes for other mail servers, and "none" means "report failures, but take no action on them", so a forgery of your address that fails these checks can still be delivered to inboxes. Publishing p=quarantine or p=reject is how a domain owner tells receivers to stop that. If you look in there and something doesn't pass a sniff test, let me know!
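As an added example (written for this edit, not part of the original post or of any mail provider's software), here is a small Python script that does the "sniff test" above mechanically: it reads a raw message, pulls out the Authentication-Results / ARC-Authentication-Results headers, and reports whether a message claiming to come from your own domain really passed DMARC at your own receiving server. The two sample messages, the spoofer.example and evil.example names and the 198.51.100.7 address are constructed for the demo; mx.google.com is taken from the header above. One check the post does not mention is built in: only results stamped by your own server's name count, because a sender can type any Authentication-Results header they like into a message.

```python
import email
import email.utils
import re

# Constructed sample messages (not real mail). LEGIT mirrors the header shown
# above; SPOOF imitates a forgery that puts the victim's own address in From,
# fails the real checks, and smuggles in a fake Authentication-Results header.
LEGIT = """\
From: xxx@yourdomain.com
To: xxx@yourdomain.com
Subject: Quarterly numbers
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@yourdomain.com header.s=google header.b=Ssjl9RVC;
       spf=pass (google.com: domain of xxx@yourdomain.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=xxx@yourdomain.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com

Attached are the numbers we discussed.
"""

SPOOF = """\
From: xxx@yourdomain.com
To: xxx@yourdomain.com
Subject: Action required
Authentication-Results: spoofer.example; dkim=pass; spf=pass; dmarc=pass header.from=yourdomain.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=none;
       spf=fail (google.com: domain of bounce@evil.example does not designate 198.51.100.7 as permitted sender) smtp.mailfrom=bounce@evil.example;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com

Scan this QR code to confirm your account.
"""


def unfold(value: str) -> str:
    """Join RFC 5322 folded continuation lines back into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def parse_auth_results(value: str) -> dict:
    """Parse an Authentication-Results / ARC-Authentication-Results value into
    {'authserv_id': ..., 'dkim': {'result': ..., ...}, 'spf': {...}, 'dmarc': {...}}.
    Parenthesized comments are dropped, except that the DMARC policy (p=...)
    Google writes into its comment is kept as 'policy'."""
    value = unfold(value)
    policy = None
    m = re.search(r"dmarc=\w+\s*\(([^)]*)\)", value)
    if m and (pm := re.search(r"\bp=(\w+)", m.group(1))):
        policy = pm.group(1).lower()
    clauses = [c.strip() for c in re.sub(r"\([^)]*\)", "", value).split(";") if c.strip()]
    if clauses and re.fullmatch(r"i=\d+", clauses[0]):   # ARC instance tag
        clauses.pop(0)
    parsed = {"authserv_id": clauses[0].split()[0] if clauses else None}
    for clause in clauses[1:]:
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            k, _, v = tok.partition("=")
            props[k] = v
        if method.lower() == "dmarc" and policy:
            props["policy"] = policy
        parsed[method.lower()] = props
    return parsed


def assess(raw_message: str, my_domain: str, my_authserv_id: str) -> dict:
    """Decide whether a message claiming to be from my_domain really passed
    authentication at my own receiving server. Only results stamped with that
    server's authserv-id are trusted: anything else could have been typed in
    by the sender."""
    msg = email.message_from_string(raw_message)
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    report = {"from_domain": from_domain, "claims_my_domain": from_domain == my_domain.lower()}
    trusted = None
    for name in ("Authentication-Results", "ARC-Authentication-Results"):
        for value in msg.get_all(name, []):
            parsed = parse_auth_results(value)
            if parsed["authserv_id"] == my_authserv_id:
                trusted = parsed
    if trusted is None:
        report.update(verdict="suspicious", reason=f"no authentication results from {my_authserv_id}")
        return report
    dmarc = trusted.get("dmarc", {})
    for method in ("spf", "dkim", "dmarc"):
        report[method] = trusted.get(method, {}).get("result", "missing")
    report["dmarc_policy"] = dmarc.get("policy")
    aligned = dmarc.get("header.from", "").lower() == from_domain   # DMARC alignment
    if dmarc.get("result") == "pass" and aligned:
        report.update(verdict="authenticated", reason="dmarc=pass for the From domain")
    else:
        report.update(verdict="spoof", reason=f"dmarc={report['dmarc']} for {from_domain}; "
                      "the From line was forged")
    return report


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        print(label, assess(raw, "yourdomain.com", "mx.google.com"))
```

Run it and the second message comes back as a spoof even though its forged Authentication-Results header says "pass" three times; the report also surfaces the p=none policy, which is why the forgery reached the inbox at all.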

Identity Theft

In the past six months I’ve received two letters from local health facilities telling me that they’ve been hacked. One office suggested we victims use a company called IDX in case of identity theft. I have Googled IDX, but I do not like that they use cookies. I’m also wary about handing over my social security number. What do you think?

I sure appreciate your vigilance and suspicion! I don’t know if you clicked on the reviews for IDX when you searched for the company, but they indicate pretty clearly that you should steer clear. I’m not asserting that all such companies aren’t worth their salt, but at least a few of IDX’s customers are displeased.

The businesses you are hearing from are under obligation to make some kind of remedial suggestion to you, though I wish they had stricter obligation to maintain tight security in the first place.

What they should be doing is telling you to place credit freezes at the three major bureaus, and to change your major passwords so that no two are the same, if they aren't already. Also turn on multi-factor authentication on every account that offers it.

Sigh.

Your instinct guided you correctly, and keep trusting your gut. If anything on the internet smells even a little fishy, it almost certainly is entirely fishy. That said, you should know that nearly every website you visit employs cookies. By its nature it can be a useful technology, for example letting a web app remember that I had logged into it and display my most recent choices. You are not wrong, however, that cookies are also used for purposes more convenient to the site owner than to me: gathering information about me to sell to data brokers.

The EU's GDPR, adopted in 2016 and enforced since 2018, together with the older EU cookie rules it builds on, requires websites that serve EU visitors to get consent before setting non-essential cookies, which is where those choice screens come from. I think the spirit is right, though the implementation has proven annoying: rather than apply different policies to visitors from different locations, most sites show the choice screen to the whole globe. So perfectly legitimate, nice, well-meaning, or beneficial websites may tell you that they use cookies and let you turn different categories of cookies on or off.

Finally, while I support your care in handing your social security number to just anyone, that number is flowing like water all over the internet, and the credit freezing and password security are our primary, if not only, defenses against identity theft.

Be Vigilant: Phishing Works

A friend writes:

I received an email from a colleague this afternoon. She uses Google Drive to send big files. The email said, “Barbara is trying to send you a file too big for email. Please sign into Google Drive.”

Not thinking that I was already signed in, I clicked and signed in, and even gave my phone number. It only took a minute for me to realize what happened when I was taken to an art gallery. So I'm changing everything, all credit and bank and passwords, etc.

But I’m guessing they could have sucked every bit of data out of all my Google info in a couple of minutes. Oy vey…

It's such a horrific, and tragically common, story these days. My friend has made the right move: changing all his passwords, especially for the major accounts such as Facebook, Apple, and Google, should secure him for the time being. A new password alone does not kick out a session the intruder already holds, nor undo changes made while inside, so also sign out of all devices in the account's security settings, revoke any app passwords and third-party app access, and check the recovery phone, recovery email, and mail-forwarding rules for anything added that day. Also, I think making sure you're subscribed to a credit-monitoring bureau, and alerting them to such a happenstance, would be beneficial.

So just to make sure you know: using a password manager such as 1Password [affiliate link], Dashlane, or LastPass helps immensely in these situations. You can use 1P to change all your passwords much faster than doing it manually, ensuring they're all different and super long. I even use 1Password to store the fake answers I create for the security questions.

J2 News: Prevent Someone From Becoming You

If you got my last newsletter, you know that this is the year when we all — the whole internet-using universe — become targets for bad hackers. We've already learned how they will try to get at our Macs. Now we need to look at how our online accounts and identities are vulnerable. Please at least read the first section, on passwords.

Got GSP? Picking a Good, Strong Password

You know how, recently, you might see a spate of emails from a friend that you know are junk — invitations to off-shore pharmacies and the like? And then that same friend emails everyone in his or her address book, to the effect of, “Sorry, someone hijacked my email!”?

Well, that happened because your friend had a password that was too simple, too easy to crack, and someone cracked it and took control of the mailbox.

This intrusion is not just an inconvenience to your friend and the people in their address book. If someone has your email password, they can get into ALL of your other online accounts, including possibly banking, because every "forgot my password" reset link lands in that mailbox. And hackers make money, more than you might think, by acquiring access to things like passwords, online accounts, credit card numbers, etc. (Hackers commit other kinds of crimes, too, but let's continue.)

How do they do it? I'm not a hacker, but I can abstract it: the bad guys have their computers scan the internet for, say, @gmail.com addresses. Then they point software at the login servers and try to sign in to known accounts by guessing likely passwords. Unless you're famous and being specifically targeted, they're not researching the names of your kids and pets. They just run through the dictionary, common names, number sequences (e.g., "1234"), and passwords leaked from other sites' breaches, and their bots work really fast. (Big providers slow down repeated login attempts, which is why the fastest guessing happens offline against stolen password databases, and why a password reused from a breached site is as good as no password.) If your password is simpler than what I've outlined below, they can guess it.

Here's a really disconcerting site, which I found by googling "crack gmail password." There are others.

So, I’ve already posted this, but it’s well worth restating:
Please — as in, umm, now — please create a Good, Strong Password for your email and any other important online accounts.

A Good, Strong Password contains:

  • at least 10 characters of both letters and numbers
  • at least 1 capital letter, preferably in the middle
  • at least one non-alphanumeric character, preferably in the middle
  • no recognizable names or words.

Microsoft words its recommendations slightly differently, and offers one tip for creating a password. I like their suggestion of choosing a memorable phrase and building the password from there. I even think that choosing a full sentence with capitals and punctuation might be a good way to remember the password; a string of several unrelated words is strong because every word you add multiplies the number of guesses an attacker has to make. I also like passwords that are easy to type, as long as they don't contain keys in keyboard order, such as "fghj." Here are some other tips.
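As an added example (written for this edit, not part of the original newsletter), here is a Python script that turns the Good, Strong Password rules above into a checker, generates passwords and random word phrases that satisfy them using the operating system's cryptographic random source, and puts a number on why length beats cleverness. The short word list and the attacker speed of ten billion guesses per second are assumptions for the demo.

```python
import math
import re
import secrets

# Constructed word list for the demo; a real passphrase generator should draw
# from a list of thousands of words (the EFF long word list, for instance).
WORDS = ["copper", "lantern", "orbit", "velvet", "thistle", "meadow", "granite",
         "saffron", "harbor", "quilt", "ember", "tundra", "maple", "falcon",
         "cobalt", "prairie"]
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
            "0123456789!@#$%^&*()-_=+[]{};:,.?")


def meets_gsp_rules(password: str, names_and_words=()) -> list:
    """Return the Good, Strong Password rules the password breaks (empty list
    means it passes). The 'preferably in the middle' rules are enforced
    strictly here: the capital and the symbol must not be first or last."""
    problems = []
    if len(password) < 10 or not (re.search(r"[A-Za-z]", password)
                                  and re.search(r"\d", password)):
        problems.append("needs at least 10 characters with both letters and numbers")
    core = password[1:-1]
    if not re.search(r"[A-Z]", core):
        problems.append("needs a capital letter away from the ends")
    if not re.search(r"[^A-Za-z0-9]", core):
        problems.append("needs a non-alphanumeric character away from the ends")
    lowered = password.lower()
    for word in names_and_words:      # caller supplies names, pets, dictionary words
        if len(word) >= 4 and word.lower() in lowered:
            problems.append(f"contains the recognizable word '{word}'")
            break
    return problems


def random_password(length: int = 14) -> str:
    """Draw characters with the secrets module (random.choice is predictable)
    and redraw until the result satisfies all four rules."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not meets_gsp_rules(candidate):
            return candidate


def passphrase(n_words: int = 5, wordlist=WORDS) -> str:
    """A memorable phrase, but with the words picked at random rather than
    taken from a quotation that an attacker's dictionary already contains."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy for `picks` independent uniform draws from `choices`."""
    return picks * math.log2(choices)


def years_to_guess(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password at an assumed guessing rate; on
    average the attacker has to try half of the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("random password:", random_password())
    print("passphrase:     ", passphrase())
    for label, choices, picks in (("10 letters+digits", 62, 10),
                                  ("14 chars, full alphabet", len(ALPHABET), 14),
                                  ("5 words from a 7776-word list", 7776, 5)):
        bits = entropy_bits(choices, picks)
        print(f"{label}: {bits:.1f} bits, ~{years_to_guess(bits):,.1f} years at 1e10 guesses/s")
```

The entropy lines are the point: ten random letters and digits are about 60 bits, which the assumed attacker exhausts in roughly a year, while five random words from a real list (about 65 bits) or fourteen characters from the full alphabet (about 90 bits) push that into decades and beyond. Those figures only hold for passwords that are actually random; a phrase lifted from a song or a name with a year appended is in the attacker's dictionary already.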

I have met every different kind of personality when it comes to creating and remembering passwords. And believe me, I have every sympathy for people who feel they have more important things to do with their brains. Unfortunately, we have come to a time when, from here on out, you either keep your digital stuff locked tight, or you get your life messed with.

Keeping Track

The natural question that follows is, how do I keep up with all my passwords? Fortunately, your Mac has an excellent built-in facility for this, called the keychain. Several software packages are also available for Macs and PCs. Check out my full write-up on the keychain and other options.

Do the It’s-Really-Me Two-Step

There is another method to lock your ID even tighter. It's called "two-factor" or "two-step" authentication. Not every service offers it, and I won't lie and claim it's for those who like to keep technology simple. But Google has rolled it out, even to their free accounts, and it is as smooth as I could expect something like this to be.

You dance the Google two-step like this: When you sign into a new computer — or every 30 days on your usual computers — besides accepting your password, Google sends you a text message with a code. You have to enter that code on the Google web site to continue.

[Screenshot: Google two-step verification]

Also, for the other apps that access your account, such as an email or calendar program, Google will generate an application-specific password that you only have to enter once; it gets stored by your computer or phone, and if said device is stolen, you can revoke that one password from your account settings without changing your main one.

“Gosh, this sounds like fun!” you’re saying. You can’t wait for us to come over and show you this awesome new computery thing. Just wait! There’s more…

Google offers a couple of backup verification methods in case you can't get a text: you can receive a phone call with the code, or your phone can run an app that generates a code for you, or you can carry a piece of paper with 10 "backup" codes on it. Really, I'm not kidding. If you can manage it, prefer the code-generating app over texts: a text can be read by anyone who talks the phone company into moving your number to their SIM card, while the app's codes never leave your phone.

They also will do a retinal scan and test your DNA against a sample they keep in a cryo-vault… OK, that time I was kidding.

Enabling Two-Step Verification for your Google account is in your Account Settings. It’s a bit of a process, and I recommend reading carefully each step of the way.

Facebook also does this login two-step now, which is good because 750,000,000 accounts are a terrifically big honey pot, and we all know someone whose account got hacked. Go to the Account Security section in Account Settings, and make it look like this:

[Screenshot: Facebook Account Security settings]

Facebook should already know your cell number, and will text you a code to enter.

I dearly wish more services were doing the two-step. Yahoo, Amazon, eBay, Apple iTunes — they should all get on this bandwagon. But the smart ones are at least starting to require Good, Strong Passwords.

Welcome to the Age of the Hack. Don’t shoot the messenger.