« November 2009 | Main | January 2010 »

December 2009

Sunday, 20 December 2009

The Twelve Days of Phishmas

Phishers are full of holiday spirit. Do ye doubt me? Listen in on an underground Ventrilo channel and you'll hear them carolling!

On the first day of Phishmas, an email came for me...

 I won the Irish Lottery!

On the second day of Phishmas, an offer came for me...

 Cheap Gucci bags, and I won the Irish Lottery!
On the third day of Phishmas, Wells Fargo texted me...
I am overdrawn, cheap Gucci bags and I won the Irish Lottery!

On the fourth day of Phishmas, a doctor emailed me...

I could be much bigger, I am overdrawn, cheap Gucci bags and I won the Irish Lottery!

On the fifth day of Phishmas, an email offered me

Vi-Agr-A! I could be much bigger, I am overdrawn, cheap Gucci bags and I won the Irish Lottery!

On the sixth day of Phishmas, Jewel Taylor wrote to me...
Help me transfer millions, Vi-Agr-A! I could be much bigger, my account's suspended, cheap Gucci bags and I won the Irish Lottery! 

On the seventh day of Phishmas, a dealer mailed to me...

I could wear a Rolex, Help me transfer millions, Vi-Agr-A! I could be much bigger, I am overdrawn, cheap Gucci bags and I won the Irish Lottery! 

On the eighth day of Phishmas, the CDC mailed me...

 Free swine flu vaccines, I could wear a Rolex, Help me transfer millions, Vi-Agr-A! I could be much bigger, I am overdrawn, cheap Gucci bags and I won the Irish Lottery! 
On the ninth day of Phishmas, the IRS mailed me...
I have a tax credit, Free swine flu vaccines, I could wear a Rolex, Help me transfer millions, Vi-Agr-A! I could be much bigger, my account's suspended, cheap Gucci bags and I won the Irish Lottery! 
On the tenth day of Phishmas, Eva Mendes tweeted me...
See me nude in Fiji, I have a tax credit, Free swine flu vaccines, I could wear a Rolex, Help me transfer millions, Vi-Agr-A! I could be much bigger, I am overdrawn, cheap Gucci bags and I won the Irish Lottery!
On the eleventh day of Phishmas, GoDaddy mailed to me...
My domain's been transferred, See me nude in Fiji, I have a tax credit, Free swine flu vaccines, I could wear a Rolex, Help me transfer millions, Vi-Agr-A! I could be much bigger, I am overdrawn, cheap Gucci bags and I won the Irish Lottery!
On the twelfth day of Phishmas, Stoya sexted me...
Here's my latest porn flick, My domain's been transferred, See me nude in Fiji, I have a tax credit, Free swine flu vaccines, I could wear a Rolex, Help me transfer millions, Vi-Agr-A! I could be much bigger, I am overdrawn, cheap Gucci bags and I won the Irish Lottery!
Happy Holidays to you all. I wish you all a safe surfing, tweeting, 'booking, and messaging 2010!


Posted at 11:11 AM in Anti-Malware and Anti-phishing | | Comments (2)

Thursday, 17 December 2009

Is your password on the worst offender list?

I noticed recently that a password list I posted to my web site several years ago is still visited frequently. Curious, I Googled password list to see what other lists I might find. Not surprisingly, Google returned nearly 2 million search engine hits. Push past the trivial "Top 10" lists that are designed purely to improve a Digg ranking and you'll find some longer, interesting ones such as Top 500 Worst Passwords of All Time.  

Study the 500 passwords listed carefully and you will see how laziness, brain freeze, and flawed thinking dominate password composition:

  • Nearly all of the passwords are shorter than 7 characters.
  • Most of the passwords are single English words or given names.
  • Many of the passwords are or include a profanity.
  • Many of the passwords are key sequences from a row on a QWERTY keyboard.
  • None of the passwords use a capital letter.
  • None of the passwords use a special character ([email protected]#$%^&*)

Think about this for a minute. By altering just one of the above behaviors, you are assured that your password is not among the 500 worst ever. Herein lies the irony: weakly composed passwords are largely the result of users who don't think for even 15 seconds about the composition of a password

The comments I typically hear when I ask folks how they compose passwords include "If I make it complicated I won't remember it", "My brain freezes when I'm asked to compose a password", and from the MySpace generation, "Who ^%!ing cares?" (this is no doubt the user demographic where most of the passwords containing profanities and most frequent use of the notorious 123456 password are to be found).

It's possible to make a password easy to remember without making it complicated. Instead of using a single word, use two or more words, a phrase, or a quotation. Capitalize each word (this isn't really disclosing that much helpful information to an attacker and certainly not enough to speed up a password cracker program). In between the word, use a special character: even if you use the same one to help you remember, your password will be more strongly composed. What you'll end up with may look something like this:

  • My!Dog!Has!Fleas
  • Your*Password*Is*Strong
  • Black$Jelly$Beans

To completely master password composition, add a Arabic number. To make it memorable, substitute the number where you'd include a word:

All six of these passwords satisfy the "Best" rating at the Microsoft Online Safety pages Password Checker.  None took me more than 20 seconds to compose. Note that I used the same special character (surely you have a favorite special character!). This isn't that hard, folks...

Posted at 10:04 AM in All matters security, Stop Think Connect | | Comments (2)

Next »
Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories