Nick -
Just send me the $2500 and don't worry your pretty little head about
it... I'll be sure he gets it. Or at least that it gets spent.
Actually there are a whole class of phishing schemes that are slightly
too oblique for me to guess exactly what they are about. Sometimes I
think it is (to extend the phishing metaphor) chumming... tossing out
bait with no hook to get a frenzy going. For example, if they send out
1.9 million requests for various things ($2500 loan because of robbery
in the Philippines, or $900 for a plane ticket to get back to Manila from
Denver to help the family, or ...) and then scrape the open web archives
of lists like FRIAM for that same text, they can find how receptive
folks (like yourself) are to that particular scam. Let's say your
question to the list was "how do I get the money to him? I'm sure this
is legitimate, he must have forgotten to give me the info where to wire
the $2500", then they recognize that their scam is good and to elaborate
it for you (and others like you), or even to just follow up in person
(... Nick, I forgot to tell you in my last e-mail... can you
wire-transfer that $2500 to XXXyyyZZZ in Manila right away... and it
would really help if you send me your Driver's License #, Credit Card #s
with expiration and security code, and maybe your mother's maiden name
"just in case"?)
Another possibility (slimmer) is that the ReplyTo field in the original
e-mail is different from the From: which you recognize. When you
blithely hit "Reply", it goes to another e-mail. Given that e-mail
addresses have two parts (the common name, and the actual address such
as "Nick Thompson <sasm...@swcp.com>") someone (like me) can make it
feel like the recipient is replying to you while actually replying to
me... it takes a tiny bit of sophistication but... heck, for
$2500/mark, why not stretch oneself a bit and learn some tricks?
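The Reply-To trick described above can be checked mechanically. This is an added example, not code from the thread; the message, names and addresses in it are constructed.

```python
# Added example (not from the thread): detect a message whose Reply-To
# sends replies somewhere other than the visible From address, the trick
# Steve describes. The sample message below is constructed.
from email import message_from_string
from email.utils import parseaddr

SAMPLE = """\
From: Nick Thompson <nick@example.com>
Reply-To: Nick Thompson <nick.thompson@mail-example.net>
To: friam@example.org
Subject: urgent favour

I was robbed, please wire the money right away.
"""

def reply_target(raw):
    """Return (from_addr, reply_addr) as lowercase bare addresses.

    With no Reply-To header a mail client replies to From, so the two
    values are equal in that case.
    """
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_hdr = msg.get("Reply-To") or msg.get("From", "")
    reply_addr = parseaddr(reply_hdr)[1].lower()
    return from_addr, reply_addr

def reply_mismatch(raw):
    """True when a reply would go to an address other than the visible From."""
    from_addr, reply_addr = reply_target(raw)
    return bool(reply_addr) and reply_addr != from_addr

if __name__ == "__main__":
    src, dst = reply_target(SAMPLE)
    print(f"From {src}; replies go to {dst}; mismatch={reply_mismatch(SAMPLE)}")
```

A mismatch is a signal, not proof: mailing lists routinely set Reply-To to the list address, so the check is most useful when the display name is a known contact but the reply address is not.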
Could anybody translate Owen's message into ordinary language? Or
shouldn't I bother my pretty little head about it?
Probably not, but let me try riffing on it in pidgin Zuni and Basque:
Basically, someone who runs the forum (mail list? Web Site discussion
group?) indicated to the constituents that their server(s) had been
compromised (we don't know how or how they know it)... they apparently
indicated that the hackers (probably? surely?) got access to the forum
users' Database which would have "personal information" (name, e-mail,
more?) and apparently (encrypted) passwords.
One way to discover clear-text from an encrypted list (passwords) is to
encrypt (using various methods?) a dictionary of likely words/phrases
and compare the resulting encryption to the password list. If any of
the encrypted words/phrases match something in the list, then you know
that clear text (password). This depends on your using words that are
likely to be in their dictionary. Their dictionary needn't be a list of
English-language words (though that is an obvious collection to
include), it could be a collection of likely or already known passwords
(e.g. "password" or "f*ckoff!", etc.)... thus if they crack your
password on one site, they can add that to their "dictionary" and if you
have used it on another site, it will pop right up with this form of
attack.
If the site administrator/system uses "salt" (see wikipedia link), each
password gets folded in with a pseudo-random number so that it no longer
looks anything like the original password that might show up in a
dictionary. user:nickt password:nickt becomes user:nickt
password:gob@#ledy$%go%ok , with the latter less likely to be in their
dictionary (which might also be custom-built based on your personal
information such as DOB, paternal uncle's favorite cat, mother's maiden
name, Pet Cockatiel's DOHatch, etc.).
Ikusi arte, So' a:ne, Adios, Ciao, Carry on!
- Steve
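The dictionary attack and the effect of salting described above, as an added example that is not part of the thread. The guess list and user table are constructed; SHA-256 is used for both cases only to isolate what the salt changes.

```python
# Added example (not from the thread): the dictionary attack Steve describes,
# run against unsalted SHA-256 hashes and then against per-user salted ones.
import hashlib
import os

# Constructed guess list (a real one is millions of entries, as Steve notes).
DICTIONARY = ["password", "letmein", "nickt", "f*ckoff!"]
HASH_CALLS = {"n": 0}  # counts hash evaluations so the cost difference is visible

def hash_unsalted(pw):
    HASH_CALLS["n"] += 1
    return hashlib.sha256(pw.encode()).hexdigest()

def hash_salted(pw, salt):
    # The salt is stored beside the hash; it must be unique per user, not secret.
    HASH_CALLS["n"] += 1
    return hashlib.sha256(salt + pw.encode()).hexdigest()

def crack_unsalted(records, words):
    """records: {user: hash}. One precomputed table is reused for every user."""
    table = {hash_unsalted(w): w for w in words}
    return {user: table.get(h) for user, h in records.items()}

def crack_salted(records, words):
    """records: {user: (salt, hash)}. Every user costs a fresh pass over words."""
    found = {}
    for user, (salt, h) in records.items():
        found[user] = next((w for w in words if hash_salted(w, salt) == h), None)
    return found

def demo():
    # Constructed user table: owen and steve chose the same weak password.
    plain = {"nickt": "nickt", "owen": "letmein", "steve": "letmein", "glen": "x9!Qz7"}
    unsalted_db = {u: hash_unsalted(p) for u, p in plain.items()}
    salted_db = {}
    for u, p in plain.items():
        salt = os.urandom(16)
        salted_db[u] = (salt, hash_salted(p, salt))
    HASH_CALLS["n"] = 0
    r1 = crack_unsalted(unsalted_db, DICTIONARY)
    cost1 = HASH_CALLS["n"]
    HASH_CALLS["n"] = 0
    r2 = crack_salted(salted_db, DICTIONARY)
    cost2 = HASH_CALLS["n"]
    return {"same_hash_unsalted": unsalted_db["owen"] == unsalted_db["steve"],
            "same_hash_salted": salted_db["owen"][1] == salted_db["steve"][1],
            "cracked_unsalted": r1, "cost_unsalted": cost1,
            "cracked_salted": r2, "cost_salted": cost2}
```

The salted run still recovers the weak passwords, so salting answers Owen's question about one crack helping with the rest (it does not, and equal passwords no longer share a hash) but does not by itself make guessing expensive; that is the job of a deliberately slow password hash such as bcrypt, scrypt, Argon2 or PBKDF2.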
Meanwhile, this morning, I got an urgent message from an acquaintance
asking me to loan him 2500 dollars on account of his being robbed "at
gunpoint" in the Philippines. A call to his home revealed that he
was safe and sound in Denver. Here is the puzzle. The spoofer gave
me nowhere to send my money. Thus, I have 2500 dollars to send and
nowhere to send it. The only way I had of getting back to him/her was
via the spoofed email address. No link. No bank account number. No
phone number in Manila. How does THAT work?
Nick
Nicholas S. Thompson
Emeritus Professor of Psychology and Biology
Clark University
http://home.earthlink.net/~nickthompson/naturaldesigns/
From: Friam [mailto:friam-boun...@redfish.com] On Behalf Of Owen Densmore
Sent: Monday, November 18, 2013 10:13 AM
To: Complexity Coffee Group
Subject: [FRIAM] Forum hacked
A forum I belong to has been hacked, including personal info as well
as passwords.
How do they use this information?
I presume they try the hash function on all combinations of possible
passwords. (Naturally optimized for faster convergence). They see a
match, i.e. a letter combination resulting in the given hash of the
password.
If they crack one password, does that make cracking the rest any easier?
And does "salt" simply increase the difficulty, and indeed can it be
deduced, as above, by cracking a single password?
.. or is it all quite different from this!
-- Owen
============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com