Re: [FRIAM] Forum hacked
Owen -

> A forum I belong to has been hacked, including personal info as well as passwords. How do they use this information? I presume they try the hash function on all combinations of possible passwords. (Naturally optimized for faster convergence). They see a match, i.e. a letter combination resulting in the given hash of the password.

I presume you mean encrypted passwords. If the forum has been compromised (and they know it) then whether they can recover them or not, then the most they have is passwords to that site/forum? Unless of course you have been practicing poor password hygiene, using the same one (or very similar) on multiple sites?

> If they crack one password, does that make cracking the rest any easier?

Only if there is no salt used. Since most/many sites have idiosyncratic ideas of password constraints (must have xxx, can't have yyy, minimum, maximum, precise lengths, etc.), having one or more passwords decrypted can narrow those constraints to some extent (if a # or a % shows up in a password, it is likely that *all* special characters are allowed; if special characters *always* show up in the sample of decrypted passwords, then it is likely it is a requirement... same for numerals and capitals). Conversely, if one example of a decrypted password shows up without one or more of these typical requirements, then a smaller space can be searched for low-hanging fruit.

> And does salt simply increase the difficulty, and indeed can it be deduced, as above, by cracking a single password?

salt (http://en.wikipedia.org/wiki/Salt_%28cryptography%29) when used correctly is per-password, so cracking one doesn't help you crack the others... it really only helps against guessing (e.g. dictionary) attacks. It makes up for unimaginative passwords basically.

> .. or is it all quite different from this!

I don't know what the state of the art for random hackers is these days, but if your own personal password hygiene is good (no-reuse, no dictionary words/combos, special chars), then you are in fair shape (personally), though now you are at risk for phishing from spoofed friends and anything else that your personal information opens you to.

Of course, the NSA, the KGB, ha Mos'ad and other organized crime groups can brute force a lot these days... what they can and can't brute force is obviously classified.

Moral of the story, don't be a low-hanging fruit!

Perhaps if you communicate only in Zuni (Shiwi) or Basque, that will help a little ;^\.

/Luk hom an beye:na:kwe deliba?da'kowa we'atchonan/,

- Steve

FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
Re: [FRIAM] Forum hacked
Could anybody translate Owen's message into ordinary language? Or shouldn't I bother my pretty little head about it.

Meanwhile, this morning, I got an urgent message from an acquaintance asking me to loan him 2500 dollars on account of his being robbed "at gunpoint" in the Philippines. A call to his home revealed that he was safe and sound in Denver. Here is the puzzle. The spoofer gave me nowhere to send my money. Thus, I have 2500 dollars to send and nowhere to send it. The only way I had of getting back to him/her was via the spoofed email address. No link. No bank account number. No phone number in Manila. How does THAT work?

Nick

Nicholas S. Thompson
Emeritus Professor of Psychology and Biology
Clark University
http://home.earthlink.net/~nickthompson/naturaldesigns/

From: Friam [mailto:friam-boun...@redfish.com] On Behalf Of Owen Densmore
Sent: Monday, November 18, 2013 10:13 AM
To: Complexity Coffee Group
Subject: [FRIAM] Forum hacked

> A forum I belong to has been hacked, including personal info as well as passwords. How do they use this information? I presume they try the hash function on all combinations of possible passwords. (Naturally optimized for faster convergence). They see a match, i.e. a letter combination resulting in the given hash of the password.
>
> If they crack one password, does that make cracking the rest any easier?
>
> And does salt simply increase the difficulty, and indeed can it be deduced, as above, by cracking a single password?
>
> .. or is it all quite different from this!
>
> -- Owen
Re: [FRIAM] Forum hacked
If you send it to me, I'll gladly tell you that you shouldn't bother your pretty little head about it. Sorry, I couldn't resist! :-)

Gary

On Nov 18, 2013, at 12:52 PM, Nick Thompson nickthomp...@earthlink.net wrote:

> Could anybody translate Owen's message into ordinary language? Or shouldn't I bother my pretty little head about it.
>
> Meanwhile, this morning, I got an urgent message from an acquaintance asking me to loan him 2500 dollars on account of his being robbed "at gunpoint" in the Philippines. A call to his home revealed that he was safe and sound in Denver. Here is the puzzle. The spoofer gave me nowhere to send my money. Thus, I have 2500 dollars to send and nowhere to send it. The only way I had of getting back to him/her was via the spoofed email address. No link. No bank account number. No phone number in Manila. How does THAT work?
Re: [FRIAM] Forum hacked
On Mon, Nov 18, 2013 at 10:44 AM, Steve Smith sasm...@swcp.com wrote:

> Moral of the story, don't be a low-hanging fruit!

Easier said than done.

-- rec --
Re: [FRIAM] Forum hacked
Nick -

Just send me the $2500 and don't worry your pretty little head about it... I'll be sure he gets it. Or at least that it gets spent.

Actually there are a whole class of phishing schemes that are slightly too oblique for me to guess exactly what they are about. Sometimes I think it is (to extend the phishing metaphor) chumming... tossing out bait with no hook to get a frenzy going.

For example, if they send out 1.9 million requests for various things ($2500 loan because of robbery in the Philippines, or $900 for a plane ticket to get back to Manila from Denver to help the family, or ...) and then scrape the open web archives of lists like FRIAM for that same text, they can find how receptive folks (like yourself) are to that particular scam. Let's say your question to the list was "how do I get the money to him, I'm sure this is legitimate, he must have forgotten to give me the info where to wire the $2500"; then they recognize that their scam is good and elaborate it for you (and others like you), or even just follow up in person ("... Nick, I forgot to tell you in my last e-mail... can you wire-transfer that $2500 to XXXyyyZZZ in Manila right away... and it would really help if you send me your Driver's License #, Credit Card #s with expiration and security code, and maybe your mother's maiden name just in case?").

Another possibility (slimmer) is that the ReplyTo field in the original e-mail is different from the From: which you recognize. When you blithely hit Reply, it goes to another e-mail. Given that e-mail addresses have two parts (the common name, and the actual address, such as Nick Thompson <sasm...@swcp.com>) someone (like me) can make it feel like the recipient is replying to you while actually replying to me... it takes a tiny bit of sophistication but... heck, for $2500/mark, why not stretch oneself a bit and learn some tricks?

> Could anybody translate Owen's message into ordinary language? Or shouldn't I bother my pretty little head about it.

Probably not, but let me try riffing on it in pidgin Zuni and Basque:

Basically, someone who runs the forum (mail list? Web Site discussion group?) indicated to the constituents that their server(s) had been compromised (we don't know how or how they know it)... they apparently indicated that the hackers (probably? surely?) got access to the forum users' Database which would have personal information (name, e-mail, more?) and apparently (encrypted) passwords.

One way to discover clear-text from an encrypted list (passwords) is to encrypt (using various methods?) a dictionary of likely words/phrases and compare the resulting encryption to the password list. If any of the encrypted words/phrases match something in the list, then you know that clear text (password). This depends on your using words that are likely to be in their dictionary. Their dictionary needn't be a list of english-language words (though that is an obvious collection to include), it could be a collection of likely or already known passwords (e.g. "password" or "f*ckoff!", etc.)... thus if they crack your password on one site, they can add that to their dictionary and if you have used it on another site, it will pop right up with this form of attack.

If the site administrator/system uses salt (see wikipedia link), each password gets folded in with a pseudo-random number so that it no longer looks anything like the original password that might show up in a dictionary. "user:nickt password:nickt" becomes "user:nickt password:gob@#ledy$%go%ok", with the latter less likely to be in their dictionary (which might also be custom-built based on your personal information such as DOB, paternal uncle's favorite cat, mother's maiden name, Pet Cockatiel's DOHatch, etc.).

Ikusi arte, So' a:ne, Adios, Ciao, Carry on!

- Steve

> Meanwhile, this morning, I got an urgent message from an acquaintance asking me to loan him 2500 dollars on account of his being robbed "at gunpoint" in the Philippines. A call to his home revealed that he was safe and sound in Denver. Here is the puzzle. The spoofer gave me nowhere to send my money. Thus, I have 2500 dollars to send and nowhere to send it. The only way I had of getting back to him/her was via the spoofed email address. No link. No bank account number. No phone number in Manila. How does THAT work?
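As an added illustration of the dictionary attack and per-password salt that Steve describes here and in his first reply (example code written for this page, not code from anyone on the list): it stores a constructed four-user table both unsalted and salted, then counts how many hash computations a dictionary pass needs against each. The user names, passwords and dictionary are made up, and SHA-256 stands in only to keep the demo short.

```python
import hashlib
import os
from collections import Counter

# Constructed sample "leaked" user table, mirroring the thread's
# examples (user nickt with password nickt, one password reused by
# two accounts). None of these are real credentials.
USERS = {
    "nickt": "nickt",
    "owen": "zucchini",
    "steve": "zucchini",        # same password as owen
    "gary": "Xq7!vR2#pL9@",     # not in any small dictionary
}

# A toy dictionary of "likely" passwords, as Steve describes.
DICTIONARY = ["password", "letmein", "zucchini", "nickt", "friam", "basque"]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def store_unsalted(users):
    """Unsalted: hash = H(password). Equal passwords give equal hashes."""
    return {u: sha256_hex(p.encode()) for u, p in users.items()}

def store_salted(users, salt_len=16):
    """Per-user salt: hash = H(salt || password); the salt is stored beside it."""
    table = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)
        table[u] = (salt.hex(), sha256_hex(salt + p.encode()))
    return table

def crack_unsalted(table, dictionary):
    """One hash per dictionary word serves every account at once."""
    lookup = {sha256_hex(w.encode()): w for w in dictionary}
    found = {u: lookup[h] for u, h in table.items() if h in lookup}
    return found, len(dictionary)          # work = one pass, shared by all users

def crack_salted(table, dictionary):
    """With salt, every account needs its own pass over the dictionary."""
    found, work = {}, 0
    for u, (salt_hex, h) in table.items():
        salt = bytes.fromhex(salt_hex)
        for w in dictionary:
            work += 1
            if sha256_hex(salt + w.encode()) == h:
                found[u] = w
                break
    return found, work

def duplicate_hashes(table):
    """Without salt, reused passwords are visible before any cracking at all."""
    return [h for h, n in Counter(table.values()).items() if n > 1]
```

The salted table still gives up the weak passwords; what the salt removes is the shared work and the visible duplicates, which is why a site should also use a slow password hash rather than plain SHA-256.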
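The Reply-To mismatch Steve mentions can be checked mechanically before anyone hits Reply. This is an added example written for this page (not code from the list); the message below is constructed and its addresses are placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From display name is someone the recipient
# knows, but Reply-To points at a different mailbox, so a plain
# "Reply" goes to the scammer. Placeholder addresses only.
SAMPLE = """\
From: Nick Thompson <nick.thompson@example.org>
Reply-To: Nick Thompson <help.me.now@example.net>
To: friam@example.org
Subject: Urgent

I was robbed at gunpoint in Manila, can you loan me $2500?
"""

def reply_target(raw: str) -> tuple:
    """Return (address a reply actually goes to, address shown in From)."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = msg.get("Reply-To")
    target = parseaddr(reply_to)[1].lower() if reply_to else from_addr
    return target, from_addr

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""

def reply_warnings(raw: str) -> list:
    """Warnings a mail client or list gateway could surface before replying."""
    target, shown = reply_target(raw)
    warnings = []
    if target != shown:
        warnings.append(f"reply goes to {target}, not the From address {shown}")
    if domain(target) != domain(shown):
        warnings.append(f"reply domain {domain(target)} differs from {domain(shown)}")
    msg = message_from_string(raw)
    name_from = parseaddr(msg.get("From", ""))[0]
    name_reply = parseaddr(msg.get("Reply-To", ""))[0]
    # The same familiar display name on two different mailboxes is the
    # exact trick described in the thread.
    if name_reply and name_reply == name_from and target != shown:
        warnings.append("Reply-To reuses the From display name on a different mailbox")
    return warnings
```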
Re: [FRIAM] Forum hacked
> Thanks, Steve, It's terrifying how naïve I am. But you already knew that.

Well, you didn't send me the $2500 yet (is the check in the mail?) so you can't be *that* naive.

What might be terrifying (I think you are being hyperbolic; the buzz of a rattlesnake, the growl of a grizzly are terrifying, your naivete is at worst just quaint!) is that you are not alone, that this is another way in which we've outdriven our headlights. We *all*, astute technophiles included, have a hard time keeping up with this stuff. While some of us posture and fluff as if *we* have it all understood and under control, we don't... any more than the nameless tens of thousands of painters/carpenters/handymen back in the day who burned down their workshops/homes because they didn't understand the spontaneous combustion of linseed (and related) oils in discarded rags.

I don't fully understand your profession. Evolutionary Psychology as I understand it, however, would seem to address this question in some way. There must be precedent for this co-evolution of our extended phenotype/technosphere and our ability to apprehend it and its (often fairly immediate?) implications. Your insights are welcome.

- Steve
Re: [FRIAM] Forum hacked
Steve,

Actually, McLuhan's Global Village was one of the important Evolutionary Psychological insights. We are designed to live in small communities where the consequences of misbehavior are pretty severe ... exile, for instance. So, that old joke about rural Maine, where "You have to lock your car in the summer because otherwise somebody might put a zucchini in it." When chaos occurs and the village system breaks down, we are designed to trust nobody. Which is the internet, anyway?

N

Nicholas S. Thompson
Emeritus Professor of Psychology and Biology
Clark University
http://home.earthlink.net/~nickthompson/naturaldesigns/

From: Friam [mailto:friam-boun...@redfish.com] On Behalf Of Steve Smith
Sent: Monday, November 18, 2013 1:55 PM
To: The Friday Morning Applied Complexity Coffee Group
Subject: Re: [FRIAM] Forum hacked

> > Thanks, Steve, It's terrifying how naïve I am. But you already knew that.
>
> Well, you didn't send me the $2500 yet (is the check in the mail?) so you can't be *that* naive.
Re: [FRIAM] Forum hacked
Nick -

> Actually, McLuhan's Global Village was one of the important Evolutionary Psychological insights. We are designed to live in small communities where the consequences of misbehavior are pretty severe ... exile, for instance. So, that old joke about rural Maine, where "You have to lock your car in the summer because otherwise somebody might put a zucchini in it." When chaos occurs and the village system breaks down, we are designed to trust nobody. Which is the internet, anyway?

Sadly, the Internet is the best and worst of both (small village and teeming metropolis)... a global mega-village where if you aren't careful and leave your Apple unlocked someone might leave a Zucchini in it.

Do you remember the stories (apocryphal?) about how during a NYC Garbage Collectors (1970s?) strike people would put their garbage in large boxes, wrap it up in nice paper and a bow, leave it in their unlocked car and hope someone would steal it?

I choose to be deliberately trusting but careful. For example, when I loan books or tools, I treat them as I would gifts. If they happen to be returned, then it is a boon. If they don't, I trust they went to a good home. Maybe that is generous, not trusting?

A motto I seek to live by is "Plan for the worst; Hope for the best" also...

- Steve

PS... if you visit Doug's, don't leave your car unlocked, you may find halfway home that there is a Peacock in the back seat.