[Dixielandjazz] Attention DJML members: Email hacking is on the rise

Haupt Dave srdaven at yahoo.com
Wed Jul 27 20:53:47 PDT 2011


In the past few months, we've seen a sharp increase in the number of emails that DJML receives for which the member claims they did not send the email.  At first, I assumed it was spoofed email.  Someone with a modest amount of internet knowledge can use any of several normal email clients, such as Outlook, to pretend that the email came from someone else.  If I get a copy of those emails, I can inspect the header information and, most of the time, identify that it did not originate from the person in the "reply to" address.  That method is not 100% though - it depends on the originating IP address recorded in the headers not matching the sender's provider.  For instance, the email return address goes to AOL, but the IP address belongs to Comcast.  There are valid reasons why this might happen, so it's only a clue.

However, it seems that we're seeing more than just spoofing; we are seeing outright hacking into accounts.  One of my own accounts was compromised last week.

Here's how it works.  The would-be hacker runs a piece of software that zips through hundreds of thousands of guesses for your password.  If you use any email provider who has a web interface, they'll try your account.  And, as far as I know, all current email providers have a web interface.

The software tries combinations of English words as your password, and if it knows personally identifying info about you, such as your name, it tries them.

I had done something stupid.  Back when the internet was a bit safer, I had created an email address with my ham radio callsign and name, and used as the password, a simple English word.  Dumb even fifteen years ago, and today, an outright invitation to be hacked.

A friend called me on the phone to tell me I'd been hacked.  I first assumed it was spoofing, but then I logged into my email account, and checked the "sent" folder.  There were the spam emails, sent directly from my account, by someone logged directly into it as me.  My password was compromised.  Of course, when I saw this, I made huge forehead indentations in my keyboard, as I realized how stupid it was to use a plain English word as a password.

The hackers seem to find a way in, then send spam to everybody in your address book.  Keeping your address book empty helps, but it's better to close the door on the hackers.

So, this is a strong recommendation to all DJML members to select a strong password for all your accounts.  You can make variations on a password and use it for different accounts, so you aren't completely lost.  Believe it or not, writing your passwords down on a sheet of paper that you tape to your monitor is not at all risky, if it's a home computer.  Hackers do their work over the internet, and they cannot read that sheet of paper taped to your monitor.  They might be able to read a file on your computer, however.

Here are the basic strong password rules.

1) Do not include any English words, unless you can't avoid the little ones like "at" or "in".  Simply reversing a word does not help either; e.g. "newspaper" spelled backwards will still be guessed.
2) Use a combination of upper and lower case letters.
3) Include numerals.

You can come up with your own "formula" for creating them.  Think of things you know about yourself that you don't talk about in email.  What was the name of the dealer who sold you your first car?  Let's say it's "Anderson Chevrolet".  Take out all the vowels on the first word and now you have "NDRSN".  Make up your own formula for the capitals, like "boom CHICK boom CHICK" so you'll know that you capitalize #2 and #4 and maybe #6 and #8 since they'll actually be #2 and #4 in the next measure, er, word.  Select another nonsense word the same way - think of something you'd know but that you don't think much about, like that presidential candidate you voted for in college who did not win, and maybe this time, take out all the consonants.  Put a two or three digit number between the two non-words or before or after the whole thing.  I've given only one example of a way to come up with a password that, to anybody else, looks totally random.  And one that a computer program is unlikely to guess.
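As an added illustration (not part of Dave's post), the script below turns the three rules above into a checker and also carries out the "remove the vowels / boom CHICK" recipe from the previous paragraph.  The word list is a small constructed stand-in for the dictionaries that password-guessing software actually uses; a real checker would load a full English word list.  The second private word ("Example") is a placeholder, since the post leaves that choice to the reader.

```python
"""Checker for the post's three strong-password rules, plus the
"strip the vowels / boom CHICK" recipe for building one.  Added example;
the word list below is a constructed stand-in for a real dictionary."""
import re

# Constructed sample dictionary.  Guessing software uses lists of hundreds of
# thousands of words; load a real word list for actual use.
COMMON_WORDS = {
    "newspaper", "paper", "news", "password", "trumpet", "banjo", "dixie",
    "jazz", "love", "hello", "music", "anderson", "chevrolet", "summer",
}
SMALL_WORD_LIMIT = 2  # rule 1 tolerates tiny words such as "at" or "in"


def dictionary_hits(password, words=COMMON_WORDS):
    """Return dictionary words (longer than two letters) that appear in the
    password, forwards or spelled backwards, ignoring case."""
    lowered = password.lower()
    backwards = lowered[::-1]
    hits = []
    for word in sorted(words):
        if len(word) <= SMALL_WORD_LIMIT:
            continue
        if word in lowered:
            hits.append(word)
        elif word in backwards:
            hits.append(word + " (reversed)")
    return hits


def check_password(password, words=COMMON_WORDS):
    """Apply the three rules; return a list of violations (empty means it passes)."""
    problems = [f"contains English word: {hit}" for hit in dictionary_hits(password, words)]
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("needs both upper- and lower-case letters")   # rule 2
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one numeral")                  # rule 3
    return problems


def strip_vowels(word):
    """'Anderson' -> 'ndrsn' (the post's NDRSN, case aside)."""
    return re.sub(r"[aeiou]", "", word, flags=re.IGNORECASE)


def strip_consonants(word):
    """Keep only the vowels, the post's variation for the second word."""
    return re.sub(r"[^aeiou]", "", word, flags=re.IGNORECASE)


def boom_chick(s):
    """'boom CHICK': capitalize letters #2, #4, #6, ... and lower-case the rest."""
    return "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(s))


def build_password(first_word, second_word, number):
    """Recipe from the post: consonants of one private word, a two- or
    three-digit number, then the vowels of another private word."""
    return (boom_chick(strip_vowels(first_word))
            + str(number)
            + boom_chick(strip_consonants(second_word)))


if __name__ == "__main__":
    for candidate in ("newspaper", "repapswen", build_password("Anderson", "Example", 42)):
        verdict = check_password(candidate) or ["passes all three rules"]
        print(candidate, "->", "; ".join(verdict))
```

Running it shows "newspaper" failing all three rules, its reversal "repapswen" still being caught by the dictionary check, and the recipe's output "nDrSn42eAe" passing.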

Do not use your name, the name of the instrument you play or the words of anything you routinely discuss in email.

This style of hacking can only be reduced by making strong passwords.

Hope this helps.

Kindly,

A somewhat humbled Asst DJML moderator
Dave Haupt
Hillsboro, OR


