[Dixielandjazz] Attn All DJML Members

Robert Ringwald rsr at ringwald.com
Thu Jul 12 19:35:11 PDT 2012


I am once again posting an email that was posted on DJML a few months ago by our DJML Assistant Moderator Dave Haupt regarding email accounts being hacked. It seems to be happening more and more.  

Please read and take note.  

--Bob Ringwald
DJML Moderator

In the past few months, we've seen a sharp increase in the number of emails that DJML receives, for which the member claims they did not send the email. At first, I assumed it was spoofed email. Someone with a modest amount of internet knowledge can use any of several normal email clients, such as Outlook, to pretend that the email came from someone else. If I get a copy of those emails, I can inspect header information and most of the time, identify that it did not originate from the person who is in the "reply to" address. That method is not 100% though - it depends on the header information (what is known as an IP address) not matching the sender's provider. For instance, the email return address goes to AOL, but the IP address is Comcast. There are valid reasons why this might happen, so it's only a clue.

However, it seems that we're seeing more than just spoofing, we are seeing outright hacking into accounts. One of my own accounts was compromised last week.

Here's how it works. The would-be hacker runs a piece of software that zips through hundreds of thousands of guesses for your password. If you use any email provider who has a web interface, they'll try your account. And, as far as I know, all current email providers have a web interface.

The software tries combinations of English words as your password, and if it knows personally identifying info about you, such as your name, it tries them.

I had done something stupid. Back when the internet was a bit safer, I had created an email address with my ham radio callsign and name, and used as the password, a simple English word. Dumb even fifteen years ago, and today, an outright invitation to be hacked.

A friend called me on the phone to tell me I'd been hacked. I first assumed it was spoofing, but then I logged into my email account, and checked the "sent" folder. There were the spam emails, sent directly from my account, by someone logged directly into it as me. My password was compromised. Of course, when I saw this, I made huge forehead indentations in my keyboard, as I realized how stupid it was to use a plain English word as a password.

The hackers seem to find a way in, then send spam to everybody in your address book. Keeping your address book empty helps, but it's better to close the door on the hackers.

So, this is a strong recommendation to all DJML members to select a strong password for all your accounts. You can make variations on a password and use it for different accounts, so you aren't completely lost. Believe it or not, writing your passwords down on a sheet of paper that you tape to your monitor is not at all risky, if it's a home computer. Hackers do their work over the internet, and they cannot read that sheet of paper taped to your monitor. They might be able to read a file on your computer, however.

Here are the basic strong password rules.

1) Do not include any English words, unless you can't avoid the little ones like "at" or "in" for instance. Simply reversing a word seems to not help. E.g. "newspaper" spelled backwards will be guessed.

2) Use a combination of upper and lower case letters.

3) Include numerals.

You can come up with your own "formula" for creating them. Think of things you know about yourself that you don't talk about in email. What was the name of the dealer who sold you your first car? Let's say it's "Anderson Chevrolet". Take out all the vowels on the first word and now you have "NDRSN". Make up your own formula for the capitals, like "boom CHICK boom CHICK" so you'll know that you capitalize #2 and #4 and maybe #6 and #8 since they'll actually be #2 and #4 in the next measure, er, word. Select another nonsense word the same way - think of something you'd know but that you don't think much about, like that presidential candidate you voted for in college who did not win, and maybe this time, take out all the consonants. Put a two or three digit number between the two non-words or before or after the whole thing. I've given only one example of a way to come up with a password that, to anybody else, looks totally random. And one that a computer program is unlikely to guess.

Do not use your name, the name of the instrument you play or the words of anything you routinely discuss in email.

This style of hacking can only be reduced by making strong passwords.

Hope this helps.

Kindly,

A somewhat humbled Asst DJML moderator

Dave Haupt

Hillsboro, OR
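The "formula" Dave describes (strip the vowels from one word, strip the consonants from another, capitalize on the "boom CHICK" beats, put a number between them) and his three rules for a strong password can both be written down as a small script. The code below is an added example and is not part of Dave's or Bob's emails; the word list is a constructed stand-in for a real dictionary, and the second word "Mondale" and the number 42 are assumed sample inputs, not values from the list post.

```python
import re

# Constructed stand-in for an English dictionary (assumption: a real checker
# would load a full word list, e.g. /usr/share/dict/words on a Unix system).
COMMON_WORDS = {
    "newspaper", "password", "trumpet", "anderson", "chevrolet",
    "jazz", "banjo", "summer", "welcome", "dixie",
}


def strip_vowels(word):
    """'Anderson' -> 'ndrsn' (the NDRSN step from the email)."""
    return re.sub(r"[aeiou]", "", word, flags=re.IGNORECASE)


def strip_consonants(word):
    """Keep only the vowels, the variation suggested for the second word."""
    return re.sub(r"[^aeiou]", "", word, flags=re.IGNORECASE)


def boom_chick(fragment):
    """'boom CHICK boom CHICK': capitalize letters #2, #4, #6, #8, ... and
    lowercase the rest, so 'ndrsn' -> 'nDrSn'."""
    out = []
    for position, ch in enumerate(fragment, start=1):
        out.append(ch.upper() if position % 2 == 0 else ch.lower())
    return "".join(out)


def build_password(first_word, second_word, number):
    """Assemble the two non-words with a 2- or 3-digit number between them."""
    return f"{boom_chick(strip_vowels(first_word))}{number}" \
           f"{boom_chick(strip_consonants(second_word))}"


def check_password(pw, words=COMMON_WORDS, min_word_len=4):
    """Apply the email's three rules; return a sorted list of problems
    (empty list means the password passes).  Words shorter than
    min_word_len are ignored, matching the allowance for 'at' and 'in'
    (the cut-off of 4 letters is an assumption)."""
    problems = []
    low = pw.lower()
    for w in words:
        if len(w) < min_word_len:
            continue
        if w in low:
            problems.append(f"contains the word '{w}'")
        elif w[::-1] in low:
            # Rule 1: a reversed word is still guessable ("repapswen").
            problems.append(f"contains '{w}' spelled backwards")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper and lower case letters")  # rule 2
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one numeral")               # rule 3
    return sorted(problems)


if __name__ == "__main__":
    candidate = build_password("Anderson", "Mondale", 42)
    print(candidate, check_password(candidate))        # nDrSn42oAe []
    for weak in ("newspaper", "repapswen", "Trumpet7"):
        print(weak, check_password(weak))
```

Running the script shows the built password passing all three rules, while "newspaper", its reversal and an instrument name with a digit tacked on are each flagged, which is the point of rule 1: the checker has to look for reversed words and for words buried inside a longer string, because the guessing software does.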
