Interesting Email Scam I Recieved

Internet Crime Complaint Center logoI received an impressive email scam recently. My response was to forward it to the email provider’s abuse contact (abuse@outlook.com) and file a complaint with the Internet Crime Complaint Center (ic3.gov). I’ll include the whole email later. The bottom line: Scammer has my password and will humiliate me if I don’t pay $1900 in bitcoin.

The scammer’s email landed in my spam folder. I was given a deadline of July 11. I didn’t clean out my spam folder till today (July 15).

In fact, the scammer does have one of my passwords: a throwaway password I use with throwaway accounts. When a web site makes me “register for an account” to retrieve information I want, this is the type of password I used to use. Now that I use password manager software (Lastpass specifically) I choose passwords more randomly and let the manager remember them.

Continue reading Interesting Email Scam I Recieved

Organizing Video Clips for an Online Course

Video clapperboard slate, courtesy B&H Photo Video I’ve signed on to do a Coursera online course on cloud security. I’ll share more details as production progresses. This post contains a few notes on organizing video clips for a large project.

The video almost always consists of two synchronized streams: one of my bearded face narrating the video and the other of animated images, text, and diagrams. This is more complicated than my older video efforts, which consisted of animated presentations with voiceover.

I’ve now learned the value of the famous movie-studio clapperboard slate. I’ve also learned that your file naming process has to blend well with your editing style.

Continue reading Organizing Video Clips for an Online Course

How to Trace an Email Message

email iconThere is no way to verify an email’s contents except through cryptography. Until every email client includes encryption and reliable authentication, we should always doubt an email’s source.

We can increase our confidence in an email a little, though, by tracing its path through the mail system. I use this technique more-or-less daily to look at potential phishing emails. If the final Received header didn’t come from my bank, then I know it’s fake.

Continue reading How to Trace an Email Message

HR and Phishing

UMN phishing exampleI receive thousands of emails every month. I do a lot of (for me) critical activities online. I never receive legitimate emails demanding a suspicious online action any more.

Except from HR departments.

IT security people know this is a problem. The upper left image comes from the University of Minnesota’s phishing awareness blog. HR people as individuals also seem to know that phishing is a problem. But they still insist on sending suspicious-looking emails that demand personal information. No doubt it saves their department a few dollars.

Full disclosure: as noted at the end of this posting, Minnesota’s HR department has taken several steps to reduce these risks.

Continue reading HR and Phishing

The Six Types of Cyber-Risks

BombMy textbook lists categories of cyber-attacks that focus on an attack’s lasting impact: how does it affect the target’s assets and resources? Since the categories really reflect the attack’s impact on the target, they really represent risks. Here are the categories I use right now:

Denial of service – Pillage – Subversion

Masquerade – Forgery – Disclosure

This is a work in progress as I figure out some conceptual ideas.

Continue reading The Six Types of Cyber-Risks

Quantum Skepticism

img_0540-1Quantum computing gives us a way in theory to quickly crack certain types of cryptography. Well-funded startups are working on prototype quantum circuits, as are big guns like Intel, Microsoft, and IBM. Success could render a lot of today’s encryption obsolete. In theory.

Academic and industrial research labs have built basic quantum circuits. If Moore’s Law applies to quantum circuits, they will be the next big thing.

I remain skeptical. Quantum computing seems like perpetual motion machines to me, though I’ve never researched reasons to support my intuition. Researcher Gil Kalai presents an argument based on computational theory and models of noise. He argues that practical computations will lose out to noise effects. I’ll be interested to see more about this.

Two Longs and a Short

By Dick Pence

Phone operator using a switchboardThis story appeared in The Washington Post in 1991, shortly after a computer glitch caused a “long-distance blackout” on the East Coast.

Those big phone outages of the past couple of weeks have had me feeling a bit guilty over what’s been happening. You see, I remember exactly how all this started.

Back in 1950 I was a novice seahand aboard a cruiser based in Philadelphia, barely six months out of high school and fresh from the plains of South Dakota. One Friday night in November, we were granted shore leave at the end of a two-week training cruise. Homesick and seasick, I headed immediately for the row of pay phones that lined the dock.

Depositing a carefully preserved nickel (remember?), I dialed “O.” The following is a roughly verbatim account of what transpired after the Philadelphia operator answered.

Continue reading Two Longs and a Short

The Big Bug in the News: the WPA2 flaw

Wi Fi signal graphicThe big news this week is a protocol flaw in the Wireless Protected Access protocol, version 2 (WPA2). The Ars Technica article covers the details pretty well. This is what every Wi-Fi wireless router on the planet uses these days. The problem does not directly damage your system, but it can uncover data you had intended to encrypt.

The technique can trick the system into reusing a cryptographic key. To keep encrypted data safe we must avoid encrypting the same data twice (here’s an example of how it fails). While crypto system designs usually account for this, the attack on WPA2 tricks the system into reusing the key.

Continue reading The Big Bug in the News: the WPA2 flaw

Comparing Leaks: Trump vs. Hillary

Lattice for Secret, Top Secret, and compartmentsAs I said in an earlier post, no crime is committed if the appropriate official leaks sensitive classified information. This applies to both Secretary Clinton’s email server and President Trump’s unfortunate meeting with Russian diplomats. Both carried the authority to disclose what they disclosed. One question remains: what damage might have ensued from each leak?

I would argue that in both cases the initial lapse of judgement did not explicitly damage the United States. In both cases, however, the subsequent brouhaha may have leaked classified information. I personally doubt that the country will suffer much from either leak, though that is based on my own assessment of national threats (a political opinion).

Continue reading Comparing Leaks: Trump vs. Hillary

Tiptoeing Through Vulnerabilities

BombI sympathize with developers who throw up their hands and say, “I don’t do security stuff.” No matter what you choose, there’s a trade off that could go wrong. It’s especially troublesome if one deploys a “security website.” I’ve deployed security education websites in many environments over the past 20 years, and I rarely achieve the security level I’d like.

I wanted to watch a security webinar today.  But the webinar requires Adobe Flash, in which security researchers seem to uncover 1 or 2 vulnerabilities a month. I discarded Flash when upgrading my OS a couple years ago. It’s ironic that a security webinar might tempt it back onto my machine.

Continue reading Tiptoeing Through Vulnerabilities