Category Archives: Security

This photo should not exist

pin.it/fnnc4j6fjamugy

Once we get past the creep factor of Nazi army uniforms, we see a communications team sending a secret message. They are using the legendary Enigma machine to encrypt the message.

But why, why did that officer allow a photographer to record this highly sensitive activity?

A failure of operational security (OPSEC). Allies in Blechley Park would have sacrificed lives for this photo, or any photo showing the device in operation.

Invoice Phishing Campaign

Phishing email

Here is a phishing email I received today. These almost always land in my junk mail (hooray!).

This particular one encourages me to click on a Microsoft Word file claiming to contain an invoice I should pay. I also received a couple with “.xps” attachments. These apparently make use of printer paper specification files in MS Windows.

According to an article in Threatpost, these may be part of a phishing campaign that uses an unpatched flaw in MS Windows.

Continue reading Invoice Phishing Campaign

Sen. John McCain, 1936-2018

In June, 1999, Senator John McCain had started his presidential bid and was visiting companies in Silicon Valley, including Secure Computing Corporation, where I worked. He was there to discuss government policies on several tech topics, including the export of cryptographic technologies and products. I had been writing policy statements about crypto exports as part of my job. I’d also published my first book, Internet Cryptographyso they flew me out from Minnesota to meet the Senator.

Continue reading Sen. John McCain, 1936-2018

Interesting Email Scam I Received

Internet Crime Complaint Center logoI received an impressive email scam recently. My response was to forward it to the email provider’s abuse contact (abuse@outlook.com) and file a complaint with the Internet Crime Complaint Center (ic3.gov). I’ll include the whole email later. The bottom line: Scammer has my password and will humiliate me if I don’t pay $1900 in bitcoin.

The scammer’s email landed in my spam folder. I was given a deadline of July 11. I didn’t clean out my spam folder till today (July 15).

In fact, the scammer does have one of my passwords: a throwaway password I use with throwaway accounts. When a web site makes me “register for an account” to retrieve information I want, this is the type of password I used to use. Now that I use password manager software (Lastpass specifically) I choose passwords more randomly and let the manager remember them.

Continue reading Interesting Email Scam I Received

How to Trace an Email Message

email iconThere is no way to verify an email’s contents except through cryptography. Until every email client includes encryption and reliable authentication, we should always doubt an email’s source.

We can increase our confidence in an email a little, though, by tracing its path through the mail system. I use this technique more-or-less daily to look at potential phishing emails. If the final Received header didn’t come from my bank, then I know it’s fake.

Continue reading How to Trace an Email Message

HR and Phishing

UMN phishing exampleI receive thousands of emails every month. I do a lot of (for me) critical activities online. I never receive legitimate emails demanding a suspicious online action any more.

Except from HR departments.

IT security people know this is a problem. The upper left image comes from the University of Minnesota’s phishing awareness blog. HR people as individuals also seem to know that phishing is a problem. But they still insist on sending suspicious-looking emails that demand personal information. No doubt it saves their department a few dollars.

Full disclosure: as noted at the end of this posting, Minnesota’s HR department has taken several steps to reduce these risks.

Continue reading HR and Phishing

The Six Types of Cyber-Risks

BombMy textbook lists categories of cyber-attacks that focus on an attack’s lasting impact: how does it affect the target’s assets and resources? Since the categories really reflect the attack’s impact on the target, they really represent risks. Here are the categories I use right now:

Denial of service – Pillage – Subversion

Masquerade – Forgery – Disclosure

This is a work in progress as I figure out some conceptual ideas.

Continue reading The Six Types of Cyber-Risks