Invoice Phishing Campaign

Here is a phishing email I received today. These almost always land in my junk mail (hooray!). This particular one encourages me to click on a Microsoft Word file claiming to contain an invoice I should pay. I also received a couple with ".xps" attachments. These apparently make use of printer paper specification files in... Continue Reading →

State of the Art Password Cracking

While researching my next edition of Elementary Information Security I came a this posting from last January. It comes from the "netmux" web site and describes a $5,000 design for a password hash cracker. It also links to other state of the art cracking gear.

In June, 1999, Senator John McCain had started his presidential bid and was visiting companies in Silicon Valley, including Secure Computing Corporation, where I worked. He was there to discuss government policies on several tech topics, including the export of cryptographic technologies and products. I had been writing policy statements about crypto exports as part of... Continue Reading →

Interesting Email Scam I Received

I received an impressive email scam recently. My response was to forward it to the email provider's abuse contact (abuse@outlook.com) and file a complaint with the Internet Crime Complaint Center (ic3.gov). I'll include the whole email later. The bottom line: Scammer has my password and will humiliate me if I don't pay $1900 in bitcoin.... Continue Reading →

How to Trace an Email Message

There is no way to verify an email's contents except through cryptography. Until every email client includes encryption and reliable authentication, we should always doubt an email's source. We can increase our confidence in an email a little, though, by tracing its path through the mail system. I use this technique more-or-less daily to look... Continue Reading →

HR and Phishing

I receive thousands of emails every month. I do a lot of (for me) critical activities online. I never receive legitimate emails demanding a suspicious online action any more. Except from HR departments. IT security people know this is a problem. The upper left image comes from the University of Minnesota's phishing awareness blog. HR people... Continue Reading →

The Six Types of Cyber-Risks

My textbook lists categories of cyber-attacks that focus on an attack's lasting impact: how does it affect the target's assets and resources? Since the categories really reflect the attack's impact on the target, they really represent risks. Here are the categories I use right now: Denial of service - Pillage - Subversion Masquerade - Forgery - Disclosure This is a... Continue Reading →

Quantum Skepticism

Quantum computing gives us a way in theory to quickly crack certain types of cryptography. Well-funded startups are working on prototype quantum circuits, as are big guns like Intel, Microsoft, and IBM. Success could render a lot of today's encryption obsolete. In theory. Academic and industrial research labs have built basic quantum circuits. If Moore's... Continue Reading →

The Big Bug in the News: the WPA2 flaw

The big news this week is a protocol flaw in the Wireless Protected Access protocol, version 2 (WPA2). The Ars Technica article covers the details pretty well. This is what every Wi-Fi wireless router on the planet uses these days. The problem does not directly damage your system, but it can uncover data you had intended... Continue Reading →

Create a website or blog at WordPress.com

Up ↑