Forum hacked

Owen Densmore
Administrator
A forum I belong to has been hacked, including personal info as well as passwords.

How do they use this information?

I presume they try the hash function on all combinations of possible passwords.  (Naturally optimized for faster convergence).  They see a match, i.e. a letter combination resulting in the given hash of the password.

If they crack one password, does that make cracking the rest any easier?

And does "salt" simply increase the difficulty, and indeed can it be deduced, as above, by cracking a single password?

.. or is it all quite different from this!

   -- Owen

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
Re: Forum hacked

Steve Smith
Owen -
> A forum I belong to has been hacked, including personal info as well as passwords.
>
> How do they use this information?
>
> I presume they try the hash function on all combinations of possible passwords.  (Naturally optimized for faster convergence).  They see a match, i.e. a letter combination resulting in the given hash of the password.

I presume you mean encrypted passwords.  If the forum has been compromised (and they know it) then whether they can recover them or not, then the most they have is passwords to that site/forum?  Unless of course you have been practicing poor password hygiene, using the same one (or very similar) on multiple sites?

> If they crack one password, does that make cracking the rest any easier?

Only if there is no salt used.  Since most/many sites have idiosyncratic ideas of password constraints (must have xxx, can't have yyy, minimum, maximum, precise lengths, etc.), having one or more passwords decrypted can narrow those constraints to some extent (if a # or a % shows up in a password, it is likely that *all* special characters are allowed, if special characters *always* show up in the sample of decrypted passwords, then it is likely it is a requirement... same for numerals and capitals).  Conversely, if one example of a decrypted password shows up without one or more of these typical requirements, then a smaller space can be searched for low-hanging fruit.

> And does "salt" simply increase the difficulty, and indeed can it be deduced, as above, by cracking a single password?

"salt" when used correctly is per-password, so cracking one doesn't help you crack the others... it really only helps against "guessing" (e.g. dictionary) attacks.  It makes up for unimaginative passwords basically.

> .. or is it all quite different from this!

I don't know what the state of the art for random hackers is these days, but if your own personal password hygiene (no-reuse, no dictionary words/combos, special chars), then you are in fair shape (personally) though now you are at risk for phishing from spoofed "friends" and anything else that your "personal information" opens you to.

Of course, the NSA, the KGB, ha Mos'ad and other organized crime groups can brute force a lot these days... what they can and can't brute force is obviously classified.  

Moral of the story, "don't be a low-hanging fruit!" .

Perhaps if you communicate only in Zuni (Shiwi) or Basque, that will help a little ;^\.

Luk hom an beye:na:kwe delibałda'kowa we'atchonan,
 - Steve

Re: Forum hacked

Nick Thompson
In reply to this post by Owen Densmore

Could anybody translate Owen’s message into ordinary language?   Or shouldn’t I bother my pretty little head about it.

 

Meanwhile, this morning, I got an urgent message from an acquaintance asking me to loan him 2500 dollars on account of his being robbed “at gunpoint” in the Philippines.   A call to his home revealed that he was safe and sound in Denver.  Here is the puzzle.  The spoofer gave me nowhere to send my money.  Thus, I have 2500 dollars to send and nowhere to send it.  The only way I had of getting back to him/her was via the spoofed email address.  No link.  No bank account number.  No phone number in Manila.  How does THAT work? 

 

Nick

Nicholas S. Thompson
Emeritus Professor of Psychology and Biology
Clark University
http://home.earthlink.net/~nickthompson/naturaldesigns/

 

From: Friam [mailto:[hidden email]] On Behalf Of Owen Densmore
Sent: Monday, November 18, 2013 10:13 AM
To: Complexity Coffee Group
Subject: [FRIAM] Forum hacked

 

Re: Forum hacked

Gary Schiltz-4
If you send it to me, I’ll gladly tell you that you shouldn’t bother your pretty little head about it.

Sorry, I couldn’t resist!

:-)

Gary

On Nov 18, 2013, at 12:52 PM, Nick Thompson <[hidden email]> wrote:

> Could anybody translate Owen’s message into ordinary language?   Or shouldn’t I bother my pretty little head about it.
>  
> Meanwhile, this morning, I got an urgent message from an acquaintance asking me to loan him 2500 dollars on account of his being robbed “at gunpoint” in the Philippines.   A call to his home revealed that he was safe and sound in Denver.  Here is the puzzle.  The spoofer gave me nowhere to send my money.  Thus, I have 2500 dollars to send and nowhere to send it.  The only way I had of getting back to him/her was via the spoofed email address.  No link.  No bank account number.  No phone number in Manila.  How does THAT work?
>  
> Nick
Re: Forum hacked

Roger Critchlow-2
In reply to this post by Steve Smith

On Mon, Nov 18, 2013 at 10:44 AM, Steve Smith <[hidden email]> wrote:

> Moral of the story, "don't be a low-hanging fruit!" .


Easier said than done.

-- rec -- 

Re: Forum hacked

Steve Smith
In reply to this post by Nick Thompson
Nick -

Just send me the $2500 and don't worry your pretty little head about it...  I'll be sure he gets it.  Or at least that it gets spent.

Actually there is a whole class of phishing schemes that are slightly too oblique for me to guess exactly what they are about.  Sometimes I think it is (to extend the phishing metaphor) chumming... tossing out bait with no hook to get a frenzy going.  For example, if they send out 1.9 million requests for various things ($2500 loan because of robbery in Philippines, or $900 for a plane ticket to get back to Manila from Denver to help the family, or ...) and then scrape the open web archives of lists like FRIAM for that same text, they can find how receptive folks (like yourself) are to that particular scam.  Let's say your question to the list was "how do I get the money to him, I'm sure this is legitimate, he must have forgotten to give me the info where to wire the $2500" then they recognize that their scam is good and to elaborate it for you (and others like you), or even to just follow up in person (... Nick, I forgot to tell you in my last e-mail...  can you wire-transfer that $2500 to XXXyyyZZZ in Manila right away... and it would really help if you send me your Driver's License #, Credit Card #s with expiration and security code, and maybe your mother's maiden name "just in case"?)

Another possibility (slimmer) is that the ReplyTo field in the original e-mail is different from the From: which you recognize.  When you blithely hit "Reply", it goes to another e-mail.  Given that e-mail addresses have two parts (the common name, and the actual address such as "Nick Thompson [hidden email]") someone (like me) can make it feel like the recipient is replying to you while actually replying to me...   it takes a tiny bit of sophistication but...  heck, for $2500/mark, why not stretch oneself a bit and learn some tricks?

> Could anybody translate Owen’s message into ordinary language?  Or shouldn’t I bother my pretty little head about it.

Probably not, but let me try riffing on it in pidgin Zuni and Basque:

Basically, someone who runs the forum (mail list? Web Site discussion group?) indicated to the constituents that their server(s) had been compromised (we don't know how or how they know it)... they apparently indicated that the hackers (probably? surely?) got access to the forum users' Database which would have "personal information" (name, e-mail, more?) and apparently (encrypted) passwords.

One way to discover clear-text from an encrypted list (passwords) is to encrypt (using various methods?) a dictionary of likely words/phrases and compare the resulting encryption to the password list.  If any of the encrypted words/phrases match something in the list, then you know that clear text (password).  This depends on your using words that are likely to be in their dictionary.  Their dictionary needn't be a list of English-language words (though that is an obvious collection to include), it could be a collection of likely or already known passwords (e.g. "password" or "f*ckoff!", etc.)... thus if they crack your password on one site, they can add that to their "dictionary" and if you have used it on another site, it will pop right up with this form of attack.

If the site administrator/system uses "salt" (see wikipedia link), each password gets folded in with a pseudo-random number so that it no longer looks anything like the original password that might show up in a dictionary.  user:nickt password:nickt becomes user:nickt password:gob@#ledy$%go%ok , with the latter less likely to be in their dictionary (which might also be custom-built based on your personal information such as DOB, paternal uncle's favorite cat, mother's maiden name, Pet Cockatiel's DOHatch, etc.).

Ikusi arte, So' a:ne, Adios, Ciao, Carry on!
 - Steve

 

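The Reply-To and display-name tricks Steve describes above can be checked mechanically on the receiving side. The following is an added example, not part of the thread; the sample messages, all addresses and the function name `header_findings` are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr
import re

# Matches something that looks like an e-mail address inside a display name.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def header_findings(raw_message):
    """Return (finding, address) tuples for one raw message.

    A finding is a reason to look closer, not a verdict: mailing lists and
    help desks legitimately set Reply-To to a different mailbox.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    findings = []

    # Case 1: "Reply" would go somewhere other than the visible sender.
    for _name, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        reply_addr = reply_addr.lower()
        if not reply_addr or reply_addr == from_addr:
            continue
        if _domain(reply_addr) != _domain(from_addr):
            findings.append(("reply-to-other-domain", reply_addr))
        else:
            findings.append(("reply-to-other-mailbox", reply_addr))

    # Case 2: the display name shows one address, the real address is another.
    for shown in ADDR_IN_NAME.findall(from_name):
        if shown.lower() != from_addr:
            findings.append(("display-name-address-mismatch", shown.lower()))
    return findings


# Constructed sample messages (all names and domains are placeholders).
PLAIN = (
    "From: Nick Example <nick@example.edu>\n"
    "To: friend@example.org\n"
    "Subject: Lunch Friday?\n\n"
    "See you at the cafe.\n"
)
REDIRECTED = (
    "From: Nick Example <nick@example.edu>\n"
    "Reply-To: Nick Example <nick.example@freemail.example>\n"
    "To: friend@example.org\n"
    "Subject: Urgent\n\n"
    "I was robbed, please help.\n"
)
NAME_TRICK = (
    'From: "nick@example.edu" <helper@mail.example.net>\n'
    "To: friend@example.org\n"
    "Subject: Urgent\n\n"
    "I was robbed, please help.\n"
)

if __name__ == "__main__":
    for label, raw in [("plain", PLAIN), ("redirected", REDIRECTED),
                       ("name trick", NAME_TRICK)]:
        print(label, header_findings(raw))
```
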
Re: Forum hacked

Steve Smith
In reply to this post by Roger Critchlow-2
Roger -
> On Mon, Nov 18, 2013 at 10:44 AM, Steve Smith <[hidden email]> wrote:
>
> > Moral of the story, "don't be a low-hanging fruit!" .
>
> Easier said than done.

Agreed... as what constitutes "low hanging" changes rapidly.  

But seriously, using your username as your password, or "password" as your password or your lastname joined with your birthyear is pretty low fruit. 

My mother (86) can't really comprehend anything past that, but *can* and *does* keep a password list in a book by her computer... totally open to physical attack (anyone coming into her home) but as good as it gets (with a good password generator) otherwise I think. 

My wife (nowhere near 86) is stubborn and uses the lowest hanging fruit she can find.  Fortunately she doesn't do any online banking, and is paranoid enough about the NSA that very little else of worry is connected to her online activity.

Me?  I'm probably a prime target because I *think* I know what I'm doing... I haven't been hacked/spoofed/phished effectively (yet) to my knowledge but... shite, for all you know, this is someone just pretending to be me!  (or is it one of my many personalities?)

- Steve



Re: [EXTERNAL] Forum hacked

Parks, Raymond
In reply to this post by Owen Densmore
WRT password cracking - Dan Goodin has a good series of articles on password cracking at Ars Technica.


TL;DR - Current GPU-based password cracking using 20-million word dictionaries makes truly random passwords below 14 characters and nearly all pass-phrases susceptible to cracking in a relatively short time.

On a related subject, roughly 75% of websites store passwords as nothing more complicated than simple, unsalted MD5 hashes.  This is almost as easy to break as NTLM.

Salt makes the initial crack more difficult, but if the same salt is used for all hashes, then subsequent cracks ignore it.

WRT the use of PII - it's sold on various markets, correlated in a "big data" manner with other exposures, and, if enough information is available and the person's credit score is high enough, is used for credit attacks.  In some cases, if banking information is correlated, the collection is used for banking attacks.  If there is poor correlation but an email or FQDN is in the information, then the data may be used as a target list.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



Re: [EXTERNAL] Forum hacked

cody dooderson
I find passwords really hard to remember. Especially those sites that require numbers, symbols, uppercase, and lower case characters. I personally would rather use a 20 character all lowercase password than an 8 character mixed symbol password. As a result I keep a document, in the cloud, with all of my passwords stored in plain text. Many of these passwords I could care less if someone cracked.
Also, I was under the impression that salting prevents the use of rainbow tables.

Cody Smith


On Mon, Nov 18, 2013 at 11:28 AM, Parks, Raymond <[hidden email]> wrote:
> WRT password cracking - Dan Goodin has a good series of articles on password cracking at Ars Technica.
>
> TL;DR - Current GPU-based password cracking using 20-million word dictionaries makes truly random passwords below 14 characters and nearly all pass-phrases susceptible to cracking in a relatively short time.
>
> On a related subject, roughly 75% of websites store passwords as nothing more complicated than simple, unsalted MD5 hashes.  This is almost as easy to break as NTLM.
>
> Salt makes the initial crack more difficult, but if the same salt is used for all hashes, then subsequent cracks ignore it.
>
> WRT the use of PII - it's sold on various markets, correlated in a "big data" manner with other exposures, and, if enough information is available and the person's credit score is high enough, is used for credit attacks.  In some cases, if banking information is correlated, the collection is used for banking attacks.  If there is poor correlation but an email or FQDN is in the information, then the data may be used as a target list.

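Ray's point about one salt shared by every hash and Cody's point about rainbow tables can both be seen by storing the same accounts three ways and auditing the resulting tables. This is an added example, not part of the thread; the account names, passwords, site-wide salt, helper names and the choice of PBKDF2-HMAC-SHA256 with 200,000 rounds for the per-user scheme are assumptions, and a plain lookup table stands in for a real rainbow table.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; alice and bob share a password.
USERS = {
    "alice": "sunshine1",
    "bob": "sunshine1",
    "carol": "correct horse battery",
}
SITE_SALT = b"one-salt-for-everyone"  # assumed site-wide salt
PBKDF2_ROUNDS = 200_000               # assumed work factor


def store_unsalted(users):
    """Plain MD5 of the password ("simple, unsalted MD5")."""
    return {u: {"hash": hashlib.md5(p.encode()).hexdigest()}
            for u, p in users.items()}


def store_shared_salt(users, site_salt=SITE_SALT):
    """MD5 with the same salt prepended for every account."""
    return {u: {"hash": hashlib.md5(site_salt + p.encode()).hexdigest()}
            for u, p in users.items()}


def store_per_user(users, rounds=PBKDF2_ROUNDS):
    """Random 16-byte salt per account plus a deliberately slow hash."""
    table = {}
    for user, password in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
        table[user] = {"salt": salt.hex(), "rounds": rounds, "hash": digest.hex()}
    return table


def verify_per_user(table, user, password):
    """Login check: recompute with the stored salt, compare in constant time."""
    record = table.get(user)
    if record is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_hash_groups(table):
    """Audit: accounts whose stored hashes are identical.

    Any group means one recovered password exposes every account in it.
    """
    groups = defaultdict(list)
    for user, record in table.items():
        groups[record["hash"]].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def precomputed_hits(table, wordlist):
    """Audit: accounts found in a lookup table built with no knowledge of
    this site (word -> MD5), i.e. work done once and reused everywhere."""
    lookup = {hashlib.md5(w.encode()).hexdigest() for w in wordlist}
    return sorted(u for u, record in table.items() if record["hash"] in lookup)


if __name__ == "__main__":
    generic_words = ["password", "sunshine1"]  # constructed sample list
    for name, table in [("unsalted", store_unsalted(USERS)),
                        ("shared salt", store_shared_salt(USERS)),
                        ("per-user salt", store_per_user(USERS))]:
        print(name, "| identical hashes:", shared_hash_groups(table),
              "| in generic lookup table:", precomputed_hits(table, generic_words))
```

The shared salt removes the accounts from the generic lookup table but still leaves alice and bob with identical hashes; only the per-user salt removes both findings.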
Re: Forum hacked

Nick Thompson
In reply to this post by Steve Smith

Thanks, Steve,

It’s terrifying how naïve I am.

But you already knew that.

Nick

Nicholas S. Thompson
Emeritus Professor of Psychology and Biology
Clark University
http://home.earthlink.net/~nickthompson/naturaldesigns/

 

From: Friam [mailto:[hidden email]] On Behalf Of Steve Smith
Sent: Monday, November 18, 2013 11:18 AM
To: The Friday Morning Applied Complexity Coffee Group
Subject: Re: [FRIAM] Forum hacked

 

Re: Forum hacked

Steve Smith

> Thanks, Steve,
>
> It’s terrifying how naïve I am.
>
> But you already knew that.

Well, you didn't send me the $2500 yet (is the check in the mail?) so you can't be *that* naive.

What might be terrifying (I think you are being hyperbolic, the buzz of a rattlesnake, the growl of a grizzly are terrifying, your naivete is at worst just "quaint"!) is that you are not alone.... that this is another way in which we've outdriven our headlights.  We *all*, astute technophiles included, have a hard time keeping up with this stuff. 

While some of us posture and fluff as if *we* have it all understood and under control, we don't... anymore than the nameless tens of thousands of painters/carpenters/handymen back in the day burned down their workshops/homes because they didn't understand the spontaneous combustion of linseed (and related) oils in discarded rags.

I don't fully understand your profession.  Evolutionary Psychology as I understand it, however, would seem to address this question in some way.  There must be precedent for this co-evolution of our extended phenotype/technosphere and our ability to apprehend it and its (often fairly immediate?) implications.  Your insights are welcome.

- Steve

 

Nick

 

Nicholas S. Thompson

Emeritus Professor of Psychology and Biology

Clark University

http://home.earthlink.net/~nickthompson/naturaldesigns/

 

From: Friam [[hidden email]] On Behalf Of Steve Smith
Sent: Monday, November 18, 2013 11:18 AM
To: The Friday Morning Applied Complexity Coffee Group
Subject: Re: [FRIAM] Forum hacked

 

Nick -

Just send me the $2500 and don't worry your pretty little head about it...  I'll be sure he gets it.  Or at least that it gets spent.

Actually there are a whole class of phishing schemes that are slightly too oblique for me to guess exactly what they are about.   Sometimes I think it is (to extend the phishing metaphor) chumming... tossing out bait with no hook to get a frenzy going.   For example, if they send out 1.9 million requests for various things ($2500 loan because of robbery in Phillipines, or $900 for a plane ticket to get back to Manila from Denver to help the family, or ...) and then scrape the open web archives of lists like FRIAM for that same text, they can find how receptive folks (like yourself) are to that particular scam.  Let's say your question to the list was "how do I get the money to him, I"m sure this is legitimate, he must have forgotten to give me the info where to wire the $2500) then they recognize that their scam is good and to elaborate it for you (and others like you), or even to just follow up in person (... Nick, I forgot to tell you in my last e-mail...  can you wire-transfer that $2500 to XXXyyyZZZ in Manila right away... and it would really help if you send me your Driver's License #, Credit Card #s with expiration and security code, and maybe your mother's maiden name "just in case"?)

Another possibility (slimmer) is that the ReplyTo field in the original e-mail is different from the From: which you recognize.  When you blithely hit "Reply", it goes to another e-mail.  Given that e-mail addresses have two parts (the common name, and the actual address such as "Nick Thompson [hidden email]") someone (like me) can make it feel like the recipient is replying to you while actually replying to me...   it takes a tiny bit of sophistication but...  heck, for $2500/mark, why not stretch oneself a bit and learn some tricks?

Could anybody translate Owen’s message into ordinary language?   Or shouldn’t I bother my pretty little head about it.


Probably not, but let me try riffing on it in pidgen Zuni and Basque:

Basically, someone who runs the forum (mail list? Web Site discussion group?) indicated to the constituents that their server(s) had been compromised (we don't know how or how they know it)... they apparently indicated that the hackers (probably? surely?) got access to the forum users' Database which would have "personal information" (name, e-mail, more?) and apparently (encrypted) passwords.

One way to discover clear-text from an encrypted list (passwords) is to encrypt (using various methods?) a dictionary of likely words/phrases and compare the resulting encryption to the password list.  If any of the encrypted words/phrases match something in the list, then you know that clear text (password).  This depends on your using words that are likely to be in their dictionary.  Their dictionary needn't be a list of english-language words (though that is an obvious collection to include), it could be a collection of likely or already known passwords (e.g. "password" or "f*ckoff!", etc.)... thus if they crack your password on one site, they can add that to their "dictionary" and if you have used it on another site, it will pop right up with this form of attack.

If the site administrator/system uses "salt" (see wikipedia link), each password gets folded in with a pseudo-random number so that it no longer looks anything like the original password that might show up in a dictionary.   user:nickt password:nickt becomes user:nickt password:gob@#ledy$%go%ok , with the latter less likely to be in their dictionary (which might also be custom-built based on your personal information such as DOB, paternal uncle's favorite cat, mother's maiden name, Pet Cockatiel's DOHatch, etc.).

Ikusi arte, So' a:ne, Adios, Ciao, Carry on!
 - Steve

 

Meanwhile, this morning, I got an urgent message from an acquaintance asking me to loan him 2500 dollars on account of his being robbed “at gunpoint” in the Philippines.   A call to his home revealed that he was safe and sound in Denver.  Here is the puzzle.  The spoofer gave me nowhere to send my money.  Thus, I have 2500 dollars to send and nowhere to send it.  The only way I had of getting back to him/her was via the spoofed email address.  No link.  No bank account number.  No phone number in Manila.  How does THAT work? 

 

Nick

 

 

Nicholas S. Thompson

Emeritus Professor of Psychology and Biology

Clark University

http://home.earthlink.net/~nickthompson/naturaldesigns/

 

From: Friam [[hidden email]] On Behalf Of Owen Densmore
Sent: Monday, November 18, 2013 10:13 AM
To: Complexity Coffee Group
Subject: [FRIAM] Forum hacked

 

A forum I belong to has been hacked, including personal info as well as passwords.

 

How do they use this information?

 

I presume they try the hash function on all combinations of possible passwords.  (Naturally optimized for faster convergence).  They see a match, i.e. a letter combination resulting in the given hash of the password.

 

If they crack one password, does that make cracking the rest any easier?

 

And does "salt" simply increase the difficulty, and indeed can it be deduced, as above, by cracking a single password?

 

.. or is it all quite different from this!

 

   -- Owen
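
Added example, not part of Steve's message: a header check for the Reply-To trick he describes, where the reply address or the display name does not match the visible From address. The sample messages, addresses and finding names are constructed for illustration, and the mailing-list exception is a heuristic assumption.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

ADDRESS_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample messages (reserved example domains, invented names).
SPOOFED = """\
From: "Pat Example" <pat@example.com>
Reply-To: "Pat Example" <pat.example@mailbox.example.net>
To: friend@example.org
Subject: Urgent, please help

Please reply as soon as you can.
"""

DISPLAY_NAME = """\
From: "pat@example.com" <relay4471@mailbox.example.net>
To: friend@example.org
Subject: Urgent, please help

Please reply as soon as you can.
"""

LIST_MAIL = """\
From: "List Member" <member@example.org>
Reply-To: "Coffee Group" <list@lists.example.com>
To: list@lists.example.com
List-Id: <list.lists.example.com>
Subject: [LIST] Forum hacked

Ordinary list traffic.
"""


def _domain(address):
    return address.rpartition("@")[2].lower()


def reply_path_findings(raw_message):
    """Return (finding, value) pairs for reply paths that differ from the visible sender."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    recipients = {
        addr.lower()
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    }
    list_mail = msg.get("List-Id") is not None
    findings = []

    for name, addr in getaddresses(msg.get_all("Reply-To", [])):
        addr = addr.lower()
        if not addr or addr == from_addr:
            continue
        # Heuristic: list software commonly points replies back at the list address.
        if list_mail and addr in recipients:
            continue
        if _domain(addr) != _domain(from_addr):
            findings.append(("reply-to-other-domain", addr))
        else:
            findings.append(("reply-to-other-mailbox", addr))
        # Same friendly name on a different mailbox is what makes "Reply" feel safe.
        if name and name.strip().lower() == from_name.strip().lower():
            findings.append(("reply-to-reuses-display-name", name))

    # A display name that is itself an address hides the real mailbox in many clients.
    embedded = ADDRESS_IN_TEXT.search(from_name)
    if embedded and embedded.group(0).lower() != from_addr:
        findings.append(("display-name-embeds-other-address", embedded.group(0)))
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("display name", DISPLAY_NAME), ("list", LIST_MAIL)):
        print(label, reply_path_findings(raw))
```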





Re: [EXTERNAL] Forum hacked

Parks, Raymond
In reply to this post by cody dooderson
The addition of a salt to a password makes rainbow tables much less effective because it makes the table space larger, even trading off chain length for convergence.  However, rainbow tables are no longer the thing - with multi-GPU setups, password crackers just brute force passwords.  Basically, the sequence is:

1. Using a large (20 million word) multiple language (but standard ASCII) dictionary derived from text sources across the WWW, hash the words in that dictionary with variants (leet-speak, other substitutions, plurals, added numbers, 8 for "ate", et cetera), and compare the outputs to the captured password file.  Salt is basically a variant that can be accounted for - extra random characters.

2.  If some passwords are of the type you dislike, then those can be brute-forced almost as fast as rainbow tables can be calculated.  Salt is irrelevant in this process, other than making the effective number of bytes longer.

In the Ars articles, Step 1 seems to get as much as 90% of self-chosen passwords in a matter of hours.  The practitioners in the Ars articles don't go on to Step 2, but I would expect that to take less than a week.  If the hash algorithm is captured along with the passwords, then the cracker has the advantage of knowing whether the web-site uses salt.  Operating systems, of course, are studied off-line to determine the algorithm and use of salt.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Nov 18, 2013, at 11:48 AM, cody dooderson wrote:

I find passwords really hard to remember. Especially those sites that require numbers, symbols, uppercase, and lower case characters. I personally would rather use a 20 character all lowercase password than an 8 character mixed symbol password. As a result I keep a document, in the cloud, with all of my passwords stored in plain text. Many of these passwords I could care less if someone cracked. 
Also, I was under the impression that salting prevents the use of rainbow tables.

Cody Smith


On Mon, Nov 18, 2013 at 11:28 AM, Parks, Raymond <[hidden email]> wrote:
WRT password cracking - Dan Goodin has a good series of articles on password cracking at Ars Technica.


TL;DR - Current GPU-based password cracking using 20-million word dictionaries makes truly random passwords below 14 characters and nearly all pass-phrases susceptible to cracking in a relatively short time.

On a related subject, roughly 75% of websites store passwords as nothing more complicated than simple, unsalted MD5 hashes.  This is almost as easy to break as NTLM.

Salt makes the initial crack more difficult, but if the same salt is used for all hashes, then subsequent cracks ignore it.

WRT the use of PII - it's sold on various markets, correlated in a "big data" manner with other exposures, and, if enough information is available and the person's credit score is high enough, is used for credit attacks.  In some cases, if banking information is correlated, the collection is used for banking attacks.  If there is poor correlation but an email or FQDN is in the information, then the data may be used as a target list.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Nov 18, 2013, at 10:12 AM, Owen Densmore wrote:

A forum I belong to has been hacked, including personal info as well as passwords.

How do they use this information?

I presume they try the hash function on all combinations of possible passwords.  (Naturally optimized for faster convergence).  They see a match, i.e. a letter combination resulting in the given hash of the password.

If they crack one password, does that make cracking the rest any easier?

And does "salt" simply increase the difficulty, and indeed can it be deduced, as above, by cracking a single password?

.. or is it all quite different from this!

   -- Owen
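
Added example (not code from anyone in the thread): Ray's point that a salt shared by every hash stops mattering after the first crack, and Owen's question whether one crack helps with the rest, shown from the storage side. The account names, passwords and the PBKDF2 iteration count are constructed for the demo, and PBKDF2 with a per-user salt goes beyond the schemes the thread names.

```python
import hashlib
import hmac
import os
import time
from collections import namedtuple

Record = namedtuple("Record", "salt digest")

# Constructed sample accounts; alice and bob deliberately share a password.
ACCOUNTS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "correct horse"}
PBKDF2_ITERATIONS = 100_000  # assumed work factor for this demo


def md5_hash(password, salt=b""):
    return hashlib.md5(salt + password.encode()).digest()


def pbkdf2_hash(password, salt, iterations=PBKDF2_ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_table(accounts, scheme):
    """Store verifiers as 'md5', 'md5+shared-salt' or 'pbkdf2+per-user-salt'."""
    shared = os.urandom(16)
    table = {}
    for user, password in accounts.items():
        if scheme == "md5":
            table[user] = Record(b"", md5_hash(password))
        elif scheme == "md5+shared-salt":
            table[user] = Record(shared, md5_hash(password, shared))
        elif scheme == "pbkdf2+per-user-salt":
            salt = os.urandom(16)
            table[user] = Record(salt, pbkdf2_hash(password, salt))
        else:
            raise ValueError(scheme)
    return table


def verify(password, record):
    """Login check for the PBKDF2 scheme, with a constant-time comparison."""
    return hmac.compare_digest(pbkdf2_hash(password, record.salt), record.digest)


def users_with_identical_digest(table):
    """Groups of users whose stored digest is byte-identical (same password visible in a dump)."""
    groups = {}
    for user, rec in table.items():
        groups.setdefault(rec.digest, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def hashes_per_candidate(table):
    """Hash computations needed to test one guess against every account: one per distinct salt."""
    return len({rec.salt for rec in table.values()})


def seconds_per_hash(func, repeats):
    start = time.perf_counter()
    for _ in range(repeats):
        func()
    return (time.perf_counter() - start) / repeats


def report():
    rows = []
    for scheme in ("md5", "md5+shared-salt", "pbkdf2+per-user-salt"):
        table = build_table(ACCOUNTS, scheme)
        rows.append((scheme, users_with_identical_digest(table), hashes_per_candidate(table)))
    return rows


if __name__ == "__main__":
    for scheme, dupes, work in report():
        print(f"{scheme:22} identical digests: {dupes!s:20} hashes per guess: {work}")
    fast = seconds_per_hash(lambda: md5_hash("x"), 10_000)
    slow = seconds_per_hash(lambda: pbkdf2_hash("x", b"0" * 16), 3)
    print(f"one PBKDF2 verification costs about {slow / fast:,.0f} MD5 computations")
```

With no salt or one shared salt, a single hash computation tests a guess against the whole table and identical passwords are visible as identical digests; with a per-user salt the work scales with the number of accounts, and the slow hash raises the cost of every guess.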

Re: Forum hacked

Nick Thompson
In reply to this post by Steve Smith

Steve,

 

Actually, McLuhan’s Global Village was one of the important Evolutionary Psychological insights.  We are designed to live in small communities where the consequences of misbehavior are pretty severe … exile, for instance.  So, that old joke about rural Maine, where you have to lock your car in the summer because otherwise somebody might put a zucchini in it.  When chaos occurs and the village system breaks down, we are designed to trust nobody.  Which is the internet, anyway?

 

N

 

Nicholas S. Thompson

Emeritus Professor of Psychology and Biology

Clark University

http://home.earthlink.net/~nickthompson/naturaldesigns/

 

From: Friam [mailto:[hidden email]] On Behalf Of Steve Smith
Sent: Monday, November 18, 2013 1:55 PM
To: The Friday Morning Applied Complexity Coffee Group
Subject: Re: [FRIAM] Forum hacked

 

 

Thanks, Steve,

 

It’s terrifying how naïve I am.

 

But you already knew that.

Well, you didn't send me the $2500 yet (is the check in the mail?) so you can't be *that* naive.

What might be terrifying (I think you are being hyperbolic, the buzz of a rattlesnake, the growl of a grizzly are terrifying, your naivete is at worst just "quaint"!) is that you are not alone.... that this is another way in which we've outdriven our headlights.  We *all*, astute technophiles included, have a hard time keeping up with this stuff. 

While some of us posture and fluff as if *we* have it all understood and under control, we don't... anymore than the nameless tens of thousands of painters/carpenters/handymen back in the day burned down their workshops/homes because they didn't understand the spontaneous combustion of linseed (and related) oils in discarded rags.

I don't fully understand your profession.  Evolutionary Psychology as I understand it, however, would seem to address this question in some way.  There must be precedent for this co-evolution of our extended phenotype/technosphere and our ability to apprehend it and its (often fairly immediate?) implications.    Your insights are welcome.

- Steve

 

Nick

 

Nicholas S. Thompson

Emeritus Professor of Psychology and Biology

Clark University

http://home.earthlink.net/~nickthompson/naturaldesigns/

 

From: Friam [[hidden email]] On Behalf Of Steve Smith
Sent: Monday, November 18, 2013 11:18 AM
To: The Friday Morning Applied Complexity Coffee Group
Subject: Re: [FRIAM] Forum hacked

 

Nick -

Just send me the $2500 and don't worry your pretty little head about it...  I'll be sure he gets it.  Or at least that it gets spent.

Actually there is a whole class of phishing schemes that are slightly too oblique for me to guess exactly what they are about.   Sometimes I think it is (to extend the phishing metaphor) chumming... tossing out bait with no hook to get a frenzy going.   For example, if they send out 1.9 million requests for various things ($2500 loan because of robbery in Philippines, or $900 for a plane ticket to get back to Manila from Denver to help the family, or ...) and then scrape the open web archives of lists like FRIAM for that same text, they can find how receptive folks (like yourself) are to that particular scam.  Let's say your question to the list was "how do I get the money to him, I'm sure this is legitimate, he must have forgotten to give me the info where to wire the $2500" then they recognize that their scam is good and to elaborate it for you (and others like you), or even to just follow up in person (... Nick, I forgot to tell you in my last e-mail...  can you wire-transfer that $2500 to XXXyyyZZZ in Manila right away... and it would really help if you send me your Driver's License #, Credit Card #s with expiration and security code, and maybe your mother's maiden name "just in case"?)

Another possibility (slimmer) is that the ReplyTo field in the original e-mail is different from the From: which you recognize.  When you blithely hit "Reply", it goes to another e-mail.  Given that e-mail addresses have two parts (the common name, and the actual address such as "Nick Thompson [hidden email]") someone (like me) can make it feel like the recipient is replying to you while actually replying to me...   it takes a tiny bit of sophistication but...  heck, for $2500/mark, why not stretch oneself a bit and learn some tricks?

Could anybody translate Owen’s message into ordinary language?   Or shouldn’t I bother my pretty little head about it.


Probably not, but let me try riffing on it in pidgin Zuni and Basque:

Basically, someone who runs the forum (mail list? Web Site discussion group?) indicated to the constituents that their server(s) had been compromised (we don't know how or how they know it)... they apparently indicated that the hackers (probably? surely?) got access to the forum users' Database which would have "personal information" (name, e-mail, more?) and apparently (encrypted) passwords.

One way to discover clear-text from an encrypted list (passwords) is to encrypt (using various methods?) a dictionary of likely words/phrases and compare the resulting encryption to the password list.  If any of the encrypted words/phrases match something in the list, then you know that clear text (password).  This depends on your using words that are likely to be in their dictionary.  Their dictionary needn't be a list of english-language words (though that is an obvious collection to include), it could be a collection of likely or already known passwords (e.g. "password" or "f*ckoff!", etc.)... thus if they crack your password on one site, they can add that to their "dictionary" and if you have used it on another site, it will pop right up with this form of attack.

If the site administrator/system uses "salt" (see wikipedia link), each password gets folded in with a pseudo-random number so that it no longer looks anything like the original password that might show up in a dictionary.   user:nickt password:nickt becomes user:nickt password:gob@#ledy$%go%ok , with the latter less likely to be in their dictionary (which might also be custom-built based on your personal information such as DOB, paternal uncle's favorite cat, mother's maiden name, Pet Cockatiel's DOHatch, etc.).

Ikusi arte, So' a:ne, Adios, Ciao, Carry on!
 - Steve


 

Meanwhile, this morning, I got an urgent message from an acquaintance asking me to loan him 2500 dollars on account of his being robbed “at gunpoint” in the Philippines.   A call to his home revealed that he was safe and sound in Denver.  Here is the puzzle.  The spoofer gave me nowhere to send my money.  Thus, I have 2500 dollars to send and nowhere to send it.  The only way I had of getting back to him/her was via the spoofed email address.  No link.  No bank account number.  No phone number in Manila.  How does THAT work? 

 

Nick

 

 

Nicholas S. Thompson

Emeritus Professor of Psychology and Biology

Clark University

http://home.earthlink.net/~nickthompson/naturaldesigns/

 

From: Friam [[hidden email]] On Behalf Of Owen Densmore
Sent: Monday, November 18, 2013 10:13 AM
To: Complexity Coffee Group
Subject: [FRIAM] Forum hacked

 

A forum I belong to has been hacked, including personal info as well as passwords.

 

How do they use this information?

 

I presume they try the hash function on all combinations of possible passwords.  (Naturally optimized for faster convergence).  They see a match, i.e. a letter combination resulting in the given hash of the password.

 

If they crack one password, does that make cracking the rest any easier?

 

And does "salt" simply increase the difficulty, and indeed can it be deduced, as above, by cracking a single password?

 

.. or is it all quite different from this!

 

   -- Owen






Re: Forum hacked

Steve Smith
Nick -

Actually, McLuhan’s Global Village was one of the important Evolutionary Psychological insights.  We are designed to live in small communities where the consequences of misbehavior are pretty severe … exile, for instance.  So, that old joke about rural Maine, where you have to lock your car in the summer because otherwise somebody might put a zucchini in it.  When chaos occurs and the village system breaks down, we are designed to trust nobody.  Which is the internet, anyway?

Sadly, the Internet is the best and worst of both (small village and teeming metropolis)...  a global mega-village where if you aren't careful and leave your Apple unlocked someone might leave a Zucchini in it.  

Do you remember the stories (apocryphal?) about how during a NYC Garbage Collectors (1970s?) strike people would put their garbage in large boxes, wrap it up in nice paper and a bow, leave it in their unlocked car and hope someone would steal it?

I choose to be deliberately trusting but careful.  For example, when I loan books or tools, I treat them as I would gifts.  If they happen to be returned, then it is a boon.  If they don't, I trust they went to a good home.  Maybe that is generous, not trusting?   A motto I seek to live by is "Plan for the worst; Hope for the best" also...

- Steve
PS... if you visit Doug's, don't leave your car unlocked, you may find halfway home that there is a Peacock in the back seat.


Re: [EXTERNAL] Forum hacked

Gillian Densmore
In reply to this post by Parks, Raymond
Password cracking?  Hmm- as to how? I can add a little insight into this one. Password cracking is just one tool. So is knowing weak points of the audience in the forums, fake, proxy, and redirecting websites just as a few. This last summer: Live Networks (XBOX live, SkyDrive etc), PSN (the Play Station Network), Blizzard.com, Battle.net (owned and run by Blizzard), as well as G+, all had, individually, 50K+ in SSN, Credit Card Info - three digit security - among the trophies; it's my understanding source code for Battle.Net, a conservative net billion of games between Sony, Blizzard, and Microsoft were all stolen in a matter of seconds:

According to the group itself (Anonymous) How? Prep, Patience, fake info, and eye for detail when it came to weakness not in the passwords when entered wherever they're used but in lots and lots of tools from fake support pages. Watching how people ask support questions.

All that to say: To the degree technology can make a fancy  key. Thicker doors, and deeper bunkers. All that will not help as long as there are Sith out there.


On Mon, Nov 18, 2013 at 5:16 PM, Parks, Raymond <[hidden email]> wrote:
The addition of a salt to a password makes rainbow tables much less effective because it makes the table space larger, even trading off chain length for convergence.  However, rainbow tables are no longer the thing - with multi-GPU setups, password crackers just brute force passwords.  Basically, the sequence is:

1. Using a large (20 million word) multiple language (but standard ASCII) dictionary derived from text sources across the WWW, hash the words in that dictionary with variants (leet-speak, other substitutions, plurals, added numbers, 8 for "ate", et cetera), and compare the outputs to the captured password file.  Salt is basically a variant that can be accounted for - extra random characters.

2.  If some passwords are of the type you dislike, then those can be brute-forced almost as fast as rainbow tables can be calculated.  Salt is irrelevant in this process, other than making the effective number of bytes longer.

In the Ars articles, Step 1 seems to get as much as 90% of self-chosen passwords in a matter of hours.  The practitioners in the Ars articles don't go on to Step 2, but I would expect that to take less than a week.  If the hash algorithm is captured along with the passwords, then the cracker has the advantage of knowing whether the web-site uses salt.  Operating systems, of course, are studied off-line to determine the algorithm and use of salt.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Nov 18, 2013, at 11:48 AM, cody dooderson wrote:

I find passwords really hard to remember. Especially those sites that require numbers, symbols, uppercase, and lower case characters. I personally would rather use a 20 character all lowercase password than an 8 character mixed symbol password. As a result I keep a document, in the cloud, with all of my passwords stored in plain text. Many of these passwords I could care less if someone cracked. 
Also, I was under the impression that salting prevents the use of rainbow tables.

Cody Smith


On Mon, Nov 18, 2013 at 11:28 AM, Parks, Raymond <[hidden email]> wrote:
WRT password cracking - Dan Goodin has a good series of articles on password cracking at Ars Technica.


TL;DR - Current GPU-based password cracking using 20-million word dictionaries makes truly random passwords below 14 characters and nearly all pass-phrases susceptible to cracking in a relatively short time.

On a related subject, roughly 75% of websites store passwords as nothing more complicated than simple, unsalted MD5 hashes.  This is almost as easy to break as NTLM.

Salt makes the initial crack more difficult, but if the same salt is used for all hashes, then subsequent cracks ignore it.

WRT the use of PII - it's sold on various markets, correlated in a "big data" manner with other exposures, and, if enough information is available and the person's credit score is high enough, is used for credit attacks.  In some cases, if banking information is correlated, the collection is used for banking attacks.  If there is poor correlation but an email or FQDN is in the information, then the data may be used as a target list.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Nov 18, 2013, at 10:12 AM, Owen Densmore wrote:

A forum I belong to has been hacked, including personal info as well as passwords.

How do they use this information?

I presume they try the hash function on all combinations of possible passwords.  (Naturally optimized for faster convergence).  They see a match, i.e. a letter combination resulting in the given hash of the password.

If they crack one password, does that make cracking the rest any easier?

And does "salt" simply increase the difficulty, and indeed can it be deduced, as above, by cracking a single password?

.. or is it all quite different from this!

   -- Owen

Re: [EXTERNAL] Re: Forum hacked

Parks, Raymond
In reply to this post by Steve Smith
The Filipino jail and other vacation/travel scams are sent to every person in the originally hacked person's email list.  The perps don't know who is who - they're looking for someone who is gullible enough and likes the victim enough to reply.  It's like spearphishing (sending an email with a malicious exploit or link to a specific target) based on personal information.  I've used an example of that on a Cabinet-level exec only to find that the connection I thought existed was actually negative - the target disliked the person from whom I thought they would accept email.  Much of modern cyber crime is nothing more than confidence tricks updated to the modern milieu.  A lot of the rest is simply spying but using computers and networks.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Nov 18, 2013, at 11:17 AM, Steve Smith wrote:

Nick -

Just send me the $2500 and don't worry your pretty little head about it...  I'll be sure he gets it.  Or at least that it gets spent.

Actually there is a whole class of phishing schemes that are slightly too oblique for me to guess exactly what they are about.   Sometimes I think it is (to extend the phishing metaphor) chumming... tossing out bait with no hook to get a frenzy going.   For example, if they send out 1.9 million requests for various things ($2500 loan because of robbery in Philippines, or $900 for a plane ticket to get back to Manila from Denver to help the family, or ...) and then scrape the open web archives of lists like FRIAM for that same text, they can find how receptive folks (like yourself) are to that particular scam.  Let's say your question to the list was "how do I get the money to him, I'm sure this is legitimate, he must have forgotten to give me the info where to wire the $2500" then they recognize that their scam is good and to elaborate it for you (and others like you), or even to just follow up in person (... Nick, I forgot to tell you in my last e-mail...  can you wire-transfer that $2500 to XXXyyyZZZ in Manila right away... and it would really help if you send me your Driver's License #, Credit Card #s with expiration and security code, and maybe your mother's maiden name "just in case"?)

Another possibility (slimmer) is that the ReplyTo field in the original e-mail is different from the From: which you recognize.  When you blithely hit "Reply", it goes to another e-mail.  Given that e-mail addresses have two parts (the common name, and the actual address such as "Nick Thompson [hidden email]") someone (like me) can make it feel like the recipient is replying to you while actually replying to me...   it takes a tiny bit of sophistication but...  heck, for $2500/mark, why not stretch oneself a bit and learn some tricks?

Could anybody translate Owen’s message into ordinary language?   Or shouldn’t I bother my pretty little head about it.


Probably not, but let me try riffing on it in pidgin Zuni and Basque:

Basically, someone who runs the forum (mail list? Web Site discussion group?) indicated to the constituents that their server(s) had been compromised (we don't know how or how they know it)... they apparently indicated that the hackers (probably? surely?) got access to the forum users' Database which would have "personal information" (name, e-mail, more?) and apparently (encrypted) passwords.

One way to discover clear-text from an encrypted list (passwords) is to encrypt (using various methods?) a dictionary of likely words/phrases and compare the resulting encryption to the password list.  If any of the encrypted words/phrases match something in the list, then you know that clear text (password).  This depends on your using words that are likely to be in their dictionary.  Their dictionary needn't be a list of english-language words (though that is an obvious collection to include), it could be a collection of likely or already known passwords (e.g. "password" or "f*ckoff!", etc.)... thus if they crack your password on one site, they can add that to their "dictionary" and if you have used it on another site, it will pop right up with this form of attack.

If the site administrator/system uses "salt" (see wikipedia link), each password gets folded in with a pseudo-random number so that it no longer looks anything like the original password that might show up in a dictionary.   user:nickt password:nickt becomes user:nickt password:gob@#ledy$%go%ok , with the latter less likely to be in their dictionary (which might also be custom-built based on your personal information such as DOB, paternal uncle's favorite cat, mother's maiden name, Pet Cockatiel's DOHatch, etc.).

Ikusi arte, So' a:ne, Adios, Ciao, Carry on!
 - Steve

 

Meanwhile, this morning, I got an urgent message from an acquaintance asking me to loan him 2500 dollars on account of his being robbed “at gunpoint” in the Philippines.   A call to his home revealed that he was safe and sound in Denver.  Here is the puzzle.  The spoofer gave me nowhere to send my money.  Thus, I have 2500 dollars to send and nowhere to send it.  The only way I had of getting back to him/her was via the spoofed email address.  No link.  No bank account number.  No phone number in Manila.  How does THAT work? 

 

Nick

 

 

Nicholas S. Thompson

Emeritus Professor of Psychology and Biology

Clark University

http://home.earthlink.net/~nickthompson/naturaldesigns/

 

From: Friam [[hidden email]] On Behalf Of Owen Densmore
Sent: Monday, November 18, 2013 10:13 AM
To: Complexity Coffee Group
Subject: [FRIAM] Forum hacked

A forum I belong to has been hacked, including personal info as well as passwords.

How do they use this information?

I presume they try the hash function on all combinations of possible passwords.  (Naturally optimized for faster convergence).  They see a match, i.e. a letter combination resulting in the given hash of the password.

If they crack one password, does that make cracking the rest any easier?

And does "salt" simply increase the difficulty, and indeed can it be deduced, as above, by cracking a single password?

.. or is it all quite different from this!

   -- Owen



============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com


Re: [EXTERNAL] Re: Forum hacked

Steve Smith
Ray -
  I've used an example of that on a Cabinet-level exec only to find that the connection I thought existed was actually negative - the target disliked the person from whom I thought they would accept email.
I always wondered how SNL folks managed to get such better insider contacts in the Gov't than LANL ;^)

Now we know the truth! 

- Steve

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

Re: [EXTERNAL] Forum hacked

Parks, Raymond
In reply to this post by Gillian Densmore
Exactly.  It's astounding what information critical to the security of computer systems can be found through Open-Source Intelligence (OSINT).  The CIA has opened an office that does nothing but OSINT.

When we red team (authorized adversary-based assessment for defensive purposes), we always start with OSINT.  In the past, I've found all sorts of interesting things in open sources.  I found the architecture of a DoD defensive system in the Delhi Star, quoted from a speech given by a DoD civilian executive.  I found the backup power generation details of a government data center in a USA Jobs posting.  I leveraged that with a spreadsheet containing the information about contract costs accessible on the agency's external web-site.  The cost of the contract with the generator vendor told me what services the agency was buying and that the generators "phoned home" to the vendor.  Thus I knew that the generators had Internet access.  I've found the details of control system installations on the web-sites of integrators trying to sell their services to other customers (they had anonymized some but other details I knew about my target/customer allowed me to make the connection).  We found the complete details of all software installations, services, and running processes for computers in government networks posted on the web in technical support forums.

It is possible to avoid information exposure, but it's not easy and most folks simply prefer the convenience of using the WWW and ignore their escaping information.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Nov 18, 2013, at 9:35 PM, Gillian Densmore wrote:

Password cracking?  Hmm- as to how? I can add a little insight into this one. Password cracking is just one tool. So is knowing weak points of the audience in the forums, fake, proxy, and redirecting websites just as a few. This last summer: Live Networks (XBOX live, SkyDrive etc), PSN (the Play Station Network) Blizzard.com, Battle.net (owned and run by Blizzard), as well as G+, All had  Individually, 50K + in SSN, Credit Card Info- three digit security- among the trophies, it's my understanding source code for Battle.Net, a conservative net billion of games between Sony, Blizzard, and Microsoft were all stolen in a matter of seconds:

According to the group itself (Anonymous) How? Prep, Patience, fake info, and an eye for detail when it came to weakness not in the passwords when entered wherever they're used but in lots and lots of tools from fake support pages. Watching how people ask support questions.

All that to say: To the degree technology can make a fancy  key. Thicker doors, and deeper bunkers. All that will not help as long as there are Sith out there.


On Mon, Nov 18, 2013 at 5:16 PM, Parks, Raymond <[hidden email]> wrote:
The addition of a salt to a password makes rainbow tables much less effective because it makes the table space larger, even trading off chain length for convergence.  However, rainbow tables are no longer the thing - with multi-GPU setups, password crackers just brute force passwords.  Basically, the sequence is:

1. Using a large (20 million word) multiple language (but standard ASCII) dictionary derived from text sources across the WWW, hash the words in that dictionary with variants (leet-speak, other substitutions, plurals, added numbers, 8 for "ate", et cetera), and compare the outputs to the captured password file.  Salt is basically a variant that can be accounted for - extra random characters.

2.  If some passwords are of the type you dislike, then those can be brute-forced almost as fast as rainbow tables can be calculated.  Salt is irrelevant in this process, other than making the effective number of bytes longer.

In the Ars articles, Step 1 seems to get as much as 90% of self-chosen passwords in a matter of hours.  The practitioners in the Ars articles don't go on to Step 2, but I would expect that to take less than a week.  If the hash algorithm is captured along with the passwords, then the cracker has the advantage of knowing whether the web-site uses salt.  Operating systems, of course, are studied off-line to determine the algorithm and use of salt.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Nov 18, 2013, at 11:48 AM, cody dooderson wrote:

I find passwords really hard to remember. Especially those sites that require numbers, symbols, uppercase, and lower case characters. I personally would rather use a 20 character all lowercase password than an 8 character mixed symbol password. As a result I keep a document, in the cloud, with all of my passwords stored in plain text. Many of these passwords I could care less if someone cracked.
Also, I was under the impression that salting prevents the use of rainbow tables.

Cody Smith


On Mon, Nov 18, 2013 at 11:28 AM, Parks, Raymond <[hidden email]> wrote:
WRT password cracking - Dan Goodin has a good series of articles on password cracking at Ars Technica.


TL;DR - Current GPU-based password cracking using 20-million word dictionaries makes truly random passwords below 14 characters and nearly all pass-phrases susceptible to cracking in a relatively short time.

On a related subject, roughly 75% of websites store passwords as nothing more complicated than simple, unsalted MD5 hashes.  This is almost as easy to break as NTLM.

Salt makes the initial crack more difficult, but if the same salt is used for all hashes, then subsequent cracks ignore it.

WRT the use of PII - it's sold on various markets, correlated in a "big data" manner with other exposures, and, if enough information is available and the person's credit score is high enough, is used for credit attacks.  In some cases, if banking information is correlated, the collection is used for banking attacks.  If there is poor correlation but an email or FQDN is in the information, then the data may be used as a target list.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Nov 18, 2013, at 10:12 AM, Owen Densmore wrote:

A forum I belong to has been hacked, including personal info as well as passwords.

How do they use this information?

I presume they try the hash function on all combinations of possible passwords.  (Naturally optimized for faster convergence).  They see a match, i.e. a letter combination resulting in the given hash of the password.

If they crack one password, does that make cracking the rest any easier?

And does "salt" simply increase the difficulty, and indeed can it be deduced, as above, by cracking a single password?

.. or is it all quite different from this!

   -- Owen
============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
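
An added illustration, not part of any post in this thread: a Python sketch of the storage-side difference the messages above discuss between unsalted MD5, one salt shared by every account, and a per-user salt with an iterated key-derivation function. The sample accounts, function names and iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor, chosen for the example

# Constructed sample accounts; two users deliberately share a password.
ACCOUNTS = [("alice", "sunshine1"), ("bob", "sunshine1"), ("carol", "tr0ub4dor")]

def store_md5(accounts, site_salt=b""):
    """Weak schemes: plain MD5, or MD5 with one salt shared by every row."""
    return [(user, site_salt, hashlib.md5(site_salt + pw.encode()).digest())
            for user, pw in accounts]

def store_pbkdf2(accounts):
    """Stronger scheme: fresh random salt per user plus an iterated KDF."""
    rows = []
    for user, pw in accounts:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
        rows.append((user, salt, digest))
    return rows

def verify_pbkdf2(row, password):
    """Login check: recompute with the stored salt, compare in constant time."""
    _, salt, digest = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def audit(rows, iterations=1):
    """Summarise what a leaked copy of this table would expose."""
    salts = {salt for _, salt, _ in rows}
    digests = [digest for _, _, digest in rows]
    return {
        "distinct_salts": len(salts),
        # Rows with identical digests reveal that users share a password.
        "reused_digests": len(digests) - len(set(digests)),
        # Hash computations needed to test ONE guess against every row.
        "hash_ops_per_guess": len(salts) * iterations,
    }

if __name__ == "__main__":
    print("unsalted md5:", audit(store_md5(ACCOUNTS)))
    print("shared salt :", audit(store_md5(ACCOUNTS, b"site-wide-salt")))
    print("pbkdf2      :", audit(store_pbkdf2(ACCOUNTS), PBKDF2_ITERATIONS))
```

The shared-salt table audits the same as the unsalted one: a single computation per guess covers every row, and the two accounts with the same password remain visibly linked.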



Re: [EXTERNAL] Re: Forum hacked

Parks, Raymond
In reply to this post by Steve Smith

On Nov 18, 2013, at 6:28 PM, Steve Smith wrote:

- Steve
PS... if you visit Doug's, don't leave your car unlocked, you may find halfway home that there is a Peacock in the back seat.

Yumm!


Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com


Re: [EXTERNAL] Re: Forum hacked

Steve Smith
Ray -
>> PS... if you visit Doug's, don't leave your car unlocked, you may
>> find halfway home that there is a Peacock in the back seat.
>
> Yumm!
Is there a Peacock equivalent of the Turducken?   Does Peacock taste
like Pheasant?

- Steve
PS... Doug really loves his many birds.  These Peacocks, as I understand
it, have been a free-range flock roaming a number of properties in his
Nambe neighborhood since it was all a single Rancho maybe 100 years
ago?   There is probably some genetic testing of this isolated community
that could be done, similar to the Icelandic studies?

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com