
Spam used my password 1


PalmStrike

Technical User
Jul 31, 2002
197
GB
I just wanted to point something out, I have just received some spam addressed with a from address as my hotmail password. Now there is no possible coincidence for this, my passwords that I use, are just too obtuse. So if they have my asswords, what else could they possibly have.

Any comments or ideas on that, or how to prevent an obvious invasion of privacy.

I think this is an ethics thing here. I mean, I don't put my details on my computer if I can avoid it. but still...
 
SMTP allows you to put whatever "From:" header you want on an email. It does not in any way mean that they have any password of yours.

I have at one time or another forged an email where the "From:" header read: "Santa Claus <sclaus@north.pole>"

Want the best answers? Ask the best questions: TANSTAAFL!
 
That wasn't the point... it has his password as the from address. There is like a billion to one chance of that happening.

iSeriesCodePoet
IBM iSeries (AS/400) Programmer
[pc2]
 
The chances of winning the Powerball lottery jackpot are 1 in 120,526,770. People win that jackpot several times a year. This does not mean that a jackpot winner is in collusion with the managers of the lottery.

I don't know what "obtuse passwords" means in this case. If the password is comprised of randomly-selected characters of the maximum length, then yeah, the odds are significantly against it. Not impossible, just significantly against it.

If the password in question is easy to remember, it will have sufficient patterns in it to make it easy to remember, those odds go way down.

Want the best answers? Ask the best questions: TANSTAAFL!
 
I have changed my password now, but, it used to be something meaningful to me, and I don't believe it a coincidence, that a random generator could come up with this word, and this spelling and punctuation and direct it at me. I think I have been tracked. But why?

I am not a conspiracy theorist, but if anyone can grab your password, How quick can your identity be taken and used, causing you problems financially, and dare I say compromised legally?
 
If it was a word, any word... or phrase, or something sensical in English, even if you had swapped numbers for letters.... i.e. w1nt3r for winter... it's quite easy to get these passwords... someone somewhere stores it encrypted with a known algorithm (irreversible of course), but leaves it open to a dictionary attack.

-Rob
 
Skiflyer,

Does the same hold true if the password is in a non-English language? Just curious, but am now learning a lot more about security than I thought I knew in the past...

Everything is absolute. Everything else is relative.
 
Sure, if someone has made a dictionary for that.

Here's the scam...

Passwords are encrypted using one-way irreversible encryption methods.

That way, every time you enter a password, rather than passing it over the network, you can encrypt it locally, and compare the encrypted versions.

Because of the irreversibility of the encryption, the password files themselves don't need incredible security... of course they're secured, but still it's not a #1 priority.

That means an attacker can see all these encrypted passwords... no big deal because they can't reverse it into the real password.

BUT if they know the encryption scheme (which is usually published since it's so secure), they can form a dictionary of words they think are passwords. They then encrypt each word of that dictionary and compare the results of those encryptions with the password files and see what matches, hence resulting in a lookup table which gives them an answer.


i.e.

You enter password hello, and I turn it into 123.

The hacker makes a dictionary of the first column
and encrypts each one resulting in the second column

hello      123
goodbye    456
and        789
other      111
foolish    321
passwords  531

And he has the password files 123, and his 123, he can make a match.

If he's made a dictionary including your language, the same principles apply.

Quite extensive dictionaries are available online. And I've watched them work in mere seconds matching passwords like w1nt3r with ease.

Though, I do have to say... with a hotmail account, this isn't exactly a likely situation... with a school account, or work account, this becomes much more likely.

(haven't tried it, but searching google for Unix Security Dictionary Attack should result in some lengthier discussions)

Hope that was clear,
Rob
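
An added example, not part of the original thread: a short Python sketch of why the lookup table Rob describes works against fast, unsalted one-way hashes, and why a per-user salt with a slow key-derivation function defeats it. The word list, account names and passwords are constructed for illustration, and SHA-256 and PBKDF2 are stand-ins chosen here, not schemes named in the thread.

```python
import hashlib
import os

# Constructed sample data: a tiny word list (assumption, not from the thread).
WORDS = ["hello", "goodbye", "winter", "passwords"]
LEET = str.maketrans({"i": "1", "e": "3", "a": "4", "o": "0"})


def candidates(words):
    """Each word plus its digit-for-letter variant (winter -> w1nt3r)."""
    out = []
    for w in words:
        out.extend({w, w.translate(LEET)})
    return out


def unsalted(password):
    """Fast, unsalted one-way hash: the weak storage scheme."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_slow(password, salt, rounds=100_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def build_table(words):
    """The lookup table from the post: hash -> word, computed once."""
    return {unsalted(c): c for c in candidates(words)}


def audit(stored, table):
    """Return the accounts whose stored hash appears in the table."""
    return {user: table[h] for user, h in stored.items() if h in table}


def demo():
    table = build_table(WORDS)
    # Constructed accounts: one dictionary-derived password, one random one.
    secrets = {"alice": "w1nt3r", "bob": "Tz9#qLm2!vRx"}
    weak = {u: unsalted(p) for u, p in secrets.items()}
    # A real store keeps each salt beside its hash; the one-time table
    # cannot use it, so only the hash is kept in this sketch.
    strong = {u: salted_slow(p, os.urandom(16)) for u, p in secrets.items()}
    return audit(weak, table), audit(strong, table)


if __name__ == "__main__":
    found_weak, found_strong = demo()
    print("unsalted store:", found_weak)
    print("salted PBKDF2 store:", found_strong)
```

With a salt, identical passwords no longer produce identical stored values, so the table has to be rebuilt per account, and the slow KDF makes each rebuild expensive.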

 
Ah, so many new things to learn... That is why I like technology - it just goes on and on and on [infinity]

I can see this is going to open up a whole new can of worms for me, but better that than being bored, I say... Thanks!

Everything is absolute. Everything else is relative.
 
I was looking into keystroke logs, as two people mentioned to me about these, and I remember when I was trying to learn C, that each key has its own number.

I mean is this common to send a cookie through the post that can locate a keystroke log on your computer, and then send back maybe 2 - 3 hours worth of keystroke?

I agree chopstick, security is an interesting subject.
 
You can't send a cookie which can log keystrokes, that's just not possible. Capturing keystrokes would require either the attachment of a hardware device between your keyboard and the CPU, or a Terminate and Stay Resident program (in this case, some sort of virus) which was actually running on your computer and sending the information to someone.

As far as each key having its own number, that's just because computers don't recognize letters... everything is in binary, we don't see binary well, so people have converted things to hexadecimal and decimal notation for easier reading by the human eye, and these representations can be used in programming. Check out if you're curious as to what these numbers are.

-Rob
 
Am I missing something? [ponder]

Palmstrike wrote:
[snip]
I just wanted to point something out, I have just received some spam addressed with a from address as my hotmail password. Now there is no possible coincidence for this, my passwords that I use, are just too obtuse. So if they have my asswords, what else could they possibly have.
[/snip]

S/he does not say that the spammer used his/her PASSWORD, just put the hotmail ADDRESS in the From: field. If this is what happened, no invasion has taken place as no real use was made of the writer's email except as a filler for a largely insignificant field!

Have we wasted our breath/finger-tips fretting because we didn't read the posting in the first place??? ;-)
 
poffada, I read the original post as:

Hotmail password = HOTMAILPASSWORD
SPAM "From:" address = HOTMAILPASSWORD

PalmStrike, all other issues aside - have you changed your HotMail password yet? I routinely change my passwords for secure systems, and always when I feel that my password may have been compromised.

Susan
Under certain circumstances, profanity provides a relief denied even to prayer. - Mark Twain
 
poffada

No I don't think we have... wouldn't you be concerned if your confidential information started being sent to you? Even if no one had used it against you as of yet? I'd certainly be anything between annoyed and disturbed depending on the exact information at stake.

-Rob
 
Pofadda,

Right, to get into hotmail you have a password don't you, for example:

Watchamate

Now I got an email from watchamate@hotmail.com.

Obviously watchamate is not my password.

and yes, I would say you are missing manners.
 
...but then, just because you think something doesn't make you right (or me of course).

As I see from your original post, this is about your "asswords".

On a serious note: Why would a SPAMMER tell you "Hey, look. I've got your password!"? What's in it for them? [ponder]

People who break accounts want you to KNOW that they got in ~ they don't want you to THINK they got in.

 
hmm, asswords, must have had a tipple that day, wondered why the words were wobbling around.

And as to your question
Why would a SPAMMER tell you "Hey, look. I've got your password!"? What's in it for them?

Sales to conspiracy theorists.

no no, point taken
 
Just a question for those that might know. With the advent of all the spyware ("Find out where your spouse/children surf and record their chats!") for which we all get hundreds of e-mails. If you installed one of these, could it record your password and then pass them on the next time you logon to the internet?

(select * from life where brain is not null)
Consultant/Custom Forms & PL/SQL - Oracle 8.1.7 - Windows 2000
 
I personally would not download anything that I have not been recommended by someone, or done substantial research into, impulsive buying is one thing, but impulsive downloading is another thing, you don't know what sort of can of worms you can get yourself into if you are a bit concerned about where your personal details are.

I use a program called SpyBot, which is a shareware program written specifically for identifying spy ware on your computer, it also has other handy functions on it. If you read his terms page, you would warm to the guy.

 