From: Craig Phillips [cphillips@cnci.us]

Sent: Wednesday, February 20, 2013 11:12 AM

To: info@cnci.us

Subject: Cocktail Talk - Pulling a Thread, the Sweater Unravels

 

Having trouble viewing this email? Click here

 

Cocktail Talk

 

May 2013

Cocktail Talk

Craig:   

Welcome to CN Consulting's "Cocktail Talk".

 

Cocktail Talk is a casual monthly newsletter intended to arm you with amusing bits and bytes of information on whats happening in the computer world. Topics sure to break the ice and capture an audience at many a social or business event.

 

Cocktail Talk is archived on www.cnci.us

 

Currently, on Cocktail Talk - Pulling a Thread, the Sweater Unravels 

 

An iProduct game called Hack RUN gave me cause to think. In Hack RUN you assume the role of a disassociated, burned, programmer type offered a job to crack level after level of a computer network for a mysterious future employer.

 

Hack RUN asks you to start with one piece of information and deduce answers to consecutive riddles using an old school 3270 terminal. One thing leads to another, and like the fabled sweater, the whole thing unravels. 

 

What would today's hacker pull on to unravel our sweater?

 

I think they'd pull on our personal email account. After all, it follows you through much of your life, longer than work email accounts anyway, and you use it to set up all other accounts in your online world. 

 

Most people aren't going to have their own personal domain name, or even want one. So we turn to free email account providers and an email address that ends in @yahoo, @gmail, @icloud, @cetera @cetera @cetera. I guess you could make an argument for hiding in plain site, but the reality is that hackers are going to attack the largest herd of possible victims, and there we are, setting up our free email account only to become part of the big herd.  

 

Once we settle on a name that's not already in use we have to provide a password, one that's easy to type and remember. The most popular Yahoo passwords, those used on 400,000 hacked Yahoo accounts, are 123456, password, welcome, ninja, abc123, 123456789, 12345678, sunshine, princess and qwerty.  Add monkey, letmein, dragon, baseball, iloveyou, trustno1, shadow, ashley, football, jesus, michael, mustang and password1 and you pretty much have the top 25 of the herd.

 

Now that we have a personal account, in the most likely attacked community, and the top passwords are public knowledge, we use it to set up all our other accounts in our online world. If these email accounts and passwords aren't the username and password for our other accounts, they are most likely what "reset my password" and "I forgot my username" are attached to.

 

Sometimes we don't even use these accounts. Sometimes we only keep them around for the very reason they are so dangerous, because they're tied to every other account we've set up in our online world.

 

Once your email account is compromised your attacker can login to your account and view your email, or change settings to have it sent to them, even check a box to allow their Outlook to send and receive using your account. All things you can do from your settings, no special hacker skills required. Now the hacker can access your email, and you won't even know.

 

Your email indicates websites where you shop, where you're likely to have accounts, and hackers already have the key. An order confirmation, a special offer, or newsletter tells a hacker exactly where to go. It doesn't matter if your email address and password gets them in or not. All they have to do is click "I forgot my username" or  "reset my password" and your credentials, or a password reset, will be sent to them using your personal email. 

 

Now they have your credentials and can login to your account, use your saved credit card information, and go shopping. They can delete or reroute order confirmation and tracking information emails, all things you can do from your settings, and you wouldn't even know.

 

The rest of it isn't rocket science, or more importantly for Cocktail Talk, computer science, but the February 2008 Cocktail Talk tells you a little about how they get from there to cash money using ebay and overpriced cell phones.

 

 

Change your password, or not, that's your call, and that's Cocktail Talk.

 

 

 

Thank you for reading,

 

Signature 

Craig Phillips

CN Consulting, Inc.

 

 

CN Consulting, Inc - www.cnci.us
Computer Consulting for Business!

 

 

CN Consulting Inc. (CNCI) is an independent consulting company formed in 1990 and located within easy reach of both Chicago and Milwaukee.

 

CNCI maintains a select client base providing consulting services concerning the use of information technology. We persistently look for advantage to our clients in added value and reduced cost made available by advancing technology.

 

CNCI does not have financial interest in any given product or product line. We evaluate current and emerging technologies solely based on their benefit to our clients. CNCI implements the solutions it recommends and readily partners with companies that offer products and services to the advantage of our clients. CNCI offers complete client support with singular accountability.

 

We maximize the benefit of our clients' existing technology, systems, and platforms while integrating the benefits provided by new technology.

 

Business Continuity and Business Development are our goals with Continuity being the foundation of Development.

 

Forward email

This email was sent to info@cnci.us by cphillips@cnci.us |  

CN Consulting, Inc. | 23830 112th St | Salem | WI | 53179

 

THIS IS A TEST EMAIL ONLY.
This email was sent by the author for the sole purpose of testing a draft message. If you believe you have received the message in error, please contact the author by replying to this message. Constant Contact takes reports of abuse very seriously. If you wish to report abuse, please forward this message to abuse@constantcontact.com.

No virus found in this message.
Checked by AVG - www.avg.com
Version: 2013.0.2899 / Virus Database: 2639/6110 - Release Date: 02/17/13