
I received a blackmail message by email. It claimed that they hacked my system and had compromising videos from my computer's camera. As proof, they gave me what they claimed was my password. But I only used that password on two sites: canadacomputers.com and xpresscanada.com (a long-dead Canada Computers site). So I'm not worried. I informed CC about three weeks ago. They seemed to ignore the report. I phoned again two weeks ago, and they were interested. I told them if I didn't hear that they'd informed their customers that I'd publicize this security breach. I've heard nothing else. So I presume that they have not announced it to their customers. Today I got another blackmail message with the same password. What do you think that I should do? PS: my password is a random string generated by mkpasswd(1) so it would not have been discovered by an online exhaustive search. They most likely filched the password file from CC. PPS: I'm glad that I don't reuse passwords!

Have you configured pyzor, etc. AND 'scoring' in your spamassassin? Essentially: spam is dead. (So you do not have to receive these 'blackmail' emails.)

For scoring:
I use superblock.ascams.com - at 5.5 (if you are listed here you are sending spam, phish, virus, spyware)
Then I use bl.spamcop.net also at 5.5 (if you are listed here you are sending spam)
And I use the barracuda lists at 3.3
I also use block.ascams.com at 3.0 (sometimes 3.5) (this has all the spammy social media and spam mailing lists)
Then I drop anything over 12 (sometimes 13, sometimes 14 - depending on whether the Internet is angry or not so angry).

Email servers with a good reputation sail through; email servers with a poor reputation are marked as spam (anything over, say, 6) and anything over 12-14 is auto bounced.
For individual business domains, drop is sometimes set to 6 or 7 - so these accounts literally see no spam ever - for the legit emails that are blocked, the sending server is usually placed under pressure to 'clean up' their reputation... and if they are not - they lose clients :)

hth
Andre

On Sat, 4 Aug 2018 00:47:09 -0400 (EDT) "D. Hugh Redelmeier via talk" <talk@gtalug.org> wrote:
I received a blackmail message by email. It claimed that they hacked my system and had compromising videos from my computer's camera.
As proof, they gave me what they claimed was my password. But I only used that password on two sites: canadacomputers.com and xpresscanada.com (a long-dead Canada Computers site).
So I'm not worried.
I informed CC about three weeks ago. They seemed to ignore the report. I phoned again two weeks ago, and they were interested. I told them if I didn't hear that they'd informed their customers that I'd publicize this security breach.
I've heard nothing else. So I presume that they have not announced it to their customers.
Today I got another blackmail message with the same password.
What do you think that I should do?
PS: my password is a random string generated by mkpasswd(1) so it would not have been discovered by an online exhaustive search. They most likely filched the password file from CC.
PPS: I'm glad that I don't reuse passwords! --- Talk Mailing List talk@gtalug.org https://gtalug.org/mailman/listinfo/talk
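As an added example (not Andre's configuration and not SpamAssassin code), here is the weighted DNSBL scoring and the mark/drop thresholds from the reply above written out as plain Python, so the decision logic can be traced on constructed input. The real lookups are DNS queries of the reversed-octet name under each zone, which SpamAssassin's check_rbl rules perform; here the answers come from a constructed in-memory table. The Barracuda zone name b.barracudacentral.org, the RFC 5737 test addresses and the listing data are assumptions for the example.

```python
"""Weighted DNSBL scoring with mark/drop thresholds (added example, offline)."""
import ipaddress

# Lists and weights as given in the message; DROP is the low end of the 12-14 range.
ZONE_SCORES = {
    "superblock.ascams.com": 5.5,    # listed = sending spam, phish, virus, spyware
    "bl.spamcop.net": 5.5,           # listed = sending spam
    "b.barracudacentral.org": 3.3,   # Barracuda reputation list (zone name assumed)
    "block.ascams.com": 3.0,         # spammy social media and spam mailing lists
}
MARK_THRESHOLD = 6.0   # "anything over say 6" is marked as spam
DROP_THRESHOLD = 12.0  # "anything over 12" is bounced

# Constructed stand-in for live DNS answers, keyed by zone (RFC 5737 test addresses).
CONSTRUCTED_LISTINGS = {
    "superblock.ascams.com": {"203.0.113.7"},
    "bl.spamcop.net": {"203.0.113.7", "198.51.100.9"},
    "b.barracudacentral.org": {"203.0.113.7"},
    "block.ascams.com": {"198.51.100.9"},
}


def rbl_query_name(ip: str, zone: str) -> str:
    """Name a DNSBL client would resolve: the IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, listings=CONSTRUCTED_LISTINGS) -> bool:
    """Offline replacement for 'does rbl_query_name(ip, zone) resolve to an A record'."""
    return ip in listings.get(zone, set())


def score_sender(ip: str, listings=CONSTRUCTED_LISTINGS) -> float:
    """Add up the weight of every list that names the last external relay."""
    total = sum(w for zone, w in ZONE_SCORES.items() if is_listed(ip, zone, listings))
    return round(total, 1)


def classify(score: float, mark=MARK_THRESHOLD, drop=DROP_THRESHOLD) -> str:
    """Per-domain overrides (e.g. drop=6.0 for a business domain) just lower the thresholds."""
    if score > drop:
        return "drop"
    if score > mark:
        return "spam"
    return "deliver"


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "192.0.2.1"):
        s = score_sender(ip)
        print(ip, s, classify(s), "business-domain:", classify(s, drop=6.0))
```

The point the table makes visible is that a single listing on a 5.5-weight zone is not enough to mark a message on its own; it takes corroboration from a second list, which is what keeps one stale listing from bouncing legitimate mail.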

Someone at work got a similar email claiming that the emailer had compromising video footage (it was a work account - no cams and very improbable anyway). It demanded bitcoin and gave a hash to deliver it to. But it didn't show a password, so yours is a somewhat nastier and more effective variant. Ours claimed to have footage of the person's "senescence." OMG - you caught me aging?! (Okay, not quite what it means.)

As for the password thing ... I really haven't figured out what best practice is on time between notification-of-breach to public reveal. (I went after the Science Centre about their use of SSL2 on their website - where they take people's credit cards - so I have had a peripherally related experience with problem/notification/reveal https://www.gilesorr.com/blog/science-centre-ssl.html ). I'd say a month? But I'd probably start the clock from your three weeks ago email. Although if you didn't tell them _when_ you were going to reveal, that's not totally fair. But it's also weighed against the public damage that's arguably being caused by these emails.

The Canada Computers password database breach could have been years ago. But if it was, did they make that known? Did they even know? <sigh>

P.S. And I'm glad I've never purchased from their website, only their stores.

-- 
Giles
https://www.gilesorr.com/
gilesorr@gmail.com

Don't worry about this kind of email. It's a known scam. It's very easy to get hold of a stolen password database, and as most people only have one or two passwords, claim you hacked them and have compromising info. But they don't have it, don't worry.

| From: Mauro Souza via talk <talk@gtalug.org>
| Don't worry about this kind of email. It's a known scam.

The email proves that my password is in the wild. In no way does that prove it won't be used in other ways.

As I said, I wasn't worried for my own security (except as regards my Canada Computer account). I did change my CC password and checked for scary activity on that account. (Come to think of it, I didn't check if "I" left spammy comments or reviews on their site.)

I'm worried for all other Canada Computer account holders, some of whom are less careful about reusing passwords.

I'm worried that Canada Computer is not acting responsibly when informed of a security problem.

I had one of my passwords compromised from some random service six years ago, and since then I use a password manager. Every account I own (the ones I remember, BTW) has a unique, random and very long password (70 chars or more). So if one leaks, I just change one. No matter what password manager you use (I have Enpass), you will have almost unbreakable passwords. And subscribe to Have I Been Pwned (something like that), so you are informed when the password or hash you have is seen somewhere.
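Mauro's suggestion to check passwords against Have I Been Pwned works through a k-anonymity range query: only the first five hex characters of the password's SHA-1 go over the network, and the service returns every suffix it knows for that prefix, so the full hash never leaves the client. As an added example (not HIBP's code and not Mauro's setup), the Python below implements that client logic with the network fetch swapped for a constructed response so it runs offline; the corpus passwords and counts are constructed, and `live_fetch_range` against the real endpoint is included for completeness but not exercised.

```python
"""Pwned Passwords style k-anonymity range check (added example, offline)."""
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash the range endpoint is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(h: str):
    """Only the 5-char prefix is sent; the 35-char suffix is compared locally."""
    return h[:5], h[5:]


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (the range endpoint's format) into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """fetch_range(prefix) -> response text; returns how often the password was seen (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed "breach corpus": passwords and the counts a real service would report.
CONSTRUCTED_CORPUS = {"correct horse battery staple": 42, "letmein-constructed": 7}


def constructed_fetch_range(prefix: str) -> str:
    """Offline stand-in for the range endpoint: every corpus suffix under this prefix,
    plus one unrelated filler line so the parser is exercised on a multi-line body."""
    lines = ["0" * 34 + "A:1"]  # constructed filler suffix (35 hex chars)
    for pw, n in CONSTRUCTED_CORPUS.items():
        p, s = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\r\n".join(lines)


def live_fetch_range(prefix: str) -> str:
    """Real lookup: GET https://api.pwnedpasswords.com/range/<prefix> (not used offline)."""
    import urllib.request
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "some-other-constructed-pw"):
        print(pw, "->", pwned_count(pw, constructed_fetch_range))
```

Note that the value sent on the wire is `split_hash(...)[0]`, five characters, which identifies roughly one in a million hashes; the comparison of the remaining 35 characters happens entirely on the client.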

Hope this helps you feel better, or gives you a giggle. I got the same e-mail, referencing an old password. Likewise the claim that they have video footage from my computer cameras, save that I do not have computer cameras, and I use DOS, and I experience blindness, so unless that adult site they claim I visited came with audio descriptions... well. I promised to pay them after they shared my story with the New York Times.

Kare

On Sat, 4 Aug 2018, Mauro Souza via talk wrote:
Don't worry about this kind of email. It's a know scam.
It's very easy to get hand of a stolen password database, and as most people only have one or two passwords, claim you hacked them and have compromising info. But they don't have, don't worry.

| From: Giles Orr via talk <talk@gtalug.org>

| Someone at work got a similar email claiming that the emailer had
| compromising video footage (it was a work account - no cams and very
| improbable anyway). It demanded bitcoin and gave a hash to deliver it to.

Same.

| But it didn't show a password, so yours is a somewhat nastier and more
| effective variant.

Yes. The password was even in the Subject. That would probably get the attention of most people. It didn't work in my case because my passwords look like line noise and are not well-known to me. Imagine if your password were, say, your first pet's name.

| Ours claimed to have footage of the person's
| "senescence." OMG - you caught me aging?! (Okay, not quite what it means.)

Some of the delights of spam are the pretentious language fails. (I know, "people in glass houses...".)

| As for the password thing ... I really haven't figured out what best
| practice is on time between notification-of-breach to public reveal. (I
| went after the Science Centre about their use of SSL2 on their website -
| where they take people's credit cards - so I have had a peripherally
| related experience with problem/notification/reveal
| https://www.gilesorr.com/blog/science-centre-ssl.html ).

I read that previously. It added to my general sense of despair. Often when you mention your blog it prompts me to binge read it to catch up. Thanks! (I recommend that TLUGers have a look at Giles' blog and not just this one entry.)

| I'd say a month?
| But I'd probably start the clock from your three weeks ago email. Although
| if you didn't tell them _when_ you were going to reveal, that's not totally
| fair. But it's also weighed against the public damage that's arguably
| being caused by these emails.

Both times that I talked to Canada Computers, I told them that if I didn't get a response within a week, I would consider other avenues of disclosure. I did not say that the response had to be their ultimate reaction to the breach, just that I needed some response.

My email to TLUG is clearly a disclosure. I posted it two weeks after I talked with a technical person at CC. I realized that my earlier discussion with a Customer Service Rep might not get through, which is why I phoned again instead of publicly disclosing. BTW, the CSR had mentioned that she had received a similar call before.

I imagine that mailing the TLUG list is not the most appropriate disclosure. I was hoping for suggestions for additional disclosure.

| The Canada Computers password database breach could have been years ago.
| But if it was, did they make that known? Did they even know? <sigh>

Exactly. That's why I mentioned xpresscanada.com even though that site died many years ago.

| P.S. And I'm glad I've never purchased from their website, only their
| stores.

How retailers handled web sites has changed a lot in the many years that CC has had a web site. Perhaps their security is better now. Perhaps not.

On 2018-08-04 12:47 AM, D. Hugh Redelmeier via talk wrote:
I received a blackmail message by email. It claimed that they hacked my system and had compromising videos from my computer's camera.
As proof, they gave me what they claimed was my password. But I only used that password on two sites: canadacomputers.com and xpresscanada.com (a long-dead Canada Computers site).
Is it not terrible practice to store unencrypted passwords on a web site?

-- Stephen

On 2018-08-04 11:07 AM, Stephen via talk wrote:
Is it not terrible practice to store unencrypted passwords on a web site?

It is terrible practice and no one should ever do that in this day and age. Unfortunately there are still some publicly accessible sites that do it.

-- 
Cheers!

Kevin.

http://www.ve3syb.ca/               | "Nerds make the shiny things that
https://www.patreon.com/KevinCozens | distract the mouth-breathers, and
                                    | that's why we're powerful"
Owner of Elecraft K2 #2172          |
#include <disclaimer/favourite>     |             --Chris Hardwick

| From: Stephen via talk <talk@gtalug.org>
| Is it not terrible practice to store unencrypted passwords on a web site?

Yes. But even if you hash them (best practice) with a slow hash function (best practice but not as common as one would hope) with salt (also best practice), they may well be crackable off-line using GPUs and rainbow tables. Most people's passwords are easy to brute force. I would have thought mine was a bit tough.
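Stephen's question and Hugh's reply describe what a site should be storing instead of the password itself: a per-user random salt and the output of a deliberately slow hash. As an added example (not Canada Computers' code, nor anyone's on this list), the Python below does that with hashlib.scrypt from the standard library and a self-describing record format, and verifies with a constant-time comparison. The work factors, the `scrypt$N$r$p$salt$hash` record layout and the sample passwords are assumptions chosen for the example, not a recommendation tuned for any particular site. For contrast, `unsalted_sha1` shows the property that makes precomputed tables useful against unsalted storage: identical passwords produce identical hashes.

```python
"""Salted slow password hashing with scrypt (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt work factors (assumed for the example): 2**14 iterations, r=8, p=1, 32-byte tag.
# Memory cost is 128 * n * r bytes, i.e. 16 MiB per guess, which is what slows GPU attacks.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$N$r$p$salt$hash'; a fresh 16-byte random salt is drawn per call."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    p = SCRYPT_PARAMS
    return f"scrypt${p['n']}${p['r']}${p['p']}${_b64(salt)}${_b64(digest)}"


def verify_password(record: str, password: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    algo, n, r, p, salt_b64, hash_b64 = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=int(n), r=int(r), p=int(p), dklen=len(expected)
    )
    return hmac.compare_digest(actual, expected)


def unsalted_sha1(password: str) -> str:
    """Fast, unsalted hash: same input always gives the same output (for contrast only)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec = hash_password("constructed-example-pw")   # constructed sample password
    print(rec)
    print("verify correct:", verify_password(rec, "constructed-example-pw"))
    print("verify wrong:  ", verify_password(rec, "constructed-example-pW"))
    print("two salted hashes equal?", hash_password("x") == hash_password("x"))
    print("two unsalted hashes equal?", unsalted_sha1("x") == unsalted_sha1("x"))
```

Storing the parameters inside the record is what lets a site raise the work factor later and re-hash each user at their next successful login, without a flag day.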

On Sat, Aug 04, 2018 at 12:47:09AM -0400, D. Hugh Redelmeier via talk wrote:
PS: my password is a random string generated by mkpasswd(1) so it would not have been discovered by an online exhaustive search. They most likely filched the password file from CC.
For non-essential sites, I use "secret password" that I can remember, plus the "site name" which I can also remember. So far, no blackmail. -- William Park <opengeometry@yahoo.ca>

I also received such an email, which was amusing because my desktop doesn't have a camera, so I ignored it.

I gpg encrypt my master password file. If any of the systems that have a copy (and I do keep copies) were stolen, I can be assured that my passwords are still private. In addition to the passwords, I store a few dozen lines of random characters, from which I draw new passwords.

My default template for a password entry is:

<entry Name_Of_Entry>
user =
password =
url =
</entry>

which makes cut n paste on the desktop convenient.

My workflow is to use a bash script to accept the master password and use it to decrypt the gpg file to a random temp file, and then launch vim on it. When vim terminates I check the temp file and re-gpg it if it has changed. I am aware that I am vulnerable for the time that I am reading a password from the file.

I have my wife follow the same procedure on a win10 desktop with an openoffice encrypted file (oo also uses strong encryption). My wife was a big password re-user, but clicking on a desktop icon to open an odt file to get her old/new password info is within her capabilities.

-- Michael Galea
participants (9)
- ac
- D. Hugh Redelmeier
- Giles Orr
- Karen Lewellen
- Kevin Cozens
- Mauro Souza
- Michael Galea
- Stephen
- William Park