If you have an email address, and you’ve ever used it to register for online services and sites, there’s a good chance you’ve received email that threatens you in some way, and some of it is downright creepy.
This email may refer to your name. It may include a password you’ve used in the past, or even currently. The email may appear to have been sent from your own email address, and may claim to have taken over that email account.
The good news is that very little of what these emails claim is actually true. The bad news is that you still have a problem.
But why does this happen?
It all starts when someone gets careless, or someone else decides that the IT budget is too high.
Imagine that you’re the person responsible for information security at any company that… uses computers (so basically, any company on the planet). Now imagine that you’re bad at your job. Or disgruntled. Or your manager keeps cutting your budget. Inevitably, things start to slide. Security updates don’t get installed. Software that isn’t properly checked for security implications gets installed on company computers. Users don’t get security training. Bad decisions are made, such as not properly encrypting user passwords. And so, the company’s computers, and the data they contain, become vulnerable. Eventually, malicious people figure this out, and through various means — many of which are trivially simple to carry out — gain access to your data. And that data includes information about your customers. That information is then sold online, to other, even less scrupulous people. Brian Krebs documents many of these breaches; here’s one example.
You can find these lists online if you know where to look. Some are only accessible from the dark web. Some are published more brazenly, on easily-accessed public web sites, including Facebook.
Sometimes these lists contain passwords. In really awful cases, the passwords aren’t even encrypted. But usually they are encrypted, which makes them slightly less useful. Only slightly, because many people still use terrible passwords: common passwords, like 1234; passwords that are used by the same person in multiple places; and passwords that are easy to crack.
Any password can be cracked, by which I mean converted from its encrypted form to its original, unencrypted form. Short and simple passwords can be cracked in nanoseconds. Longer, more complex passwords take longer. At any given point in time, passwords that are long and complex enough simply can’t be cracked quickly enough to be worth the attempt. This is a moving target. As computers get faster, the point at which a password becomes worth cracking gets nearer.
These shady lists of users, passwords, and email addresses can be used for lots of things, ranging from merely irritating to criminal. But there’s money to be made, as long as you don’t care about being a world-class asshole.
If you’re an asshole, and you’re looking for an easy way to make money and irritate people, just shell out a few bucks for one of these lists, and download a few scripts that turn that list into spam. Because computers are really good at things like this, you hardly have to do any actual work. Just feed a list into some crappy script, sit back, and watch the money pour in. If you had to do this with paper and snail mail, it clearly would not be worthwile.
A user’s story
Let’s look at this another way: from the perspective of Iam Notreal, an ordinary Internet user. Iam registered for an account at LinkedIn in 2011 using his real name and his NopeMail account, email@example.com. He also used the same password he uses everywhere else: banana1234.
In 2012, intruders gained access to LinkedIn servers and were able to download its user database. The database included usernames, email addresses, and poorly-encrypted passwords. Now Iam’s real name, real email address, and an encrypted form of his one and only password are on a list, and, beginning in 2016, that list is being sold on the dark web to anyone who has a few bucks to spare.
In 2016, Iam starts getting spam to his NopeMail account. Most of it is ordinary spam: poorly-worded appeals to click a link. Occasionally he receives spam that mentions his real name, which is alarming, but not particularly harmful. At some point, Bill tries to ‘unsubscribe’ from what he believes is a mailing list, by replying to one of these spam emails. Congratulations, Iam, you’ve just graduated to a new list, of confirmed, valid, active email addresses. This list will also be sold on the dark web, at a higher price than the original list.
Meanwhile, other dark forces are at work behind the scenes. Someone runs the original list through a widely-available password cracker. This software looks at each encrypted password and attempts to decrypt it based on a set of parameters, including lists of commonly-used passwords. Sadly, Iam’s password is rather short, and contains a common word, and it takes the software about a nanosecond to crack it. Now Iam is on an even more valuable list, which includes cracked passwords.
Fast forward to 2018, and now Iam is getting email that claims to have taken over his email account, or to have video from Iam’s own webcam showing him doing unmentionable things, and it also includes Iam’s one and only password, right there in plain text. Iam is panicked: if the sender knows his password, are the rest of the claims true? He doesn’t know it, but the sender’s claims are bullshit.
As scary as this sounds, it’s only the most common use of lists like these circa late 2018, early 2019. The same information could be used to take over Iam’s LinkedIn account (if he ignored warnings from LinkedIn to change his password, or if he changed it back to the same password), take over his NopeMail account (if he failed to change its password after the LinkedIn breach), or take over any other account that can be found on any other service he uses, once it’s discovered.
Why is that spam coming from my own email address or my own mail server?
Unfortunately, it remains trvially easy to spoof almost all information contained in an email message. Current anti-spam efforts like SPF, DKIM, and DMARC are focused on validation, and there’s nothing stopping anyone from spewing out email with mostly-forged headers. That includes the FROM header, which means scammers can make email look like it came from just about any address they want. Only close inspection of all the headers reveals the actual source.
Why does that spam contain my password?
If a scammer has access to a purloined user list that includes plaintext or cracked passwords, it’s a simple matter of customizing the content of their malicious spam so that the username and/or password vary, depending on the unlucky recipient.
What you should do
Stop using crappy passwords. If you’re not sure how crappy your password is, check it at howsecureismypassword.net. You can also install this extension in your Chrome browser; it will warn you if your password is too weak.
Stop re-using passwords. If site A is hacked, and your password for site A is the same as for site B, you’ll have to change your password on both sites.
Use a password manager. Yes, it’s annoying to have an extra step whenever you want to log in somewhere, but using a password manager means that you only ever have to remember one password. They can also generate passwords for you, saving you the trouble.
Check Have I been pwned to see how many breaches have included your email addresses and passwords.
Sign up at Spycloud to continuously monitor your email address for inclusion in breaches.
Although there are ways to use purloined user lists besides spam, most of the damage we see is related to email.
Despite being really old technology, email has continually improved in terms of security. Newer technologies like SPF, DKIM, and DMARC make it much easier for email providers to determine which email is legitimate and which is not.
You can help by making sure any email domains you manage use SPF, DKIM, and DMARC. If your mail provider doesn’t use these technologies, lean on them to start. If they resist, find another provider. I have several clients who use the business mail service provided by telecom giant Telus here in Canada. Telus farms this work out to a provider in the USA called Megamailservers. The Megamailservers service does not currently support DKIM or DMARC, and there’s nothing on their web site (or that of Telus) about any plans to change that.
Password Management Software
So, everyone should use a password manager. But wait, didn’t I just read that all the most popular password managers can be bypassed very easily? Yup. Opinions vary as to whether the risk of such exploits is significant. From my perspective, the risk is this: yes, a malicious actor needs physical, remote, or programmatic access to your computer to use these exploits. But once they have access, they no longer have to waste time looking for interesting information. All they need to do is look for password manager data and sent it to themselves. That makes their job MUCH easier.
But using a password manager is still much safer than not using one.
In the late 1990s and early 2000s, when formatted email first became widely-used, displaying formatted email was dangerous, because vulnerabilities in Windows allowed specially-crafted email to execute code on the recipient’s machine. Merely previewing formatted email was risky.
Windows updates and email client changes reduced the effectiveness of malware embedded in the content of email, although clickable links and attachments were still — and continue to be — dangerous.
These days, the dangers of enabling formatted text and images in email are mostly about privacy. A significant portion of all email — especially email sent through mass messaging services like Mailchimp — contains tiny images that, when viewed in an email client, tell the sender when you viewed it. This information is used by the sender to determine the effectiveness of their email campaign. It’s not dangerous, but it is creepy. Of course, not all embedded images are there for marketing reasons; some have more nefarious purposes.
The dangers of email can be almost eliminated by configuring your client software to display email in plain text (without any formatting), and without images. Better still, for those concerned about having their actions tracked online, using text-only email prevents any image-based tracking that would otherwise occur when you open your email.
Most desktop email client software has options that force all email to be viewed in a plain text format. Web-based clients are less likely to offer this option, but some, including GMail, can at least be configured not to display images.
I have always recommended the use of text-only email, and I follow my own advice. Email is still the easiest way for malicious persons to induce unwary users into taking actions that should be avoided. As long as that’s true, the only truly safe way to use email is to disable formatting and images. This also makes email less engaging, but I’m willing to forego fancy-looking email for safety and privacy.
It’s a major new version number, but there’s not much to get excited about in Firefox 56.0, unless the ability to take screenshots in your browser was on your wish list.
Also new in Firefox 56.0 is the Send Tabs feature, which allows you to send web page links to your other devices. Right click on any web page and select Send Page To Device to try it. I suppose it’s easier than sending yourself email.
Starting with version 56.0, Firefox’s web form autofill feature can fill in address fields. I didn’t even know this was missing in previous versions. In any case, this feature is currently only available for users in the USA; it will be made available in other countries in the coming weeks.
Firefox’s preferences (Options) pages have been reorganized and cleaned up significantly. There’s now a search box on the Options page, which should make finding that elusive setting a bit easier. The explanatory text associated with many options has been improved for clarity. The privacy options and data collection choices have been reworked so they are better aligned with the updated Privacy Notice and data collection strategy.
Finally, media on background tabs will no longer play automatically; it will only start playing once the associated tab is selected.
Most importantly, you can now see exactly what data is being collected from your computer and sent to Microsoft.
Telemetry data revealed
The information Windows 10 collects at the Basic privacy/telemetry/diagnostic level is listed in great detail on a new page on the Technet site: Windows 10, version 1703 basic level Windows diagnostic events and fields. The information is moderately technical, and may not be of much use to regular users, but it’s worth skimming if you have any concerns about Windows 10 telemetry.
Still, the new version contains incremental improvements, and a few changes that are likely to be useful. Interesting, but not particularly useful changes include Paint 3D, mixed reality support, and 4K gaming support. Visuals, Ink, Surface Dial, Bluetooth, notifications, background execution, Cortana, Skype, Windows Defender, Windows Store and app download all get modest improvements.
Enhancements to Desktop Bridge, which allows traditional desktop apps to be migrated to the new Windows UI, will make a lot of lives easier. The Windows Subsystem for Linux is also expanded with new functionality. The Edge browser gets some new features that are likely to be helpful for people who actually use Edge. A new Game Mode may make Windows 10 gaming slightly more palatable. Beam game streaming is now built into Windows 10. A new feature called Night Light allows Windows 10 to reduce blue light from a display at specific times.
Windows 10’s privacy settings are overhauled in the new version, including a new privacy dashboard, although the overall result seems to be less control rather than more. The window of time during which Windows 10 can update itself has been widened slightly, but there’s still no way to avoid Microsoft’s remote fiddling unless you’re using an Enterprise version.
All in all, there’s nothing particularly objectionable about this update, and there are enough improvements to make it worthwhile. Which is good, because you’ll get it whether you want it or not. Whenever Microsoft wants you to get it.
Update 2017Apr28:Microsoft says the first phase of the Creators Update rollout is underway. In this phase, only computers with new hardware are being updated. The next phase won’t start until Microsoft is happy with phase one, so it’s difficult to predict when that will happen. Microsoft also recommends enabling ‘full’ telemetry/diagnostic/privacy settings to help diagnose any issues the update may encounter (they’re hoping you’ll forget to disable them as well). Apparently further rollout could be blocked indefinitely if serious issues are encountered at any phase. You can download the update from the Microsoft Download Center, but Microsoft cautions that doing so bypasses blocks and may be somewhat risky. Ars Technica hasmore.
The good news is that Microsoft is improving the state of privacy in Windows 10, albeit slowly, and grudgingly. The bad news is that the improvements are unlikely to satisfy anyone genuinely concerned about what Windows 10 is really doing.
New: Privacy Dashboard
A few days ago, Terry Myerson, Microsoft’s Executive Vice President of the Windows and Devices Group, announced a new web-based Privacy Dashboard, accessible via your Microsoft account. If you don’t have a Microsoft account, you’re out of luck. I’m still using my Microsoft account to log into my test system, because otherwise I’d have to buy a Windows 10 license. You probably already have a Microsoft account even if you don’t use Windows 10, as they are used for XBox Live, Skype, and other Microsoft services as well.
Poking around in the Privacy Dashboard, the Browsing History section is empty for me, presumably because I don’t use Cortana or Edge. The Search History section is also empty for me, because I don’t use Bing search. But if you use Cortana, Edge and Bing, you’d be able to see all that history here, and be able to remove it as well.
The Location section shows where you’ve been when you logged in on Windows 8.1 and 10 computers. Again, you can clear any or all of this. The section for Cortana’s database shows everything Cortana knows about you, based on your interactions. This is where things get interesting for me, because I only used Cortana for a couple of days when I first installed Windows 10. Cortana knows how often I eat at restaurants, and how far I go to get there. It knows my main mode of transportation. It knows what kind of news interests me. It’s not much, but it’s enough to be kind of creepy.
The Privacy Dashboard is a step in the right direction, and it’s very useful for anyone interested in seeing exactly what information Microsoft has collected. It also allows you to clear much of that information. But what if you want to prevent Microsoft from gathering this information in the first place?
Privacy improvements in Windows 10
Also revealed in Myerson’s post are upcoming changes to the privacy settings in Windows 10. The initial privacy setup has changed, and now provides a bit more information about the various privacy levels and settings. Microsoft is “simplifying Diagnostic data levels and further reducing the data collected at the Basic level.” But in fact there will be fewer privacy levels to choose from, and there’s still no real explanation of exactly what data is sent. And of course the most useful ‘Security’ level (which disables almost all telemetry) is only available to Enterprise users. Us regular folks can only throttle data collection down to the ‘Basic’ level.
According to Microsoft, the Basic level “includes data that is vital to the operation of Windows. We use this data to help keep Windows and apps secure, up-to-date, and running properly when you let Microsoft know the capabilities of your device, what is installed, and whether Windows is operating correctly. This option also includes basic error reporting back to Microsoft.” This sounds reasonable, but it’s lacking in detail and — for many users — still sounds like an intrusion.
Luckily, there are alternatives. I recently discovered a Powershell script called Reclaim Windows 10 that can disable all of the telemetry settings in Windows 10. I’ve yet to test the script, but it looks promising.
Advertisements in Windows 10?
Microsoft still insists this isn’t about advertising: “We want you to be informed about and in control of your data, which is why we’re working hard on these settings and controls. And regardless of your data collection choices, we will not use the contents of your email, chat, files, or pictures to target ads to you.” I’d like to believe that, but it seems unlikely. Microsoft is clearly taking aim at Google’s huge lead in online advertising, and the idea of having a captive audience for advertising (in the form of millions of Windows users) is obviously just too tempting to resist.
Microsoft continues to push Windows 10, now at the expense of Windows 7, which it now says “does not meet the requirements of modern systems, nor the security requirements of IT departments.”
Sadly, some less-well-informed people have decided that anonymity is somehow the root of all evil on the net, and think that forcing people to use their real names online will magically make everyone nice. This kind of thinking has even pervaded some very high profile companies, including Google and Facebook, both of which have pushed hard to make people use their real names.
Anonymity is a frequent topic of discussion over at Techdirt, where the comments section is open to the public and allows anonymity. Because the Techdirt staff actually engage with commenters (jerks and otherwise), the debate rarely gets out of hand, and some of the most interesting comments are posted by anonymous users.