Tag Archives: Passwords

Secure Email Passwords

About two years ago, Nerds On Site implemented a strong password policy for all our email users. With today's technology it has become trivial to crack weak passwords, which makes it too easy for malicious software or people to take control of an email account and send email from it without your knowledge. Strengthening your password reduces that risk.

It's easy to reset your password: go to https://mail.nerdsisp.com and enter your email address and current password. Once you're logged in, the system will prompt you for a new, stronger password and will tell you whether the one you pick is good enough. Try to choose something that is easy to remember, or write it down in a safe place (hint: not taped to the side of your screen).

If you use Outlook, or Mac Mail, or another email client on your computer, you will need to update it to use the new password you’ve just chosen.

To help you with this, here’s a step-by-step video to guide you.


For fun, do you wonder just how weak your current password is? Check out security guru Steve Gibson's password search-space calculator: https://www.grc.com/haystack.htm. It estimates how long an exhaustive search would take; it does not know whether your password appears on a leaked-password list, which is what attackers try first, so a long but well-known password still rates as weak.

Remember, strong passwords don’t guarantee that your email won’t get hacked, but it is a big step towards better protection.
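To put numbers on "trivial to crack", here is an added example (not code from the post or from GRC's Haystack page) that estimates a password's brute-force search space the way Haystack does, from the character classes the password uses, and converts it into time at two assumed guess rates. The guess rates and the small common-password list are constructed for illustration; a real list has hundreds of millions of entries.

```python
"""Estimate the brute-force search space of a password and how long it takes to exhaust.

Added example, not code from the post or from GRC's Haystack page; it uses the same
character-class model Haystack does. Guess rates and the common-password list are
constructed for illustration.
"""
import string

# Character classes an attacker is assumed to enumerate, with the sizes Haystack uses.
CLASSES = {
    "lower": set(string.ascii_lowercase),        # 26
    "upper": set(string.ascii_uppercase),        # 26
    "digit": set(string.digits),                 # 10
    "symbol": set(string.punctuation + " "),     # 33
}

# Assumed guess rates in guesses per second (constructed round numbers).
GUESS_RATES = {
    "online login form, rate-limited": 1_000,
    "offline, fast unsalted hash on a GPU": 10_000_000_000,
}

# Stand-in for a leaked-password list (constructed).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "abc123", "iloveyou"}


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must search: the union of every class the password touches."""
    size, covered = 0, set()
    for members in CLASSES.values():
        if any(ch in members for ch in password):
            size += len(members)
            covered |= members
    # Characters outside the four classes (accented letters, etc.) widen the alphabet by one each.
    size += len({ch for ch in password if ch not in covered})
    return size


def search_space(password: str) -> int:
    """Candidates an exhaustive search tries before it is certain to hit: sum of A**i, i = 1..len."""
    a = alphabet_size(password)
    return sum(a ** i for i in range(1, len(password) + 1))


def time_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case seconds for a brute-force search; on average the hit comes at half this."""
    return search_space(password) / guesses_per_second


def humanize(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.2f} seconds"


def assess(password: str) -> dict:
    """Verdict for one password. A password on the leaked list falls to a dictionary attack
    in a handful of guesses, so its search space is reported as 1 regardless of length."""
    space = 1 if password.lower() in COMMON_PASSWORDS else search_space(password)
    return {
        "password_length": len(password),
        "alphabet": alphabet_size(password),
        "search_space": space,
        "time": {name: humanize(space / rate) for name, rate in GUESS_RATES.items()},
    }


if __name__ == "__main__":
    for pw in ("password", "abc", "Abc1", "Tr0ub4dor&3", "correct horse battery staple"):
        print(pw, assess(pw))
```

The point the table makes when you run it: the offline rate is seven orders of magnitude faster than the online one, so a password that looks safe against a login form can fall in seconds once the site's password database leaks, and a password on the common list falls immediately whatever its length.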

Here's an amusing article about just how weak (and common) some passwords are: http://www.zdnet.com/blog/service-oriented/security-101-users-still-using-extremely-weak-passwords/8003.

Comments ( 0 )

Windows LIVE email and password theft

In light of reduced SPAM as of late, I was somewhat surprised to see phishing and theft attempts as sophisticated as this come through to my inboxes today: at least one in each of my different email addresses, but all came from email accounts of friends on Facebook. I searched the major anti-virus and malware vendors as well as Google and Twitter and nothing turned up, so maybe I'm just one of the first to be hit. Here's a message I received, and a similar one in each of my mailboxes:

A few other variations are as follows:

SUBJECT: Very good
BODY: Click here to read this message

SUBJECT: wooow
BODY: click here to see the attached video

In each case the “click here…” is hyperlinked to somethingrandom.l13.me and the URL also contains the actual email address of you, the recipient.

It appears the originator of this spam/phishing attack at the very least is validating email addresses of people opening the message.

I also tried checking Google’s SafeBrowsing service at this URL:

http://www.google.com/safebrowsing/diagnostic?site=l13.me

At the time of this writing, here is the result showing that it has not detected any malware on this site. I suspect this will change overnight:


In case some great SPAM researchers come across this article, here is the full RAW source (except my email address has been replaced with someone@notavaliddomain.ca):

Part 1 of 2:

Part 2 of 2:

If you choose to click on the URL in the email itself, that's when the spammer's phishing attack begins: it will prompt you for your Windows Live username and password. Note that it is NOT live.com, which means you're giving your username and password directly to the thief:

As you might expect, the domain itself (l13.me) was only registered a week ago, and has its real ownership disguised:

The same domain ownership disguise applies to videos4you.net where the phishing is actually hosted.

And finally, when I check to see where all the "click here to view this message" links are being served from (somethingsomewhere.l13.me), they point to IP address 69.64.54.99, which is registered to Hosting Solutions International:

Naturally, I have advised the abuse email address of this clearly-malicious intent and hope to have a quick response. I don’t have any misgivings about how quickly the attacker can direct web traffic to a new host, or start generating spam with a newly-created domain elsewhere. The cat-and-mouse games just continue…

I just hope the anatomy of this particular SPAM message helps somebody somewhere avoid these types of traps, and perhaps we can all find a solution for cleaner and more productive email.

UPDATE #1:

If you're a victim, here is Microsoft's article on what to do:

http://www.microsoft.com/security/online-privacy/phishing-scams.aspx#Victim

Comments ( 108 )
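As an added example (not the post author's code), here is a small triage script for the kind of link the post describes: it pulls the hrefs out of a message body, checks whether each link's registrable domain is actually a Windows Live property, and flags a URL that carries the recipient's own address, which is what lets the sender confirm a live, read mailbox. The sample message is constructed: l13.me is the domain named in the post, but the hostname label, path and query parameter are made up, and the recipient placeholder is the one the post substitutes for the real address.

```python
"""Triage the hyperlinks in a suspected phishing message.

Added example for the post above, not its author's code. The sample body is constructed:
the l13.me domain comes from the post; the hostname label, path and parameter are made up.
"""
import re
from urllib.parse import unquote, urlsplit

# Registrable domains that may legitimately ask for a Windows Live password (assumed allow-list).
LIVE_DOMAINS = {"live.com", "hotmail.com", "msn.com", "microsoft.com"}

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample message; the recipient placeholder matches the one used in the post.
SAMPLE_RECIPIENT = "someone@notavaliddomain.ca"
SAMPLE_BODY = (
    "<p>wooow</p>"
    '<p><a href="http://k3x9q.l13.me/v.php?id=someone%40notavaliddomain.ca">'
    "click here to see the attached video</a></p>"
)


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Good enough for .com/.me; a real tool consults the
    public suffix list so that, e.g., example.co.uk is not reduced to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(url: str, recipient: str) -> dict:
    """Report on one link: where it really goes, and whether it tracks the recipient."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host) if host else ""
    decoded = unquote(url)            # %40 -> @ so an encoded address is still found
    findings = []
    if domain not in LIVE_DOMAINS:
        findings.append(f"target domain {domain!r} is not a Windows Live property")
    embedded = EMAIL_RE.findall(decoded)
    if recipient.lower() in (e.lower() for e in embedded):
        findings.append("URL carries the recipient's address: a click confirms a live, read mailbox")
    elif embedded:
        findings.append(f"URL carries an email address: {embedded[0]}")
    if parts.scheme != "https":
        findings.append("link is not https")
    return {"url": url, "domain": domain, "embedded_addresses": embedded, "findings": findings}


def analyse_message(body: str, recipient: str) -> list:
    """One report per hyperlink in the message body."""
    return [analyse_link(href, recipient) for href in HREF_RE.findall(body)]


if __name__ == "__main__":
    for report in analyse_message(SAMPLE_BODY, SAMPLE_RECIPIENT):
        print(report["url"])
        for finding in report["findings"]:
            print("  -", finding)
```

The domain check is the one that matters most: a login page for a Windows Live account that is not served from a Windows Live domain is a credential trap no matter how convincing it looks, which is exactly the point the post makes about videos4you.net.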

Change Your Passwords

A woman in Britain has been fined for reading her former employer's email: the company had never changed the passwords on the accounts she had been given access to for work.

These days we all have to keep track of online passwords, for work and for personal use, for everything from email to Facebook. Many people use the same password for all of their accounts, and it's often something easy to remember. In some cases users go months (or years) without changing their passwords. There are good reasons to change a password. If your computer is infected with viruses or spyware, the infection may be monitoring your online activity and capturing every password you type. After the computer has been cleaned, change your passwords: anything typed while it was infected should be assumed stolen.

Some employees use sticky notes or a saved file on the computer to remind them of passwords. The problem is that these are easy to lose, and any nosey person walking by can read them. If you must write down your passwords, keep that note somewhere out of sight, in a place no one would think to look.

The best way to manage passwords nowadays is a service like LastPass, which is free and installs a small add-on to your web browser that gives one-click access to your password vault. When you open your browser you are prompted for the master password; for each website you log into, LastPass fills in the credentials for you, and can even log you in automatically if you want it to. Very handy, and secure as long as the master password is strong and is not used anywhere else, because it is now the one password that unlocks all the others.

The coolest part is that you can use the same LastPass login and master password on multiple computers, because the vault is kept on LastPass's servers rather than on any one computer. The vault is encrypted with a key derived from your master password before it leaves your browser, so the servers hold only data they cannot read. LastPass also includes a strong password generator, so you don't have to think any up yourself.

There are other programs that work in a similar way but keep the vault only on the local computer, so if the computer crashes and the vault is not backed up, you lose all of your passwords.

Please change your passwords on a monthly basis to reduce the risk of having accounts compromised, and change them immediately after any suspected compromise, such as a malware infection or a phishing message you responded to.

Comments ( 0 )

How about online password managers?

Password management tools like the BlackBerry password manager and Roboform are great, but what if you don't have them with you? The Little Grey Cell Storage System(tm) is always available, but has limited capacity (more limited for some of us than for others). There are a number of free and paid online password managers available. Do you want to trust your passwords to this type of service?

I have been looking at a service in beta called Passpack. It has a lot of great convenience features and flexibility that let you trade off convenience for higher security. It can also import passwords from other password managers, including Roboform.

These folks seem to understand security and implement it well. The passwords are strongly encrypted locally, using a strong passphrase. So far I have not entrusted them with my most sensitive passwords, but I like the implementation, the features, and the backup in case I don't have my USB key with my Roboform passwords available (I have been known to leave it on the desk from time to time).

What do you think? Are online password managers secure and should we be trusting them with our most sensitive passwords?

Dennis H – August 18, 2008

Comments ( 1 )
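The design that both the LastPass write-up in "Change Your Passwords" and the Passpack post above rely on is that the vault is encrypted on your own computer with a key derived from the master passphrase, so the service holds only ciphertext. As an added example, not code from either product, here is a minimal model of that arrangement: PBKDF2 stretches the passphrase into separate encryption, integrity and login keys; the server sees only the login key, a salt and an opaque blob; and a wrong passphrase fails the integrity check instead of yielding garbage. It is standard-library only, so HMAC-SHA256 run in counter mode stands in for a real cipher; production code would use AES-GCM or an equivalent authenticated cipher. The iteration count, user name and sample entries are assumed.

```python
"""Model of a host-proof password vault: the master passphrase never leaves the client,
and the server stores only ciphertext it cannot read.

Added example illustrating the design the LastPass and Passpack posts describe; not code
from either product. Standard library only, so HMAC-SHA256 in counter mode stands in for
AES; use AES-GCM in real code. Iteration count and sample data are assumed.
"""
import hashlib
import hmac
import json
import secrets

PBKDF2_ITERATIONS = 200_000   # assumed; raise it as far as the slowest client tolerates


def derive_keys(passphrase: str, salt: bytes) -> dict:
    """One slow PBKDF2 stretch, then three independent subkeys. 'enc' and 'mac' stay on the
    client; 'auth' is the only one the client ever presents to the server."""
    root = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)
    return {label: hmac.new(root, label.encode(), hashlib.sha256).digest()
            for label in ("enc", "mac", "auth")}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode (stand-in for AES-CTR)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(keys: dict, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(keys["enc"], nonce, len(plaintext))))
    tag = hmac.new(keys["mac"], nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(keys: dict, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong passphrase gives wrong keys and fails here."""
    if len(blob) < 48:
        raise ValueError("blob too short to be a sealed vault")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(keys["mac"], nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master passphrase or tampered vault")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(keys["enc"], nonce, len(ciphertext))))


class VaultServer:
    """What the service stores per user: a salt, a verifier for the auth key, and an opaque
    blob. Neither the operator nor a thief of this database can read the passwords."""

    def __init__(self):
        self.accounts = {}

    def register(self, user: str, salt: bytes, auth_key: bytes) -> None:
        # Hash the auth key again so a database dump does not directly yield a login credential.
        self.accounts[user] = {"salt": salt, "verifier": hashlib.sha256(auth_key).digest(), "blob": None}

    def login(self, user: str, auth_key: bytes) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and hmac.compare_digest(acct["verifier"], hashlib.sha256(auth_key).digest())

    def salt_for(self, user: str) -> bytes:
        return self.accounts[user]["salt"]

    def store(self, user: str, blob: bytes) -> None:
        self.accounts[user]["blob"] = blob

    def fetch(self, user: str) -> bytes:
        return self.accounts[user]["blob"]


def client_save(server: VaultServer, user: str, passphrase: str, entries: dict) -> None:
    keys = derive_keys(passphrase, server.salt_for(user))
    if not server.login(user, keys["auth"]):
        raise PermissionError("server rejected login")
    server.store(user, seal(keys, json.dumps(entries).encode()))


def client_load(server: VaultServer, user: str, passphrase: str) -> dict:
    keys = derive_keys(passphrase, server.salt_for(user))
    if not server.login(user, keys["auth"]):
        raise PermissionError("server rejected login")
    return json.loads(unseal(keys, server.fetch(user)).decode())


def demo():
    """Constructed walk-through: register, save a vault, return server and the saved entries."""
    server = VaultServer()
    salt = secrets.token_bytes(16)
    passphrase = "correct horse battery staple"   # demo value only
    server.register("alice", salt, derive_keys(passphrase, salt)["auth"])
    entries = {"https://mail.example.net": {"user": "alice", "password": "Tr0ub4dor&3"}}
    client_save(server, "alice", passphrase, entries)
    return server, entries


if __name__ == "__main__":
    srv, saved = demo()
    print(client_load(srv, "alice", "correct horse battery staple") == saved)
```

Two properties are worth checking when evaluating any such service: the login credential must be a different key from the one that decrypts the vault (here "auth" versus "enc"), and the stretch from passphrase to keys must be slow enough that an attacker holding a stolen blob still pays the PBKDF2 cost for every guess. That second property is why the strength of the master passphrase, not the strength of the server, is what protects a hosted vault.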

How DO YOU manage all those passwords (securely)?

So many passwords and so little brain space! The stronger passwords are, the harder they are to remember. Even with clever schemes for making strong passwords we can remember, it becomes almost impossible to remember which password goes where. The end result is that we re-use a few passwords for everything, which is just not good security: one breached site then exposes every account that shares its password.

I told you my dirty little secret about using a U3 drive yesterday. The biggest single reason I use it is RoboForm2Go. It's not free (there is a free version, but it only remembers ten passwords), but it is a great password manager and form filler. It integrates with both IE and Firefox, includes a password generator, uses strong encryption with a master password (one is about the number of strong passwords I can remember), and the 2Go version on a U3 drive lets me use it on any computer without installing anything or leaving anything behind.

There are also versions for non-U3 USB drives, Blackberry, Palm, Symbian, and Windows Mobile. For an extra $10 you can get it pre-installed on a 256 MB USB drive.

What is YOUR favorite? Tell us what you use to manage passwords. KeePass (a free alternative for Windows users)? 1Password (great for Mac users)? There are several available for the BlackBerry. TELL US YOUR SECRET!

Dennis H – August 15, 2008

Comments ( 0 )