Phish in an Envelope

C&IT’s security staff learned about a new form of phishing that has been spotted at several universities, and we want you to be aware of the technique that the Bad Guys are using.

A small number of people at multiple sites are getting physical mail, not email, indicating a possible security issue they should be aware of.  Details are supposedly included on an enclosed DVD.  Individuals targeted range from upper management to researcher/student assistant. Nobody is safe.

The DVD contains an executable you are supposed to run that contains the details.  In reality it contains a trojan horse that snaps a screenshot every few seconds and uploads it to a remote command/control site. The malware runs as the user, and isn’t picked up by antivirus.

If you receive such a package, please get in contact with C&IT as soon as possible.  DO NOT insert the DVD into your system.  If you have any questions, please contact the C&IT Help Desk at 313-577-4778 or

Building Better Passwords

Making good passwords can sometimes be a challenge.  On the one hand, you want something that will be relatively easy for you to recall so that you can access your account.  On the other hand, you need a password that is strong enough to withstand the guessing or “cracking” attempts that often occur on the Internet.  I freely admit that it’s a balancing act, and not an entirely pleasant one.

For me, probably the *single* most frustrating aspect of creating a strong password is that each system uses different rules for what is required and prohibited in passwords.  The rules enforced for your AccessID password are different from your accounts that you use for your online banking, Amazon, iTunes, your household utilities, credit cards, etc.

When creating or changing a password, look out for the following “gotchas”:

  • What is the maximum number of characters it can use?
  • Can I use special characters or punctuation?
  • Am I required to use numbers or uppercase letters?  How many?

While using the same password for all of your online accounts is bad, creating some sort of pattern or scheme for how you build your passwords is actually one of the recommended ways to keep your online identities secure.  In the end, you need to create a password that is meaningful to you, while meaningless to everybody else.

  • Avoid using a single common word.  Attackers frequently use lists of words from the dictionary when trying to brute-force their way in.
  • The longer the password, the better!  Even adding 3 characters to your password can make it over 140,000 times harder to guess if you are using uppercase and lowercase letters.
  • Stay a little abstract.  For example, say you enjoy birdwatching, and want to incorporate that meaning into your passwords.  Don’t use “birdwatch” or anything similar to that.  Instead, think of a place or a time in which you had a really good time birdwatching.  Then, recall an object or a thing that stuck out in your mind at that time.  Use that final idea as part of your password pattern.
  • Use more than just lowercase characters, if the system allows it.  You do not need to go overboard, but simply having a single instance of a number, an uppercase character, and a special character increases your security by several orders of magnitude.  Doing this also helps protect your password from dictionary attacks.
  • DON’T simply add a number to the end of your current password.  All the bad guys know you do this, and alter their attacks slightly to compensate.

Knowing all of this, let’s break out a little math to show how much more important it is to add complexity into your passwords.  In the case of a 10-character password:

Character Sets Used in Password                 Possible Combinations
All Lowercase                                     141,167,095,653,376
Lowercase & Uppercase                         144,555,105,949,057,024
Lower/Upper & Numbers                         839,299,365,868,340,224
Lower/Upper/Numbers & Special Characters   59,873,693,923,837,890,625

Over 59 quintillion ways to create a 10-character password if you follow all of the rules above…wow!  Knowing all of this, what are some examples of good passwords?  Well, keeping in mind any possible restrictions that the password system may have, using the above principles you can generate passwords similar to these:

Steeple Gardens @August
R0tten Tree Stump Beneath The Wind0w
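The table and the list of tips above, worked through in a short Python script.  This is an added example and is not part of the original C&IT article; the function names (article_table, growth_factor, classes_used, alphabet_size, keyspace) are my own.  It assumes the alphabet sizes the table implies (26 lowercase letters, 26 uppercase, 10 digits, and 95 printable ASCII characters in total, which means the special-character set includes the space), reproduces the 10-character table, checks the “over 140,000 times” figure for three added mixed-case letters, and, going a step beyond the table’s cumulative rows, sizes the search space of any printable-ASCII password from the character classes it actually uses, including the two sample passwords above.

```python
import string
from collections import OrderedDict

# Alphabet sizes behind the article's four table rows: 26 lowercase letters,
# 26 uppercase letters, 10 digits, and the remaining printable ASCII characters
# (the 32 in string.punctuation plus the space), 95 printable ASCII in total.
# The class names below are this example's own, not the article's.
CLASSES = OrderedDict([
    ("lowercase", frozenset(string.ascii_lowercase)),
    ("uppercase", frozenset(string.ascii_uppercase)),
    ("numbers", frozenset(string.digits)),
    ("special", frozenset(string.punctuation + " ")),
])


def combinations(alphabet_size, length):
    """Distinct passwords of `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def article_table(length=10):
    """The article's table (cumulative character classes) for any password length."""
    return OrderedDict([
        ("All Lowercase", combinations(26, length)),
        ("Lowercase & Uppercase", combinations(52, length)),
        ("Lower/Upper & Numbers", combinations(62, length)),
        ("Lower/Upper/Numbers & Special Characters", combinations(95, length)),
    ])


def growth_factor(alphabet_size, extra_chars):
    """How many times larger the search space becomes when `extra_chars`
    characters are added; 52 ** 3 is the article's "over 140,000 times" figure."""
    return alphabet_size ** extra_chars


def classes_used(password):
    """Names of the character classes that actually appear in `password`."""
    unknown = [c for c in password
               if not any(c in chars for chars in CLASSES.values())]
    if unknown:
        raise ValueError("not printable ASCII: %r" % unknown)
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]


def alphabet_size(password):
    """Sum of the sizes of the classes `password` draws from.  Unlike the
    table's cumulative rows this covers every mix, e.g. letters plus symbols
    with no digit gives 26 + 26 + 33 = 85."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def keyspace(password):
    """Brute-force search space for a password of this length and character mix."""
    return combinations(alphabet_size(password), len(password))


if __name__ == "__main__":
    for name, count in article_table(10).items():
        print("%-42s %s" % (name, format(count, ",")))
    print("3 extra mixed-case letters multiply the search space by %s"
          % format(growth_factor(52, 3), ","))
    samples = ("birdwatch",                      # the article's "don't" example
               "Steeple Gardens @August",        # article sample password
               "R0tten Tree Stump Beneath The Wind0w")  # article sample password
    for pw in samples:
        print("%-38s classes=%-33s alphabet=%2d keyspace=%s"
              % (pw, "+".join(classes_used(pw)), alphabet_size(pw),
                 format(keyspace(pw), ",")))
```

Running the script prints the same four totals as the table, shows that three added mixed-case letters multiply the search space by 140,608, and makes the point of the “stay abstract” tip concrete: a nine-letter lowercase word such as “birdwatch” lives in a 26-letter alphabet, while the two sample passphrases draw from 85 and 95 characters respectively and are three to four times as long.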

Lastly, never give up hope!  Many times I have sat on a password screen, desperately trying to come up with a good password that meets all of the inane requirements of their system. In the end, it IS worth it!  Having the peace of mind that your online identity is secure and is less likely to be hijacked by unscrupulous people is a good thing indeed.