Trouble sending email from Wayne Connect to Hotmail?

If you have sent an email from your Wayne Connect account to a Hotmail, MSN, or Live.com email address within the past week, you probably had it bounce back as “undeliverable.” That’s because these email providers have flagged Wayne Connect as a source of spam.

How did this happen? It’s the result of a long chain of events:

  1. Spammers send phishing messages to Wayne Connect accounts. Some users, even if only a handful, take the bait and send in their AccessID and password.
  2. Or, the spammers use passwords from LinkedIn accounts to break into a Wayne Connect account, because the Wayne Connect user’s passwords were identical on both systems.
  3. Spammers use the compromised AccessIDs to send millions of spam messages
  4. Spam recipients report spam to Real-Time Blackhole List (RBL) services such as SpamCop
  5. Multiple reports to the RBL service “confirm” that Wayne Connect is a spam source, and it is placed on the RBL.
  6. Email providers check the RBL to make a quick decision about an incoming message that originated from Wayne Connect. If Wayne Connect is on the RBL, they bounce the message and send some cryptic info mentioning SMTP Error 550.
  7. Wayne Connect support staff are alerted about the RBL status, locate the compromised Wayne Connect accounts and close them down, then contact the RBL services to remove Wayne Connect’s entry.
  8. The RBL services wait several days to process the request, to make sure that the spam has truly stopped.
  9. Email resumes flowing again after Wayne Connect is removed from the RBL services.
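
The lookup in step 6, as an added example that is not part of the original post: a receiving server reverses the sending IP's octets, appends the list's DNS zone, and treats an answer inside 127.0.0.0/8 as "listed". The address 192.0.2.25, the zone rbl.example.net and the stub resolver are constructed for illustration; bl.spamcop.net is SpamCop's public zone.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNS name a mail server looks up: reversed octets + zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str):
    """Return the A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def listing_status(ip: str, zones, resolve=system_resolver) -> dict:
    """Map each zone to True (listed) or False (not listed) for this IP."""
    status = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        status[zone] = (
            answer is not None and ipaddress.IPv4Address(answer) in LISTED_RANGE
        )
    return status


# Constructed sample data: a stub resolver standing in for live DNS.
SAMPLE_ANSWERS = {"25.2.0.192.bl.spamcop.net": "127.0.0.2"}


def sample_resolver(name: str):
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    zones = ["bl.spamcop.net", "rbl.example.net"]  # second zone is hypothetical
    for zone, listed in listing_status("192.0.2.25", zones, sample_resolver).items():
        print(f"{zone}: {'LISTED' if listed else 'clear'}")
```

A mail administrator can run the same check against the organization's own outbound address with the default resolver to spot a listing before users start reporting bounces.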

As you can see, even if just a few people are victimized by spammers, it can spell trouble for many other Wayne Connect users.  You can help by being vigilant when handling your email. Here are some good tips to remember (adapted from Microsoft’s Safety & Security Center):

  • Before you click, preview a link’s web address. Move your mouse pointer over a link without clicking it. The address should appear on the bottom bar of your web browser. Official Wayne State web addresses always end in wayne.edu
  • Check the spelling. Spammers often use deliberate, easily overlooked misspellings to deceive users. Examples that we have seen include wanye.edu and waney.edu
  • Carefully evaluate contact information in email messages. Watch out for spelling errors or a missing phone number. One recent phish used the non-existent email address customerservice@wayne.edu, which looks legitimate, but no phone number was provided.

If you have found a phish — report it! Just follow these simple instructions on WSU’s IT Knowledgebase.

If you’re in doubt, just leave the email message alone and contact the C&IT Help Desk at 313-577-4778.

If you want to learn more ways to identify phish, check out our Is an email legitimate? guide.

Got questions? Post them below!

450,000 Yahoo! Voices Accounts Disclosed

On July 12, 2012, over 450,000 clear-text passwords were disclosed in relation to Yahoo! Voices accounts.  The datafile containing this information is circulating throughout the Internet, and multiple media outlets are reporting on this situation:

http://arstechnica.com/security/2012/07/yahoo-service-hacked/

You can check to see if an email address you have registered with Yahoo! Voices was part of the data breach:

http://dazzlepod.com/yahoo/

If you find your email address while searching the above site, it is strongly recommended that you change your passwords *immediately*. This information is public and can be used by anyone at any time.  While the above website is courteous enough to not display the disclosed password, any individual can download the datafile and view it unhindered.  Hackers frequently will use credentials from one system to social engineer their way into other systems, so no account is too insignificant.

Building Better Passwords

Making good passwords can sometimes be a challenge.  On the one hand,  you want something that will be relatively easy for you to recall so that you can access your account. On the other hand, you need a password that is strong enough to withstand guessing or “cracking” attempts that often occur on the Internet.  I freely admit that it’s a balancing act, and not an entirely pleasant one.

For me, probably the *single* most frustrating aspect of creating a strong password is that each system uses different rules for what is required and prohibited in passwords.  The rules enforced for your AccessID password are different from your accounts that you use for your online banking, Amazon, iTunes, your household utilities, credit cards, etc.

When creating or changing a password, look out for the following “gotchas”:

  • What is the maximum number of characters it can use?
  • Can I use special characters or punctuation?
  • Am I required to use numbers or uppercase letters?  How many?

While using the same password for all of your online accounts is bad, creating some sort of pattern or schema for how you create your passwords is actually one of the recommended ways to keep your online identities secure.  In the end, you need to create a password that is meaningful to you, while meaningless to everybody else.

  • Avoid using a single common word.  Attackers frequently use lists of words from the dictionary when trying to brute-force their way in.
  • The longer the password, the better!  Even adding 3 characters to your password can make it over 140,000 times harder to guess if you are using uppercase and lowercase letters.
  • Stay a little abstract.  For example, say you enjoy birdwatching, and want to incorporate that meaning into your passwords.  Don’t use “birdwatch” or anything similar to that.  Instead, think of a place or a time in which you had a really good time birdwatching.  Then, recall an object or a thing that stuck out in your mind at that time.  Use that final idea as part of your password pattern.
  • Use more than just lowercase characters, if the system allows it.  You do not need to go overboard, but simply having a single instance of a number, an uppercase character, and a special character increases your security by several orders of magnitude.  Doing this also helps protect your password from dictionary attacks.
  • DON’T simply add a number to the end of your current password.  All the bad guys know you do this, and alter their attacks slightly to compensate.

Knowing all of this, let’s break out a little math to show how much more important it is to add complexity into your passwords.  In the case of a 10 Character Password:

| Character Sets Used in Password | Possible Combinations |
|---|---|
| All Lowercase | 141,167,095,653,376 |
| Lowercase & Uppercase | 144,555,105,949,057,024 |
| Lower/Upper & Numbers | 839,299,365,868,340,224 |
| Lower/Upper/Numbers & Special Characters | 59,873,693,923,837,890,625 |

Over 59 quintillion ways to create a 10-character password if you follow all of the rules above…wow!  Knowing all of this, what are some examples of good passwords?  Well, keeping in mind any possible restrictions that the password system may have, using the above principles you can generate passwords similar to these:

Steeple Gardens @August
Amaz!ngMonk3yAtTheZoo
R0tten Tree Stump Beneath The Wind0w

Lastly, never give up hope!  Many times I have sat on a password screen, desperately trying to come up with a good password that meets all of the inane requirements of their system. In the end, it IS worth it!  Having the peace of mind that your online identity is secure and is less likely to be hijacked by unscrupulous people is a good thing indeed.

Brave New World of Passwords

It wasn’t that long ago that things were so much simpler!  Before, you may only have had to worry about your password for your email account.  In today’s brave new world, you have passwords for your phone, your WiFi (at home and at work), your banks, your utilities, your magazine subscriptions, etc. etc.  It’s a lot of accounts to keep track of!  This series of articles over the next few weeks will give you some practical ways to manage this headache.

Sadly, all these wonderful tools to help manage your life also have a nasty dark side: with the exponential rise in computer crime, they can be used by other people to manage your life for you.  Or, at least, drain your bank account and use your identity to commit fraud.  The best way to combat this is to start with a change in mindset: you can no longer think of your password as just a way to check email from your family.  Your passwords are your life!  A competent criminal can do just as much damage to your life with access to your electronic records as they can with your Social Security Number.  No sane person would give up their SSN to a stranger, and you should think THE SAME WAY in regards to your passwords.

Many institutions dictate that any activity done with your account is your responsibility.  The reasoning is that ONLY YOU should know the password to access your account, thus any activity on your accounts MUST have been authorized by you.  This has resulted in several tricky legal scenarios in both civil and criminal court.

The moral of the story: PASSWORDS ARE CRITICAL!  This is important so I will say it again – Passwords are like underwear:

  • Change them often;
  • NEVER share them with others;
  • Leaving them out in the open is something kids do;
  • It can be really hard to part ways with one you are used to, but it needs to be done.

Next time, I will share some tips on how to create good passwords.  In the meantime, feel free to use the comments to ask questions or share your thoughts!

Undergarments and Passwords

Passwords are like underwear:

  • Change them often;
  • Don’t share them with others;
  • Leaving them out in the open is something kids do;
  • It can be really hard to part ways with one you are used to.

Trust me, I feel the same pain and frustration when it comes to keeping track of all the passwords that I use for my work and personal lives.  Everyone has accounts for their desktop computers, for the servers they connect to, for the departmental applications they run, for the banks they do business with, for the utility companies for online billpay, and for the plethora of other online resources.  Keeping a handle on all of these electronic identities takes more time than it should, but it beats the alternative of having your identity stolen.

Changing your passwords once or twice a year is an excellent practice to get into.  Consider doing it at the beginning and middle of each year – changing all your passwords is a New Year’s Resolution you can keep, and you can consider it your patriotic duty around the Fourth of July.  Why change your passwords with such frequency?  Two good reasons:

  1. It keeps reminding you about all of your electronic accounts so nothing slips through the cracks, and
  2. In the event one of your accounts is compromised, it limits the amount of time bad things can happen.

When creating new passwords, an easy way to keep a handle on all of them is to create a simple password scheme that only you know.  A password scheme can consist of a base password combined with a little bit of information about the system or site you are logging in to.  For example:

Base Password: SkydivingMakesMe$ick

| System | Append | Final Password |
|---|---|---|
| Desktop Login | Windows | SkydivingMakesMe$ickWindows |
| Work Login | WSU | SkydivingMakesMe$ickWSU |
| Banking Website | money | SkydivingMakesMe$ickmoney |
| Electric Utility Website | Power | SkydivingMakesMe$ickPower |
| Facebook Login | FB | SkydivingMakesMe$ickFB |

By using this method, you create a simple phrase that you can easily remember.  This phrase is just a few words, and should contain a capital letter, a special character, or a number in it somewhere for added security.  Then you can just prepend or append a tiny word in relation to what you are accessing.  Congratulations!  In five minutes you have just created one of the most secure passwords and schemes known to man. Also, by doing this, you can abolish the need for writing down your passwords – another common way to get yourself into trouble.  It really is that simple!

Not sharing your passwords or account names would be a really good idea at this point.  You worked hard enough to create this amazing, easy way to remember all of this information – the last thing you want to do is make it all obsolete!  Do not disclose your username to any non-affiliated party, and NEVER disclose your password for ANY reason.  The moment you tell someone your password, your electronic life is now in their hands.  If an organization says that they need to know what your password is, discontinue using them immediately.  There are plenty of reputable organizations who will be more than willing to deal with you without violating your security.