Identity Fraud Alert

Status
Not open for further replies.
Jun 14, 2010
2,350
Robertson & Caine 2017 Leopard 40 CT
Breaches happen all the time. You must use a different (unique) user/password combination in each site. Don't duplicate same user/password combination in different sites. Don't use a pattern that's predictable or a variation on personal names/words that are public information (your boat name, spouse, dog etc.). An easy way to use strong passwords is to use multi-word passwords that include capitalization, spaces and numbers. Example: "I $ail and it is a Skill" would be VERY difficult for a computer to crack but it's easy to remember and type.
Use a PASSWORD MANAGER that keeps each one encrypted, and a strong master password. Use the password manager to also keep track of the "secret words" some sites make you enter. (Use bogus secret words -- the more info you give out about first dog or favorite teacher etc, the less secure you are).
 
Apr 25, 2017
195
pearson 26 holland mi
Hey guys.

It's not your sailboat forum being the problem :)

here's the content, code, from one such email. lifelock IS NOT custhelp.com don't know who they are. don't really care.

https://www.marketwatch.com/story/m...esses-may-have-been-exposed-report-2018-07-25

any such emails leaked are likely to be phished. hard. a little bit of automatic searching and the folks using the list might be able to create 2 or more points of credibility... in this case your membership at life lock and the membership here or on other forums, to help 'sell' the phish

Stay safe out there all.

https://www.linkedin.com/in/daniel-eakin/ i'd stake my career on it being a phish. i'd not mind looking at other email examples if you have em. just as long as it doesn't take over my life lol.
 
Jun 10, 2017
174
Catalina 1980 Catalina 30 Mk II John's Pass / Tampa Bay
Guys,

Speaking of ever-having-to-change usernames & passwords,
working in my most recent engineering firm, you had to change network U's & P's every 3 months.

After a while walking into cubicles, folks would have the new U&P's written on sticky notes on their PC's
visible to all. So much for security HUH, having to come up with ever-having-to-change usernames & passwords.

No wonder most people don't remember them & I know this well, as I am the help-desk support for my
friends & family members. U&P's are among the biggest problems aside from not keeping up with virus definitions & scans.

As to a fix for this....................NO, it will only get worse.
After all, where are you going to hide yours?
 
Jun 14, 2010
2,350
Robertson & Caine 2017 Leopard 40 CT
That's why I recommended a password manager. I use and recommend LastPass -- they have a free version but the paid version will allow your mobile devices and multiple computers to sync, and the enterprise version enables you to have shared password folders with other users and/or free accounts (so you can keep your business and family separate but still have one place to look). The "hash" for your data uses your "Master Password" as part of the algorithm, so make the MP a secure one (at least 12 characters, and a longer sentence makes it unhackable). Even if the LastPass site gets hacked it would take years for a supercomputer to crack your data, and you should be changing passwords regularly anyway. LastPass has form-fill features that make it easy.

Also, never trust your browser cache to store passwords -- it can be read by any browser plug-in. Browser plug-ins are a leading vector for breaches and some of them include key-loggers and screen scrapers. No Plug-ins should ever be installed unless it's LastPass or antivirus sourced. No weatherbug, no shopping plugins, no Amazon helper, or coupon printers etc.
 
May 17, 2004
5,685
Beneteau Oceanis 37 Havre de Grace
Hey guys.

It's not your sailboat forum being the problem :)

here's the content, code, from one such email. lifelock IS NOT custhelp.com don't know who they are. don't really care.

https://www.marketwatch.com/story/m...esses-may-have-been-exposed-report-2018-07-25

any such emails leaked are likely to be phished. hard. a little bit of automatic searching and the folks using the list might be able to create 2 or more points of credibility... in this case your membership at life lock and the membership here or on other forums, to help 'sell' the phish

Stay safe out there all.

https://www.linkedin.com/in/daniel-eakin/ i'd stake my career on it being a phish. i'd not mind looking at other email examples if you have em. just as long as it doesn't take over my life lol.
Actually, it looks like custhelp.com could be a legit site. The root redirects to an Oracle customer service site, so my guess is that lifelock contracts with them to help with their mass mailing or other customer service needs.

Don't get me wrong, I don't feel like there's a real breach either, but I don't think that link is part of a phish. If anyone wants to PM me the source of the email I'd be happy to take a look too.
 

JamesG161

SBO Weather and Forecasting Forum Jim & John
Feb 14, 2014
7,770
Hunter 430 Waveland, MS
I use Apple's "key chain" and use their suggested Military 256 grade password. You can keep randomly getting really wild passwords. It gives me a timed update notification to Change my User name and password for each Apple cloud stored site. I have a single complex password that unlocks my whole "Key Chain" each time I start my computer.
With Apple, I can log out of my own computer when I leave it unattended. It is still running. Return and log back in.

Nice protection...
Jim...
 
Feb 17, 2006
5,274
Lancer 27PS MCB Camp Pendleton KF6BL
There is no such thing as "military 256". That is a marketing term.

The strength of your password is based on the number of characters used, plus, the type of character used. So 8-characters is weaker than 16-characters. And alphanumeric (1q2w3e4r) is stronger than alpha (qwertyui). But a combination of upper and lower characters plus numeric and special characters is the best (!q2w#E4r).

But I digressed. Passwords have nothing to do with phishing emails. If you are a subscriber of LifeLock...

https://krebsonsecurity.com/2018/07/lifelock-bug-exposed-millions-of-customer-email-addresses/
 
Apr 27, 2010
1,279
Hunter 23 Lake Wallenpaupack
I don't know the Apple technology, but maybe "Military 256" means 256 bit key length, like AES 256. If I recall, AES 256 is the largest key length in the standard. OK, so I digressed even more ...
 
Feb 17, 2006
5,274
Lancer 27PS MCB Camp Pendleton KF6BL
Agree, @isaksp00, that the "military 256" refers to AES256 and SHA256 which are all associated with encryption, not password protection. Regardless, it is best practice to make one's password as difficult to crack as possible.
 

Ward H

Nov 7, 2011
3,787
Catalina 30 Mk II Cedar Creek, Bayville NJ
I use and recommend LastPass
Another good password manager is 1Password. Syncs across multiple platforms and devices, has a password generator that you set for # of characters, special/alpha/numeric. Plus you can securely store other PI.
 

JamesG161

SBO Weather and Forecasting Forum Jim & John
Feb 14, 2014
7,770
Hunter 430 Waveland, MS
Sorry, I did mix up two Apple protection methods. :redface:
Thanks for the correction @Brian D
____
Apple does have very strong random password generator and even a generator that lets you put your own suggestion and randomize it.
Example: You enter your dog's name Fido. It would give you F5!i$d4o or F1i2d3o$
Also password hints to help remember your own passwords.;)
_____
"Military 256" means 256 bit key length
:thumbup:
I mixed up Apple's File encryption method called "File Vault" that does use "Military 256" method of file encryption. Apple warns you, if you forget your password to Encrypt/Decrypt a file or document, Apple cannot undo your "lost file". BTW Encrypted file sizes are larger and take long computer times to Encrypt/Decrypt.

It was not marketing though. Before the time Apple did it, in the late 1980's, people used 8 bit encryption methods simply for slower computers. The military computer speeds allowed 256 bit encryption.

Jim...
 
Jan 11, 2014
12,962
Sabre 362 113 Fair Haven, NY
Another good password manager is 1Password. Syncs across multiple platforms and devices, has a password generator that you set for # of characters, special/alpha/numeric. Plus you can securely store other PI.
:plus: 1Password works and keeps everything synced.
 
Oct 19, 2017
7,980
O'Day Mariner 19 Littleton, NH
When I worked at a prep school as their director of technology (IT guy), most of our computers were first or second generation Pentiums. I had an old 386 with an old version of Windows Works on 3 floppies. I set it up in the library as a word processor and a catalog lookup system. I have a different password for every computer and personally had a different password for everything. I also gave each computer a name "Einstein", "Schrodinger's Cat", "WC Fields", etc. so kids and faculty could identify the computer that had a problem better. The 386 was named "Guinevere" the password was " 'TisITheKing ". I once caught a kid who had downloaded a password cracker because the download was left in one of the lab computer's history and I quickly glanced through their histories before clearing them. I confronted the little miscreant and he said he was just interested in how they worked. Uh huh, right :cool:. Anyhow, instead of bringing it to the attention of the dean, I told the little hoodlum to follow me to the library. We sat down at Guinevere and I logged in. A password cracker isn't much good without the password file and that is stored in a secured folder in the Windows directory, at least it used to be. You have to log in to gain access to it in the first place. I pulled the file up and fed it into the Cracker program. In 1 minute it had guessed " 'TisIThe " including the apostrophe at the beginning. I shut it down and said, "Look at that, it works. If I ever catch you downloading a program like this again, you're going home. Have a good day." The kid who downloaded a random credit card number generator and the kid who sent an anonymous email threatening to kill another student weren't so lucky.

- Will (Dragonfly)
 
Oct 19, 2017
7,980
O'Day Mariner 19 Littleton, NH
Maybe new encryption algorithms are better, but if you only need to guess one character at a time before moving on to the next character to guess, those guessing math times listed above aren't true. Only a fully encrypted password that is rendered into a single numeric value that is either correct in its entirety or wrong will take those kinds of times to guess. And then, you can probably guess the correct one, on average, in half that time. Not that that isn't still a $#!t load of time.

- Will (Dragonfly)
 
May 17, 2004
5,685
Beneteau Oceanis 37 Havre de Grace
Password encryption schemes now work on the password as a whole, so you don't get any information on your guesses unless you get the whole thing right. The only exception I can think of is WPS (the push button way to "securely" connect a device to a WiFi access point). WPS uses an 8 digit passcode but checks the first 4 digits then the next 3, with the last digit as a checksum. Don't use WPS.
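
The last two posts contrast a check that confirms a secret piece by piece with one that only accepts or rejects the whole thing. As an added example (not written by anyone in the thread), this in-memory model counts the candidates in each case, using the 4 + 3 digit split described for WPS, and shows how a lockout policy stretches the time needed to try them all. The class and function names and the lockout figures are assumptions.

```python
# Added example: an in-memory counting model, not code from the thread.
# No real device or protocol is contacted; all values are constructed.

def keyspace_whole(alphabet: int, length: int) -> int:
    """Candidates when the check only says right/wrong for the entire secret."""
    return alphabet ** length

def keyspace_split(alphabet: int, segments: list[int]) -> int:
    """Worst-case candidates when each segment is confirmed on its own."""
    return sum(alphabet ** n for n in segments)

class SplitCheck:
    """Toy verifier that confirms the first 4 digits, then the next 3.
    The 8th digit is a checksum of the first 7, so it carries no extra secret."""
    def __init__(self, first4: int, next3: int):
        self._first4, self._next3 = first4, next3
        self.attempts = 0

    def first_ok(self, guess: int) -> bool:
        self.attempts += 1
        return guess == self._first4

    def second_ok(self, guess: int) -> bool:
        self.attempts += 1
        return guess == self._next3

def attempts_against_split(check: SplitCheck) -> int:
    """Count the answers the toy verifier gives before both parts are confirmed."""
    next(g for g in range(10 ** 4) if check.first_ok(g))
    next(g for g in range(10 ** 3) if check.second_ok(g))
    return check.attempts

def days_to_exhaust(guesses: int, secs_per_try: float,
                    lock_after: int, lock_secs: float) -> float:
    """Days to try every candidate if the verifier pauses for lock_secs
    after every lock_after failed attempts (assumed policy)."""
    lockouts = guesses // lock_after
    return (guesses * secs_per_try + lockouts * lock_secs) / 86400

WHOLE = keyspace_whole(10, 7)        # 7 free digits checked as one unit
SPLIT = keyspace_split(10, [4, 3])   # same digits, confirmed 4 then 3
WORST = attempts_against_split(SplitCheck(9999, 999))  # last candidate in each part
```

Passing `[1] * 8` as the segments models the character-at-a-time case raised earlier in the thread: the count grows with the sum of the parts instead of their product.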
 