In spite of the Washington Post being chosen by Snowdon to publish his “revelations” (a circulation-grabbing but arguably cyclical move), and in spite of accepting a Pulitzer prize for this irresponsible journalism, the paper is now calling for him to be prosecuted. Unlike the liberal Guardian in the UK, the US paper, which profited by his betrayal are now seeing the situation for what it is.
ECJ Hotspot Ruling Makes Free WiFi a NoNo
The latest nutty ruling from the European Court of Justice is yet another example of judges and politicians failing to get the advice of anyone who knows how stuff works before opening their mouths and putting their foot in it.
This concerns a case where some digital rights lawyers tried to sue the owner of a lighting shop in Germany because some of his punters were downloading naughty stuff over his free WiFi. Article 12 of the EU E-commerce Directive says that an ISP isn’t usually responsible for the activity of its users, in the same way the local council isn’t responsible if a thief uses one of their footpaths to make a getaway. But thanks to some deep pocketed sharks lawyers and a defence mounted by some gonzo for the Pirate Party, the ECJ ruled otherwise:
The Court holds that an injunction ordering the internet connection to be secured by means of a password is capable of ensuring a balance between, on the one hand, the intellectual property rights of rightholders and, on the other hand, the freedom to conduct a business of access providers and the freedom of information of the network users. The Court notes, in particular, that such a measure is capable of deterring network users from infringing intellectual property rights.
Basically, until they roll the dice again, offering free WiFi is off the menu at your local coffee shop; customers have to register and get a password, so Sony etc know where to go knocking when their crooners are pirated.
This is going to cause great inconvenience to the majority of normal users, but not much to the pirates. In order to implement this, having a simple open WAP for your customers to use isn’t going to be possible. They’ll all need to be changed to stop and ask for a password before proceeding. You’ll have to give your name and address to the café owner, have an account created and be issued with a unique user-ID and password. The ruling doesn’t go in to any detail about how vociferate the ID check should be, but that’s a whole new boîte de Pandore.
However, if you’re a pirate, you just give false credentials. No problem. Or even easier, capture the unencrypted traffic and pinch someone else’s password, then sit back and snigger as the fuzz kick down their door instead.
You could, of course, insist that such networks are also encrypted using WPA. Not all endpoints support this, but lets leave that aside. Unlike WEP which can be broken in 30 seconds on a laptop, WPA2 takes a couple of hours on some fairly hefty dedicated kit (or 24 hours on a standard AWS compute server). So that’s alright then.
Once a fake account has been obtained, of course, you can provide lists of WPA2 keys, IDs and passwords on the pirate web. I predict there’ll be a huge list of fake credentials within a couple of days of it being implemented. Well I would predict it the ECJ ruleing could be implemented without major infrastructure changes and the enormous manpower needed to enforce it. But that’s not going to happen, is it?
But hang on a minute – doesn’t this all sound familiar? Well yes, there’s the UK’s Data Retention Regulations of 2009. This already requires service providers to keep a log of the name and address of users, and what IP address they were using at any given time. If you’ve noticed WiFi hotspots provided by some large companies asking for your name, address and password when you first log in, now you know why.
Is this effective? Of course not. Who’s going to give their real name and address? If you’re a legitimate user, you’re going to be wary of junk mail; if you’re a pirate you’d have to be crazy.
So once again, we have some complete idiots in the EU (in this case) flying in the face of technological reality, where the only practical response to their utterances is to ignore them. What a waste of time and money. It’d be cheaper to stick to our own idiot politicians.
BT Internet mail is broken – Deferred: 421 Too many messages (1.5.6.1) from xxx.xxx.xxx.xxx
When Yahoo ran BT Internet’s customer email for them, it wasn’t great. We all know they had problems coping with spammers hammering away trying to deliver scams and marketing messages to BT’s punters, putting the whole system in to paranoid anti-spam mode on occasions. But it could have been worse, and now it is.
Since Critical Path (now owned by Openwave Messaging) took over running the shambles in May 2013, they appear to have hit on the bright idea of not accepting more than 49 emails a day from any one server. What? Yes, you read that correctly. If the server tries to send message fifty it gets a delayed email response:
Deferred: 421 Too many messages (1.5.6.1) from xxx.xxx.xxx.xxx
Sendmail (or other normal MTA) will simply continue trying to send it for a week, but if you have more than fifty messages a day on average to BT punters the queue is never going to empty. And fifty messages isn’t a lot. Suppose you’re a company and someone wants their work emailed forward to BT Internet? That could easily be fifty for one luser. And if you’re an web host, one of your customers is probably going to want all the email for a domain to go to a @btinternet.com address, and they’ll likely set it up without you even knowing about it.
This has being going on for over a year now, with a possible reduction in the limit last autumn. There was a theory going around that it would reject domains if the SPF record was inconclusive. Although SPF sounded like a good idea for the first five minutes, it’s rubbish when used as a naive check on mail that’s been forwarded.
I’ve been able to get some unsatisfactory information out of BT on this issue. Basically their policy is to “throttle” mail from an IP address if they think more than a certain proportion of it is spam, based on SPF records and suchlike. In the case of a user having all their mail forwarded to a BT Internet box, a high proportion of it is going to be spam; it’s inevitable. And a check of the SPF record is obviously going to fail (doah!)
BT luser forums are full of complaints about this, although the cause is misunderstood. Users get bounce messages, but it’s the server log that tells the whole picture, and as it’s often delayed they believe that a hokey “fix” has actually worked and others follow.
So what can be done about it? The obvious answer is to stop using BT Internet mail. They’ve shown a complete unwillingness to address this issue, and will doubtless make some excuse that most users are unaffected – that’s to say the other large ISPs and freemail services; direct business-to-BT Internet Luser is a small fraction. If that doesn’t work for you, the minimum you should do is ban anyone forwarding mail to @btinternet.com through your servers. Then make sure that domains you host have the correct SPF records. If you don’t, and one exceeds the limit, the IP address will be blocked and prevent your other customers from using it too.
No one who knows anything about spam control will rely on SPF, of course. But if there is someone who knows what they’re doing at Openwave, their voices are clearly being ignored.
If you’re a BT customer and you use email, based on the fact this problem has gone unresolved for a year now, the only advice I can give is to move away. Which is inrtersting, because this April BT announced plans to charge their ex-punters 60 to keep their (broken) @btinternet.com domain names – the same price as BT Internet’s broadband offering anyway. Done, you will be.
Why passphrases are a bad idea
Following my discussion of password lengths, it appears that NIST are concerned about naughty people brute-forcing hashes in stolen password lists. In order to make it more difficult, they’re recommending long passwords, like me. But unlike me, they’re suggesting that they should be made up of randomly chosen words to make them easier to remember because the users could connect them in their mind.
NCSC have their own version, which is basically the same. Originally it was suggested four words would be enough, but it’s often reported as just three.
Leaving aside the chances of someone actually picking random words that are genuinely random, I was curious as to how difficult this would be to crack.
Instead of having the 26 letters of the alphabet to play with, using words gives you a lot more symbols. I wondered how many, so I looked in the obvious place – the BSD spell-check dictionary. That’s a lot of words, but realistically you’d want them to be between three and nine characters long. If you make them too long it’ll take more time to type than people will be willing to spend. Also, looking at longer words, they tend to be made up of smaller ones, or common letter combinations (“anti”, “un”, “ly”, “able”).
So, with a bit of awk, I extracted all the words between three and nine characters. There are a LOT. But on closer inspection, they’re not words I’d have ever picked at random, mainly because I’ve never heard of them. They’re the kind of combinations that cause arguments among scrabble players.
To get some idea how many realistic words there were I extracted 200 at random, and went through to pick the ones I knew. I let proper names count, and it turns out that I knew about 20% of them overall. Whether I’d pick many of them if asked to think of a word at random is another matter; and one worthy of study. However, best-case this extrapolates to about 18,000 unique words in the symbol set. So for a three-word combination the best you’re going to get are 18,000^3 or 6E+12. That’s as good as an nine-character a-z password. A nine-character password can be broken in 14 seconds maximum.
Sorry NCSC, but I don’t like these odds. Let’s go up to the four-word version: That has 1E+17 combinations, which could take a couple of months to crack. But this is still being very optimistic about the choice of words being random.
The rationale behind using a passphrase is that it’s easier for users to remember, and this is a good point. People can create a mind map; a short story or scene using the four chosen words. It is certainly easier than remembering a sequence of random symbols. You can also create a mind map using symbols by giving them meaning (1 = flagpole, 2=swan) etc. But this misses an important point – the sheer number of passwords people have in the modern world. I suggest most people would struggle remembering more than half a dozen mind maps, yet probably have well over 100 unique passwords. The only way to manage so many unique passwords is to store them somewhere, encrypted with one master password.
In short, a passphrase instead of a password only makes sense if its pretty darn long. If you’re going for entropy, a random character password – if you can remember it – will be much, much quicker to type.
Barking Mad.com – Is Bark.com is going to the dogs?
Bark.com launched in 2014 as a web based service matching service providers with customers. Basically, you register as a client, say what you need done and it sends job leads to suitable businesses. A bit like computer dating.
And like any business relying on data matching, it will live or die by the accuracy of its data. It got off to an interesting start by purchasing the data from Dublin-based SkillsPages – 20M contacts of dubious pedigree. I know about this, because in the interests of research, someone registered as a supplier of a highly unlikely service in the name of a very well known science fiction character. No checks were made, but as no one needed the dilithium crystals realigned in the warp drive in a Constitution-Class Federation starship, no offers of employment were ever received by Chief Engineer Scotty. Until, that is, Bark bought the dodgy data and decided Scotty was an electrician in south London and then the leads started rolling in.
Okay, so we all had a good laugh at their expense before the account is cancelled once the joke had worn thin, but it should be an object lesson in data validation if you’re trying to give potential customers confidence in your “Professionals”.
And then this morning, in the space of 90 minutes, I received a load of emails to a made-up address on one of the domains I look after, but using my name. The emails contained quotes for a job that I had apparently posted. How could this be? I scrolled back down the email and found a “Welcome to Bark” message, giving “my” username and password, and implying I’d just created an account and posted a job request. Obviously someone had, but it wasn’t me.
My first reaction was to read the email carefully, looking for the “I didn’t register this account” link, but there was nothing of the kind. Of course, what they should really do is verify any email address; i.e. check that it actually belongs to the person claiming to set up the account.
Out of respect to the people who’d bothered to quote for the job, I emailed them all back saying “Sorry – someone seems to have done this as a joke”. However, Bark bounced these all back, because I’d sent them from my real email address; one that obviously didn’t match the fake one. So Bark can check email addresses when they want to!
Bark.com is leaving itself open to all kinds of trouble by operating like this. The killer is that the professionals putting in the quotes have paid bark.com to do so, but could claim that bark.com hasn’t taken enough care to ensure the job leads are genuine. By not even verifying the email address, they could be said to be making absolutely no effort at all.
When I spoke to Bark.com and raised this very specific issue, the claim was this rarely, if ever, happens. I provided the details and they promised to refund the people who’d been charged for a false lead, and said “This is not how we operate, this should never happen”, and that “when it’s brought to their attention they close down the bogus account and refund the money.”
How long should my password be?
Don’t worry. I’m not getting into cryptography in any detail, and I’m going to try very hard not to mention entropy at all. There is so much confusion about passwords already, thanks to Hollywood movies and IT professionals parroting technobabble. I’m going to explain this in English.
What’s wrong with passwords?
If you’ve seen a cracker breaking into a computer on a TV programme, you’ll be familiar with the setup. Faced with a “login:” prompt, and imminent discovery by the guards walking down the corridor, they frantically type a few desperate things and suddenly the screen changes to “Downloading data, 15 seconds remaining”.
This is, of course, complete fiction. But how do crackers really steal passwords? Let’s assume they can’t guess it, because you haven’t used your kid’s name, “password” or “letmein” (the most common genius ideas from the 2000s). Weak passwords are still a problem, as is leaving a default password on something after installation. But assuming you’re not crazy enough to have one, there are still ways discover hard-to-guess passwords.
Password “sniffing”
The first method is obvious. If you type in your password with someone looking over your shoulder, it’s no longer secret. This may seem too simple to worry about, but it happens. And watch out for cameras. But it can also be done remotely, and this is what a keyboard logger Trojan does. This simple piece of malware intercepts everything you type on your keyboard, passwords and all.
Most malware you’re likely to be infected with includes a key logger, or may download one once the criminals have control of your device. Why wouldn’t malware spy on you while it’s at it? They’re also found on PCs in Internet cafes around the world. It’s amazing how many people lose control of the Hotmail accounts after accessing their email on holiday.
If your password is grabbed by a key logger, it’s complexity, or lack of it, really doesn’t matter. It’s compromised. The traditional defense is to ensure you use different passwords for each system and change your passwords frequently. The first is vital, the second wishful thinking. Changing your Gmail password before the criminals do is unlikely.
There is another solution – two factor authentication (2FA). When you get down to it, there are two ways to prove you are you. One is something you know (e.g. a password), and the other is something you have (e.g. a key, as in lock and key). It helps, think about the them as being a combination lock and a physical keyed lock in the real world. And a door lock that uses both is A Good Thing.
You may think that having a physical key is a perfectly good option, as the key is (effectively) unique. No one else has the key. But supposing you lost it? With 2FA, no one can use you key without also knowing the combination. And if your combination became known, it’s useless without the physical key.
Another good example is chip-and-pin bank cards.
Incidentally, you may hear people going on about MFA (Multi-factor authentication). What the third or subsequent factors may be is hard say, but for marketing purposes “multi” sounds better than “two”. (Bio-metrics are often cited as a third factor, but it’s effectively using your body as a key. In other words it’s still something you have).
Wholesale pilfering
But I’ve digressed. I was supposed to be talking about the second way of having your password stolen, and it’s also pretty simple: An attacker gets access to a computer containing a list of passwords, including yours.
Although it has been known to happen, there should never actually be such a list of readable passwords. That’d be crazy. If you don’t have a list of user-IDs and corresponding passwords, no one can steal it. If you do have such a list, expect it to be nicked.
But if there’s no list of passwords, how does a computer know if you’ve entered your password correctly? What is it checking your password against to see if it matches? That’s the cleaver bit.
What you do is keep a list of users, together with their hashed passwords. A hash is a code derived from your password, but which isn’t your password. When you log in, the computer derives the hash code from whatever you’ve entered and compares it with the stored hash – if they match then you entered the right password.
So how is a hash derived? How about an example. In our system a password is going to be a number, for simplicity. And I’ll call this number ‘p’ (for password). The resulting hash I will call ‘h’. Our hashing function (number 1) is going to be:
h = p x 7
Applying this to various passwords gives:
| User (stored) | Password (not stored) | Hash (stored) |
| Tom | 123 | 0861 |
| Dick | 200 | 1400 |
| Alice | 321 | 2247 |
| Jane | 567 | 3969 |
Table showing passwords hashed using trivial method
So, if Alice comes along and types her password as “321”, the computer hashes it and gets 2247. It then compares this with the stored hash, and open sesame.
If the user list is stolen, the thief won’t know Alice’s password is 321. Unless, of course, they divide the hash value by seven. Hash method 1 is pretty rubbish, as you can work it backwards.
But if instead of multiplying, you divided by seven then you wouldn’t be able to work backwards to Alice’s password if you only stored the integer part. Or the modulus. But unfortunately, one in seven passwords entered would also match. Unless you pick a suitably complex number – how about Pi, and ignore the integer part. If we do this, we end up with the following:
| User (stored) | Password (not stored) | Hash (stored) |
| Tom | 123 | 1521 |
| Dick | 200 | 6619 |
| Alice | 321 | 1774 |
| Jane | 567 | 4817 |
| Harry | ??? | 9915 |
Table showing passwords hashed using the improved algorithm
This is a much better hash, as you can’t reverse the method and retrieve the password. You can’t take Harry’s hash of 9915 and calculate what his password was. But, unfortunately, you can still work it out. If our passwords are all three digit numbers, there are only 1000 possible choices, and a computer could try them all in turn until if found a match. And this is why password complexity matters. If there are enough possible combinations it could take an unrealistic amount of time to try them all.
The next question to ask is “How many combinations are there?” I said at the start I’d keep the maths very simple, so you may want to skip this bit. But it’s not hard.
If you have a single character password that has to be a letter a-z, there are 26 possible combinations. That should be obvious. If you have two letters, the possible combinations are 26×26=676. Three letters is 26x26x26 (or 26^3)=17576 choices, and so on. In other words, if you take the number of possible characters and raise it to the power of the length you’ll have the total number of possible passwords. The following table gives the possible combinations for different lengths of password and sets of symbols.
| length | a-z | a-z,0-9 | a-z,A-Z | a-z, A-Z, 0-9, ~!@#$%^&*_-+=` |(){}[]:;”‘<>,.?/ |
| 1 | 26 | 36 | 52 | 96 |
| 2 | 676 | 1296 | 2704 | 9216 |
| 3 | 17576 | 46656 | 140608 | 884736 |
| 4 | 456976 | 1679616 | 7311616 | 84934656 |
| 5 | 1E+07 | 6E+07 | 4E+08 | 8E+09 |
| 6 | 3E+08 | 2E+09 | 2E+10 | 8E+11 |
| 7 | 8E+09 | 8E+10 | 1E+12 | 8E+13 |
| 8 | 2E+11 | 3E+12 | 5E+13 | 7E+15 |
| 9 | 5E+12 | 1E+14 | 3E+15 | 7E+17 |
| 10 | 1E+14 | 4E+15 | 1E+17 | 7E+19 |
| 11 | 4E+15 | 1E+17 | 8E+18 | 6E+21 |
| 12 | 1E+17 | 5E+18 | 4E+20 | 6E+23 |
| 13 | 2E+18 | 2E+20 | 2E+22 | 6E+25 |
| 14 | 6E+19 | 6E+21 | 1E+24 | 6E+27 |
| 15 | 2E+21 | 2E+23 | 5E+25 | 5E+29 |
| 16 | 4E+22 | 8E+24 | 3E+27 | 5E+31 |
Table of possible permutations based on password complexity and length
If you’re not familiar with the number format 2E+09, it simply means 2 followed by nine zeros. When we’re talking about big numbers, the number of digits is going to be more useful.
On the face of it, the last column, including all the punctuation characters, is considerably better than a simple choice from a-z. But look more closely and you’ll notice that adding a few more simple characters quickly brings the number of combinations up. For example, an eight-character really complex password has a similar number of permutations to a simple ten-character one. Or a nine-character password if you add 0-9 to a-z.
I don’t know about you, but I’d rather type simple characters rather than messing about with shift, capital letters and punctuation. This puts pay to Myth Number 1: using punctuation and suchlike is necessarily better. The extra keystrokes hitting the Shift key are greater than if you stuck to lower-case.
Actually, it’s a lot worse than that. Everyone knows that people capitalize the first letter, use a $ instead of S and stick a ! on the end – or something similar. If they’re forced to change the password regularly they add 01, 02, 03… and so on to the end, which means an attacker can try such likely variations first.
So the characteristics of a good password are, simply, something that’s complex enough that it would take an unrealistic amount of time to brute-force, AND which is easy to type. Forget easy to remember; it’s got to be random. Passwords containing words to bulk out the length are much easier to crack, as words can be checked for early on.
So how complex does a password need to be? Well that depends on how fast an attacker can cycle through all the possible combinations. Using a computer, does 1000 guesses a second sound reasonable? How about a million? In Your Dreams. The fastest password guesser I know of in private hands can test 400,000,000,000 every second. That’s 4E+11. If you used the full symbol set, at random, a six-character password would take less than a second. If you simply have a rule saying “must contain two out of digits, upper-case letters or symbols”, and people have just one of each to satisfy the requirement, it’ll be substantially faster.
Put another way, a fully secure Microsoft-standard random password with no mistakes will take about five hours, maximum. You can bet nation states and serious cyber-criminals are going to be faster still; I wouldn’t be surprised if it was minutes or even seconds.
So how long if I want to be safe?
So how long should your password be? Well I’d like one that can’t be cracked in 1000 years as a minimum. That’s 3E+10 seconds. The cracker runs at 4E+11 a second, so multiply them together and you get around 1E+22 combinations needed.
From the table above, 16 random a-z characters is enough, or 15 characters if you add 0-9. If you want to include punctuation and so on, and you really, really, don’t mind mixing them in at complete random, then 12 will be enough. But this is a minimum, and you’ll probably have to add a character every year.
The smart answer is to abandon passwords and use certificates instead.
Five year old “new” malware discovered “by Kaspersky”
Yesterday Russian security company Kaspersky has released an analysis of what it claims is previously undiscovered malware, which has come to be known as Salron. Kaspersky’s analysis is incomplete, but contains more detail than was generally available in public beforehand. They admit it’s “probably” been around for five years, and this is true; but it’s not exactly unknown. The unknown group behind the attacks has become known as Strider, and they’re using a backdoor program called Remsec. Details of this were published by Symantec a week ago.
Kaspersky’s conclusion is that this is a “Nation State” level piece of malware. It’s possible, but other than being very competently produced, I have seen no conclusive evidence to back the claim at this stage, but there’s quite a bit that’s circumstantial. According to Symantic, it’s been used to target relatively few organisations – mostly in Russia, with a Chinese airline and an unspecified embassy located in Europe. In other words, that naughty Mr Putin is at it again. Or is it the Chinese attacking their neighbour?
Based on the public analysis, it was written by some very smart people and avoids the mistakes made in previous systems such as Stuxnet. Kaspersky points to it being a rung up the technology ladder as an indication it was another government-sponsored effort, although in practice, anyone could learn the same lessons and produce a new generation.
AV companies have been detecting this for over a week, and it hasn’t thrown up a large number of infections. This is intriguing. Also, the way it works to circumvent very specific and uncommon high-end security software indicates its in the APT category.
Microsoft, who’s operating systems it attacks, has yet to comment.
Quadrooter – major security bug in Qualcomm Android drivers
Check point software claims to have found what it calls a serious vulnerability in Qualcomm software running on LTE chip-sets used in many Android ‘phones. Apparently they informed Qualcomm about six months ago, and they’ve now modified their drivers to stop it in future, and issued patches, but I doubt many of the 900,000 of the devices already sold with the LTE chips will end up being patched. LTE is two-thirds owned by Qualcomm.
Check Point has released an App to check whether your phone is vulnerable, but it’s up to the device manufacturers to actually push the patch on to their users. The major ones may, but the majority of handsets are of the cheaper variety, sold in third world countries, and not as well supported.
Normally I’d treat stories like this with a bit of caution, and I’ve yet to fathom exactly how ti works. However, Check Point’s description is scary – and the Israeli company isn’t known for hype. Basically, the flawed Qualcomm chip-set drivers have flaws that allow a downloaded App to gain root access without the need for any unusual permissions. This is bad.
Check Points advice is to only trust Apps installed from Google Play, which is ironic given that as recently as this May they released a report saying you shouldn’t trust Apps from Google Play as too many nasty ones crept in.
Parent Pay adds fuel to its fire
Following a disastrous software “upgrade” on 6th June, it appears that ParentPay, the controversial on-line payment system used by many schools, finally appears to have noticed it has a problem. In an email sent to all its 1.7 million victims users today, CEO Clint Wilson apologised that people were having difficulties with the new system and conceding their support service was overwhelmed. He promised to fix the problems and get it right over the summer.
Perhaps in order to emphasise the fact that he really don’t know much about this technology stuff, the email was sent in a Microsoft-only format, with an invitation to “view it in your web browser” if you weren’t using Hotmail, or whatever else it was designed for. It really doesn’t bode well.
The ParentPay website was always awkward, requiring very specific web browsers in order to operate, and using insecure technologies rather than HTML. The latest update relied very heavily on JavaScript and assumed specific screen resolutions, forcing people to upgrade browsers and wait for updates in order to use it – and it looks ridiculous on a desktop-sized screen.
At the same time ParentPay implemented a system where parents were made to pre-pay in to the account and then allocate funds later, rather than paying for the items at the time they were selected/purchased. Subsequently the company has sought to defend this tiresome system as an initiative to help low-income families, although exactly how pre-payment does this isn’t clear. The fact that ParentPay is left holding money for longer before the school gets is probably didn’t even cross their mind.
Parents, already leery about the whole ParentPay system and the way it has been imposed on them by schools in spite of widespread long-standing dissatisfaction, have taken to social media to slag off the crass software update and appalling customer service..
It’s a sad fact that schools and local authorities lack the necessary IT savvy to spot a turkey when its marching up and down in front of them, and instead opt for “safety” in numbers. I don’t actually blame the schools for this – it’s not their job. It’s the government and local authorities that are unable to provide good advice – but local authority and government IT projects are, of course, a byword for expensive shambles.
Am I being phished?
Today I received an intriguing email with a Microsoft Word attachment implying I had money coming to me if I filled in a form. Yeah, right. I was just about to hit delete but I was a bit surprised the sender was addressing me as Prof. Leonhardt. It’s hardly the first time someone’s got this wrong – and to be on the safe side I can see why people might start high and work backwards through Dr. and so on, as people who are about such matters are only offended if you start too low.
But why would a botnet add the title?
On closer inspection I recognised it was a royalty payment enquiry from a publishing company that had actually done a book for about five years ago. I didn’t expect it to sell (it wasn’t that kind of book), so hadn’t thought much about out.
But I still haven’t opened the attachment. The email headers suggest it came from the publisher, but they can be forged. And this could be a clever spear-phishing attempt – after all, if you bought the book, which was largely about email security, you’d have the name of the publisher and my name – and the email address used can be found using Google.
I don’t believe I have ever been spear-phished before, so I’m feeling a bit more important than I did yesterday.
Time to fire up the sandbox!