Bogus "account hacked" message

allison allisonportable at gmail.com
Tue Jan 8 16:23:49 CST 2019


On 01/08/2019 04:29 PM, Grant Taylor via cctalk wrote:
> On 01/08/2019 02:09 PM, allison via cctalk wrote:
>> It's actually funny.  The password given is three yahoo (groups) hacks
>> ago (about 10 years) but the email address used was a public one way
>> reflector (arrl.net).
>
> So you are (or were) a licensed ham.  73 to you.  :-)

Still am.  Hence the reflector as mycall at arrl.net.  But the reply, if
there is one, will be from a different address.  Anyone with a
functional brain can look that up.

>
>> So all in all it's a crude phishing attempt.  I write down old
>> passwords to keep from reuse and I use long mixed ones.  So I know it
>> was from that and meaningless.
>
> Hopefully you keep that list in a way that's not cleartext on your
> computer.
>
Cleartext on paper in my handwriting... ok, that may mean loosely encrypted.

Generally anything useful is walled off or encrypted.  I also maintain
an air gapped archive.  Hardware is cheap and disk cheaper.  Someone
hacks this machine with ransomware, I wipe and reboot as a 64gb disk is
not big and not the motherlode.

Better is the stuff on the VAX under VMS user account...  I put it on
the net on occasion and the fun begins as the script kiddies try to log
in.  Mind you, you need both an account name and a password longer than
15 chars.  Standard lockout after three fails is 15 minutes.  No Apache
and other webby stuff plus DECnet over IP messes with them.  Once I put
up a VMS account with the directories all write-locked with virus copies
(maybe a few megabytes of oldies) in it and a guest password; it was
funny to watch the access and then nothing from that IP.

> I too have lists of old passwords in my password vault.
>
>> The source is useless as the address is a bogus hack as well.
>
> I'm still curious.  Mainly because I run my own mail server and wonder
> if the messages would have been stopped by my filtering.
>
Like I said, the reflector is public and they used the right call, easy
to look up and verify.

>> Same claims of rude and crude caught off the camera save for the
>> systems use never had one or are blocked/disconnected(laptops) and at
>> best a stupid threat. I run linux on multiple flavors/platforms so
>> typical M$ hacks don't fly either.
>
> Scare tactics.
>
Or hilarity!  As a woman it was funnier to read.  Like, really!?!

>> I was tempted to buy the smallest bitcoin possible maybe 0.1 cent (1
>> milliDollar) for laughs and send that as they deserve the very least
>> for a dumb hack.
>
> I would avoid doing anything good to the miscreants.

A millibuck is a pFFT (raspberry noise) to someone demanding kilo bucks.
I have mostly contempt for them.  Been at it longer too.
>
>> Ignore the phoolz and if the password matches current change it.
>
> Yep.

The usual is that that password accessed as many as a dozen or more
sites and accounts.  If one is hacked, then which one of the many, if
even remembered?

>> consider changing them periodically.
>
> I thought there had been some research and reports, particularly from
> NIST (?) about a year ago where /forced/ periodic password changes
> were actually a bad thing.
>
>
Yes, many, when forced to do that on 30 or 90 day rotations, use poor
passwords (weak) or worse, write them down and tape them under the
keyboard.  The interval can be random and long, or anytime a hack has
been reported somewhere even if not the known systems.  I worked one
place where "123" was a low level password for a decade and still every
Monday I'd get called, "did the password change?" because they forgot
it.  If used from outside it got you mostly nothing and access to the
very slowest machines if you made it through the firewall (discrete
hardware).


Allison



