# Tuesday, August 26, 2008

I have been getting more phishing e-mail lately that points me to "bad" files on what would normally be "good" sites. Last week I got a message that pointed to index1.htm on a site. Index.htm was the valid home page and appeared to be the personal site for a young lady in Brazil. I couldn't read the page but it didn't look malicious. When I went to the index1.htm page it had a flash application that would tell me that I needed to download a new viewer to view a news article.

The message today pointed me to a web site for a doctor. The link went directly to a .exe file in the URL so I knew better than to click on it. The interesting thing about this message is that I supposedly got an e-card from "a friend". At the bottom of the message was a link to www.greetingcard.org which has a section for an "Email Scam Alert!" on the lower right of its home page. You would think that the phishers would not put in clues that their e-mail is bogus right in the e-mail. Then again, maybe I should be thankful that they are not better as it would be harder to figure out which e-mails are legitimate and which ones I can blog about.

Tuesday, August 26, 2008 7:02:39 PM (Mountain Standard Time, UTC-07:00)

I read the article at http://redtape.msnbc.com/2008/08/almost-everyone.html about the "Forgot your password" link to reset your password being a possible attack vector. I think they discussed the security issue quite well and also pointed out that there are no reports of this method being used widely to attack accounts. I know that in all the time I have had a Hotmail account I have twice gotten e-mails about a password reset that I didn't initiate. The first time I ignored the e-mail until I got a reminder about 10 days later that it was about to expire; the second time I immediately clicked on the link stating that I hadn't started the password reset. I also went and changed my password just in case someone had compromised my account.

The article has some good advice about not using obvious answers to the reset questions. I think this might be one case where my generation has a lot more latitude in choosing a non-obvious answer. While my birth date and mother's maiden name might be easy to find on the Internet, when I was a teenager there was no blogging so I would assume outside of the people that I went to school with and a few close family members nobody would know the name of my first girlfriend. It might be easy for a hacker to guess the answer to that question but hopefully it would take them a few tries and the back end systems would be alerted well before they guessed the correct answer.

Another tactic that I have used is to pick an "obvious" question but then give it a false answer. As was pointed out in a recent issue of the RISKS digest, they aren't validating the answer, just that you can type in the same value twice. I use the name of my pet as a question but rarely if ever use Max, which was the name of my dog, and instead make up other "names". The best are a semi-random set of numbers and letters that aren't even a name, so if someone is running a dictionary attack of the most common pet names your answer will not be in the dictionary.

To help me not forget the password in the first place, or to remember the answer if I need to, I can always look at my Password Minder file. The thing I like is that it will automatically generate random passwords for me and has a notes area where I can write down my secret question and answer. The data (both passwords and comments) is encrypted on the disk, so I feel pretty safe about it not being stolen from me.

Tuesday, August 26, 2008 2:16:01 PM (Mountain Standard Time, UTC-07:00)
# Friday, July 11, 2008

Yesterday I got an e-mail saying it was an open letter from United Airlines to its "best customers" about the high cost of fuel and how it is causing problems in the industry. The gist of the e-mail was that speculation on the cost of oil is what is driving up the cost of oil and that the government needs to regulate the market to save us all from high fuel prices. I was immediately suspicious because I have flown United Airlines but do not have enough miles to be awarded any status in their frequent flier program. The e-mail was "signed" by the executives of several airlines asking me to  I didn't click on the link for several reasons.
1. I was busy and didn't think I had the time.
2. The text on the link and the actual link didn't point to the same web site. The link goes through unitedoffers.com which could be a web site by United Airlines but I didn't want to spend the time to check it out.
3. As I already stated I was a little suspicious of the "best customers" claims.
4. I generally don't click on links in unsolicited e-mail but instead prefer to go directly to the web site linked to.
5. The emotional nature of the subject. When I get an e-mail that gets me fired up and angry I always try to stop, calm down, and think a little before I do anything with it. This was drilled into me early on in my career by a VP of Software Engineering who would talk a lot about Career Shortening Moves.
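Two of the checks above (visible link text naming a different site than the real link target, and a link that goes straight to an .exe, as in the e-card message) can be automated against an HTML e-mail body. This is an added example, not code from the original post; the sample e-mail HTML and the host names in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body: the first link's text names one site but its
# href goes elsewhere; the second link points straight at an executable.
SAMPLE_EMAIL = """<p>Read the open letter at
<a href="http://unitedoffers.com/track?id=123">www.united-airlines.example</a></p>
<p>Your e-card: <a href="http://example-doctor.invalid/card.exe">click here</a></p>
<p><a href="http://www.greetingcard.org">www.greetingcard.org</a></p>"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat")

def _host(text_or_url):
    """Bare host name from a URL, or from link text that looks like a site name."""
    candidate = text_or_url.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = (urlparse(candidate).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, reason) pairs for links that deserve a closer look."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        path = urlparse(href if "://" in href else "http://" + href).path
        if path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append((href, "links directly to an executable"))
        # Compare hosts only when the visible text itself looks like a site name.
        if "." in text and " " not in text and _host(text) != _host(href):
            findings.append((href, f"text names {_host(text)} but href goes to {_host(href)}"))
    return findings

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```

A link whose text is a plain phrase such as "click here" is not compared by host, since there is nothing to compare; it is still flagged if its target is an executable.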

Later in the day yesterday I got my monthly notice from Delta Airlines about my frequent flier account. Since I fly with Delta and have a lot of frequent flier miles I was sure they would mention this open letter since they were one of the signers. They didn't so I was pretty sure it was a phishing e-mail. I went on my way smug in my assurance that I had done the right thing.

As I was watching the local news they ran a story about the open letter. The story was more about the rising cost of fuel for airlines and the number of layoffs each airline had announced for this year but they did mention the open letter. So then I got to thinking that maybe the letter was legitimate.

This morning I spent a few minutes looking around for the answer to the question on whether the e-mail is valid or not. Here is what I found out.

When I went to the TV station's web site I couldn't find the article in the list of most recent articles. I also tried their search on the site but it couldn't find the article either. That makes me wonder why other stories from last night are on the web site but not that one. [+1 for phishing e-mail]

I checked the United Airlines, Delta Airlines, and Delta Airlines blog sites but didn't see the open letter mentioned on any of them. [+3 for phishing e-mail]

Unitedoffers.com redirects back to the United Airlines web site. [+1 for legitimate e-mail]

I typed in the address of the link in the e-mail. The site looks like it is calling for reform of the oil speculation market. I haven't clicked on any other links. [+1 for legitimate e-mail]

Doing a Live search and a Google search for the web site brings up the web site, a lot of people asking in forums if this is a real site, and some descriptions like this one:
"Go to the web site and enter your zip code so your representatives can be identified. Next, enter some personal information and emails get sent to the peeps that made an oath to serve." [Neutral since I don't know what personal information they are collecting]

In the final analysis I decided that I wasn't curious enough to go to the web site and enter my personal information (or even get to the page where I could see what information they are asking for), so I may never know if this is a legitimate e-mail or not. If I start seeing it posted to the official web sites of the airlines that supposedly signed the document I will probably decide that it is legitimate and then see if I want to sign the petition. The other thing that I have decided to do is to give in to the emotion that I felt when I first read the e-mail and look up the e-mail addresses of my Senators and Representative and ask them if they have seen this and if there is anything that they can do.

Friday, July 11, 2008 9:20:59 AM (Mountain Standard Time, UTC-07:00)
# Tuesday, June 24, 2008

I am sure you have had a time in your life when it seems like everyone gives you advice. It might be graduation, marriage, the birth of a child, a change in jobs or something that prompts the people around you to offer advice. Most of the time you are forced to smile pleasantly, act like you are going to take the advice, and then wait until the giver of the advice is out of earshot to mumble to yourself about how you wish people would leave you alone. Occasionally you really need advice and go looking for it. One of those cases might be if you thought that your personal information had been stolen. You would expect that the government that had issued the identity claims would have the best advice on how to fix the problem.

I read an article about the web page at http://www.hmrc.gov.uk/manuals/nimmanual/NIM39140.htm that will tell people in the UK how to handle the case where their National Insurance Number has been abused. (The original article likened the National Insurance Number to the US Social Security Number, but whether they are similar or not isn't really important here, just that someone thought you should have a way to report or fix fraud involving the National Insurance Number.) The web page has a title that boldly proclaims:

NIM39140 - National Insurance Numbers (NINOs): Format and Security: What to do if you suspect or discover fraud

You can see from the formatting that there are several paragraphs and bullet points that should give you the information that you need. However, each and every paragraph and bullet point is replaced by the text:

(This text has been withheld because of exemptions in the Freedom of Information Act 2000)

This leaves you wondering what you should do if you suspect or discover fraud. I haven't looked around to see if there is any information on another web site or if you are just stuck going back to the people who always give you advice and asking for some. This time, however, you will need to listen closely and follow their advice.

Tuesday, June 24, 2008 9:23:13 AM (Mountain Standard Time, UTC-07:00)
# Monday, May 19, 2008

I got this from an issue of the RISKS digest. The real problem is that we don't know what OS is used when we purchase a certificate. It might be a good idea to contact the vendors you have purchased certificates from and make sure that you are not affected by this.

DSA-1571-1 openssl -- predictable random number generator
Date Reported: 13 May 2008
Affected Packages: openssl

Vulnerable: Yes

Security database references: In Mitre's CVE dictionary: CVE-2008-0166.

More information:

Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

This is a Debian-specific vulnerability which does not affect other operating systems which are not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation. ...

http://www.debian.org/security/2008/dsa-1571


Monday, May 19, 2008 10:31:37 AM (Mountain Standard Time, UTC-07:00)