[GTALUG] blackmail

Giles Orr gilesorr at gmail.com
Sat Aug 4 08:10:32 EDT 2018


On 4 August 2018 at 04:47, D. Hugh Redelmeier via talk <talk at gtalug.org>
wrote:

> I received a blackmail message by email.  It claimed that they hacked my
> system and had compromising videos from my computer's camera.
>
> As proof, they gave me what they claimed was my password.  But I only used
> that password on two sites: canadacomputers.com and
> xpresscanada.com (a long-dead Canada Computers site).
>
> So I'm not worried.
>
> I informed CC about three weeks ago.  They seemed to ignore the
> report.  I phoned again two weeks ago, and they were interested.  I
> told them if I didn't hear that they'd informed their customers that
> I'd publicize this security breach.
>
> I've heard nothing else.  So I presume that they have not announced it
> to their customers.
>
> Today I got another blackmail message with the same password.
>
> What do you think that I should do?
>
> PS: my password is a random string generated by mkpasswd(1) so it would
> not have been discovered by an online exhaustive search.  They most likely
> filched the password file from CC.
>
> PPS: I'm glad that I don't reuse passwords!
>

Someone at work got a similar email claiming that the emailer had
compromising video footage (it was a work account - no cams and very
improbable anyway).  It demanded bitcoin and gave a hash to deliver it to.
But it didn't show a password, so yours is a somewhat nastier and more
effective variant.  Ours claimed to have footage of the person's
"senescence."  OMG - you caught me aging?!  (Okay, not quite what it means.)

As for the password thing ...  I really haven't figured out what best
practice is on time between notification-of-breach and public reveal.  (I
went after the Science Centre about their use of SSL2 on their website -
where they take people's credit cards - so I have had a peripherally
related experience with problem/notification/reveal
https://www.gilesorr.com/blog/science-centre-ssl.html ).  I'd say a month?
But I'd probably start the clock from your three weeks ago email.  Although
if you didn't tell them _when_ you were going to reveal, that's not totally
fair.  But it's also weighed against the public damage that's arguably
being caused by these emails.

The Canada Computers password database breach could have been years ago.
But if it was, did they make that known?  Did they even know?  <sigh>

P.S. And I'm glad I've never purchased from their website, only their
stores.

-- 
Giles
https://www.gilesorr.com/
gilesorr at gmail.com