[GTALUG] blackmail

D. Hugh Redelmeier hugh at mimosa.com
Sat Aug 4 10:10:33 EDT 2018


| From: Giles Orr via talk <talk at gtalug.org>

| Someone at work got a similar email claiming that the emailer had
| compromising video footage (it was a work account - no cams and very
| improbable anyway).  It demanded bitcoin and gave a hash to deliver it to.

Same.

| But it didn't show a password, so yours is a somewhat nastier and more
| effective variant.

Yes.  The password was even in the Subject.  That would probably get
the attention of most people.  It didn't work in my case because my
passwords look like line noise and are not well-known to me.  Imagine
if your password were, say, your first pet's name.

|  Ours claimed to have footage of the person's
| "senescence."  OMG - you caught me aging?!  (Okay, not quite what it means.)

Some of the delights of spam are the pretentious language fails.  (I
know, "people in glass houses...".)

| As for the password thing ...  I really haven't figured out what best
| practice is on time between notification-of-breach to public reveal.  (I
| went after the Science Centre about their use of SSL2 on their website -
| where they take people's credit cards - so I have had a peripherally
| related experience with problem/notification/reveal
| https://www.gilesorr.com/blog/science-centre-ssl.html ).

I read that previously. It added to my general sense of despair.
Often when you mention your blog it prompts me to binge read it to
catch up.  Thanks!

(I recommend that TLUGers have a look at Giles' blog and not just
this one entry.)

|  I'd say a month?
| But I'd probably start the clock from your three weeks ago email.  Although
| if you didn't tell them _when_ you were going to reveal, that's not totally
| fair.  But it's also weighed against the public damage that's arguably
| being caused by these emails.

Both times that I talked to Canada Computers, I told them that if I
didn't get a response within a week, I would consider other
avenues of disclosure.  I did not say that the response had to be
their ultimate reaction to the breach, just that I needed some
response.

My email to TLUG is clearly a disclosure. I posted it two weeks after
I talked with a technical person at CC.  I realized that my earlier
discussion with a Customer Service Rep might not get through, which is
why I phoned again instead of publicly disclosing.  BTW, the CSR had
mentioned that she had received a similar call before.

I imagine that mailing the TLUG list is not the most appropriate
disclosure.  I was hoping for suggestions for additional disclosure.

| The Canada Computers password database breach could have been years ago.
| But if it was, did they make that known?  Did they even know?  <sigh>

Exactly.

That's why I mentioned xpresscanada.com even though that site died
many years ago.

| P.S. And I'm glad I've never purchased from their website, only their
| stores.

How retailers handled web sites has changed a lot in the many years
that CC has had a web site.  Perhaps their security is better now.
Perhaps not.
