This Blog Is Not For Reading

A blog, just like any blog, only more so

  • Subscribe

  • Categories

  • RSS Bob Jonkman’s Microblog

    • New note by bobjonkman 9 July 2022
      New Zealand #ProportionalRepresentation
    • Favorite 9 July 2022
      bobjonkman favorited something by blacksam: What country do Canadians threaten to move to when they don't like election outcomes? #politics #canada
    • bobjonkman repeated a notice by blacksam 9 July 2022
      RT @blacksam What country do Canadians threaten to move to when they don't like election outcomes? #politics #canada
    • New note by bobjonkman 5 July 2022
      Congratulations to Dr. Cooley, and to you! And welcome to Canada!https://twitter.com/SNOLABscience/status/1542562373193633793 I saw the news on Twitter, and said to myself "Hey, I know that person!" It's amazing how familiar we humans feel with each other using only social media...
    • bobjonkman repeated a notice by steve 5 July 2022
      RT @steve Spring Cleaning, Except its Packing to Move to Canada https://steve.cooleysekula.net/blog/2022/07/02/spring-cleaning-except-its-packing-to-move-to-canada/
    • Favorite 5 July 2022
      bobjonkman favorited something by steve: Spring Cleaning, Except its Packing to Move to Canada https://steve.cooleysekula.net/blog/2022/07/02/spring-cleaning-except-its-packing-to-move-to-canada/
    • New note by bobjonkman 26 June 2022
      I've never played #Minecraft - Is this #Federated software? Is it #FreeSoftware? If so, how can Microsoft control what's happening on someone's private server? Even if such code existed in a #FreeSoftware application, I would have thought there'd be a fork that eliminates that external control. It's time for that now. But if #Minecraft isn't […]
    • bobjonkman repeated a notice by lnxw48a1 26 June 2022
      RT @lnxw48a1 Seen via @sullybiker https://freeradical.zone/@thenewoil/108539077382008407 Microsoft bans in #Minecraft will soon carry over to privately run servers as well. One commenter said "Seems like there is a really simple solution here: Don't be a toxic asshole on a public server." But once $CORPORATION starts interfering with privately hosted servers in any way, those servers' […]
    • New note by bobjonkman 27 May 2022
      Mind you, there's something charming and soporific about listening to a professional baseball game with an old-fashioned, laid-back announcer. But most of those have retired... #ASMR
    • New note by bobjonkman 27 May 2022
      Applies to all professional #Sportsball: begging to see overpaid drug-users doing something that the rest of us would gladly do for free. When I walked our dog we'd pass the local baseball field, and we'd stop and watch the game for hours. But the one time I went to a professional baseball match (Toronto Blue […]

What to do about compromised Hotmail passwords

Posted by Bob Jonkman on November 18th, 2010

autoroute à emails

autoroute à emails by Biscarotte

I administer a number of e-mail systems, and I’ve been seeing a lot of spam coming from Hotmail accounts recently. And both friends and clients have been telling me that it’s not them who are sending spam from Hotmail (and ending up in my e-mail systems), their accounts have been hacked. One person asked me:

Is it just Hotmail? What else could I use? Can’t I just change my password?

Changing passwords is only an effective solution if the account was compromised by social engineering, eg. the legitimate user giving out the password in a phishing attempt or other direct means, or if a simple password was guessed or cracked.

There is evidence that Hotmail and Yahoo’s password recovery mechanism is flawed (eg. the Sarah Palin breach), so that malusers can acquire a new password for an account. I don’t think this is happening, because victims are not reporting being locked out of their accounts. Of course, if the service merely sends out the current password then this may be what is happening, and no amount of password complexity will protect the account.

If the passwords were compromised by an automated password cracker then I would expect only simple passwords to be breached, and accounts with strong passwords would be safe. I do not know what kind of passwords were in use by the people who have compromised accounts, but it is likely they were simple passwords.

While I have no evidence, I think the current rash of breaches is due to a more systematic attack by URL munging, or fuzzing the inputs on a POST request, or some other attack vector. These attacks do not require an authenticated login, and in that case no amount of password complexity will provide security either.

I haven’t heard of similar compromised accounts in Gmail, so that may be a suitable alternative for now. I’ve been recommending that people use the mail accounts provided by their ISPs, largely so that they can make use of the ISP’s technical support if their accounts do get compromised. And, of course, if they’re paying their ISP for a mail account then there may be immunity from liability (“My mail account was compromised and I was paying my ISP for security, so all this spam is their fault”).

–Bob.

Update 5 Feb 2012: I retract the first sentence in the last paragraph. E-mail Administrator friends have been telling me that Google Mail is just as vulnerable as Hotmail and Yahoo. Having just read “Hacked!” in The Atlantic I’m convinced the problem of compromised mail accounts is worse than I thought, and that no online providers (especially the “free” ones) adequately protect the e-mail of their users.

autoroute à emails by Biscarotte is used under a Creative Commons by-sa-v2.0 license.

 
Better Tag Cloud