This Blog Is Not For Reading

A blog, just like any blog, only more so

  • Subscribe

  • Categories

  • RSS Bob Jonkman’s Microblog

    • New note by bobjonkman 3 October 2020
      There's also Megablocks, the precursor to Duplo. And there are also Micro Megablocks, the same size as LEGO. The kits for Micro Megablocks were much better than the LEGO kits, making slightly larger models but using only standard bricks. The LEGO models were smaller, depending on many custom pieces specific to the kit, which were […]
    • Favorite 3 October 2020
      bobjonkman favorited something by clacke: Not only are Duplo blocks *like* Lego blocks, they *are* Lego blocks, and I don't just mean that Duplo is a Lego brand and produced in the same factory, the two systems are actually compatible.A Lego 2x2 block fits and sticks to the underside of a Duplo block, and the […]
    • bobjonkman repeated a notice by clacke 3 October 2020
      RT @clacke Not only are Duplo blocks *like* Lego blocks, they *are* Lego blocks, and I don't just mean that Duplo is a Lego brand and produced in the same factory, the two systems are actually compatible. A Lego 2x2 block fits and sticks to the underside of a Duplo block, and the nob on […]
    • Favorite 27 September 2020
      bobjonkman favorited something by clacke: > At least as far as we’re aware, however, this is the first time that a pirated copy of a movie has actually been shown at a cinema in the United States. And surely, it must be the first instance where a pirated copy has been obtained from a torrent […]
    • bobjonkman repeated a notice by tobias 27 September 2020
      RT @tobias ♲ @frederic: "Starting this Thanksgiving I am going to write a complete Unix-compatible software system called GNU (for Gnu's Not Unix), and give it away free to everyone who can use it." September 27, 1983 - Richard Stallman. www.gnu.org/gnu/initial-announ… Happy birthday to GNU \0/
    • Favorite 27 September 2020
      bobjonkman favorited something by tobias: ♲ @frederic@pouet.couchet.org: "Starting this Thanksgiving I am going to write a complete Unix-compatible software system called GNU (for Gnu's Not Unix), and give it away free to everyone who can use it." September 27, 1983 - Richard Stallman. www.gnu.org/gnu/initial-announ…Happy birthday to GNU \0/
    • bobjonkman repeated a notice by lxoliva 27 September 2020
      RT @lxoliva happy original software freedom day! on this day, 37 years ago, Richard Stallman launched the Free Software Movement, and the GNU Project, to build a user-freedom-respecting operating system, so that all users could do their computing in freedom
    • Favorite 27 September 2020
      bobjonkman favorited something by lxoliva: happy original software freedom day! on this day, 37 years ago, Richard Stallman launched the Free Software Movement, and the GNU Project, to build a user-freedom-respecting operating system, so that all users could do their computing in freedom
    • New note by bobjonkman 22 September 2020
      In the Netherlands (which the Dutch call "Nederland") the language is called "Nederlands", so that makes sense. Perhaps English speakers couldn't differentiate between "Nederlands" and "Deutsch", which corrupted to "Dutch". And why do we call the country "Germany" and the inhabitants "Germans" when they call their country "Deutschland" and themselves "die Deutsche"?
    • Favorite 29 August 2020
      bobjonkman favorited something by eloquence: Disturbing reports that Google Play is threatening to kick out Mastodon apps. See:https://mastodon.social/@Gargron/104763960269049818https://toot.fedilab.app/@fedilab/104765191594914330App stores have a track record of acting capriciously & are also easy targets for gov't censors (including Trump). This is why alternatives like @fdroidorg are so important for user freedom.If unfamiliar: F-Droid is a free & open […]

What to do about compromised Hotmail passwords

Posted by Bob Jonkman on 18th November 2010

autoroute à emails

autoroute à emails by Biscarotte

I administer a number of e-mail systems, and I’ve been seeing a lot of spam coming from Hotmail accounts recently. And both friends and clients have been telling me that it’s not them who are sending spam from Hotmail (and ending up in my e-mail systems), their accounts have been hacked. One person asked me:

Is it just Hotmail? What else could I use? Can’t I just change my password?

Changing passwords is only an effective solution if the account was compromised by social engineering, eg. the legitimate user giving out the password in a phishing attempt or other direct means, or if a simple password was guessed or cracked.

There is evidence that Hotmail and Yahoo’s password recovery mechanism is flawed (eg. the Sarah Palin breach), so that malusers can acquire a new password for an account. I don’t think this is happening, because victims are not reporting being locked out of their accounts. Of course, if the service merely sends out the current password then this may be what is happening, and no amount of password complexity will protect the account.

If the passwords were compromised by an automated password cracker then I would expect only simple passwords to be breached, and accounts with strong passwords would be safe. I do not know what kind of passwords were in use by the people who have compromised accounts, but it is likely they were simple passwords.

While I have no evidence, I think the current rash of breaches is due to a more systematic attack by URL munging, or fuzzing the inputs on a POST request, or some other attack vector. These attacks do not require an authenticated login, and in that case no amount of password complexity will provide security either.

I haven’t heard of similar compromised accounts in Gmail, so that may be a suitable alternative for now. I’ve been recommending that people use the mail accounts provided by their ISPs, largely so that they can make use of the ISP’s technical support if their accounts do get compromised. And, of course, if they’re paying their ISP for a mail account then there may be immunity from liability (“My mail account was compromised and I was paying my ISP for security, so all this spam is their fault”).

–Bob.

Update 5 Feb 2012: I retract the first sentence in the last paragraph. E-mail Administrator friends have been telling me that Google Mail is just as vulnerable as Hotmail and Yahoo. Having just read “Hacked!” in The Atlantic I’m convinced the problem of compromised mail accounts is worse than I thought, and that no online providers (especially the “free” ones) adequately protect the e-mail of their users.

autoroute à emails by Biscarotte is used under a Creative Commons by-sa-v2.0 license.

Tags: , , , , , , , , , , , ,
Posted in email, Internet, spam | 1 Comment »

 
Better Tag Cloud