This Blog Is Not For Reading

A blog, just like any blog, only more so

  • Subscribe

  • Categories

  • RSS Bob Jonkman’s Microblog

    • New note by bobjonkman 8 June 2023
      Several other authors of software that accesses the Twitter API have come to that conclusion as well. When #Twidere, my phone app to access Twitter stopped accessing Twitter back in January I pretty much abandoned Twitter. I still check Twitter with its WebUI, less than once a week, but I no longer post or engage […]
    • Favorite 8 June 2023
      bobjonkman favorited something by steve: I finally had a chance to figure out why my social bridging software was no longer able to talk to Twitter. Indeed, it's because under Twitter's new leadership, python-twitter has been deemed as violating something in their terms of service. It says I can submit a ticket, but they make […]
    • bobjonkman repeated a notice by steve 8 June 2023
      RT @steve I finally had a chance to figure out why my social bridging software was no longer able to talk to Twitter. Indeed, it's because under Twitter's new leadership, python-twitter has been deemed as violating something in their terms of service. It says I can submit a ticket, but they make it impossible to […]
    • Favorite 8 June 2023
      bobjonkman favorited something by steve: Got weirdly hung up on a simple problem involving the Poisson equation, and still have not resolved it. Who knew an isotropic collisionless gas in a spherically symmetric gravitational potential would be so IRRITATING? https://chirp.cooleysekula.net/attachment/7fcc02ad3df2ed9843b945250eef98bff9f7892a5da3711780562d1c81133b64/view
    • bobjonkman repeated a notice by steve 8 June 2023
      RT @steve Got weirdly hung up on a simple problem involving the Poisson equation, and still have not resolved it. Who knew an isotropic collisionless gas in a spherically symmetric gravitational potential would be so IRRITATING? https://chirp.cooleysekula.net/attachment/7fcc02ad3df2ed9843b945250eef98bff9f7892a5da3711780562d1c81133b64/view
    • New note by bobjonkman 30 May 2023
      I'd be more inclined to say "people voting the way the polls said they should..."
    • bobjonkman repeated a notice by hubert 30 May 2023
      RT @hubert I have to laugh and shake my head at Smith calling it a "Miracle on the Praries". No, you were leading in the polls pretty much the whole time. You're in a strongly conservative province. I mean, if you're saying that it's a miracle that the majority of Albertans chose to ignore your […]
    • bobjonkman repeated a notice by blacksam 28 May 2023
      RT @blacksam I’ve been getting more into the game Gaslands with my son and also with adult friends. It’s a Mad Max-esque tabletop game where you’re expected to create your own game pieces by kitbashing with toy cars. I already have all the crafting, painting and 3d printing supplies I need from my other wargaming […]
    • Favorite 28 May 2023
      bobjonkman favorited something by blacksam: I’ve been getting more into the game Gaslands with my son and also with adult friends. It’s a Mad Max-esque tabletop game where you’re expected to create your own game pieces by kitbashing with toy cars. I already have all the crafting, painting and 3d printing supplies I need from […]
    • Favorite 28 May 2023
      bobjonkman favorited something by blacksam: Here are a couple more cars I've made for #gaslands

What to do about compromised Hotmail passwords

Posted by Bob Jonkman on 18th November 2010

autoroute à emails

autoroute à emails by Biscarotte

I administer a number of e-mail systems, and I’ve been seeing a lot of spam coming from Hotmail accounts recently. And both friends and clients have been telling me that it’s not them who are sending spam from Hotmail (and ending up in my e-mail systems), their accounts have been hacked. One person asked me:

Is it just Hotmail? What else could I use? Can’t I just change my password?

Changing passwords is only an effective solution if the account was compromised by social engineering, eg. the legitimate user giving out the password in a phishing attempt or other direct means, or if a simple password was guessed or cracked.

There is evidence that Hotmail and Yahoo’s password recovery mechanism is flawed (eg. the Sarah Palin breach), so that malusers can acquire a new password for an account. I don’t think this is happening, because victims are not reporting being locked out of their accounts. Of course, if the service merely sends out the current password then this may be what is happening, and no amount of password complexity will protect the account.

If the passwords were compromised by an automated password cracker then I would expect only simple passwords to be breached, and accounts with strong passwords would be safe. I do not know what kind of passwords were in use by the people who have compromised accounts, but it is likely they were simple passwords.

While I have no evidence, I think the current rash of breaches is due to a more systematic attack by URL munging, or fuzzing the inputs on a POST request, or some other attack vector. These attacks do not require an authenticated login, and in that case no amount of password complexity will provide security either.

I haven’t heard of similar compromised accounts in Gmail, so that may be a suitable alternative for now. I’ve been recommending that people use the mail accounts provided by their ISPs, largely so that they can make use of the ISP’s technical support if their accounts do get compromised. And, of course, if they’re paying their ISP for a mail account then there may be immunity from liability (“My mail account was compromised and I was paying my ISP for security, so all this spam is their fault”).

–Bob.

Update 5 Feb 2012: I retract the first sentence in the last paragraph. E-mail Administrator friends have been telling me that Google Mail is just as vulnerable as Hotmail and Yahoo. Having just read “Hacked!” in The Atlantic I’m convinced the problem of compromised mail accounts is worse than I thought, and that no online providers (especially the “free” ones) adequately protect the e-mail of their users.

autoroute à emails by Biscarotte is used under a Creative Commons by-sa-v2.0 license.

Tags: , , , , , , , , , , , ,
Posted in email, Internet, spam | 1 Comment »

 
Better Tag Cloud