Being Hacked

Last week my Yahoo account was hacked and 5000 or so of my closest friends got infected emails from me. Yikes. How did this happen? Beats me. Somehow I had downloaded something nasty myself.

My Yahoo account has been around since several CEOs ago, and it isn’t an account that I do much with. I was surprised by several things that were present in my Yahoo profile though that gave me some pause. For example: my contacts list. I didn’t think that I had many email addresses in my contacts but I saw that I had 5000 entries now. Apparently, some time ago I had experimented with the bulk import feature and had imported my contact list to this account. Gulp. Well, let’s fix that and I thought I would delete the entries. That produced a mysterious error message. Strike one.

Next, I saw that I actually had the right birthday in my Yahoo profile. Okay, let’s change that. Well, you can’t. Or at least not that I could immediately see. Strike two.

Okay, well, at least I could just log in and change my account password. That was fine until I realized that I picked a password that I had used on some other accounts. Oops. Strike three.

Alright, enough fooling around. This was crazy. Do I really need a Yahoo email account? Not at all, this isn’t an account that I use for any correspondence. I can create a new one for free anyway that doesn’t have any contacts at all. So let’s just close the darn account. Not so easy. I first had to change my password again and then visit a special page to terminate the account.

Before I did this, I went to the Yahoo Groups page where I run several email mailing lists. One of the lists had my Yahoo ID as the group “owner” which means that I have to assign the group to a new Yahoo ID. So I set up a new Yahoo email address and tried to transfer ownership to this new ID. That wasn’t enough – I still had no Yahoo ID attached to this account. Why? I have no idea. It was a Yahoo.com email address. You would think it would be obvious, but it wasn’t. I used to like Yahoo Groups, but now I was getting ready to just close all of them that I administer, I was so frustrated.

So far my security efforts have been to waste a lot of time signing in and out of Yahoo and trying to understand their systems. There is actually a helpful page of what you have to do if your account has been compromised. (Although it stops short of recommending any specific scanning products to see if your computer has been infected.)

Last week I wasn’t alone: the New York Times ran its own mea culpa article that describes how Chinese hackers targeted several reporters’ email addresses after it ran some critical articles last fall. I found the article interesting in that it specifically mentioned that the Times uses Symantec anti-virus software to protect its computers, only they weren’t really protected. There is lots more information in the piece about what happened and what it took for the Times to clean up after this exploit.

I have written about this before, how anti-virus has become outmoded, on my Dice Security forum that I manage.

I welcome your suggestions on a simple tool that can help in these situations. I haven’t found any that really work all that well.

Self promotions dep’t

Last week I had several articles posted on the various places that I write for. You might be interested in reading one or more of them.

If you want your telecommuter IT team members to feel like they’re part of the same team that works at the company offices, then take a look at these tips in a piece I wrote for a new Mendix blog.

You can read my report posted this month in Techtarget’s Modern Infrastructure ezine here about why the move to faster Ethernet is and isn’t happening across the land.

I tested one of their midrange devices last month and came away impressed. Overall, Cisco has done a superior job at its next generation of firewall technology. There is a written report and a screencast video.

When I travel, I remember to turn off the file sharing setting on my PC for precisely this reason. It is a simple step, but a critical one. Here is what happened to one of my fellow guests when he left sharing on his computer turned on. This was for Internet Evolution.

In this ebook for Fierce Enterprise Communications, I wrote articles talking about how you want to take the next steps from your voice over IP telephony and whether SIP trunking really means the end of the public switched phone network.

N.B. Looks like I wasn’t alone. This might be the explanation for the Yahoo hack:

Email attack exploits vulnerability in Yahoo site to hijack accounts

2 thoughts on “Being Hacked”

  1. They don’t have to compromise your machine to compromise your Yahoo account. They can guess the password or run password cracking against it until they succeed, so your computer might be fine.

    Everyone in the security business knows that passwords aren’t very effective at protecting information, but they are the most prevalent. Unfortunately, people can’t remember a ton of different passwords, nor can they remember to change them frequently (or remember that it has changed). Few sites allow much longer pass phrases which turn out to be easier to remember and harder to crack with password crackers. Typically, strong password generation and rollover can only be handled if you have access to a program and storage that allows you to generate the passwords and store them so you can later get to them. Unfortunately, they are often protected by an unchanging password you give the password program or sometimes a fingerprint swipe.

    As to your article on anti-malware….

    Actually, virus scanners are still a surprisingly GOOD idea. You would be surprised at how much they actually do catch. The newer variants now also catalog known good software and eliminate it from scanning to improve performance and use crowdsourcing to build reputation databases to vet new software. Generic exploit signatures will help catch lots of stuff. Even without these newer improvements to scanning based on signatures, once out in the wild, the viruses don’t go away, so signatures still work.

    I’ve been a beta tester for the Symantec anti-malware line for corporate users. Signatures, whitelists, generic exploit blocking, and crowdsourcing/reputation are just some of their ways of protecting your system. It is quite fascinating what they can (and can’t) do. Unfortunately, the bad guys generally have an advantage. The anti-malware guys publish all their stuff widely, show errata, etc. Bad guys can test against it and reverse engineer it. The bad guys may have lots of money or governments funding them.

    One of the major issues with modern software is the lack of compile or run time error checking when creating code. Overflow exploits are common, for example. And, if your program relies upon a common library or code base (like Java or PHP), then you take their warts with you.

    If you want extra protection for your PC, Adblock Plus and NoScript can help. Not only do they help secure my machine, they keep unwanted crap from hogging my bandwidth, etc. Nice.

    Oh, and don’t count on your firewall to save you. If you use antispam and attachment blocking techniques effectively, you will practically eliminate email-borne viruses. But, as far as other protocols like FTP and HTTP are concerned, it is like your front door to a vampire. The firewall door is a good one, but if you invite the vampire in via your browser or another program, well….

    Security is based on layers. The firewall is one. The workstation and its OS is another. But, the new trend is to attack through applications like Java, Flash, and browsers. These are also cross platform. The bad guys keep innovating. We’ll just have to keep improving our defenses…. At least it will keep me in a job because that is a lot of my business.
