Password security

Many of us have lots of accounts on various networking sites, but how much attention do we pay to password security?
If you haven’t heard, someone managed to compromise the Associated Press’ twitter account today. Not only was the account compromised, but they put out a fake tweet claiming that there were explosions at the White House and President Obama was injured.
DowPlungeA funny prank? Maybe. But tweets like this have a real world effect. For instance, the stock market plunged 140 points after the initial reports, rebounding when people realized it wasn’t true.
It’s not clear how the AP twitter password was compromised. There are many possibilities including classic social engineering through to compromised machines inside AP with password sniffers on them.
The lesson here is that we’re all targets, even ‘soft’ seeming targets like social media accounts. Practice safe computing.

  1. Use strong passwords.
  2. Don’t reuse passwords across accounts.
  3. Don’t share accounts or passwords with other people
  4. Keep anti-virus software updated.
  5. Don’t click on links in emails.
  6. Disable Java on web browsers unless it’s explicitly needed.

Twitter isn’t the only social networking site under attack. Recently information has come out about a ongoing attacks against WordPress blogs to create a powerful botnet. Given most WordPress blogs are hosted on machines with large pipes, a botnet could create serious problems if used for malicious attacks against individuals, businesses, government or infrastructure.
Secure those passwords, folks.

Related Posts

Is any data safe?

Today another major retailer announced their customer files were compromised. This company had clearly implemented some security that kept hackers from getting too much information. Passwords were hashed and credit card numbers were kept on a separate server, which does signal that the company designed with security in mind. Nevertheless, personal information was compromised.
Is there anyway to keep information safe if it’s accessible from the internet? Some of my uber-security conscious friends would say no. I am beginning to believe them.

Read More

Another security problem

I had hoped to move away from security blogging this week and focus on some other issues. But today I see that both CAUCE and John Levine are reporting that there is malware spam coming from a Cheetahmail customer.
Looking at what they shared, it may be that Cheetahmail has not been compromised directly. Given mail is only coming from one /29, which belongs to one customer it is possible that only the single customer account has been compromised. If that is the case, then it’s most likely one of the Cheetahmail users at the customer got infected and their Cheetahmail credentials were stolen. The spammer then gained access to the customer’s Cheetahmail account.  It’s even possible that the spammer used the compromised customer account to launch the mail. If this is the case, the spammer looked exactly like the customer, so most normal controls wouldn’t have noticed this was a spammer.
This highlights the multiple vectors these criminals are using to gain access to ESPs and the mailing systems they use. They’re not just trying to compromise the ESPs, but they’re also attempting to compromise customers and access their accounts so that the spammer can steal the ESPs hard won and hard fought sending reputation.
Everyone sending mail should be taking a long, hard look at their security. Just because you’re not an ESP doesn’t mean you aren’t a target or that you can get away with lax security. You are also a target.

Read More

Get a helmet

There’s been a lot of interesting reaction to Steve’s security post yesterday. A lot of people seem upset that we have pointed out one of the ways that ESPs may be getting compromised. Complaints range from the message being overly simplistic, through to complaints that we just don’t understand how much of an issue security is, through to complaints that we’re not pointing out that some ESPs actually are secure. Some people have even provided counter examples of how simple it is to compromise any company, so why are we picking on ESPs.
Security is a problem any company faces. Some industries are bigger targets than others, and ESPs have really jumped up the target list. ESPs are getting lists stolen. ESPs are getting reputations stolen.
There’s one ESP I know for a fact that has lost multiple customer lists 3 times. Three companies I get email from are hosted there. When all three of those tagged addresses started getting spam, the only logical assumption was that the ESP was compromised. Again. Those are companies I want to hear from, though, and I changed addresses on their sites after every breach. What’s distressing, though, is the total lack of response from either the customer or the ESP to my notices about the breaches.  To be fair, the problem seems to have stopped more recently.
Silence and refusal to address an issue is a big problem. An address I gave a company on the Only Influencers list was stolen (I’m not going to say leaked because I actually trust them to not have violated their privacy policy) sometime back in early 2011. I didn’t notice right away because my spam filters were catching the mail, but eventually the spammers managed to get one into my inbox. When I saw it, I started checking and realized that address had been compromised a long time ago. I notified the company, with as much history of the address as I could. I ended my message with:

Read More