Incident of the Week: Ever-Growing Breach Involving Passwords for Hotmail, Gmail, Yahoo, AOL, Earthlink and Comcast

What started out as an incident involving the leak of 10,000 user names and passwords for Windows Live Hotmail accounts continues to grow, both in terms of users and companies affected.  According to reports from the beginning of the week, more than 10,000 user names and passwords from Hotmail were posted by an anonymous user on the site pastebin.com.  The list was limited to accounts starting in A and B, leaving the fear that numerous more accounts had been affected.  The original reports speculated that the breach was the result of a hack of Hotmail or a phishing attack.  But more information is surfacing that indicates that the breach is much larger than many first thought.

Subsequent reports have revealed that as many as 20,000 accounts have been compromised across numerous email providers, including Yahoo, AOL, Comcast, Earthlink and others, and that .  These reports noted that the affected companies believed that the breaches occurred because of phishing attacks (although one researcher, Mary Landesman, who works for ScanSafe, has said that "it's more likely that the massive lists . . . were harvested by botnets that infected PCs with keylogging or data stealing Trojan horses").

As more details emerge, it seems that more questions remain to be answered.  Exactly how many passwords have been compromised, and from how many companies?  Was the breach due to a single massive phishing attack, multiple smaller phishing attacks, or some type of malware?  Why were lists of affected users posted online?  Whatever the answers, it might be a good idea to take a few minutes to change your email passwords from a computer that has been swept for viruses and malware.

Links:


Incident of the Week: Security Officer Indicted On Obstruction of Justice Charges For Shredding Evidence

Thomas Raffanello, global director of security for Stanford Financial Group (SFG), now faces charges of obstruction of justice based on claims that he directed employees at SFG's Fort Lauderdale office to shred evidence of fraud. 

In February, the Securities and Exchange Commission (SEC) filed a complaint against SFG (.pdf) in Texas alleging that the double-digit returns it promised potential customers were part of a fraudulent scheme.  Prosecutors obtained a temporary restraining order (.pdf) that expressly prohibited any attempt to destroy documents (among a litany of other bad behavior).  In the indictment filed against Raffanello (.pdf), federal prosecutors allege that on the day SFG received the SEC's complaint and court order, Raffanello and another executive corresponded by email and planned to hire a commercial shredding service to pay a visit to SFG's office so they could unload a 95-gallon container of evidence.

Apparently, during their hurry to destroy the evidence, they did not manage to delete the emails discussing their plan.  This reminds me of something a friend once told me: if you are setting out to bury the truth, remember to bury the shovel too.

Incident of the Week: UAE Carrier Updates Blackberry Software With Spyware, Captures Outgoing User Emails

On Tuesday, Research In Motion, Ltd. (RIM), the maker of Blackberry, posted a note on its website confirming that a software update offered to customers of its carrier Etisalat in the United Arab Emirates contained spyware.  According to the note, certain customers received an SMS message from Etisalat informing them of a software update (named "Registration") designed to improve performance.  However, RIM acknowledged, "[i]ndependent sources have concluded that Etisalat's Registration software application is not actually designed to improve performance of a Blackberry Handheld, but rather to send received messages back to a central server."

According to RIM, the software was not RIM-authorized and was not developed, tested, promoted or distributed by RIM.  On July 17, RIM sent a more detailed note to customers explaining that "Etisalat appears to have distributed a telecommunications surveillance application that was designed and developed by SS8," which is a California company that describes itself as "a leader in communications intercept and a worldwide provider of regulatory compliant, electronic intercept and surveillance solutions."  RIM has offered a new update to remove the spyware. 

The incident was discovered after customers who installed the software began complaining that it was draining the batteries on their devices.  According to an article in PC World, SS8 has not responded to telephone calls seeking comment, while Etisalat has described the problem as a "slight technical fault" that "has resulted in reduced battery life in a very limited number of devices."  An article from Wired notes that a security consultant in Asia named Sheran A. Gunasekera has released a white paper analyzing the code that made up the spyware.  According to Mr. Gunasekera, the spyware could only intercept outgoing e-mail messages.  It could not intercept incoming messages (whether they be e-mails, instant messages, PIN messages, phone calls, etc.), nor could it silently update itself with newer releases. 

Although this version of spyware apparently affected a limited number of Blackberry users, that is no cause for comfort.  Mr. Gunasekera believes that the source code used for "Registration" could easily be modified, improved and used in the future on unsuspecting Blackberry users.  In a New York Times article, Internet security and privacy consultant Richard M. Smith of Boston Software Forensics was quoted as stating that smart phones are "perfect personal spying devices" and that the threat is "an evolving one.  As the technology advances, the security problems follow behind."  Given the ever-increasing security risks in the information security world, it is likely only a matter of time before there is another, much larger incident related to smartphone security.

Links: