Not So Fast On Those Hijacked Passwords!
I was getting ready to write a post on the news of the month (so far, that is) regarding the hijacking of Gmail, Yahoo, Hotmail, and AOL passwords, to name a few.
According to the InfoWorld article "Gmail and Yahoo Mail passwords exposed" (Security Central):
Google’s Gmail and Yahoo’s Mail were also targeted by a large-scale phishing attack, perhaps the same one that harvested at least 10,000 passwords from Microsoft’s Windows Live Hotmail, according to a report by the BBC.
… The BBC also said it has seen a list of some 20,000 hijacked e-mail accounts; the list included accounts from Gmail, Yahoo Mail, AOL, Comcast and EarthLink. The latter two are major U.S. Internet service providers.
Now, you’ll notice that the article, in the quote above, and later statements from Google and Microsoft attribute this hijacking to a large-scale phishing attempt.
But wait! Not so fast Google and Microsoft!
Mary Landesman, a senior security researcher at San Francisco-based ScanSafe, thinks there’s another explanation. And frankly, I have to agree with her!
In a follow-up InfoWorld article, "Researcher Refutes Google’s, Microsoft’s Accounts of Hijacked Passwords", Ms. Landesman states her case:
Landesman based her speculation on an accidental find in August of a cache of usernames and passwords, including those from Windows Live ID, the umbrella log-on service that Microsoft offers users to access Hotmail, Messenger and a slew of other online services.
That cache contained about 5,000 Windows Live ID username/password combinations, said Landesman, who found the trove while researching a new piece of malware. “From the organization [of that cache] and what the data looked like in raw form, I think it’s more likely that this latest was the result of keylogging or data theft, not phishing,” Landesman said.
She also points out that the sheer number of compromised accounts is beyond the norm for a phishing attack of any kind.
And to be honest with you, I agree with Ms. Landesman. The numbers are just too high to be indicative of a phishing attack – large scale or otherwise.
As I stated on the recent radio show on Frontline-Results, while preparing course material for our security professionals course I demonstrated, through a simple and legal process called Google Hacking, that I could obtain files with personally identifying information, from credit card numbers through Social Security numbers and CV numbers, that are stored online, whether knowingly or unknowingly. And our students will attest to that, because they’ve found the same!
I don’t know how many times I need to repeat it, but you give your information away more than you know!
Either way, change your passwords to all your mail accounts!
Debbie Mahler