Friday, February 14, 2003

Some Yahoo hacks aren't even hacks at all.


New Architect: Cracking Yahoo, Closing Shop
One of the most frightening trends in security breaches has been the recent dramatic rise in hacks against personal accounts on Hotmail, Yahoo, and the like. Hotmail has long been notorious for its poor security, but hacked email accounts raise few eyebrows. With Yahoo accounts, however, things are a little dicier. Thanks to Yahoo's plethora of services, a hacked password can give you access to financial data, the ability to bid on items at Yahoo Auctions, or even a direct link into someone's small business.

Breaching Yahoo's security all comes down to knowing your target. Armed with a user ID and some personal information, such as date of birth and zip code, a hacker can reset a Yahoo password and have it mailed to an alternate address. While Yahoo users can also specify a "security question," whether it secures anything is iffy: The answer to a user's security question is usually either their mother's maiden name or their pet's name—both of which are about as easy to unravel as their zip code.

Some Yahoo hacks aren't even hacks at all. Recently, Chris Gore, publisher of the Film Threat site (filmthreat.com), checked his email only to find that a spam message had found its way onto the Film Threat mailing list, a newsletter hosted at Yahoo Groups. Even after he found the spammers (a Dallas politician and her husband, according to Gore; they did not return requests for comment), they denied responsibility. Gore threatened to sue, and the incident exploded into a nightmare of additional spam attacks and calls from Gore to the FBI and FTC. Gore is now filing a civil suit along with Yahoo.

How'd they do it? It looks like the oldest spammer trick in the book: When a mailing list's only security method is checking to see that the sender of the message is the moderator of the group, forging a few email headers is all it takes to hijack it.
http://www.newarchitectmag.com/documents/s=2443/na0303e/index.html
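
The sender-only check described in the last paragraph, next to a stricter one, as an added example that is not part of the quoted article or of any Yahoo code. The addresses and the `mx.list.example` server id are hypothetical, and the hardened check assumes the list's inbound mail server verifies DKIM and strips any incoming `Authentication-Results` header that carries its own id.

```python
from email import message_from_string
from email.utils import parseaddr

MODERATOR = "moderator@example.org"   # hypothetical list moderator
TRUSTED_AUTHSERV = "mx.list.example"  # hypothetical id of the list's own inbound MTA

def _from_address(msg):
    return parseaddr(msg.get("From", ""))[1].lower()

def weak_is_moderator(raw):
    """The check the article describes: believe whatever From says."""
    return _from_address(message_from_string(raw)) == MODERATOR

def hardened_is_moderator(raw):
    """Also require a DKIM pass for the From domain, recorded by our own MTA."""
    msg = message_from_string(raw)
    if _from_address(msg) != MODERATOR:
        return False
    domain = MODERATOR.split("@")[1]
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        head = parts[0].split()
        if not head or head[0].lower() != TRUSTED_AUTHSERV:
            continue  # written by someone else; the sender controls this text
        for result in parts[1:]:
            tokens = result.lower().split()
            if tokens[:1] == ["dkim=pass"] and f"header.d={domain}" in tokens:
                return True
    return False

# Constructed sample messages (not real traffic).
FORGED = (
    "Authentication-Results: mx.other.example; dkim=pass header.d=example.org\n"
    "From: Moderator <moderator@example.org>\n"
    "To: list@example.org\n"
    "Subject: Special offer\n\nbody\n"
)
GENUINE = (
    "Authentication-Results: mx.list.example; spf=pass smtp.mailfrom=example.org;\n"
    " dkim=pass header.d=example.org header.s=sel1\n"
    "From: Moderator <moderator@example.org>\n"
    "To: list@example.org\n"
    "Subject: Newsletter\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, weak_is_moderator(raw), hardened_is_moderator(raw))
```

The forged message passes the From-only check because nothing ties that header to the real sender; only the result stamped by the list's own server distinguishes the two.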
