Yahoo Groups archive

Korg Poly800/EX800 Users

Index last updated: 2026-03-31 23:23 UTC

Re

Yahoo flaw - server or client side?

2013-02-08 by Michael Hawkins

IMHO, I think yahoo has a serious server side flaw that is being exploited by hackers/spammers.

I say this because I work in networks and information security and even my yahoo email was used to send spam. Now, I use MD5 hashes as my passwords, so they are all unique and very near impossible to guess. I was not logged in for days and I never open links of any kind, not even from people I know. I also run a Bluecoat AV and URL filtering appliance downstream from a squid proxy with the latest bad list and I only access the Internet via a Fedora LINUX workstation. This makes it damn near impossible to pick up any kind of malware whatsoever. And yet, my yahoo email was still used to send spam.

That tells me that the problem is on Yahoo's server side. There have been many reports of this issue since early January. And even though Yahoo claims it is fixed, it obviously isn't.

Mike


From: Eanna Butler <eanna.butler@...>
To: korgpolyex@yahoogroups.com
Cc: "ccso29_jtsp4895rjzg@..." <ccso29_jtsp4895rjzg@...>; "belindamann3@..." <belindamann3@...>; "fandm@..." <fandm@...>; "fandm@..." <fandm@...>; "verification@..." <verification@...>; "shawcamille@..." <shawcamille@...>; "andrew.kay@..." <andrew.kay@...>
Sent: Thursday, February 7, 2013 11:35 AM
Subject: Re: [korgpolyex] Re

Spammer or hacked account...


On Thu, Feb 7, 2013 at 2:30 PM, Gary Peters <chunkybeefpies@...> wrote:
Hey http://www.inxs-bg.com/fuwpbpxx/crx3j11b3ezndbssxcc3kvljumg6wtibqx002u02qx.png


Gary Peters
2/7/2013 3:30:56 PM



--
EBu


Re: [korgpolyex] Yahoo flaw - server or client side?

2013-02-08 by Gordon JC Pearce

On 08/02/13 03:14, Michael Hawkins wrote:

> I say this because I work in networks and information security and even
> my yahoo email was used to send spam. Now, I use MD5 hashes as my
> passwords, so they are all unique and very near impossible to guess. I

Aww, looks like I got something wrong. I wanted to make the point that
it's generally fairly easy to spoof email senders, but I suspect I got
filtered by Yahoo! Groups.

Anyway, md5 hashes of what? Do you mean your password is a longish
string of alphanumerics? That doesn't guarantee that the password is
secure. Unless you're using SSL it's fairly easy for a malicious user
on your network to sniff your passwords (but not as easy as people make
it out to be in the general case). This is why Kerberos is such a
complicated bugger to work out...

--
Gordonjcp MM0YEQ

Re: [korgpolyex] Yahoo flaw - server or client side?

2013-02-08 by Michael Hawkins

My point was that the password is unique. I never use the same password for any Internet login. Making your passwords obscure does help when determining the method by which an account is hacked.

I still am yet to find any genuine story where large numbers of passwords (>1000) were sniffed. It's just not feasible to do so in any decent large ISP. So for example, if you're in the domestic US (and I would posit, any western country) it's extremely unlikely anyone will ever sniff more than a handful of passwords. So this yahoo hack certainly isn't that.

What I am hearing (through the channels that I have access to) confirms my theory. Yahoo has some kind of a serious server side vulnerability that is allowing spammers to hijack accounts WITHOUT needing the users' passwords. One of my yahoo email accounts was the source of spam but my password was not changed, I wasn't logged in at all when the spam was sent, I only ever log in to that Yahoo account using a LINUX machine and my password is a unique MD5 alphanumeric hash. The fact that I use a hash doesn't make it more secure but it does help to confirm that the hacking was server side.

Mike


From: Gordon JC Pearce <gordon@...>
To: korgpolyex@yahoogroups.com
Sent: Friday, February 8, 2013 8:06 AM
Subject: Re: [korgpolyex] Yahoo flaw - server or client side?

On 08/02/13 03:14, Michael Hawkins wrote:

> I say this because I work in networks and information security and even
> my yahoo email was used to send spam. Now, I use MD5 hashes as my
> passwords, so they are all unique and very near impossible to guess. I

Aww, looks like I got something wrong. I wanted to make the point that
it's generally fairly easy to spoof email senders, but I suspect I got
filtered by Yahoo! Groups.

Anyway, md5 hashes of what? Do you mean your password is a longish
string of alphanumerics? That doesn't guarantee that the password is
secure. Unless you're using SSL it's fairly easy for a malicious user
on your network to sniff your passwords (but not as easy as people make
it out to be in the general case). This is why Kerberos is such a
complicated bugger to work out...

--
Gordonjcp MM0YEQ