[ISN] Freemail Vulnerabilities

From: mea culpa (jerichoat_private)
Date: Thu Feb 11 1999 - 18:42:27 PST

  • Next message: mea culpa: "[ISN] Laptop owned by the Mossad's Deputy Chief gets stolen"

    Freemail Vulnerabilities
    By Ira Winkler  February 10, 1999
    If you have an account on Hotmail, Yahoo!, or Excite, it's vulnerable to
    Free email services are a common feature on portal sites, but some of them
    have serious security vulnerabilities-- specifically, Yahoo! Mail, Excite
    Mail, and Hotmail. 
    First, these three services allow an unlimited number of log-on attempts. 
    This means that malicious Internet users can perform password guessing and
    "brute force" password attacks against accounts on those systems. (After
    three failed log-in attempts, Yahoo! does ask the supposed user if they
    require help. However, additional log-in attempts are not prevented.) 
    Second, the user is not notified when a number of failed log-in attempts
    have occurred. If a password attack had been attempted against a user
    account, the user has no way of knowing. 
    These vulnerabilities affect a lot of Internet surfers. Free email
    services are extremely popular as a Web-based alternative to regular
    Internet service provider accounts. The ability to access mail from any
    Web browser and a certain level of Internet anonymity are great advantages
    that these accounts offer. Security, however, is a distinct disadvantage. 
    The problems probably are not limited to Yahoo!, Excite, and Hotmail. To
    test whether a particulare site is vulnerable to a brute-force attack,
    simply try entering incorrect passwords. If the system allows more than
    ten invalid password entries without locking out the account, then it
    probably allows an unlimited number of password-cracking attempts. 
    Password crackers attempt to obtain an account's password by exhaustively
    guessing word and number combinations. For example, an attacker may use a
    dictionary as the source of words. More sophisticated password crackers
    will use word-and-number combinations, such as star99. The most
    time-consuming technique is to try every possible combination of letters,
    numbers, and special characters. Such attacks can easily be automated.
    Password cracking is an extremely common hacker technique. 
    To prevent brute-force attacks, a security function should lock an account
    after an excessive number of failed log-in attempts, typically three to
    five. Once an account is locked, the user should be emailed about the
    failed log-in attempts and told to contact the system administrators, who
    will verify the user's identity. While this would cause a temporary
    interruption of service, it would prevent the account from being
    compromised. This is a basic security practice that is built into most
    computer operating systems. 
    Admittedly, these vulnerabilities are extremely basic. I was not expecting
    them to exist on all the systems I examined. I take their presence as an
    indication that security was not a crucial step in designing these
    While the sites all state that users should choose their passwords well,
    they do not account for attacks that can compromise even the best
    passwords.  This leaves users, who number in the thousands or even
    hundreds of thousands (industry numbers measure accounts, not the number
    of users), vulnerable to someone with even trivial programming and hacking
    While no attacks have been reported, it is likely that they were
    attempted.  It is also a given that they will be attempted and successful
    unless action is taken. 
    I contacted Yahoo! and Excite press liaisons about this issue and received
    no official reply. Hotmail could not be reached by telephone, and email
    messages to its technical support groups were not returned. 
    What You Can Do
    Users can't currently do much to prevent their accounts from being
    compromised. However, until the services redesign their log-in process,
    surfers should be aware that an attacker may be able to access email
    messages and other information stored on the system. Attackers may also be
    able to assume your identity online. Accordingly, you should delete all
    sensitive messages and not use the accounts to receive sensitive messages. 
    The best thing you can do is contact your service, let it know how
    important security is to you, and tell it that you expect it to correct
    this problem.  You can also recommend that it implement the secure socket
    layer (SSL)  protocol for log ins and accessing your information. SSL
    encrypts the data that you send and receive from a website and has no
    discernible effect on your system. This protects your information from
    being read by people using sniffers to read information on the Internet as
    it is being sent. 
    Picking a Good Password
    Although no one is exempt from a brute-force attack, taking a few
    precautions can make it significantly harder for others to guess your
    Many people pick passwords that they can easily remember. Unfortunately,
    that can translate into being easily guessed if someone has minimal
    knowledge about you. When you choose a password, make sure that it is
    unusual and not based on personal information or the website itself. For
    example, I'd imagine that hundreds of people have some variation of the
    word Yahoo for logging into Yahoo! Mail. 
    One scary aspect of free email accounts is the measures put in place to
    help users remember their passwords. Most Web portals realize that their
    visitors subscribe to many portals or visit the site infrequently, and
    they have a feature to help people who have forgotten their passwords.
    Basically, the service allows you to create clues that will remind you of
    your password.  Users can even use biographical information for a
    For example, the system will ask you what city you were born in. If you
    answer the question correctly, the service allows you to change your
    How hard is it to figure out where someone was born, or the name of their
    dog? In many cases, people might give this information out online in the
    course of casual exchanges of information. In response to my recent
    article on You've Got Mail, a woman described her experience being stalked
    by a former acquaintance. She said he was a brilliant hacker because he
    broke into her email account. 
    When I asked her if her stalker could have gained enough information to
    guess her password or access question, she indicated that it would have
    been easy for him to know the answer to the question. 
    My recommendation is that you think of an unusual and memorable answer for
    a typical question. Let's say you chose the question "What city were you
    born in?" Answer with the state as opposed to the city. Only you would
    know to try this unique answering approach. 
    Finally, when you send out email, try not to divulge private information.
    If you use a signature file at the end of your email message, remember not
    to include personal information. 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:18:42 PDT