[conspire] CABAL meeting tomorrow (also, webmail security discussed here)

Rick Moen rick at linuxmafia.com
Fri Sep 11 10:30:35 PDT 2009


Hey, we'll be having another CABAL meeting Chez Moen, tomorrow
afternoon.  Be there, or be Linux-deprived and hungry.



Next, here's the text of an e-mail that purports to be from a friend who 
posts from GMail, and who runs one of the Bay Area's LUGs.  (I'm not
going to risk embarrassing my friend by naming him, here.  Besides, who
that friend is, is not relevant to my point.)

----- Forwarded message from my friend <[snipped]@gmail.com> -----

Date: Fri, 11 Sep 2009 23:41:30 +0800
From: [my friend]
To: [a long CC list that includes me]
Subject: hi

Dear friend,
i would like to introduce a good company who trades mainly in electornic
products.
Now the company is under sales promotion,all the products are sold nearly at
itscost.
They provide the best service to customers,they provide you with original
products
of good quality,and what is more,the price is a surprising happiness to you!
The web address: [snipped]

----- End forwarded message -----

My friend very obviously didn't write that.  Evidently, my friend's
GMail password has been stolen, and a Chinese spamhaus is sending out
crap under his name to various addresses shown inside his GMail profile
as previous recipients of his mail.

This pattern of activity has become extremely common these days.
Somehow, a user is careless with his/her webmail credentials[1], those
credentials get stolen and shipped off to the spammers, and then the
spammers log in to your webmail and start abusing everything and anything
to which it indirectly grants access, including your friends.

Searching the Web on "stolen gmail password" finds quite a few tales of
woe from people who've had _real_ problems following such compromises.  
I figure they have tended to commit one or more of three strategic errors:

o  You shouldn't also use your webmail password for _other_ things.
   Some of the victims report that the bad guys immediately leveraged
   their possession of the webmail account to break into other things.
o  You should take care that your webmail inbox, saved mail, drafts, 
   etc. don't have security-sensitive information (including but not
   limited to passwords to other things) in saved messages' body texts.
   Don't have your credit card information there, your Social Security
   number, your mother's maiden name, etc.
o  You should never set up a situation where mere access to your 
   webmail account gives a person authority to conduct business on 
   your behalf.

Part of the problem is that third parties, including businesses you deal
with, are stupid about these matters -- or, to be more precise,
basically don't care.  Plenty of companies will consider an e-mail 
exchange with you sufficient evidence that you are entering into a valid
contract with them.  Pity, that.  Don't make it easy.

If this sort of thing happens to you, report the incident to your
webmail provider's fraud department immediately.  You might want to send
a registered letter, so if necessary you can prove to other companies
that you reported a fraud and cannot be held to subsequent contracts
made in your name.

Read all the sent mail -- and the deleted mail.  Try to figure out what
the bad guys did with your account.

Write to all of the people in your webmail address book, explaining what
happened.

Be aware that "social engineering" is far too often fruitful:  The bad
guy can use your webmail account purporting to be you, write to various
companies in your name, and _will be believed_, even if, like the
example asshat, he can't even type a literate English sentence and has a
writing style utterly unlike yours.

Don't forget the damage that can be done at the same company that hosts
your webmail, e.g., Google Docs, Google Calendar, etc.  Check to see
that forwarding and filters haven't been messed with to hide the
evidence.
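As an added example (not part of Rick's post), here is a Python check of that kind run over an exported Gmail filter list.  It assumes the Atom feed of apps:property elements that Gmail's "export filters" feature produces, uses a constructed sample export, and flags filters that forward mail to a domain you don't own or that trash, archive or mark-as-read matching mail.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"
# Actions that make matching mail vanish from the inbox and so can hide an
# intruder's traffic; names follow Gmail's filter export (assumed format).
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")

def parse_filters(xml_text):
    """One {property_name: value} dict per <entry> in the exported feed."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value") for p in e.findall(APPS + "property")}
            for e in root.findall(ATOM + "entry")]

def audit_filters(xml_text, own_domains):
    """Return (filter_number, reason) for every filter that forwards mail to a
    domain outside own_domains or that hides matching mail from the inbox."""
    findings = []
    for n, props in enumerate(parse_filters(xml_text), start=1):
        target = props.get("forwardTo")
        if target and target.rsplit("@", 1)[-1].lower() not in own_domains:
            findings.append((n, "forwards to external address " + target))
        hiding = [a for a in HIDING_ACTIONS if props.get(a) == "true"]
        if hiding:
            findings.append((n, "hides matching mail: " + ", ".join(hiding)))
    return findings

# Constructed sample in the shape of a Gmail filter export: one harmless
# list-sorting filter, and one that siphons off sensitive mail and buries it.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='lists.example.org'/>
    <apps:property name='label' value='lists'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='password OR invoice OR bank'/>
    <apps:property name='forwardTo' value='dropbox@mailer.example.net'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>"""

if __name__ == "__main__":
    for num, reason in audit_filters(SAMPLE_EXPORT, {"example.org"}):
        print("filter %d: %s" % (num, reason))
```

Run it against your own export with the domains you actually control; anything it flags that you did not set up yourself is evidence worth keeping before you delete the filter.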

Never _give_ your credentials to some person who claims to be working
for your webmail company.  There's no legitimate reason for that
question.

If you make the error of using the same password for other services
(Facebook, Myspace, Twitter, ICQ, Jabber, YIM, AIM, MSN, Orkut, Linked
In, etc.), _they will figure that out_.  They probably even have the
attempt scripted.  So, don't make that error.

Oh, and for gosh sakes, use Firefox with NoScript, already.  You bunch
of fools who insisted that you needed Javascript and Flash video
everywhere, just so you can see dancing hamsters on YouTube, have gotten
your wish and the Web is now officially a sewer.


About passwords:  Your homo-sap brain wiring is not able to consistently
remember a dozen-plus complex passwords that you change from time to
time.  Mine isn't, either.  It's routine for security people to advise 
using unique, non-trivial passwords everywhere, and for everyone to
ignore them -- because the request isn't realistic.  People's memories 
just aren't good enough.

You need help.  Technology to the rescue:  If you use a PalmOS PDA as I
do, you need look no further than Keyring for PalmOS
(http://gnukeyring.sourceforge.net/).  It's a 3DES-encrypted
password/token store and password generator.

The majority of you who don't use PalmOS PDAs will have to find a
different solution -- but they're out there.  You just have to look.


[1] Could be MS-Windows malware, MSIE security holes, cross-site
scripting attacks against one browser or another, cross-site request
forgery, a keylogger on a public machine, lots of things. 
