Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web

  • Kenneth
    Message 1 of 25 , Jun 18, 2013
      Perhaps a complicated password is more of a challenge for hackers, but that doesn't mean a simple password is safer.  They're not going to know whose passwords are more challenging until after the fact.  And if yours was less challenging, then they've just hacked yours sooner rather than later.


      From: Lorrie <minilorrie@...>
      To: Y-Mail@yahoogroups.com
      Sent: Tuesday, June 18, 2013 1:53 PM
      Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web

       
      My password is really simple and not very secure.  I have had it for years.  Never had any problems.  I am just wondering if the more difficult you make your password, the more the hackers try and get it.  Maybe it gives them more of a challenge.  A lot of people that I have talked to that have been hacked say that their passwords were very complicated yet they were stolen numerous times.  Just my thoughts LOL.

      Lorrie

    • Jodi Upchurch
      Message 2 of 25 , Jun 18, 2013
        A few of my Yahoo! accounts, I had to change my password for... Hang in there.
         
        From: Lorrie
        Sent: Tuesday, June 18, 2013 3:53 PM
        Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web
         
         

        My password is really simple and not very secure.  I have had it for years.  Never had any problems.  I am just wondering if the more difficult you make your password, the more the hackers try and get it.  Maybe it gives them more of a challenge.  A lot of people that I have talked to that have been hacked say that their passwords were very complicated yet they were stolen numerous times.  Just my thoughts LOL.

        Lorrie

        Lorries Green World
        http://minilorrie.2itb.com
        Thompson, Manitoba, Canada

        --- On Tue, 6/18/13, Shal Farley <shal@...> wrote:


         

        Donna,

        > I am running out of password ideas!!!

        Generally speaking, password ideas are a bad idea.

        I use PasswordSafe to generate and store random passwords, a separate
        one for each service I use. It also helps protect against simple
        keylogging malware -- I never type my online passwords, PasswordSafe can
        fill in the username and password at most login pages, or copy/paste the
        password through the clipboard.
        <http://passwordsafe.sourceforge.net/>

        > Yahoo is losing my confidence lately and I am thinking that I may
        > cancel payment to Yahoo email. I love my groups though so I am stuck
        > between a rock and a hard place!

        You don't need a Yahoo Mail address to run Yahoo Groups, and you
        certainly don't need a paid Mail Plus account. You need not feel stuck
        at all.

        -- Shal

      • Harryh
        Message 3 of 25 , Jun 18, 2013
          The real risk of passwords lies in the fact that crackers can do them in short order - see http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

          And should a hacker get into the user files where passwords are hashed, knowing a few facts can make the entire list vulnerable. Further since most users may use a similar password scheme for all their sites, banking may be at risk from an email hack.   I suspect that the only solution is a password generator that assigns a large random set of mixed characters per site.  Conversion to a generator can be painful but necessary.


          From: Kenneth <justkenneth@...>
          To: "Y-Mail@yahoogroups.com" <Y-Mail@yahoogroups.com>
          Sent: Tuesday, June 18, 2013 5:22 PM
          Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web



          Perhaps a complicated password is more of a challenge for hackers, but that doesn't mean a simple password is safer. 
          <snip>

          From: Lorrie <minilorrie@...>
          To: Y-Mail@yahoogroups.com
          Sent: Tuesday, June 18, 2013 1:53 PM
          Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web

           
          My password is really simple and not very secure.  I have had it for years.  Never had any problems. 
          <snip>
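Harryh's two points above, that leaked hashes are cracked "in short order" once the attacker knows a few facts, and that the way out is a generator producing an independent random password per site, are illustrated by the following added example. It is not code from the thread or from any Yahoo tool: the unsalted MD5 "dump", the wordlist, the mangling rules and the usernames are all constructed here, and the random generator stands in for what PasswordSafe does.

```python
"""Added example (not from the thread): why scheme-based passwords fall to an
offline attack on a leaked, unsalted hash dump while random per-site passwords
do not. Every input below is constructed for the demonstration."""
import hashlib
import math
import secrets
import string

# Constructed: a tiny unsalted-MD5 "dump" (user -> hash). Three accounts use a
# human scheme (word + year/digits/punctuation); one is a 16-char random string
# of the kind a password manager generates.
LEAKED_DUMP = {
    "donna": hashlib.md5(b"Summer2013!").hexdigest(),
    "lorrie": hashlib.md5(b"password1").hexdigest(),
    "kenneth": hashlib.md5(b"Yahoo2013").hexdigest(),
    "shal": hashlib.md5(b"q7T#pZ2m!vLw9cRb").hexdigest(),
}

# Constructed: a wordlist far smaller than a real cracker's, plus the "few facts"
# (site name, current year) an attacker folds in as suffixes.
WORDLIST = ["password", "summer", "winter", "yahoo", "welcome", "monkey"]
SUFFIXES = ["", "1", "123", "2012", "2013", "!", "2013!"]


def mangle(word):
    """Yield the common case/suffix variants of one base word (cracker 'rules')."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def crack_unsalted_md5(dump, wordlist):
    """Offline attack: hash each candidate once and look it up against every
    account. Because the dump is unsalted, one candidate hash tests all users."""
    users_by_hash = {}
    for user, digest in dump.items():
        users_by_hash.setdefault(digest, []).append(user)
    cracked = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = hashlib.md5(candidate.encode()).hexdigest()
            for user in users_by_hash.get(digest, []):
                cracked[user] = candidate
    return cracked


ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=16):
    """Random password from the OS CSPRNG; no scheme, no site name, no reuse."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length=16, alphabet_size=len(ALPHABET)):
    """Keyspace of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def per_site_passwords(sites):
    """One independent random password per site, as a password manager stores it:
    a leak at one site reveals nothing about the others."""
    return {site: generate_password() for site in sites}


if __name__ == "__main__":
    print("cracked:", crack_unsalted_md5(LEAKED_DUMP, WORDLIST))
    print("bits for a random 16-char password:", round(entropy_bits(), 1))
    print(per_site_passwords(["mail.yahoo.com", "bank", "groups"]))
```

The three scheme passwords fall to six base words and seven suffixes; the random one is untouched because no rule derives it from anything the attacker knows. Note that the check is against a single dump: with per-site random passwords, cracking one hash also does not expose the victim's other accounts.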






        • lena_kiev
          Message 4 of 25 , Jun 18, 2013
            > From: Harryh <harryh89@...>

            > And should a hacker get into the user files where passwords are hashed

            Trojans steal cleartext passwords - stored in the browser, or when
            the form is filled (form-grabbing). Complexity of passwords
            doesn't matter at all. Strong (long, complicated, unique) passwords
            are stolen as easily as simple ones. In the case of this cracker+spammer,
            strong passwords give a false sense of security.
          • Chris J Brady
            Message 5 of 25 , Jun 19, 2013
              The hackers of Yahoo accounts are not guys sitting at a PC keyboard randomly typing in characters like the proverbial monkeys typing in the complete works of Shakespeare. Neither is it a computer generating random letter passwords and trying them until one fits. That's old skool. 

              The vulnerability is that a user having clicked on an embedded URL in an email is taken to a rogue webpage. Or maybe has not even clicked on an embedded URL and in the course of surfing has been taken to a rogue webpage. This has installed a virus (a snippet of XML / Javascript / whatever / code) onto the user's PC. This in turn sends the Yahoo cookie file containing the account name and password to the hackers. So it doesn't matter what the password is or when it is changed or how complicated it is, the hackers get the latest version.

              The virus script does two other things. Periodically - until removed - it sends an email out - with a one line URL to another rogue website - to one, many, all contacts in the user's address book.

              Secondly it sends the entire address book to the hackers. This can be used to send out fraudulent emails appealing for cash because the user has lost his/her passport on a surprise trip overseas, or has been imprisoned in a foreign country and needs urgent cash to be released, etc.

              I have not found out how to remove the XML / Javascript / whatever code that represents the virus. Perhaps someone here can say. Virus protection apps will not detect it.

              However I understand that one protection is to ALWAYS log out of a Yahoo session after finishing which apparently then kills the cookie containing the user's account and password.

              But if the hackers have a user's complete address book then there's nothing to stop them from using the contents to send begging emails.

              CJB ..
                 

              --- On Wed, 19/6/13, Kenneth <justkenneth@...> wrote:

              From: Kenneth <justkenneth@...>
              Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web
              To: "Y-Mail@yahoogroups.com" <Y-Mail@yahoogroups.com>
              Date: Wednesday, 19 June, 2013, 0:22

               

              Perhaps a complicated password is more of a challenge for hackers, but that doesn't mean a simple password is safer.  They're not going to know whose passwords are more challenging until after the fact.  And if yours was less challenging, then they've just hacked yours sooner rather than later.


              From: Lorrie <minilorrie@...>
              To: Y-Mail@yahoogroups.com
              Sent: Tuesday, June 18, 2013 1:53 PM
              Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web

               
              My password is really simple and not very secure.  I have had it for years.  Never had any problems.  I am just wondering if the more difficult you make your password, the more the hackers try and get it.  Maybe it gives them more of a challenge.  A lot of people that I have talked to that have been hacked say that their passwords were very complicated yet they were stolen numerous times.  Just my thoughts LOL.

              Lorrie

            • Raymond B. Normandeau NYC
              Message 6 of 25 , Jun 19, 2013
                Isn't this how Facebook and LinkedIn etc are able to
                "see which of your friends are already members"?

                Are perhaps all the hack victims also members of one of the above?

                --
                Considering VistaPrint?
                See http://www.ripoffreport.com/directory/vista-print.aspx
                http://www.consumeraffairs.com/online/vistaprint.html

                --- On Wed, 6/19/13, Chris J Brady <chrisjbrady@...> wrote:

                From: Chris J Brady <chrisjbrady@...>
                Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web
                ...
                 
                The vulnerability is that a user having clicked on an embedded URL in an email is taken to a rogue webpage. Or maybe has not even clicked on an embedded URL and in the course of surfing has been taken to a rogue webpage. This has installed a virus (a snippet of XML / Javascript / whatever / code) onto the user's PC. This in turn sends the Yahoo cookie file containing the account name and password to the hackers. So it doesn't matter what the password is or when it is changed or how complicated it is, the hackers get the latest version.
                ...
              • lena_kiev
                Message 7 of 25 , Jun 19, 2013
                  > From: Chris J Brady <chrisjbrady@...>

                  > The hackers of Yahoo accounts are not guys sitting at a PC keyboard
                  > randomly typing in characters like the proverbial monkeys typing in
                  > the complete works of Shakespeare. Neither is it a computer
                  > generating random letter passwords and trying them until one fits.

                  Right.

                  > The vulnerability is that a user having clicked on an embedded URL
                  > in an email is taken to a rogue webpage. Or maybe has not even
                  > clicked on an embedded URL and in the course of surfing has
                  > been taken to a rogue webpage. This has installed a virus (a
                  > snippet of XML / Javascript / whatever / code) onto the user's PC.

                  Right.

                  > This is turn sends the the Yahoo cookie file containing the account
                  > name and password to the hackers.

                  Not cookie, but yahooID and password, not hashed.

                  Then another piece of malware uses a bot in another victim's computer
                  (in a random country) to give the yahooID and password to the
                  m.yahoo.com website (for mobile devices) and get a Yahoo cookie
                  (containing a hash) in return. That leaves a line "Mobile Logged In"
                  in the first victim's "Recent sign-in activity" (linked from Account Info).
                  Then (usually via the same bot, sometimes via another bot in another
                  country, but in under a minute) it uses that cookie to access the
                  regular mail.yahoo.com website to harvest email addresses from
                  letters in the Sent and Inbox folders (and possibly Contacts too) and spam them.
                  That leaves another line "Mail Access" in the first victim's
                  "Recent sign-in activity".

                  I can't test myself because my country isn't in the list
                  (Yahoo cannot send me an SMS).
                  Please, somebody who has "Set up your second sign-in verification":
                  Sign Out, then on the m.yahoo.com/mail website sign in,
                  preferably via another ISP.
                  Does the m.yahoo.com website (used by the felon too)
                  require typing something from the SMS?

                  > The virus script does two other things. Periodically - until removed

                  Until the password is changed. The trojan which stole the password
                  doesn't send the spam, it only phones home the stolen password.

                  Another piece of malware does this:

                  > it sends an email out - with a one line URL to another rogue
                  > website - to one, many, all contacts in the user's address book.

                  Or/and addresses harvested from letters in the Sent and Inbox folders.

                  > I have not found out how to remove the XML / Javascript / whatever
                  > code that represent the virus. Perhaps someone here can say. Virus
                  > protection apps will not detect it.

                  The felon tests the drive-by exploit kit
                  and the (stealthy, encrypted, polymorphic) trojan it installs
                  against multiple antiviruses
                  and makes sure that the exploit kit and trojan
                  can evade or disable all the antiviruses.
                  Antivirus vendors lost the war.

                  > However I understand that one protection is to ALWAYS log out of a
                  > Yahoo session after finishing which apparently then kills the cookie
                  > containing the user's account and password.

                  The trojan steals the password, not the cookie. So signing out is useless
                  in this case.
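lena_kiev's description gives a concrete trace to look for: a "Mobile Logged In" from a country the owner never uses, followed in under a minute by a "Mail Access" (the harvesting step), often from a different bot. The check below is an added example, not part of the thread and not Yahoo's code: the entry layout (timestamp, event, country, IP) and the four sample entries are constructed, since the page does not show the real format of the "Recent sign-in activity" list, and the home-country set is an assumed parameter.

```python
"""Added example (not from the thread): scanning a constructed "Recent sign-in
activity" list for the bot login + harvest pattern lena_kiev describes."""
from datetime import datetime, timedelta

# Constructed sample, fields: timestamp, event, country, ip. The owner normally
# signs in from CA; the two foreign entries 37 seconds apart are the bots
# (mobile login from one country, mail access from another, as described).
SAMPLE_ACTIVITY = """\
2013-06-18T13:51:02Z Mail Access      CA 198.51.100.7
2013-06-18T22:04:11Z Mobile Logged In BR 203.0.113.45
2013-06-18T22:04:48Z Mail Access      RO 192.0.2.200
2013-06-19T08:12:30Z Mail Access      CA 198.51.100.7
"""


def parse_activity(text):
    """Parse the constructed format into dicts. Event names contain spaces, so the
    country and IP are peeled off from the right."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        event, country, ip = rest.rsplit(None, 2)
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event.strip(),
            "country": country,
            "ip": ip,
        })
    return rows


def find_bot_takeover(rows, home_countries, window=timedelta(seconds=60)):
    """Flag each 'Mobile Logged In' from outside the owner's countries that is
    followed within `window` by a 'Mail Access', from the same or another IP.
    Returns one alert per such pair."""
    rows = sorted(rows, key=lambda r: r["ts"])
    alerts = []
    for i, login in enumerate(rows):
        if login["event"] != "Mobile Logged In" or login["country"] in home_countries:
            continue
        for nxt in rows[i + 1:]:
            if nxt["ts"] - login["ts"] > window:
                break  # nothing within the window: a lone foreign mobile login
            if nxt["event"] == "Mail Access":
                alerts.append({
                    "login": login,
                    "harvest": nxt,
                    "seconds_apart": int((nxt["ts"] - login["ts"]).total_seconds()),
                    "same_bot": nxt["ip"] == login["ip"],
                })
                break
    return alerts


if __name__ == "__main__":
    for a in find_bot_takeover(parse_activity(SAMPLE_ACTIVITY), home_countries={"CA"}):
        print(f"{a['login']['ts']:%Y-%m-%d %H:%M:%S} Mobile Logged In from "
              f"{a['login']['country']} ({a['login']['ip']}), Mail Access "
              f"{a['seconds_apart']}s later from {a['harvest']['country']} "
              f"({a['harvest']['ip']}), same bot: {a['same_bot']}")
```

The window is deliberately short because the message puts the second step "in under a minute"; a foreign mobile login with no follow-up is not flagged by this rule and would need its own. As lena_kiev notes, the alert only tells you the cleartext password is already in the attacker's hands, so the response is a password change (from a machine without the trojan), not a sign-out.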