Don’t let your email account get hijacked – tips

Email accounts are prime targets for spammers, who can no longer send spam directly from malware-infected computers because of improved spam filtering and steps that major providers like Verizon/Comcast/Cox have taken.  If a spammer can hijack an email account, he’ll be able to send spam at high speed from a legitimate account until he gets caught.  We’re good at detecting this, but when it happens it’s inconvenient for the legitimate account holder, since we have to change the password and the account owner will be locked out until they set the password again and update the password on their computer/phone/etc.

The most common ways that bad guys obtain login info are:

  • phishing email – the kind that takes you to a supposedly legitimate web link where you’re tricked into entering your email username and password.
    • Some of these messages are very real-looking.  Best practice:  never enter login info on a web page that you got to by clicking a link in email.
  • Hotel wi-fi or a public wi-fi hotspot and bad guys were sniffing the network.
    • We’ve seen quite a few of these cases.  Hotel wi-fi is particularly dangerous.  You’re better off using your phone’s wireless connection at hotels and coffee shops.
  • You’ve used the same username and password somewhere else (adobe.com, ebay.com, etc.) and that site got hacked.
    • This is probably the #1 way people get hacked.  Never use the same username and password on multiple sites.  You will get bitten if you do.
  • malware on your computer that’s sending your keystrokes & other info to the bad guys’ mother ship.
    • When this is what’s happening, your account will usually get hacked again quickly after you’ve changed your password.  Set your PC to scan for malware daily, and run a full scan every now and then so the anti-virus scanner will check everything (default scans usually scan only the most likely locations for malware).  Make sure your PC is set to receive automatic updates to virus definitions – there is a new virus every few minutes, so you need to update your definitions at least daily.
  • Your password is easy to guess.  Our systems lock out password-guessers quickly, but they get a few tries before they’re locked out and if your password is super simple (12345 / ILoveAndy / etc.) they might get lucky.

There are a lot of bad guys and they’re highly motivated, but if you’re careful, odds are your account won’t get hijacked.


eBay passwords compromised

According to Ars Technica, encrypted eBay passwords and other information have been stolen by cyberattackers.  If you have an eBay account, change your password ASAP.  If your eBay password is one you’ve used on other services, including your accounts with HIS, change those passwords too, and don’t use the same password on more than one service.

When password lists are leaked this way, even in encrypted form, the bad guys have very powerful tools for cracking the passwords, and the cracked passwords go into their database of passwords that are used somewhere and thus are probably also used somewhere else, increasing your likelihood of being hacked on another system if you’re using the same password there.

We know that it’s a pain to change passwords, especially email passwords where you might have several devices checking your account (a phone, a tablet, multiple computers), but it’s a bigger pain to get hacked.  When we detect a hacked account, we change the password immediately and there’s a period of time between then and when we can reach you when you’re without access to your account.   If you use strong passwords (mixed upper/lower case, numbers, punctuation) and you don’t use a password on more than one account, your odds of having your account hijacked are greatly reduced.

Resolved: spam.his.com backlog 5/19/2014

Starting at 6:30 AM on Monday, 5/19/2014, multiple servers were hit with a high-volume spam flood from a Russian botnet that had hijacked user email accounts.  The volume was so high that spam.his.com, which filters both incoming and outgoing mail, became backlogged and mail delivery became very slow.  We identified the problem shortly after 7 AM and blocked the botnet, but it took several hours to clear the unprocessed queue of this spam because we wanted to avoid accidentally deleting any legitimate mail.  This problem has been resolved and mail delivery was normal (about 3 seconds after receipt)  by 11 AM.

Our early-warning system caught this quickly, but the volume of spam from this large botnet was extraordinarily high, causing the backlog.  We’re looking at ways to detect hijacked email accounts more quickly.
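One way to spot a hijacked account quickly is to watch outbound submission volume per authenticated user: a spammer driving a stolen account sends far more messages, to far more recipients, than the account ever did before. This is an added example, not HIS’s detection code; the log format, the account names and the thresholds are assumptions, and the log lines are constructed.

```python
"""Flag accounts whose outbound mail volume spikes inside a short window,
the pattern a hijacked account shows when a spammer starts using it.
Added example, not HIS code; the log format below is assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real server log). Assumed line format:
# "<ISO timestamp> submission sasl_username=<user> nrcpt=<recipients>"
SAMPLE_LOG = """\
2014-05-19T06:30:01 submission sasl_username=alice@example.com nrcpt=1
2014-05-19T06:30:05 submission sasl_username=bob@example.com nrcpt=45
2014-05-19T06:30:06 submission sasl_username=bob@example.com nrcpt=50
2014-05-19T06:30:07 submission sasl_username=bob@example.com nrcpt=48
2014-05-19T06:30:09 submission sasl_username=bob@example.com nrcpt=50
2014-05-19T06:45:00 submission sasl_username=alice@example.com nrcpt=2
2014-05-19T07:02:30 submission sasl_username=carol@example.com nrcpt=3
"""

LINE_RE = re.compile(r"^(\S+) submission sasl_username=(\S+) nrcpt=(\d+)$")

def parse(log):
    """Yield (timestamp, user, recipient_count) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))

def find_bursts(log, window=timedelta(minutes=10), max_rcpts=100, max_msgs=20):
    """Return {user: (window_start, recipients_in_window)} for every account
    that exceeded either limit within one sliding window. Thresholds are
    illustrative; a real deployment would tune them per account history."""
    events = defaultdict(list)
    for ts, user, n in parse(log):
        events[user].append((ts, n))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        start, rcpts = 0, 0
        for end, (ts, n) in enumerate(evs):
            rcpts += n
            while ts - evs[start][0] > window:   # slide the window forward
                rcpts -= evs[start][1]
                start += 1
            if rcpts > max_rcpts or end - start + 1 > max_msgs:
                flagged[user] = (evs[start][0], rcpts)
                break
    return flagged

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))
```

On the constructed log, bob@example.com trips the recipient limit on his third message within the same minute, while the two normal users never come close.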

Our servers do a good job of blocking the thousands of bots attempting to guess user passwords on each server every day, but if your password is a simple one, or is one that you’re using on some other system that has been compromised (Adobe, Twitter, Evernote, Dropbox, etc.), the bad guys can test and confirm your password on the first try and we won’t detect that as an attack.  If you’re using your password on any other system, consider changing it ASAP, and choose a strong password (mixture of upper/lower case letters, some numbers, some punctuation).

Heartbleed OpenSSL bug – should you change your passwords?

You may have read about the bug in OpenSSL that allowed attackers to access random 64k byte chunks of memory.  This bug was reported by CERT on Monday, April 7, 2014.  Software vendors supplied patches on April 7 and 8.  A few of our SSL servers were vulnerable, and we had all patches applied and were able to confirm that the patches worked on all servers April 7 and 8.

Many of the most popular internet sites were affected, including Google, Facebook, Youtube, Yahoo!, Bing, Pinterest, Blogspot, Instagram, Tumblr, Reddit, Netflix, Yelp, Blogger, Dropbox, and the Washington Post (to name a few).

This was a nasty bug – it left no traces in server logs, so there’s no way to tell whether it was exploited by bad guys.  There’s an XKCD cartoon that shows how the exploit worked.

We prefer to err on the side of caution, so we have replaced our own SSL certificates and have changed important passwords.  Odds of your password being exposed on a server that we host are low, but not zero, and since many people use the same passwords on multiple sites (a really bad idea – don’t do this), we’re encouraging everybody to change their passwords.  If you use the same password on, say, Facebook, that you use with your email account, and bad guys managed to get the password from Facebook, you’re exposed.

Our Zimbra email servers were not vulnerable, but we still recommend that you consider changing your password anyway in case you’ve used the same password somewhere else.  Instructions for customers on Zimbra servers are here (use the webmail URL for your domain).  If your email account is on a Plesk server, instructions are here.  If you need  help, open a ticket at https://support.his.com/home.

Changing your password isn’t mandatory, but it’s a good idea, especially if you think you may have used the same password anywhere else.


Microsoft Ending Support for Windows XP and Office 2003 4/8/2014

Windows XP has reached end-of-life, and there will be no updates or security patches for XP after April 8, 2014.  The bad news is that CERT estimates that 30% of all internet-connected PCs are still running XP, so a lot of people are going to be exposed to the latest malware with no help from Microsoft.

If you’re running Windows XP,  it’s time to upgrade (or change to Mac or Linux).


NCCIC / US-CERT

National Cyber Awareness System:

03/10/2014 10:56 AM EDT
Original release date: March 10, 2014

Systems Affected

  • Microsoft Windows XP with Service Pack 3 (SP3) Operating System
  • Microsoft Office 2003 Products

Overview

Microsoft is ending support for the Windows XP operating system and Office 2003 product line on April 8, 2014. [1] After this date, these products will no longer receive:

  • Security patches which help protect PCs from harmful viruses, spyware, and other malicious software
  • Assisted technical support from Microsoft
  • Software and content updates

Description

All software products have a lifecycle. End of support refers to the date when Microsoft no longer provides automatic fixes, updates, or online technical assistance. [2] As of February 2014, nearly 30 percent of Internet-connected PCs still run Windows XP. [3]

Microsoft will send “End of Support” notifications to users of Windows XP who have elected to receive updates via Windows Update. Users in organizations using Windows Server Update Services (WSUS), System Center Configuration manager, or Windows Intune will not receive the notification. [4]

Impact

Computer systems running unsupported software are exposed to an elevated risk to cybersecurity dangers, such as malicious attacks or electronic data loss.

Users may also encounter problems with software and hardware compatibility since new software applications and hardware devices may not be built for Windows XP or Office 2003.

Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements. [4]

Solution

Computers operating Windows XP with SP3 or running Office 2003 products will continue to work after support ends. However, using unsupported software may increase the risk of viruses and other security threats.

Users have the option to upgrade to a currently supported operating system or office productivity suite. The Microsoft “End of Support” pages for Windows XP and Office 2003 offer additional details.

There are software vendors and service providers in the marketplace who offer assistance in migrating from Windows XP or Office 2003 to a currently supported operating system or office productivity suite. US-CERT does not endorse or support any particular product or vendor.

Users who choose to continue using Windows XP after the end of support may mitigate some risks by using a web browser other than Internet Explorer. The Windows XP versions of some alternative browsers will continue to receive support temporarily. Users should consult the support pages of their chosen alternative browser for more details.

Revision History

  • March 10, 2014 – Initial Release

FYI: CryptoLocker virus

CryptoLocker is a new virus that affects Windows PCs – if you get infected, a screen pops up telling you that your stored documents and images have been encrypted, and if you don’t pay $300 within 72 hours, the key required to decrypt your files will be destroyed and you’ll be out of luck.  There have been other ‘ScareWare’ viruses that popped up windows like this in the past, but this one actually does what it says.

Our spam filters do a very good job of blocking email that contains viruses, but since the bad guys are clever, it’s always possible for malicious email to get through until the spam filters figure out the new technique, and you could be exposed.  Also, if you have multiple PCs on your LAN, this virus can jump from an infected PC to the others over the ethernet or WiFi link, so you can be exposed that way as well.

Here’s the US-CERT announcement:    http://www.us-cert.gov/ncas/alerts/TA13-309A  Read this and follow their advice in the “Prevention” section of the writeup.

Other writeups on CryptoLocker:

Announcement: mail.his.com setting change for his.com and hers.com users

If you have a his.com or hers.com email address, check the settings in your email software (smartphone/tablet/laptop/computer/etc.) and make sure that mail.his.com is set as the hostname for both incoming and outgoing mail.  This has always been the correct setting, but for legacy reasons, using just his.com as the hostname has worked too.  Starting October 5, 2013, only mail.his.com will work as the hostname for his.com and hers.com users.

This change is being made for anti-spam reasons.  Some spammers (millions of them, actually) try to bypass spam filtering by ignoring the official mail exchanger (MX) records in DNS and connecting directly to whatever host the bare domain name resolves to.  We’re able to block most of this, but we need to block it all.
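The check behind this change, written out as a small decision function: mail for a domain should arrive at the host its MX record names, and client submission should go through mail.his.com, so an unauthenticated connection to the bare domain’s host is the MX-bypass pattern described above. This is an added example, not HIS’s server configuration; the DNS table, the MX target name and the rule set are assumptions, and only mail.his.com, the bare domains and the cutover date come from the announcement.

```python
"""Classify one inbound SMTP delivery attempt by the path it took.
Added example, not HIS configuration; MX data and rules are assumed."""
from datetime import date

CUTOVER = date(2013, 10, 5)              # from the announcement
SUBMISSION_HOST = "mail.his.com"         # from the announcement
LEGACY_HOSTS = {"his.com", "hers.com"}   # bare domains that used to work

# Constructed MX table: assumes the filtering host is the published MX.
MX_TABLE = {
    "his.com": {"spam.his.com"},
    "hers.com": {"spam.his.com"},
}

def classify(connected_host, rcpt_domain, authenticated, today):
    """Return ('accept' | 'reject', reason).
    connected_host: the hostname the client connected to on our side.
    rcpt_domain:    domain of the recipient the client is delivering to."""
    if connected_host in MX_TABLE.get(rcpt_domain, set()):
        return "accept", "arrived via published MX"
    if connected_host == SUBMISSION_HOST:
        if authenticated:
            return "accept", "authenticated submission"
        return "reject", "submission host requires authentication"
    if connected_host in LEGACY_HOSTS and authenticated:
        if today < CUTOVER:
            return "accept", "legacy bare-domain submission (before cutover)"
        return "reject", f"bare domain no longer accepted; use {SUBMISSION_HOST}"
    # Unauthenticated delivery to any host that is not the MX is the bypass.
    return "reject", "MX bypass: unauthenticated delivery to non-MX host"

if __name__ == "__main__":
    for args in [("spam.his.com", "his.com", False), ("his.com", "his.com", False),
                 ("his.com", "his.com", True), ("mail.his.com", "his.com", True)]:
        print(args, classify(*args, date(2013, 10, 6)))
```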

Summary:

  • this affects only users with his.com or hers.com email addresses.
  • check the settings in the email software on all your devices and make sure that mail.his.com is set as the hostname for both incoming and outgoing email.

We’ve been scanning the logs, and we think we’ve identified most of the folks this applies to, and we’ve sent email to everyone who we know needs to make the change.

his.com and hers.com users can access webmail as always at https://webmail.his.com

If you have any questions or need assistance, open a support ticket at https://support.his.com/contact

Barracuda update

spam.his.com is doing an excellent job of blocking spam without stopping non-spam – the only false positives we’re seeing involve mail from bulk sources (overstock.com, alert.ema.dc.gov, etc.), where many messages with the same content come in at once, which is characteristic of spam.  You may find that you need to whitelist these if they’re winding up in your quarantine.

The system is also learning, as we’ve had time now to train it with feedback about what’s actually spam and not-spam – we update this Bayesian database daily, and this helps fine-tune filtering accuracy.

Two major improvements over Postini:  little, if any, non-spam mail getting quarantined, and much faster reaction to new spam attacks that use new methods to get around filters.  Barracuda updates its filters three times/hour, vs. once every day or two on Postini, and we’ve seen the effect of this in action – it works.

We’ve made a few minor changes – you’ll no longer see mail marked “?SPAM?” in your inbox.  This was mail that Barracuda thought might be spam but wasn’t sure about, so it didn’t quarantine it but tagged it and passed it through.  In practice, we found that as much non-spam as spam was getting tagged, so the tagging wasn’t helpful and we’ve turned it off.  These messages are still passed through, but without the tag.

Zimbra users:  you have another layer of spam/virus/phishing filtering in Zimbra.  Mail that Zimbra thinks is spam will be put in your Junk folder, and this is separate from what spam.his.com does.  Check your Junk folder from time to time, and if any mail is there that isn’t spam, mark it as not-spam (you have to do this via webmail).  Likewise, if any spam gets past spam.his.com and you find it in your inbox, you can mark it as spam.  Zimbra’s spam filter learns from your feedback, and if you mark spam/not-spam for a week or two, its accuracy will improve.  Zimbra’s spam filter works at the individual mailbox level, so you do need to train it so it knows whether you agree with what it’s doing.

If you want, you can forward spam that gets to your inbox to spam@barracuda.com – this will help them recognize new spam tricks and update their filters.

If you have any questions, open a support ticket by clicking “Open a Ticket” at http://info.his.com/support/support.his.com.html.  Check our knowledgebase articles at https://support.his.com/kb/kb/browse/001925



Spam filter change: switching from Postini to Barracuda

We provide spam and virus filtering with all email accounts – you really can’t use email without it anymore.

We’ve used Postini for our premium spam filtering since 2001 (twelve years!).  Google bought Postini in 2007, and Postini continued to be excellent until about a year ago when we noticed that things were slipping – there were outages, a lot of mail that wasn’t spam started to get quarantined, things like that.  Then Google decided to discontinue Postini, along with quite a few other services.

We evaluated seven good alternatives, and Barracuda was the clear winner.  The spam/virus filtering is excellent – they push out updates to the filtering rules as often as three times / hour, so they do a great job of catching spam blasts that use new techniques to get around the filters, and most people will find that they have few, if any, ‘false positives’ (non-spam that gets quarantined).   We’ve been testing the Barracuda system and using it for our own email since February, and we think you’ll find it a real improvement.  We’re operating the Barracuda servers in our own cloud, so we have direct control of uptime and reliability.

We’re switching domains over in groups, and should have everybody switched by May 18.  You’ll get email announcing the change before your domain is switched.  The change will be almost completely transparent to you – the only real change you’ll have to make is the link to your spam quarantine, which will be in the announcement email.