teft of 18,000,000 mail accounts and passwords

Sun Apr 6 16:08:41 UTC 2014

On Sun, 6 Apr 2014 17:43:13 +0200, Matthias Apitz wrote:
> 
> Hello,
> 
> I have here a case which could be off-topic in first moment, but does
> not is, I think.
> 
> The German Govermental Office about Security in Information informs that
> the police got access to a database of 18,000,000 stolen mail accounts
> and they will inform on Monday how to inform the owners of the accounts
> http://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2014/Medienberichte_zu_Identitaetsdiebstahl_04042014.html
> (in German).

Nothing particularly new.

> What makes me bringing this up here is the question, how the criminals
> could get access to this amount of mail accounts and passwords and if we
> as FreeBSD users could be targeted by some of the methods. How they
> could get access to your (remote) mail account name and password?

You should direct those questions at the highly qualified
clerks of the BSI, but please wait until Monday, because
the offices won't be working after Friday 1 p.m. :-)

Okay, I stop kidding. The problem I have with the "announcement"
is that is quite as vague as what happened few months ago.
Questions still arent't answered: Which accounts? Of which
providers? Is this specific to ISPs? To mail providers?
Who has "stolen" them? How have they been "stolen"? Since
when exactly is this known to the officials?

> What comes to my mind as methods are:
> 
> - Installed key loggers on the local system;
> - Phishing attacs with faked URLs or with correct URL and DNS attack;
> - Using unknown backdoors or bugs in browsers to get the saved password;
> 
> Anything else? And how much we (as FreeBSD users) are in risk of this
> and what could be done to prevent it.

If we keep our boxes secure, our eyes open and our brains
intact, we should still be in a leading position regarding
security. Most attacks are focused on home users because
they have the most amount of attack vectors open. You
have mentioned a few. What would be, in my opinion, important
for those of us who are running servers: encrypt what you
can encrypt. For example for mail servers, force the use
of some kind of TLS, avoid plain text (e. g. FTP), and
keep your installed web stuff (especially the *AMP combinations)
up to date. Of course, sniffing network traffic is also
pssible. Even worse, maybe someone got a user database from
an ISP or mail provider! It's not _that_ complicated to do
if security is not a concern - which it actually is _not_ in
most business contexts - don't get me start talking, I can
tell you stories... "We don't do IT security here, we have
a contractor for that." ;-)

You surely know that several attack vectors have a "technical
taste", while others have a "human taste". Keyloggers, browser
backdoors, buggy programs and such are primarily technical,
while phishing attacks (with means such as fake "legitimate"
e-mails, XSS, a href fun, SQLi and such) aim at _people_ paying
no attention: "When the PC says I should enter my data here,
I will enter my data here."

By the way, does this sound familiar to the BSI's action of
"enter your data here, we'll check if your account has been
compromized and send you e-mail tomorrow"? ;-)

Also note, by carefully reading the article you pointed to,
that the BSI's "suggestions" seem to aim at the target group
I mentioned before: home users, or, to be more precise,
"Windows" users. From reality you know that "Windows" is
a massive threat to security and a welcome platform for
all the evildoers. Just think about the EOL of "Windows XP"
and all the unpatched boxes that will remain running...
In this context, the BSI's "suggesion" could be fully
worthless if it turns out that the "data theft" has taken
place at a (mail) service provider.

Summary: Essential and maybe critical information is still
missing because the officials of the BSI need to enjoy their
weekend. Wait and see.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...