From: Polytropon <freebsd@edvax.de>
To: Matthias Apitz
Cc: freebsd-questions@freebsd.org
Date: Sun, 6 Apr 2014 18:02:16 +0200
Subject: Re: theft of 18,000,000 mail accounts and passwords
Message-Id: <20140406180216.ac1dbe6f.freebsd@edvax.de>
In-Reply-To: <20140406154313.GA3062@La-Habana>

On Sun, 6 Apr 2014 17:43:13 +0200, Matthias Apitz wrote:
>
> Hello,
>
> I have here a case which could be off-topic at first glance, but is
> not, I think.
>
> The German Governmental Office about Security in Information informs that
> the police got access to a database of 18,000,000 stolen mail accounts
> and they will inform on Monday how to inform the owners of the accounts
> http://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2014/Medienberichte_zu_Identitaetsdiebstahl_04042014.html
> (in German).

Nothing particularly new.

> What makes me bring this up here is the question, how the criminals
> could get access to this amount of mail accounts and passwords and if we
> as FreeBSD users could be targeted by some of the methods. How could they
> get access to your (remote) mail account name and password?

You should direct those questions at the highly qualified clerks of
the BSI, but please wait until Monday, because the offices won't be
working after Friday 1 p.m. :-)

Okay, I stop kidding. The problem I have with the "announcement" is
that it is quite as vague as what happened a few months ago. Questions
still aren't answered: Which accounts? Of which providers? Is this
specific to ISPs? To mail providers? Who has "stolen" them? How have
they been "stolen"? Since when exactly is this known to the officials?

> What comes to my mind as methods are:
>
> - Installed key loggers on the local system;
> - Phishing attacks with faked URLs or with correct URL and DNS attack;
> - Using unknown backdoors or bugs in browsers to get the saved password;
>
> Anything else? And how much are we (as FreeBSD users) at risk of this,
> and what could be done to prevent it?

If we keep our boxes secure, our eyes open and our brains intact, we
should still be in a leading position regarding security. Most attacks
are focused on home users because they have the most attack vectors
open. You have mentioned a few.

What would be, in my opinion, important for those of us who are
running servers: encrypt what you can encrypt. For example, for mail
servers, force the use of some kind of TLS, avoid plain text (e. g.
FTP), and keep your installed web stuff (especially the *AMP
combinations) up to date.

Of course, sniffing network traffic is also possible. Even worse,
maybe someone got a user database from an ISP or mail provider! It's
not _that_ complicated to do if security is not a concern - which it
actually is _not_ in most business contexts - don't get me started
talking, I can tell you stories... "We don't do IT security here, we
have a contractor for that." ;-)

You surely know that several attack vectors have a "technical taste",
while others have a "human taste". Keyloggers, browser backdoors, buggy
programs and such are primarily technical, while phishing attacks
(with means such as fake "legitimate" e-mails, XSS, a href fun, SQLi
and such) aim at _people_ paying no attention: "When the PC says I
should enter my data here, I will enter my data here."

By the way, does this sound familiar to the BSI's action of "enter
your data here, we'll check if your account has been compromised and
send you e-mail tomorrow"? ;-)

Also note, by carefully reading the article you pointed to, that the
BSI's "suggestions" seem to aim at the target group I mentioned
before: home users, or, to be more precise, "Windows" users. From
reality you know that "Windows" is a massive threat to security and a
welcome platform for all the evildoers. Just think about the EOL of
"Windows XP" and all the unpatched boxes that will remain running...

In this context, the BSI's "suggestion" could be fully worthless if it
turns out that the "data theft" has taken place at a (mail) service
provider.

Summary: Essential and maybe critical information is still missing
because the officials of the BSI need to enjoy their weekend. Wait
and see.

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
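As an added illustration of the "force the use of some kind of TLS" advice above (not part of the thread, and not anyone's actual server config), the fragments below contrast permissive Postfix and Dovecot settings with ones that refuse plaintext logins; the certificate paths are placeholders.

```conf
# ===== Postfix main.cf (weak: TLS is offered but optional) =====
# Clients may still send AUTH credentials over an unencrypted session.
smtpd_tls_security_level = may
smtpd_tls_auth_only = no

# ===== Postfix main.cf (hardened) =====
# Offer TLS to everyone, but never accept AUTH unless TLS is active.
# Paths are placeholders; point them at your real certificate and key.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /path/to/placeholder-cert.pem
smtpd_tls_key_file = /path/to/placeholder-key.pem
smtpd_tls_protocols = !SSLv2, !SSLv3

# ===== Postfix master.cf (hardened submission service, port 587) =====
# "encrypt" is mandatory TLS; it belongs on the submission service,
# not on port 25 where other MTAs must still be able to deliver.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

# ===== Dovecot conf.d/10-ssl.conf and 10-auth.conf (weak) =====
ssl = yes
disable_plaintext_auth = no

# ===== Dovecot conf.d/10-ssl.conf and 10-auth.conf (hardened) =====
# IMAP/POP3 logins are refused unless the connection is already TLS.
ssl = required
ssl_cert = </path/to/placeholder-cert.pem
ssl_key = </path/to/placeholder-key.pem
disable_plaintext_auth = yes
```

Postfix reads comments only on lines of their own, so keep them above the parameter rather than trailing a value.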