Imperva CTO comments on Hotmail vulnerability

  • 08 October, 2009 08:43

<p>Sydney, October 8: Amichai Shulman, Chief Technology Officer of data security leader Imperva, comments:</p>
<p>Yesterday the news story broke about a list of Hotmail user access credentials that found its way to the Internet. The list, containing approximately 10K entries sorted in alphabetical order, ignited some rumours about the entire Hotmail user directory being stolen. As indicated by others, a quick mathematical exercise can show that unless the Hotmail user community is approximately 100K in size, this is not true.</p>
<p>Speculations were made as to how the list was obtained by hackers. Microsoft was quick to announce that it cannot be related to their servers’ security since they do not store clear-text passwords but only their hashed / encrypted representation. While I tend to accept this claim, it is not completely accurate. If an attacker compromised one of the many distributed Hotmail servers and infected it with a simple ISAPI filter, that attacker would be able to easily grab credentials while users perform authentication.</p>
<p>Another speculation was that this is the result of a massive (or possibly several massive) Phishing campaigns. I find this too hard to believe. First, the list is extremely long with respect to the expected results of a Phishing campaign. Given the commonly accepted estimation regarding the success rate of Phishing campaigns, it seems unlikely to be able to collect a list of 100K credentials within a reasonable time period. Second, a careful evaluation of the list’s contents suggests otherwise.</p>
<p>My estimate is that the list was obtained through keyloggers infecting computers, not only home ones but also computers used for public access (e.g. Internet Café, University Campus, etc.). The size of the list definitely agrees with this type of attack (infection figures are estimated at tens of millions, with public access computers being a panacea for attackers). Also, quite a few entries in the list show the same account name with slightly different passwords, or a slightly different account name with the same password, indicating a series of typos at the time of login, with the keylogger just grabbing everything and passing it on.</p>
<p>The risk to end users is not confined to the mere contents of their mailbox. In fact, many users would use the same password for a number of services. More dangerous, though, is the fact that the password retrieval procedures for many online applications rely on sending the recovered password to an email address set during registration. With control over a user’s mailbox, an attacker can compromise other accounts of that user in different online applications (this was shown to happen a couple of months ago to a Twitter executive whose GoogleDoc account was compromised after her Hotmail account was compromised).</p>
<p>Can users avoid falling prey to such attacks? My constant advice to users is to have your antivirus software up-to-date to avoid infections and to stay out of dubious sites by using tools like Google’s Safe Browsing or Firefox’s built-in malicious site filters. Would that prevent infection? It would certainly reduce the chances. However, the rate of new servers being infected with new strains of malware sometimes outpaces those signature-based detection mechanisms.</p>
<p>Could Microsoft (or any other application provider) do anything to protect users against this type of attack? In my opinion: yes. For example, some applications (including Gmail) can display recent account activity. This is mostly useless, as account activity is given in the form of an IP address. A better solution? Instead of showing you the IP address of your last login, you’d see a pointer on the world map. This would give an immediate visual notification of any suspicious activity. Other measures can be more proactive. For example, I was able to find many different copies of the list on the web by searching through Google with different account names from it. By surrendering bogus credentials to Phishing campaigns and keyloggers, the security team can later look up those same credentials over the web using different search engines and put their hands on entire lists of compromised credentials, being able to take timely action with their rightful owners before the account is compromised.</p>
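<p>The two defensive heuristics described above, the typo fingerprint of keylogger-harvested lists and the lookup of seeded decoy credentials in a recovered list, as an added Python example that is not part of Mr Shulman's comments or Imperva's products. The dump, the account names and the canary credentials are constructed for illustration; the distance threshold of 2 is an assumption.</p>

```python
"""Triage of a recovered credential list: keylogger-typo pairs and canary hits."""
from collections import defaultdict
from itertools import combinations

# Constructed sample dump (fictional accounts) in the alphabetical
# "account:password" shape the leaked list was reported to have.
SAMPLE_DUMP = """\
alice.example@hotmail.example:sunshine1
alice.example@hotmail.example:sunshien1
bob.example@hotmail.example:Letmein!
bobexample@hotmail.example:Letmein!
carol.example@hotmail.example:qwerty
canary-7f3a@hotmail.example:decoy-PW-0042
"""

# Hypothetical decoy credentials a security team seeded into phishing forms
# and infected hosts; any appearance in a dump ties the dump to that channel.
CANARIES = {("canary-7f3a@hotmail.example", "decoy-PW-0042")}


def edit_distance(a, b):
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_dump(text):
    """Split 'account:password' lines; only the first ':' separates the fields."""
    return [tuple(line.split(":", 1)) for line in text.splitlines() if ":" in line]


def typo_pairs(entries, max_dist=2):
    """Entry pairs that look like one victim retyping a login: same account with
    a slightly different password, or slightly different account with the same
    password. Grouping first keeps the comparison away from O(n^2) on a 10K list."""
    by_acct, by_pw = defaultdict(list), defaultdict(list)
    for acct, pw in entries:
        by_acct[acct].append(pw)
        by_pw[pw].append(acct)
    pairs = []
    for acct, pws in by_acct.items():
        pairs += [((acct, p1), (acct, p2)) for p1, p2 in combinations(pws, 2)
                  if 0 < edit_distance(p1, p2) <= max_dist]
    for pw, accts in by_pw.items():
        pairs += [((a1, pw), (a2, pw)) for a1, a2 in combinations(accts, 2)
                  if 0 < edit_distance(a1, a2) <= max_dist]
    return pairs


def canary_hits(entries, canaries=CANARIES):
    """Seeded decoys present in the dump; the real entries beside them deserve a reset."""
    return [e for e in entries if e in canaries]
```

<p>A high share of near-duplicate pairs supports the keylogger hypothesis over a phishing form, which records each submission once; a canary hit is the trigger to contact the rightful owners of the neighbouring entries.</p>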
<p>About Imperva</p>
<p>Imperva, the Data Security leader, enables a complete security lifecycle for business databases and the applications that use them. Over 4,500 of the world’s leading enterprises, government organisations, and managed service providers rely on Imperva to prevent sensitive data theft, protect against data breaches, secure applications, and ensure data confidentiality. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring from the database to the accountable application user and is recognised for its overall ease of management and deployment. For more information, visit</p>
<p>Media queries</p>
<p>David Frost<br>
PR Deadlines Pty Ltd, for Imperva<br>
Phone: +65.4341 5021</p>
<p># # #</p>