Being Hacked

Last week my Yahoo account was hacked and 5000 or so of my closest friends got infected emails from me. Yikes. How did this happen? Beats me. Somehow I had downloaded something nasty myself.

My Yahoo account has been around since several CEOs ago, and it isn’t an account that I do much with. I was surprised by several things that were present in my Yahoo profile though that gave me some pause. For example: my contacts list. I didn’t think that I had many email addresses in my contacts but I saw that I had 5000 entries now. Apparently, sometime ago I had experimented with the bulk import feature and had imported my contact list to this account. Gulp. Well, let’s fix that and I thought I would delete the entries. That produced a mysterious error message. Strike one.

Next, I saw that I actually had the right birthday in my Yahoo profile. Okay, let’s change that. Well, you can’t. Or at least not that I could immediately see. Strike two.

Okay, well, at least I could just login and change my account password. That was fine until I realized that I picked a password that I had used on some other accounts. Oops. Strike three.

Alright, enough fooling around. This was crazy. Do I really need a Yahoo email account? Not at all, this isn’t an account that I use for any correspondence. I can create a new one for free anyway that doesn’t have any contacts at all. So let’s just close the darn account. Not so easy. I first had to change my password again and then visit a special page to terminate the account.

Before I did this, I went to the Yahoo Groups page where I run several email mailing lists. One of the lists had my Yahoo ID as the group “owner” which means that I have to assign the group to a new Yahoo ID. So I set up a new Yahoo email address and tried to transfer ownership to this new ID. That wasn’t enough – I still had no Yahoo ID attached to this account. Why? I have no idea. It was a Yahoo.com email address. You would think it would be obvious, but it wasn’t. I used to like Yahoo Groups, but now I was getting ready to just close all of them that I administer, I was so frustrated.

So far my security efforts have been to waste a lot of time signing in and out of Yahoo and trying to understand their systems. There is actually a helpful page of what you have to do if your account has been compromised. (Although it stops short of recommending any specific scanning products to see if your computer has been infected.)

Last week I wasn’t alone: the New York Times ran its own mea culpa article that describes how Chinese hackers targeted several reporters’ email addresses after it ran some critical articles last fall. I found the article interesting in that it specifically mentioned that the Times uses Symantec anti-virus software to protect its computers, only they weren’t really protected. There is lots more information in the piece about what happened and what it took for the Times to clean up after this exploit.

I have written about this before, how anti-virus has become outmoded, on my Dice Security forum that I manage.

I welcome your suggestions on a simple tool that can help in these situations. I haven’t found any that really work all that well.

Self promotions dep’t

Last week I had several articles posted on the various places that I write for. You might be interested in reading one or more of them.

If you want your telecommuter IT team members to feel like they’re part of the same team that works at the company offices, then take a look at these tips in a piece I wrote for a new Mendix blog.

You can read my report posted this month in Techtarget’s Modern Infrastructure ezine here about why the move to faster Ethernet is and isn’t happening across the land.

I tested one of Cisco’s midrange devices last month and came away impressed. Overall, Cisco has done a superior job at its next generation of firewall technology. There is a written report and a screencast video.

When I travel, I remember to turn off the file sharing setting on my PC for precisely this reason. It is a simple step, but a critical one. Here is what happened to one of my fellow guests when he left sharing on his computer turned on. This was for Internet Evolution.

In this ebook for Fierce Enterprise Communications, I wrote articles talking about how you want to take the next steps from your voice over IP telephony and does SIP trunking really mean the end of the public switched phone network.

N.B. Looks like I wasn’t alone. This might be the explanation for the Yahoo hack:

Email attack exploits vulnerability in Yahoo site to hijack accounts

Cisco Moves to the Next Generation with its ASA CX Firewall

We all know that the bad guys are getting more sophisticated and determined to invade business networks. The first week of 2013 started out with a bang: a series of well-publicized Java exploits, watering hole campaigns, and denial of service attacks – and that was just business as usual for the modern cyber-crook.

Enterprise network managers have to fight these exploits with better tools, and one ray of hope is a new context-aware firewall from Cisco called ASA CX. I tested one of their midrange ASA-5525-X devices this month and came away impressed. Overall, Cisco has done a superior job at its next generation of firewall technology. The user interface of the Prime Security Manager is, well, prime and one of the best pieces of software I have seen from them, and the features are on par if not better than what their competitors offer.

Here is my report.

There is also an accompanying video screencast review where you can see the firewall in action.

Internet Evolution: Turn File Sharing Off When You Travel, Puh-Leaze!

Has this happened to you? I am staying at a hotel where the Wifi creates one flat network, and of course, there are numerous people who don’t know the first thing about basic security practice. Why do I know this? Because I can see several of them who have file sharing turned on for their PCs. They are listed by name in my Mac’s Finder (John Jones Computer, Sid Smith Computer, etc.) and it is a bit scary.

When I travel, I remember to turn off the file sharing setting on my PC for precisely this reason. It is a simple step, but a critical one.

So last night I was in this hotel in Silicon Valley and I was feeling somewhat puckish. I noticed that one person’s computer was listed. I clicked on his computer to see if file sharing was turned on. It was, and in a moment, I could see his entire hard drive, including a “private” folder filled with PDFs of his credit card and other banking statements, loads of business documents, and the bonus: before/after pictures of his wife’s implants. (I Had To Look. Nice work, btw.)

So I took one of my newfound friend’s documents (it was a boating license or something), copied it to a USB key, and printed it out at the business center. I put it with a note to my friend and left it at the front desk, suggesting that:

a) He turn off file sharing tout de suite if he didn’t want anything else shared with the entire hotel for the rest of his stay and

b) He might want to invest in some hard disk encryption, particularly for all the stuff that he very conveniently left in his “private” folder for everyone to see.

Most hotels don’t really spend the time and energy to lock down their networks, and most business travelers don’t spend the time and energy to lock down their computers. The result is a boon for any corporate spy that has a laptop and minimal skills. Go to any center city convention hotel today and within minutes you can collect PowerPoints, secret documents, and business plans on just about any industrial topic. And you don’t need any skill, other than showing up at the right time and place.

As I saw this week, many hotels typically don’t segment their guest LANs – meaning that everyone in the hotel is on the same segment, has the same access, and can see anything across the entire network. This is true for wired and wireless access. Obviously, if a wireless user can sit in the parking lot of the hotel and gain access to the entire hotel LAN, this is even more trouble waiting to happen. The best situation is to have every single guest on a separate virtual LAN so they can’t see anyone else’s traffic. This requires them to use more expensive switching hardware, of course.

How prevalent is all of this? Two colleagues, Lisa Phifer and Craig Mathias, traveled around the northeast and tested 24 hotels back in 2006. They found trouble almost everywhere they went. Just one in four sites could prevent wireless eavesdropping and block all notebook probes. Sadly, the situation isn’t much different in 2013.

“Hotspot users might be unpleasantly surprised to discover they are reachable from the Internet [when they choose public IP addresses]. We expected paid networks would protect users from each other or Internet attacks more often than free hotspots, but this was not the case. Several free hotspots had noteworthy exposures, but so did paid networks, including the most expensive sites. “

The only two Internet providers that passed all their security tests were I-Bahn and T-Mobile. They segregate traffic by user and prevent people from inadvertently sharing their connection. The others, including Guest-Tek, Passsym, Starwood, TurboNet, StayOnline, and Wayport, all had security problems when the pair did their original research.

So don’t forget the security basics when you travel. Don’t leave your USB key drives lying around with all sorts of private stuff on them. Use a simple PIN to protect your phones. This isn’t rocket science: it is just basic Security 101, or not even but still something that everyone should just do and internalize. And if you stay at a hotel that has a flat network, use disk encryption and a VPN to keep people like me from looking around your computer’s hard drive.

Using Cisco ASA CX Firewall To Protect Your Network

My latest screencast video review is of the Cisco ASA CX next generation firewall. It has better application granularity, a more flexible means of policy creation, and easier to use controls and more powerful reports than its predecessors. I tested the ASA-5525-X and found a much improved user interface and lots of content-aware features.

Dice: My favorite security stories of the week

Here are links to some of my favorites from the trades in the past week. You can get more information on other links for security professionals, upcoming conferences, and security experts on Twitter to follow from my Dice Security Community here.

  1. Protecting Data In The Cloud Without Making It Unusable
  2. In ex-Soviet states, Russian spy tech still watches you
  3. BYOD Policies Need Implementation, Enforcement
  4. Don’t Click the Left Mouse Button: Introducing Trojan Upclicker
  5. Poor SCADA security will keep attackers and researchers busy in 2013
  6. PowerPoint about the Mayan “end of the world” secretly boobytrapped with malware
  7. SDN: Is Big Data a Killer App?
  8. Patching Metro apps on a wing and a prayer
  9. Data Wiping: A New Trend in Cyber Sabotage?

Network World: Okta, OneLogin top single sign-on review

We are awash in passwords, and as the number of Web services increases, things are only going to get worse. Trying to manage all these individual passwords is a major problem for enterprise security. Many end users cope by re-using their passwords, which exposes all sorts of security holes. One solution is a single sign-on (SSO) tool to automate the logins of enterprise applications and also beef up password complexity, without taxing end users to try to remember dozens of different logins.

In this review for Network World, I tested eight products: SecureAuth, OneLogin, Okta, Symplified, Intel’s McAfee Cloud Identity Manager, Numina Application Framework, SmartSignin and Radiant Logic. Okta and OneLogin came out on top.

You can see the various screenshots on my Pinterest Board here.

Dice: Is Anti-Virus Passe?

Last month, security firm Imperva released its November Hacker Intelligence report “Assessing the Effectiveness of Anti-Virus Solutions,” which collected and analyzed more than 80 unreported viruses against more than 40 anti-virus solutions. Imperva found that none of the tested anti-virus solutions were able to detect previously unreported viruses and that 75 percent of solutions took up to a month or longer to update their signatures.

That isn’t good news, but while Imperva obviously has some vested self-interest here, I think their report is worthy of a closer read nonetheless. What it means is that we have to depend on a variety of protective solutions to keep our computers safe and infection-free, and that as the bad guys get more sophisticated with their attacks, we have to get more sophisticated with our defenses.

Let’s look more closely at the tests that were done. First, the team at Imperva collected 82 viruses from various evil places. As the authors state, “A number of sources which assisted us in getting our hands on no small amount of relatively new viruses were forums in Russian, whose purpose was to enable hackers to discuss viruses and obtain assistance in developing them. The availability of malicious code and viruses in these forums was extremely high. Any kid could build a virus by themselves or download one ready-made.” That is pretty scary, but nothing new if you have been following security news postings over the past few years.

They then made sure that none of them had signatures that were already on their books or could be accounted for by their competitors, through a service called VirusTotal.com. This notion of signature matching is becoming obsolete, anyway. There are a number of virus construction kits that are readily available online that can customize a virus for each particular desktop, meaning that each virus has a separate and unique signature.

  • Lag times are long. Imperva found that it can take typical AV solutions three weeks to update their databases to recognize one of the viruses in their collection, and some took up to a month or even longer. As the authors state, “the rate of update for their signature databases is very slow and even viruses that are already known to most anti-virus products are still not identified by these insufficient products.”
  • Freeware is best. Imperva found the most optimal protection included two freeware anti-virus products, Avast and Emsisoft. Although for commercial products, both McAfee and Symantec also excelled in detecting their set of viruses.
  • Behavior instead of signatures is needed. Imperva does not recommend completely eliminating anti-virus from an effective security posture. Instead, they suggest that “security teams should focus on detecting abnormal behavior such as unusually fast access speeds or large volume of downloads and adjust its security spend on modern solutions to address today’s threats.”

So what are the key take-aways for security teams? First of all, if all you have is AV, then you are exposed and you should quickly start to add additional protective technologies. Focus more on detecting badly-behaved apps, looking at those situations where you are doing massive downloads or fast flux conditions. Next, look for network-level intrusion detection and prevention products, and also beef up your desktop-based firewalls. Some of the more popular security products from Symantec and others have these features included in their desktop AV products too. Finally, don’t be complacent: security is a continuous process, and a constant challenge to stay ahead of the bad guys.
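The “detect abnormal behavior” advice above (unusually fast access speeds, large download volumes) is easy to state and rarely shown. Here is an added example, not code from the Imperva report or from this post, of the kind of check a security team could run over outbound proxy logs. The log format (timestamp, host, URL, bytes) and the sample lines are constructed for the example; the thresholds are assumptions you would tune to your own environment. It keeps a sliding window per host and flags any host that either makes too many requests or pulls too many bytes within that window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical proxy log line: "<ISO timestamp> <host> <url> <bytes>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def build_sample():
    """Constructed sample log: one normal host, one bulk downloader, one fast beacon."""
    lines = [
        "2013-01-14T09:00:00 ws-17 http://intranet.example/home 4210",
        "2013-01-14T09:00:05 ws-17 http://intranet.example/reports 18300",
        "2013-01-14T09:00:30 ws-17 http://intranet.example/mail 9120",
    ]
    base = datetime(2013, 1, 14, 9, 0, 6)
    # ws-42: ten 50 MiB downloads in ten seconds (large volume)
    for i in range(10):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} ws-42 http://cdn.example/part{i}.bin {50 * 1024 * 1024}")
    # ws-08: forty tiny requests in ten seconds (unusually fast access)
    for i in range(40):
        ts = (base + timedelta(milliseconds=250 * i)).isoformat()
        lines.append(f"{ts} ws-08 http://203.0.113.5/c 200")
    return "\n".join(lines)


def parse_log(text):
    """Return (timestamp, host, url, bytes) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, url, nbytes = m.groups()
        events.append((datetime.fromisoformat(ts), host, url, int(nbytes)))
    return events


def flag_hosts(events, window=timedelta(seconds=60),
               max_requests=30, max_bytes=200 * 1024 * 1024):
    """Flag hosts whose request count or byte total exceeds a threshold
    inside any sliding window of the given length. Thresholds are assumed values."""
    by_host = defaultdict(list)
    for ts, host, _url, nbytes in sorted(events):
        by_host[host].append((ts, nbytes))

    findings = {}
    for host, evs in by_host.items():
        start = 0            # index of the oldest event still inside the window
        bytes_in_window = 0
        reasons = set()
        for i, (ts, nbytes) in enumerate(evs):
            bytes_in_window += nbytes
            # Slide the window forward: drop events older than ts - window
            while evs[start][0] < ts - window:
                bytes_in_window -= evs[start][1]
                start += 1
            if i - start + 1 > max_requests:
                reasons.add("request rate")
            if bytes_in_window > max_bytes:
                reasons.add("download volume")
        if reasons:
            findings[host] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for host, why in flag_hosts(parse_log(build_sample())).items():
        print(f"{host}: {', '.join(why)}")
```

On the constructed sample, ws-42 is flagged for download volume, ws-08 for request rate, and ws-17 is left alone. In practice you would feed this the real proxy or egress logs and pick the window and thresholds from a baseline of normal traffic rather than from the guesses used here.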

Dice Security Community

Each week I look for a few of the more interesting security news stories and highlight them on my Dice Security Community portal here. If you are looking for a new job in the security field, or just want to stay on top of the latest security news, conferences, and trends, go take a look. This week’s stories include:

How to punish peer-to-peer pirates

My friend and supplier The Movie Pirate is worried. “What can they do to me?” he asked me over the holiday weekend, when he heard the news about something even more sinister than Black Friday or Cyber Monday: this coming Wednesday when AT&T, Time Warner and other broadband providers are going to start enforcing their “six strikes” proposal to stop illegal copies of movies, TV shows and other content from being downloaded from peer networking sites.

The Movie Pirate (let’s call him John) has been stealing movies and TV shows for many years, thanks to PirateBay and other BitTorrent sites that make it about as easy as the click of a mouse to download a file. He doesn’t sell any of his movies: they are just for his own amusement and for a few friends. But that doesn’t make his actions right. He thinks of it as a hobby. And while I have been a beneficiary of his downloads, I know what he is doing is illegal. So does he.

At the center of this issue is the Center for Copyright Information (CCI), a relatively new operation that is funded by the movie studios, the recording industry and several broadband providers. Their proposal to try to curb the illegal downloads involves several steps, such as sending multiple emails notifying users, then getting them to acknowledge their misdeeds, then various increasing forms of punishment. These include throttling connection speeds or blocking particular websites, but not outright disconnection or legal action.

The name “six strikes” that was first attached to this program originated from the original CCI memorandum of understanding establishing the CCI in July 2011 where it stated that each person will have six copyright alerts, each separated by a week’s grace period. These alerts come from the broadband provider who is monitoring IP addresses that source the content downloads.

On a panel that CNET’s Declan McCullagh moderated in New York last month, the broadband companies spoke about these steps and how they are after the little guy, like my friend John. CCI head Jill Lesser responded that the goal isn’t to stop those trying to avoid IP laws and make a living selling one-dollar DVDs on Asian street corners. Rather, it’s to educate “the vast majority of the people for whom trading in copyrighted material has become a social norm, over many years.”

While I think this is misplaced, it will be interesting to see how many notices go out this week when the providers spin up their tracking systems. This is what got my friend worried, who uses an AT&T broadband connection that is shared amongst his neighbors. He doesn’t want one of these email notices going to the account holder, and I don’t blame him. He asked me: “So I can download all the kiddie porn that I want but movies are going to get me in trouble?” Well, for now that is true. That, and you probably don’t want to use Gmail as a dead drop for messages to your mistress either.

Of course, there is a next step in the peer-to-peer piracy war, and that is to start using VPNs to block your real IP address when you want to download illegal content. McCullagh asked this of his panel session. My friend John is investigating VPN providers at the moment. He is looking at this article from TorrentFreak that asked more than a dozen of them if they keep any IP logging information and under what circumstances would they share them with third parties.

The movie studios could learn from the mistakes of the whole peer music piracy debacle of the late 1990s. They could make it easier for folks to find and download legal content. But that would require some careful thought by people other than lawyers to build better systems, such as the ones that are operated by Pirate Bay and others.

Dr. Dobbs: SQL Injection: Think Like a Hacker

It is time to learn a little about SQL injection, a conceptually simple and very popular attack that can be mounted against many websites with a database back-end.

An earlier post on DITC by Tim Kellogg talks about actually experiencing the hacker ethos by attempting specific exploits. I’d like to second the notion, especially when it comes to SQL injection. This exploit turns on the ability to query your websites and get all sorts of useful information, such as your entire customer contact list or other sensitive data. And what makes this attack so troublesome is that it can be done without using any specialized tools other than a Web browser, and it doesn’t even require much in the way of programming knowledge.
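To make the point concrete, here is an added example (mine, not from the Dr. Dobb’s article or from Tim Kellogg’s post) showing the one coding mistake that makes SQL injection possible and the fix beside it. It uses Python’s built-in sqlite3 module with a constructed in-memory customers table. The vulnerable lookup splices the user-supplied value into the SQL text, so a value containing a quote changes the meaning of the query and the textbook tautology input returns every row; the parameterized lookup hands the same value to the driver separately, so it is only ever compared as data and returns nothing.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, plan TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, plan) VALUES (?, ?)",
        [("alice@example.com", "gold"),
         ("bob@example.com", "silver"),
         ("carol@example.com", "gold")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Deliberately vulnerable: the input becomes part of the SQL statement."""
    sql = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Hardened: a bound parameter is never parsed as SQL, whatever it contains."""
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


if __name__ == "__main__":
    db = make_db()
    normal = "bob@example.com"
    hostile = "' OR '1'='1"          # the classic tautology input
    print("vulnerable, normal input:", lookup_vulnerable(db, normal))
    print("vulnerable, hostile input:", lookup_vulnerable(db, hostile))
    print("safe, normal input:      ", lookup_safe(db, normal))
    print("safe, hostile input:     ", lookup_safe(db, hostile))
```

The same rule applies to any database driver or ORM: every value that originates from a request (form field, query string, cookie, header) goes in as a bound parameter, and the SQL text itself never contains user data. Reviewing a code base for string concatenation or formatting that builds SQL is the quickest way to find the places where this attack still works.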

You can read my article in Dr. Dobbs here.