Via DarkReading, I just came across a lengthy post on webmail password “recovery” techniques by Gunter Ollmann from IBM's ISS.
For a while I’ve been pretty blasé about CAPTCHA hacking developments. I mean, why do I care if a CAPTCHA can be beaten?
Well, that’s because password “recovery” agents can use distributed botnets to brute-force web apps. And the typical response to too many invalid attempts in a certain amount of time is to throw up CAPTCHAs. Well, if those are being broken, what’s next?
Sure, you can do a lockout period or flag it somehow, but you are either going to introduce DoS scenarios for legit users or start some futile investigation into what you already know: a botnet brute-force. Good luck with that! So, yeah, it drives home the significance of CAPTCHA breaking.
Towards the end, Gunter talks about what you can do to prevent this or minimize the damage. I’ll include those steps and some more here in my own list.
- Use a strong password.
- Probably change it regularly, especially if you have no way of knowing if someone is currently accessing your account or not.
- Delete your email archive/history. Do you really need all that garbage?
- Don’t keep passwords and “Welcome to site blah” emails. Keep them where you keep your passwords (PasswordSafe?) or bookmarks (uhh bookmarks?). This way your archive doesn’t give juicy leads on where to trigger password reminders from.
- Keep a few fake emails in your inbox with subjects like, “To reset your password go here,” or “here is your SSH connection info.” In these emails, provide an IP address of a server you control or can get the logs from, and see if someone other than you ever attempts to connect. Or maybe an email or two with embedded images from a remote web server that you control. If someone connects, alarm klaxons can sound.
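As an added example (not code from the original post), here is a small Python script in the spirit of the last item: it derives a unique, unguessable image path for each decoy email and scans web-server access log lines for fetches of those paths from any address other than your own. The secret, the decoy labels, the IP addresses and the log lines are all constructed for the example.

```python
import hmac
import hashlib
import re

# Hypothetical secret; each decoy email gets its own path derived from it,
# so a hit tells you which decoy was read, and the paths cannot be guessed.
CANARY_SECRET = b"replace-with-a-long-random-secret"

def canary_path(label: str) -> str:
    """Derive the image URL path to embed in the decoy email named by label."""
    tag = hmac.new(CANARY_SECRET, label.encode(), hashlib.sha256).hexdigest()[:16]
    return f"/img/{tag}.png"

# Apache/nginx "combined" log format: ip - - [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def find_canary_hits(log_lines, labels, own_ips):
    """Return (ip, label, timestamp, user_agent) for every canary fetch not from our own IPs."""
    paths = {canary_path(label): label for label in labels}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["path"] not in paths:
            continue            # not a request for one of our decoy images
        if m["ip"] in own_ips:
            continue            # our own mail client rendering the decoy; not an alert
        hits.append((m["ip"], paths[m["path"]], m["ts"], m["ua"]))
    return hits

# Constructed sample: one fetch by us, one by a stranger, one unrelated request.
DECOYS = ["ssh-connection-info", "password-reset-link"]
OWN_IPS = {"198.51.100.5"}
SAMPLE_LOG = [
    f'198.51.100.5 - - [10/Mar/2024:08:00:01 +0000] "GET {canary_path("ssh-connection-info")} HTTP/1.1" 200 512 "-" "Thunderbird"',
    f'203.0.113.7 - - [10/Mar/2024:23:41:17 +0000] "GET {canary_path("ssh-connection-info")} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:23:41:18 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, label, ts, ua in find_canary_hits(SAMPLE_LOG, DECOYS, OWN_IPS):
        print(f"ALERT: decoy '{label}' fetched from {ip} at {ts} ({ua})")
```

Run it against your real access log instead of SAMPLE_LOG; any line it prints means someone else has read that decoy message.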