Last Updated: 2014-09-02 16:13:12 UTC
by Rob VandenBrink (Version: 1)
No, we're not talking about 1940's literature today - I've been reading, as have many, that Microsoft is planning to finally stop the venerable MSN Messenger Chat service. I find it interesting that the press is touting that MSN has few users left. This might be true in our community, and I wouldn’t doubt that almost every demographic has moved away from MSN to other chat services like SMS on phones, Facebook, Skype, Twitter or whatever.
But maybe Toronto is an internet backwater or something – for every IPS stand up or egress filter I configure, in any company I’ll still find a handful of MSN Messenger users. While we're seeing generally low activity on the main port used by MSN (1863) , we still see spikes in traffic - https://isc.sans.edu/port.html?port=1863
Do internet services ever die naturally? It seems to me that folks hang on to what they know like grim death, and only give up services when they’re terminated forcibly.
As a penetration tester, these older services can be a gold mine. To me, older services (not to pick on any one service in particular) quite often are clear-text, so if you can get a clean packet capture then you've got a very good shot at harvesting credentials. And we know for a fact that folks will tend to re-use credentials - userid's are easy to derive, but if you can harvest passwords on one service, you've got an excellent chance at re-using them to compromise another application or service.
Again, I'm not sure if it's just me, but I also tend to see that users of these older "consumer" type applications like this for some reason seem to be clustered in the upper echelons of many companies. In other words, some of the best targets (politically at least) are using some of the most easily compromised applications.
Password re-use, prefering old/known applications to new ones, and "user clustering" around older apps - are you seeing this same trends?
Did xkcd get it right? http://xkcd.com/1305/
Please, use our comment form and let us know what you're seeing, both on MSN messenger or on other "old" internet applications!
Last Updated: 2014-09-02 11:57:52 UTC
by Rob VandenBrink (Version: 1)
There's lots of interest in the recent iCloud incident, where apparently several "celebrity" accounts were compromised.
Sorry to say, it's not a rumour. It's also something that could and should have been prevented. It turns out that the API for the "Find My iPhone" app did not have protections against brute force attacks.
This, combined with the first couple hundred lines of a common password dictionary (often downloaded as the filename "500 worst passwords") resulted in some targeted accounts being compromised. And of course once an account password is successfully guessed, all iCloud data for that account is available to the attackers. So no rocket science, no uber hacking skills. Just one exposed attack surface, basic coding skills and some persistence.
Having gone through that password file, you really wonder how much folks using any of those passwords valued their data in the first place.
Apple quickly fixed the vulnerability, so it is no longer in play (unless your account was compromised prior to the mitigation and you haven't changed your password). The code is on github if you are interested.
This just reinforces the common theme that - to put it mildly - trusting personal data to simple passwords is not recommended. If you can't use complex passwords (for me, that's greater than 15 characters) or don't have a second factor, then don't use the service.
If you have more information or corrections regarding our diary, please share.