Risk
9/29/2010
11:05 AM
Connect Directly
RSS
E-Mail
50%
50%

Microsoft Beefs Up Hotmail Security

Raft of new features aimed at blocking email hijackers and helping users reclaim compromised accounts.

Microsoft Internet Explorer 9 Beta Revealed
Microsoft Internet Explorer 9 Beta Revealed
(click image for larger view and for full photo gallery)
On Monday, Microsoft announced that it had improved Hotmail security, in large measure to help stop attackers from hijacking Hotmail accounts.

According to John Scarrow, Microsoft's general manager of safety services, "not too long ago, account hijacking was an issue limited mostly to financial service websites." Recently, however, such attacks have become responsible for "disrupting millions of accounts every year," he said, not to mention anyone in the hijacked account owner's address book. "This type of identity theft costs users and services billions of dollars every year."

The attacks are deceptively simple: an attacker gains access to an account -- perhaps one that hasn't been used in months or years -- then emails a request for money to everyone in the account's address book. One such message, for example, claims the sender was just mugged while on vacation in the United Kingdom, and urgently needs money to help settle bills. "I'm writing this with tears in my eyes," it says.

To help block such attacks, Microsoft said it's taken multiple steps, including actively purging attackers from compromised accounts, taking legal action against domains used by scammers, and now, improving Hotmail security. For starters, when using a public machine, a Hotmail user can have a one-time password sent to their cell phone. That way, even if a keylogger or malware is installed on the PC, once the user logs out, no one can use the password to again log in.

To guard against man-in-the-middle attacks, Microsoft said it now uses SSL to encrypt the start of every session, and later this year will offer SSL for the full Hotmail session.

Should your account become hijacked, Microsoft already offers a two-proof approach for taking it back. But Scarrow said that "only 25% of people with a secret question actually remembered their answer when needed."

Accordingly, Microsoft will now let Hotmail users tie their account to a specific PC, provided they've installed Microsoft Live Essentials. In addition, they can register a cell phone number to receive a special log-in password in the event that they report their account as having been hijacked. Either of these acts as a proof; an alternate email account or secret question can be another. One proof is required to change any of the anti-hijacking parameters, such as registering a cell phone number or adding an alternate email address.

Finally, Microsoft said it's also stepping up efforts to use heuristics to better spot when accounts get hijacked in the first place. For example, to thwart dictionary attacks aimed at guessing log-in passwords, Hotmail now will temporarily prohibit log-ins after a certain number of failed attempts. The precise number of attempts allowed "depends on the reputation of the IP address being used," said Microsoft, in large measure to help block botnets.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-3828
Published: 2014-10-22
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.