enrii.blog

A passionate programmer’s findings in the world of internet.

Email Security Issues

Thursday, August 6th, 2009


It all started with a notification on top of my Gmail account, asking me to reconfirm my secondary email account, which is my Yahoo Mail. The notification reminded me of the news about a Twitter employee who got his Gmail account hacked:

About a month ago, a hacker was able to access a Twitter employee's personal email account, according to a blog post by Twitter cofounder Biz Stone. Once there, the hacker struck the mother lode: access to the employee's Google Apps account, which contained Docs, Calendars and other Google Apps that Twitter uses for sharing notes, spreadsheets, ideas, financial details and so on.

If you didn't follow the story, the hack happened through Gmail's password recovery procedure, which sends password recovery information to the user's secondary email address. In this case, that address was an expired Hotmail account:

At Hotmail, Hacker Croll again attempted the password recovery procedure - making an educated guess of what the username would be based on what he already knew. This is the point where the chain of trust broke down, as the attacker discovered that the account specified as a secondary for Gmail, and hosted at Hotmail was no longer active. This is due to a policy at Hotmail where old and dormant accounts are removed and recycled. He registered the account, re-requested the password recovery feature at Gmail and within a few moments had access to the personal Gmail account of a Twitter employee. The first domino had fallen.

In fact, not only Gmail but all email services have a similar recovery process. Most of the time, things like this have to be learned the hard way. All free email accounts expire if you don't log in for some time, approximately 3 months.

Let me continue with my story. So, I believe Google gave that notification to all users to make sure everyone had a valid secondary email account (after somebody got attacked, of course). I thought it might be a good idea to check my Yahoo Mail to see whether the account had expired or not.

When I logged on to Yahoo Mail, Yahoo said they had found some suspicious activity on my account and forced me to change my password! I changed it.

Then I was brought to my inbox, where I was greeted by the name "Heather", and my profile picture showed a girl, a hot babe! All the information in my profile had been changed!

The first question was: how did this "girl" break into my Yahoo? Why did she not change the password? Does she have any bigger motive after hijacking my Yahoo Mail?

Immediately, I changed the secondary email of my Gmail. Suddenly, I felt the internet is so insecure. Anything could happen overnight.

My advice (conclusion) to everyone:

  • A backup is probably a good idea. Lifehacker has got a good guide on Gmail backup.
  • A strong password is important. Alphanumeric + symbols. The best password is one that is easy to remember and hard to guess. Using the first characters of the words in a sentence to create a password seems to be a good way.
  • Avoid using same password across different websites!

Can you afford to lose your main email account? How do you prevent that from happening?
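The recovery chain in the story above can be checked for your own accounts. The following Python sketch is an added example, not part of the original post: it follows each account's recovery address transitively (going slightly beyond the single hop in the story) and reports the first hop that is dormant or missing from the inventory. The addresses, dates and the 90-day window, taken from the post's "approximately 3 months", are constructed assumptions.

```python
from datetime import date, timedelta

# Assumption: the post's "approximately 3 months" is used as the dormancy
# window; real providers set their own recycling policies.
DORMANCY = timedelta(days=90)

# Constructed sample inventory: address -> (recovery address or None, last login)
ACCOUNTS = {
    "work@apps.example":   ("me@gmail.example", date(2009, 8, 1)),
    "me@gmail.example":    ("old@hotmail.example", date(2009, 8, 5)),
    "old@hotmail.example": (None, date(2008, 11, 2)),
    "bank@mail.example":   ("safe@mail.example", date(2009, 7, 30)),
    "safe@mail.example":   ("bank@mail.example", date(2009, 7, 20)),
}

def recovery_chain(address, accounts):
    """Follow recovery links from address; stop at a dead end or a loop."""
    chain, seen = [], {address}
    current = accounts.get(address, (None, None))[0]
    while current is not None and current not in seen:
        chain.append(current)
        seen.add(current)
        current = accounts.get(current, (None, None))[0]
    return chain

def weak_link(address, accounts, today):
    """Return (hop, reason) for the first risky hop in the chain, else None."""
    for hop in recovery_chain(address, accounts):
        if hop not in accounts:
            # A recovery address nobody is tracking may already be gone.
            return hop, "untracked"
        if today - accounts[hop][1] > DORMANCY:
            # Dormant long enough that the provider may recycle the name.
            return hop, "dormant"
    return None

def audit(accounts, today):
    """Map each account to the weak link that could be used to reset it."""
    findings = {}
    for address in accounts:
        hit = weak_link(address, accounts, today)
        if hit:
            findings[address] = hit
    return findings

if __name__ == "__main__":
    for account, (hop, reason) in audit(ACCOUNTS, date(2009, 8, 6)).items():
        print(f"{account}: recovery passes through {hop} ({reason})")
```

Any account reported here should have its recovery address replaced or the dormant mailbox logged into, which is what the Gmail notification was prompting.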

Transferred Expired Domain Name from Yahoo! to GoDaddy

Friday, October 31st, 2008

Because Yahoo! is charging so much for domain names, I tried to transfer mine to GoDaddy after I received an Account Suspension Warning from Yahoo!. I waited for 5 days and finally received a notification from GoDaddy telling me that the transfer was successful! Please refer to this guide at GoDaddy if you need to do the same.

During the process, I learned that Yahoo! Small Business support is simply stupid, or they are just machines that only know how to copy and paste information from their help pages.

I had done all the steps required and the status at GoDaddy was to wait for final confirmation from Yahoo, so that it could be transferred. Here is our email conversation, if you are interested:

--

I'm planning to transfer my domain (<a domain name>) at Yahoo to
Godaddy. I followed exactly the instruction at http://help.yahoo.com/l/us/yahoo/smallbusiness/domains/authcode/authcode-04.html

In the last step, it mentioned that "Once your transfer is complete,
we'll send you an email confirming the transfer". However, I'm not
receiving any email after so many days.

--

Hello Englee,

Thank you for contacting Yahoo! Small Business Support.

As per your Whois information, the admin email id used is:
engleeteh@gmail.com. You must receive any communication from Go Daddy in
this email id.

http://whois.domaintools.com/<a domain name>

If you wish to change this email id then, if you are planning to update
your domain name's contact information can only be done through your
domain name registrar.

If you registered your domain name using Yahoo! Domains, the personal
information you provided in your order was used to register your domain
name. As required by ICANN, the Internet governance organization, this
information is publicly available via Whois database interfaces.

You can edit the Whois contact information associated with your domain
name by accessing your Domain Control Panel and clicking the
"Registration Information" link.

1. Log into your Yahoo! Domains account with your Yahoo! ID and password
by clicking on the "Sign In" link at the top of the page:

http://smallbusiness.yahoo.com/domains/

2. Click the "My Services" tab, then click on the Domain Control Panel
for the account you wish to edit.

3. Click the "View/Edit Your Domain Registration" link.

4. Click the "Edit button". Edit the fields for Domain Registrant and
Administrative Contact as necessary.

5. Click "Update".

Changes to your WHOIS record may take up to 24 hours to take effect.

Please note: If you registered your domain name through Yahoo! Domains
before January 22, 2001, your domain name registrar is Network
Solutions. You can update your contact information by going to the
Network Solutions web site.

Please do not hesitate to reply if you need further assistance.

--

Hi,

My question has nothing to do with admin email. I have access to that
admin email account and I have followed the instructions and completed
the transfer request. In the last part of the transfer, is the final
confirmation from your side.

I have waited for days but I haven't received any confirmation of
transfer from Yahoo!.

Please let me know what else I can do.

--

Hello,

Thank you for contacting Yahoo! Small Business Support.
I have read your email and understand your concern.
To initiate the transfer process please provide the authorization code
to your new register.
To retrieve authorization code:
------------------------------

1. Log in to Yahoo! Small Business account with Yahoo! ID and password
at:

http://smallbusiness.yahoo.com/services/

2. Click on the Domain Control Panel for the account you wish to edit.

3. Click the "View Your Authorization Code" button to get your
authorization code.

Please retrieve the authorization code for all your domains.
Once you have retrieved your authorization you will have to cancel your
plan with Yahoo!.
Please note that if you decide to cancel your service:

* The service is non-refundable.
* All Files & Emails will be deleted from the Yahoo! network.

To cancel your Yahoo! Web Hosting account:-
1. Log into your account with your Yahoo! ID and Password at:
http://smallbusiness.yahoo.com/
2. Click the button "Small Business", next to "Manage your services", at
the top of the page.
3. Click the link "Cancel Plan" next to the plan you want to cancel.
4. Follow the onscreen instructions to complete the process.

When the cancellation is complete you will receive a cancellation
complete message.
After you have cancelled the plan please reply to this email with a
request to release the domain from the Yahoo! reseller list. After we
receive your request we will release the domain to our registrar
Melbourne IT.
Once the domains are released from the Yahoo! Reseller list your
transfer of the domains to Godaddy can be completed. Please provide the
authorization codes of the domains to Godaddy.

Please do not hesitate to reply if you need further assistance.

--

What do you think about their support?

Yahoo! is Charging USD34.95 for Domain Name?

Sunday, October 26th, 2008

A few days ago, I received an email from Yahoo! Small Business reminding me to renew one of my domain names with them. Only then did I realise that the credit card I registered with them had been replaced a few months ago. I didn't really do much, as normally GoDaddy (I have many domains with them) would remind me many times to renew a domain.

Then yesterday, I received a similar email again, titled "Past-Due Payment Reminder", and the amount was 34.95. I thought it must be in Malaysian Ringgit; however, it is still expensive even if it is shown in Malaysian Ringgit.

So, I think I should find out what actually happened. I found out that Yahoo! has announced that they had increased the price of a domain to USD34.95. Wow... Should I say I'm lucky because I have replaced my credit card? I would have been charged without any notice from them. I didn't receive any email from them telling me the new rates!

Is this a trap? Actually, I bought this domain a few years ago from Yahoo! because they were selling a domain for only USD2.99.

Now, I believe the domain should be expired but the website seems to be still running. The email I received actually came on the day the domain expired.

So, I tried to transfer the domain to GoDaddy. GoDaddy seems to be getting so much business from Yahoo's new domain price. They even wrote a PDF guide to help you transfer a domain from Yahoo.

I'm still not sure whether it would work, since the domain is expired. Nonetheless, I have done everything stated in the guide. The final stage would be to wait for Yahoo registrar to approve the transfer.

Wish me luck!

(Anyhow, the domain does not have anything running, so I think if I were to choose between paying USD34.95 and losing it, I would prefer to lose it!)

Update: Transfer successful!

Yahoo! Photo Is Closing

Friday, August 17th, 2007

It's bad news. The good news is that you need only 4 clicks to move to Flickr!

Click #1: Click on the Flickr logo (at bottom left) once you have logged on to Yahoo! Photo.


Click #2: Click on "Move to Flickr!".


Click #3 and #4: Click on the checkbox to accept the terms and conditions, then click "Go".

After that, wait for Flickr to mail you when they have finished transferring your photos from Yahoo! Photo to Flickr.

Re-login to Yahoo! Photo might be interesting. This is what I get:

Re-login to Yahoo! Photo

Update: Just got Flickr's email telling me that photo transfer is complete. Took approximately 2 hours to transfer.

Response from Yahoo! Publisher Network

Friday, May 18th, 2007

Finally got a response from Yahoo! Publisher Network, after applying for it 10 days ago.

Dear EngLee,

Thank you for applying for the Yahoo! Publisher Network beta program. It is currently in beta and we are accepting a very limited number of new publishers, but we will let you know when we launch to the general public or if we are able to invite you to join the beta before then. To maximize your chances for approval, please make sure:

  • You have a valid U.S. Social Security or Tax ID number, and web site content that is predominately in English and targeted at a U.S. user base.
  • Your site provides a good user experience. Please see our complete list of guidelines for a positive user experience here:
    https://publisher.yahoo.com/legal/prog_policy.php.
  • Your site does not contain problematic content. Please see our guidelines for displaying our ad results here:
    https://publisher.yahoo.com/legal/prog_policy.php.
Thanks again for your interest. We look forward to welcoming you into our program when it is open to the public.

Sincerely,

The Yahoo! Publisher Network Team

Again, they mention a valid U.S. Social Security number. Looks like I'm just wasting my time.