PCWorld Forums

PCWorld Forums: Three Steps To Avoid Getting Hacked Like Yahoo - PCWorld Forums


Three Steps To Avoid Getting Hacked Like Yahoo

#1 PCWorld (Group: PCWorld BOT)
Posted 13 July 2012 - 03:36 PM

Post your comments for Three Steps to Avoid Getting Hacked Like Yahoo here

#2 Xira
Posted 13 July 2012 - 03:51 PM

Isn't Yahoo poor?

Expecting poor companies to do these things isn't practical.

#3 NickanFayyazi
Posted 13 July 2012 - 03:58 PM

Xira, on 13 July 2012 - 03:51 PM, said:

Isn't Yahoo poor?

Expecting poor companies to do these things isn't practical.


Before making comments like this, do your research.
Yahoo certainly isn't poorer than the average individual. And I don't think you know how much it costs to encrypt a password. $0.

#4 RTChase
Posted 13 July 2012 - 04:08 PM

Xira, on 13 July 2012 - 03:51 PM, said:

Isn't Yahoo poor?

Expecting poor companies to do these things isn't practical.


Obvious trolling is obvious =P

#5 gilcarrick
Posted 13 July 2012 - 04:47 PM

My understanding is that the hackers exploited an SQL injection. There is no excuse for allowing that to happen. So that is a 4th serious mistake.
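
The class of bug the post above refers to, reduced to something runnable. This is an added example, not Yahoo's code and not from the PCWorld article: an in-memory SQLite table queried once with string concatenation and once with a bound parameter, fed the two inputs an attacker would actually try (an authentication bypass and a UNION that dumps the credential column). The table layout, the rows and the attacker strings are all constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table, not real credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-of-alice"), ("bob", "hash-of-bob")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The bug: the caller's input is pasted into the SQL text, so a single
    quote in the input closes the string literal and everything after it is
    parsed as SQL by the database."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the value is sent as a bound parameter. The SQL text is fixed
    at the time it is parsed, so no character in the input can alter it."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Attacker inputs, constructed for the example.
# Closes the literal and appends an always-true condition.
BYPASS = "nobody' OR '1'='1"
# Closes the literal, appends a UNION over the hash column, and comments out
# the trailing quote that the application adds.
DUMP = "nobody' UNION SELECT password_hash FROM users --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, bypass:", find_user_vulnerable(conn, BYPASS))  # every username
    print("vulnerable, dump:  ", find_user_vulnerable(conn, DUMP))    # every stored hash
    print("safe, bypass:      ", find_user_safe(conn, BYPASS))        # []
    print("safe, dump:        ", find_user_safe(conn, DUMP))          # []
    print("safe, normal:      ", find_user_safe(conn, "alice"))       # ['alice']
```

The DUMP input is the step that turns an injection into a leaked credential table, which is why the two mistakes discussed in this thread compound: with parameterized queries the dump never happens, and with properly hashed passwords a dump that does happen yields hashes that still have to be cracked one salt at a time.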

#6 SalvadorRamirez
Posted 13 July 2012 - 06:25 PM

Many of these "new" technologies wanted to open wide doors for everybody.
It is like removing the walls in your house, with just one small problem: some people can get to the bedroom where your wife is sleeping. Now you need to stay at home 24x7 to monitor who is around.
With mainframes we used to have layers and channels of access. A system programmer or a DBA had a different access channel. A user had access to an application but never to the infrastructure.

#7 JohnDoh
Posted 13 July 2012 - 06:44 PM

"Three Steps to Avoid Getting Hacked Like Yahoo"

how about 2 steps:

1. Don't use Yahoo.
2. see step 1.

:D

#9 crosswordbob
Posted 13 July 2012 - 07:00 PM

If these reports (especially that of the previous poster who mentioned SQL injection) are true, this is truly pathetic. Perfect security is a myth, but these are basic and above all EASILY AVOIDED vulnerabilities. They're pretty much on par with being burgled because pulling the door to when you leave is too much effort. Only it's not your stuff that gets stolen.
If I dispute one single point in a post, that should not be taken as an indication that I agree/disagree with any other point made by that poster or anyone else in the thread. Or anywhere else. Ever.

#10 bobc4012
Posted 13 July 2012 - 09:29 PM

When it comes to protection, Yahoo is pathetic. They have had their databases hacked more than once. Yahoo Groups is constantly getting hacked. A while back I had a complaint from someone in my address list that I was sending them XXX spam. I did not; I even received some of that same spam (sent to me FROM ME). I checked the headers and saw it originated outside the US. I contacted Yahoo support and they accused me of being negligent, letting others use my computer carelessly, etc. In my initial contact, I pointed out that my wife and I live alone (she won't go near the computer) and nobody but me has access to it. After their bogus response, I forwarded the spam and told them to check the header: they could see it did not originate from my e-mail address, and there was no way I had passed on my address book to others. In fact, some of the addresses were no longer valid and I was getting e-mails to those addresses bounced back. After all the proof I had sent to Yahoo, their follow-on response was to ignore e-mails from me.

I don't know what they use for their servers (Windows Server maybe?), but I have had other negative experiences with Yahoo along these lines and they deny the problem is theirs. Yahoo needs to step up and take responsibility when there is a hacking problem.

#11 VenkatKalepu
Posted 14 July 2012 - 06:37 AM

It shows how poorly most organizations' information is handled. It's an eye opener; at least now the companies should be more careful.

#12 GraysonPeddie (Orlando, FL)
Posted 14 July 2012 - 06:50 AM

If Yahoo does not know how to deal with mail, they do not know how to deal with databases when it comes to security.

A Postfix system configured to block Yahoo.com and reduce the amount of spam from others is all it takes.

Subset of /etc/postfix/main.cf:

# Sender checks. The access table below holds regular expressions, so it must
# be opened as a regexp: table. A hash: table does exact key lookups and would
# never match an entry such as /\.ru$/.
smtpd_sender_restrictions =
  check_sender_access regexp:/etc/postfix/sender_access,
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  permit
# Defer rejections until RCPT TO, so the whole envelope is available for
# logging, and require a HELO/EHLO name before MAIL FROM is accepted.
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
  permit_mynetworks,
  reject_non_fqdn_hostname,
  reject_invalid_hostname,
  permit
# Recipient checks. warn_if_reject covers only the single restriction that
# follows it (reject_non_fqdn_hostname), which is therefore logged, not
# enforced. relays.ordb.org, opm.blitzed.org and list.dsbl.org have been shut
# down and are left out: a dead list costs a DNS lookup per message, and after
# ordb.org closed its zone was changed to answer positively for every query,
# which rejected all mail on servers that still consulted it.
smtpd_recipient_restrictions =
  reject_unauth_pipelining,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  warn_if_reject,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_invalid_hostname,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client sbl-xbl.spamhaus.org,
  permit
# Header patterns also live in a regexp: table.
header_checks = regexp:/etc/postfix/header_checks


/etc/postfix/sender_access:

# Matched against the envelope sender (MAIL FROM). DISCARD accepts the message
# and then silently drops it, so the sender never receives a bounce. Each
# pattern covers an entire top-level domain, so legitimate mail from those
# domains is dropped along with the spam.
/\.ru$/           DISCARD
/\.cn$/           DISCARD
/\.ch$/           DISCARD
/\.dk$/           DISCARD
/\.nl$/           DISCARD
/\.cz$/           DISCARD
/\.info$/         DISCARD
/\.biz$/          DISCARD
/\.au$/           DISCARD


/etc/postfix/header_checks:

# Evaluated against each message header line. DRUGS_ERECTILE is a SpamAssassin
# rule name, so these two patterns drop mail whose X-Spam-Status header lists
# that rule; the first pattern already matches everything the second does.
/DRUGS_ERECTILE/ DISCARD
/DRUGS_ERECTILE_?/ DISCARD
# Reject mail whose To: header hides the recipient list (for example
# "undisclosed-recipients") unless it comes from the local domain. In a
# Postfix regexp table the "if" keyword and its pattern go on one line.
if !/^From:.*@graysonpeddie\.com/
/^To:.*recipients*/ REJECT Please specify at least one address you are sending to.
endif
# Dots are escaped so the pattern matches the literal domain only.
/^From:.*@yahoo\.com/ DISCARD


Along with Postfix, I use Amavis, ClamAV (with clamav-freshclam), and SpamAssassin. I have Zarafa Community Edition running with reduced privileges for file system and database access. Above all, I am using a strong password which will take 35 or more centuries to crack.

When it comes to creating my own website, I'll do everything to prevent character escaping/delimiting.

Well, at least I don't have any friends in Yahoo Messenger. I barely use it except when it comes to making relay calls (i711, Purple Relay, Sprint IP Relay, etc.) due to my hearing impairment.

#13 Extremist
Posted 14 July 2012 - 07:33 AM

Step 4: Don't hire orangutans as programmers.