Email

Social Media and the Downfall of the Password Reset Question

There have been a number of high profile account compromises due to the insecurity of password reset questions. Two big ones off the top of my head are the Sarah Palin Yahoo account compromise and the Twitter “Hacker Croll” fiasco. There have been many more account compromises due to weaknesses in password reset questions, even if they are rarely as publicized in the mainstream media as those two. The attacks are basically the same: primary e-mail accounts are typically secured by a password, and the password can be changed by entering the answer to a password reset question.

Both of these account compromises were caused by weak password reset questions. And although Palin certainly was/is a high profile account, the Twitter compromise was caused by a low-profile IT Administrator who happened to store sensitive company documents in their Google Docs folder. This goes to show that everyone, from the CEO of a large company, to a low-level system administrator, is accountable for the security of their accounts.

Sample (bad) Password Reset Questions:

Many e-mail accounts use a typical range of password reset questions:

  • What is your mother’s maiden name?
  • What was your first pet’s name?
  • What is your favorite sport?
  • What is your oldest daughter’s name?
  • More Questions

Even questions regarded as “Good” on this list are easily guessable if you have access to the social networks of an individual. For example: What is the middle name of your youngest child? What is your oldest sibling’s middle name? Answers to these questions often appear on Facebook or other social media websites.

After coming up with the idea to write this article, I took a look at my own email account’s password reset question. It was set to my father’s middle name. I had probably set this when I first signed up for a beta account back in 2005 or so; I was not in the mindset that it would become my primary account and also the gateway to a bevy of information. As with many folks, when I sign up for a new account on a website, it will often e-mail my account information (including my password, boo!) to my e-mail account. And, as I suspect is true for most people, I do not follow the best practice of using a different password for each account. Not to mention that many other accounts will send an email to the address on file in order to reset their passwords. Therefore, not only is the main account password at risk; there is a lot riding on the security of your email account. If someone can gain access to your email account, they also gain access to a lot of frequently used passwords and accounts. Domain hijacking has occurred using this method.

The Solution

The first step is that password reset questions must not be answerable from information available via social networking sites. For someone who is very active in social networking, this might seem hard to come up with at first, but it really is not.

A good password reset question is:

  • Not easily guessable from online or offline sources (secure)
  • Stays the same over a long period of time (stable)
  • Is readily recallable by the authoritative person (obtainable)
  • Has only one answer (definitive)

My source for questions that satisfy these metrics is my wallet. I look for cards that have information that will stay the same for a long period of time, for example, a driver’s license, library card or other membership card.

You can then set your password reset question to a value on those cards. If the site does not let you write your own password reset question, you might reuse a common one, such as “mother’s maiden name”, with this answer instead. Just be careful you don’t get too tricky, or you might forget which answer you gave for the question and lose access to your account for good.

For a sample answer, you might use the first 5 digits of your driver’s license ID, plus the last 6 of your gym membership card. Really, you can use any information you want that you do not share on social media websites. Just make sure it follows the four guidelines above.
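A server-side check that applies the guidelines above mechanically, added here as an example and not code from the original post: it rejects a proposed reset answer that is short, comes from a small fixed answer space (favorite sport), or contains anything from the user’s public profile. The profile data, the small-answer-space list and the minimum length are constructed assumptions for the example.

```python
"""Policy check for password reset answers (added example, not from the post)."""
import re
import unicodedata

# Constructed public profile: the kind of data visible on a social network.
PUBLIC_PROFILE = {
    "name": "Jane Q. Doe",
    "relatives": ["Robert Doe", "Mary Smith Doe", "Emily Doe"],
    "pets": ["Rex"],
    "hometown": "Springfield",
}

# Answers to "favorite sport / color" style questions; assumed list.
SMALL_ANSWER_SPACES = {"football", "baseball", "soccer", "basketball",
                       "hockey", "red", "blue", "green"}


def normalize(text):
    """Lower-case, strip accents and punctuation so 'Mary!' == 'mary'."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_text.lower())


def profile_tokens(profile):
    """Every word of every profile field, normalized, as a set."""
    tokens = set()
    for value in profile.values():
        for item in (value if isinstance(value, list) else [value]):
            for word in re.split(r"\s+", item):
                tokens.add(normalize(word))
    tokens.discard("")
    return tokens


def check_reset_answer(answer, profile, min_len=8):
    """Return a list of policy violations; an empty list means acceptable."""
    a = normalize(answer)
    problems = []
    if len(a) < min_len:  # stable + definitive answers from cards are long enough
        problems.append("too short: fewer than %d characters" % min_len)
    if a in SMALL_ANSWER_SPACES:
        problems.append("drawn from a small answer space")
    for tok in profile_tokens(profile):
        if len(tok) >= 3 and tok in a:  # skip initials like "q"
            problems.append("contains public profile value %r" % tok)
    return problems
```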

Do you have any tips for a good password reset question?

Add IP to whitelist for Postini Mail Filtering

I could not find any way to add an IP address as a ‘white list’ entry for our Postini installation. Mails coming from our mailing list manager kept getting caught in the Postini spam interface (which is probably a whole other issue, which I will need to address later).

To get Postini to white list an IP address, you need to go into the Batch editing mode and issue this command:

addallowedip organization name,domain.com:10.0.0.0

Full Postini Batch Reference

See page 30 for ‘addallowedip’ syntax and more information.

Outlook 2003 or 2007 Won’t Save Hosted Exchange Password

For many people using hosted Exchange services, password-saving problems can plague you. That is mainly because Outlook doesn’t like it if the Exchange server’s domain doesn’t match your domain.

With the default setup you would have to enter your password every time you open Outlook. Fortunately there is a way around this.

First step is to change the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Change lmcompatibilitylevel to “2”

Here are the meanings of these numbers (source); note that at level 2 the client authenticates with NTLM rather than NTLMv2, so this is a compatibility trade-off:

0 – Clients use LM and NTLM authentication, but they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
1 – Clients use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
2 – Clients use only NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controller accepts LM, NTLM, and NTLMv2 authentication.
3 – Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
4 – Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM authentication responses, but it accepts NTLM and NTLMv2.
5 – Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM and NTLM authentication responses, but it accepts NTLMv2.

I’ve uploaded a registry file which will automatically make the change here.

You then need to access the advanced user dialog properties (see my previous article on this if you do not see a tab in the Control Panel -> Users & Accounts dialog). Click “Manage Passwords” and then add a new entry. This entry should be the Exchange server’s real name, the name that pops up in your password prompt windows. In my example, it is MAILXXX.mail.lan.

Advanced User Dialog Save Passwords

Finally, make sure that the Exchange server’s local name, MAILXXX.mail.lan, is in your hosts file. For most Windows XP folks, this is C:\WINDOWS\system32\drivers\etc\hosts.

The format is:

69.x.x.x MAILXXX.mail.lan

where the real, reachable IP address is the first part and the real Exchange server name is the second part. This allows your PC to resolve the “real” Exchange server name over the internet, even though it is not a resolvable hostname on the public internet.

Lyris Listmanager – Hacking the Web Frontend For Increased Functionality

Lyris Listmanager is a nice mailing list management system. However, a few features are missing from the frontend that make it hard to get through your day-to-day office job. Fortunately, most of it is written in TCL routines which are not encoded, which makes it easy to update the code.

Of course this is not supported by Lyris, and if you have problems after making your changes, don’t expect them to support it. Make a backup of your files; in Linux this is /usr/local/lm.

For this example, I’m going to add the Full Name field to survey results. By default, it shows the email address but not the name of the responding user.

Step 1:

Backup!

cp -R /usr/local/lm /usr/local/lm.bak

Step 2:

Open the file which holds the routine for the “Survey Details” page. This is in /htdocs/reports/surveys/.tml

vi /usr/local/lm/htdocs/reports/surveys/.tml

Step 3:

Modify the code to add in FullName:

In the routine surveyreports::page_all_answers

Change
set sql "SELECT lyrSurveyResponse.WebDocID, lyrSurveyResponseAnswers.ResponseID as ResponseID, lyrSurveyQuestions.UserQuestionNumber, lyrSurveyResponse.ResponseTime, lyrSurveyResponse.MemberID, lyrSurveyResponse.RespondingIP, lyrSurveyResponse.MailingID, lyrSurveyQuestions.QuestionText, lyrSurveyAnswers.AnswerText, lyrSurveyResponseAnswers.FreeFormAnswer, [dbinfo::members_name].[dbinfo::members_emailaddr]

to

set sql "SELECT lyrSurveyResponse.WebDocID, lyrSurveyResponseAnswers.ResponseID as ResponseID, lyrSurveyQuestions.UserQuestionNumber, lyrSurveyResponse.ResponseTime, lyrSurveyResponse.MemberID, lyrSurveyResponse.RespondingIP, lyrSurveyResponse.MailingID, lyrSurveyQuestions.QuestionText, lyrSurveyAnswers.AnswerText, lyrSurveyResponseAnswers.FreeFormAnswer, [dbinfo::members_name].[dbinfo::members_emailaddr] as EmailAddr, members_.fullname_ as FullName

Change

array set heading_labels "AnswerText {Answer} ResponseTime {Date} QuestionText {Question} EmailAddr {Email Address}"

to

array set heading_labels "AnswerText {Answer} ResponseTime {Date} QuestionText {Question} FullName {Full Name} EmailAddr {Email Address}"

Change

array set column_width "ResponseTime 15 QuestionText 25 AnswerText 25 EmailAddr 25 Action_ 10"

to

array set column_width "ResponseTime 15 QuestionText 25 AnswerText 10 FullName 15 EmailAddr 25 Action_ 10"

Change

set sortable {QuestionText AnswerText ResponseTime EmailAddr RespondingIP}

to

set sortable {QuestionText AnswerText ResponseTime FullName EmailAddr RespondingIP}

Save this file and that is it! You will now have full names in your survey responses.

Remove Duplicate Email Messages in Thunderbird 2.x

I used to use a Thunderbird addon to remove duplicate messages in Thunderbird. This is handy if your mail client becomes “de-synced” from your mail server, whether it is an IMAP or POP3 connection. This can also occur if you restore a backup or import mails and it creates duplicates.

However, after Thunderbird 2.0 was released, this old plugin was not compatible. Eyalroz re-released the plugin under GPL and with updates for Thunderbird 2.0. If you have a need to remove duplicate emails – this is the plugin you need! Get it:

Remove Duplicate Messages (alternate)

Postfix queue tools

Here are a few handy items for Postfix email server users:

1. If your system is acting as a spam / antivirus / relay server for secondary internal servers, and your destination mail server is down, Postfix will queue your messages to resend at a later time. To make Postfix attempt delivery of the queued messages immediately, use:

postqueue -f

2. The mailq equivalent specific to Postfix is

postqueue -p

3. If you want to delete specific messages in your queue, use an ncurses based open source software called pfqueue. It will give you a menu that shows mail currently queued, and allows you to delete specific emails.

SMTP Errors – 550 vs 450

Well, I got a lesson in properly configuring your e-mail server’s error messages. Since setting up Postfix as an anti-spam and anti-virus gateway for my Exchange system (see my article Postfix as proxy to exchange server), I had left the option
soft_bounce = yes
enabled in my Postfix configuration.

This worked fine for months. However, I was then “joe jobbed”, which means that some spammer used my domain name as the “from” or “reply to” address on their e-mails. This causes a flood of e-mails from mail servers with messages such as “no user exists”, “this account has been deleted”, etc. These e-mails are completely valid and authentic responses from e-mail servers.

Now, it is my personal opinion that mail servers should reject connections for users who do not exist rather than generate more messages and bandwidth sending out a rejection response. But I understand why some e-mail providers wish to keep this option on, and I think Exchange has it on by default. So trying to change people’s minds is not going to work; we need to deal with these rejection messages responsibly.

Here is where my server configuration showed its flaws. Here are the official definitions of the 450 and 550 error messages:

450 Requested mail action not taken: mailbox unavailable (e.g., mailbox busy)
550 Requested action not taken: mailbox unavailable (e.g., mailbox not found, no access, or command rejected for policy reasons)

The difference between the two error codes is not really apparent at first glance. However, 400-level responses tell the remote server that there is a temporary error and it should try again later; how much later depends on each server’s settings. 500-level responses tell the remote server that it is a permanent failure and it should not try again.

In the case of a joe job, you have thousands of servers responding to your server that addresses can’t be found (or with any other error). When each of those servers “retries” its e-mail connection every 10 minutes or so, your server will quickly find itself rejecting a whole lot of messages.
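The retry pattern described above is visible in the mail log: the same remote host keeps getting a 450 for the same recipient. This detection script is an added example, not part of the original post; it groups Postfix smtpd reject lines by (client, recipient) and returns the pairs rejected with a 4xx code more than once. The log lines are constructed in the standard postfix/smtpd format, and the threshold is an assumption.

```python
"""Find 4xx retry storms in Postfix smtpd logs (added example, not from the post)."""
import re
from collections import defaultdict

# Matches the "NOQUEUE: reject: RCPT from client[ip]: CODE x.y.z <rcpt>:" prefix.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"(?P<code>[45]\d\d) \S+ <(?P<rcpt>[^>]*)>:"
)

# Constructed sample: one host retrying a 450 every ten minutes, one host
# that received a 550 and (correctly) never came back.
SAMPLE_LOG = """\
Mar  1 10:00:01 mx postfix/smtpd[2100]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 450 4.1.1 <ghost@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<ghost@example.com> proto=ESMTP helo=<mail.example.net>
Mar  1 10:10:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 450 4.1.1 <ghost@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<ghost@example.com> proto=ESMTP helo=<mail.example.net>
Mar  1 10:20:03 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 450 4.1.1 <ghost@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<ghost@example.com> proto=ESMTP helo=<mail.example.net>
Mar  1 10:21:00 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from relay.example.org[198.51.100.7]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<nobody@example.com> proto=ESMTP helo=<relay.example.org>
"""


def parse_rejects(log_text):
    """Yield (client, code, recipient) for each smtpd reject line."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.group("client"), int(m.group("code")), m.group("rcpt")


def retry_storms(log_text, threshold=2):
    """Map (client, recipient) -> number of 4xx rejects, for pairs at or above threshold."""
    counts = defaultdict(int)
    for client, code, rcpt in parse_rejects(log_text):
        if 400 <= code < 500:  # only temporary rejects invite a retry
            counts[(client, rcpt)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (client, rcpt), n in retry_storms(SAMPLE_LOG).items():
        print("%s retried <%s> %d times after a 4xx reject" % (client, rcpt, n))
```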

Fortunately, the fix is easy: configure your server to respond with 550 instead of 450. Look at the change in the graph below, almost immediately after I switched to the 550 message:

SMTP 450 vs 550 rejection rate

You can see the benefit of using the 550 message. In Postfix, the change is simple: change the soft_bounce line to:

soft_bounce = no

You can also customize your rejection codes for particular errors as below.

unknown_local_recipient_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

For more codes: Postconf manual
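A small audit of these settings, added as an example and not part of the original post: it reads main.cf-style “key = value” lines and reports soft_bounce = yes and any *_reject_code below 500, the settings that turn permanent failures into “try again later” answers. Both configuration fragments are constructed; multi-line continuation values in a real main.cf are not handled.

```python
"""Audit main.cf for soft-bounce style reject codes (added example, not from the post)."""
import re

# Constructed fragment with the weak settings discussed above.
WEAK_CONFIG = """\
# soft_bounce turns every 5xx into a 4xx, so remote servers keep retrying
soft_bounce = yes
unknown_local_recipient_reject_code = 450
unverified_sender_reject_code = 450
"""

# Constructed fragment with the corrected settings.
FIXED_CONFIG = """\
soft_bounce = no
unknown_local_recipient_reject_code = 550
unverified_sender_reject_code = 550
"""

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_main_cf(text):
    """Return {parameter: value} from single-line 'key = value' entries."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def find_soft_rejects(text):
    """Return (parameter, value, advice) tuples for settings that invite retries."""
    findings = []
    params = parse_main_cf(text)
    if params.get("soft_bounce", "no").lower() == "yes":
        findings.append(("soft_bounce", "yes", "set soft_bounce = no"))
    for key, value in sorted(params.items()):
        if key.endswith("_reject_code") and value.isdigit() and int(value) < 500:
            findings.append((key, value, "set %s = 550" % key))
    return findings


if __name__ == "__main__":
    for key, value, advice in find_soft_rejects(WEAK_CONFIG):
        print("%s = %s -> %s" % (key, value, advice))
```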