Microsoft rejecting emails as spam

Microsoft blocks emails from legitimate sources

Once again in the war on spam, there are friendly casualties. Many users are reporting that their emails are not getting through to Hotmail and Outlook.com users. Some of our clients are reporting that they are not receiving emails to their Microsoft email addresses from us. This of course risks users not receiving important emails about their domains and services. Read More

Why pay for email when Gmail is free?

This is a question we are often asked:

Why should I pay for email when I can get Google Mail for Free?

There are many reasons for this; we usually don’t need to mention more than a couple before people understand the importance of paid versus free email.

Firstly, I believe that if you use email for business then it is not a good sign for your business if you use insecure free email to keep customer data. The fact that you can’t or won’t attempt to look professional and keep the basics, email, secure as possible, is a big indicator of other parts of your business where you may not have adequate standards and for many that mean potential clients will be put off. I personally will not use anyone who uses a free email address for any type of business. Using your own domain and email is not necessarily expensive and is no guarantee of anything, but it is the first hurdle and if you fail here it doesn’t matter that you have any awards for this and that and customer comments and reviews because I will not entertain the idea. This is shared by many people that I know. Remember that fraudsters generally don’t bother to use their own domain name as they need to keep costs down and be able to change at the drop of a hat, so they use free email. Most people who sign up to us with free email accounts were just fraudsters trying their luck with us, that is why we no longer accept free email account signups.

Even if you don’t use it for work or business then it’s better to have your own domain and email that you can control. Anyone can get a free email from Google and most fraudsters use Gmail or some other free email account to con people all the time, so you really will put some people off from even looking at you if your email address is a free account. I know that I will not entertain any business that uses them and one of the main reasons is below.

Read More

About Mat Honan’s Epic Hacking

I am sure that you have all heard about Mat Honan’s very bad weekend by now, But just in-case you have not, here is an overview of what happened. There is a very good podcast that you can listen to if you want the full story or read the transcripts: http://www.grc.com/sn/sn-364.txt or you can read Mat’s story : http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

If you regularly keep up-to-date with security news then you will have heard all about this story. This is intended for those who do not keep up with the news or find it too complicated or technical to follow, or just don’t have time to keep up to date with this stuff. As this is an important story, I have written this brief article about here.

Firstly, who is Mat Honan? He is reporter for Wired magazine and former senior reporter for Gizmodo. He knows a thing or two about technology.

This is a brief sumary about what happened to him a couple of weeks ago. Just so you can be aware and not make the same mistakes as he did. He thought he was safe because he used secure long gibberish passwords, but that did not help him in this case.

In the space of one hour Mat’s entire digital life was destroyed. Here is the order of things that were done:

  1. Google account taken over, then deleted
  2. Twitter account taken over
  3. Apple ID taken over and remotely erased his iPhone, iPad and MacBook

Here is how they did it and what you need to watch out for.

The hackers were only after his Twitter account as he has a nice handle (@mat). To get to this they destroyed his digital life. Firstly, they noticed that his Twitter account was connected to his personal website. On his personal website they found his GMail.com address. Using Google Mails account recovery they discovered that he had a @me.com address, which he used as the backup to receive password resets to.They also had his name and address, which they obtained form his website but could be obtained in a number of ways. Lets face it every time you order pizza you give your name and address, you probably chuck out lots of junk mail with your name and address on it. There are also numerous ways on line to get that information. So, with this information they phoned, yes phoned Amazon. Claiming to be Mat they said that they wanted to add a credit card to their account. With the Name and billing address they were able to do this and using a credit card number made up by a website devoted to generating numbers that conform to the algorithms used they added a card to his account. They then hung up and phoned back and said that they could not get in to their account (Mat’s account). They were then asked for their name, billing address and a credit card on file. Using the credit card they had just added they were then able to add a new email address to the account. They then went to the Amazon website and preformed a password reset to the new email address that they had just added.

They can now see all the credit cards that had been previously added to the account, including the real card that Mat uses. Granted it is only the last four digits of the card as that is what Amazon considers safe to show you (as do a lot of other companies). They now called Apple Care and said that they had lost access to their (Mat’s) @me.com account. Apple kindly helped this fake Mat to recover his password using a temporary password which they issue over the phone which you can then use to access the account and to change the password to the account. This was issued despite the fact that the hackers could not answer any of the security questions on file!! In the end all they needed was his name address and yes, you guessed it the last four digits of a credit card on file.

Once they had hacked in to his @me.com account they could send a password reset from his Twitter account which went to his @me.com address and they quickly reset his twitter account password. This was there intended goal as they could now tweet in his name and upset his followers, just for the fun of it!

Here is the horrible bit: In order to stop Mat from regaining control over his account, they did the following. Deleted his GMail account. Preformed a wipe on his iPhone, iPad and MacBook, thus deleting his entire and only copies of his daughters first year and a half pictures and pictures of relative who are no longer in this word. It was not the intention of the hackers to delete these things but just collateral damage to the main goal, his Twitter account.

You need to be aware of where your accounts lead to and what information you leak out on them. Information these days is very easy to get to because people do not protect it well enough.

Amazon has since confirmed that it will no longer accept information over the phone in this way. Apple has not confirmed yet that it has closed these obvious loop holes, however it did make immediate temporary message and stopped issuing temporary password over the phone, we are still waiting to see what their permanent fix will be.

It is important to note that the companies followed their procedures and the procedures let the customer down. We make it easy from a customer service point of view and that lets the bad guys get in too. It is a shame that we need to have any security at all, it would be nice if we could just have username and no need for a password, but we need passwords and we need to make sure that they are secure and the problem that most companies face is keeping the customer happy, wand secure and that is a tall order as most of the time convenience is the enemy of security. The easiest way to thin of it is a sliding scale with security on one side and convenience on the other. The more convenient we make it the less secure we make it.

Keep your personal data private and do not exposes it unnecessarily. As I have always said, best to have your own domain name and email address and not to use a free generic one for any of your key services, one that you can maintain complete control of and cannot be taken over in anyway by use of social engineering attacks, such as this one. Don’t get me wrong, there are uses for the free accounts but not as your main email address and not as password recovery addresses as these free accounts are constantly hacked in to by this and other methods. They are far too liable to this kind of attack.

 

CritchCorp.