Ice TV hacked?

Started by MikeKulls, June 03, 2012, 09:55:06 PM


futzle

#15
I've been getting fake Facebook updates (I'm not on Facebook) to the IceTV address that I supplied only to IceTV (interactive and the forum) since July.  The username is 13 characters long and contains a hyphen.  Really, that's not guessable. If spammers were guessing users at my domain I'd be seeing a lot more other spam to the same domain, and the IceTV address accounts for about a tenth of the spam at my domain, which is a pretty high proportion for a 13-character username guessed randomly.

Interesting that these all started at about the same time.  That's not consistent with an exploit that attacks individuals, such as a JavaScript virus scraping history.  I'd also be seeing spam to some of the other four or five dozen custom email addresses that I've logged in with (Amazon, PayPal, Google, little tiny stores you've never heard of), and I'm not.

I'll change my IceTV username to something totally random.  Luke, how many bits of entropy would convince you that a future breach is legitimate?

What I'd like to know is: what else was on that server?  Real names? Billing addresses?  Whether you think you've been hacked or not, how much could an intruder have learned?

Edit: I suppose I'm saying that lobbing accusation-hand-grenades at 50 feet about each others' respective computer hygiene isn't productive.  The addresses are out there, one way or another, and hence are scorched earth.  What I'd like to do is cooperate with IceTV and create an experiment that can help to identify the weak spot, whosever it is.  Take as many variables out of the equation.  With any luck, this experiment will never produce results, and I don't ever get further spam.  But if I do get spam again, at least it will provide useful data.

lukem

futzle, I like your last edit, and we're happy to assist in any way. PM what you have in mind.

http://en.wikipedia.org/wiki/Password_strength contains useful information to answer your question on entropy.


prl

One way to generate strong pseudo-random strings is to take some longish piece of text, preferably not from a book or similar, and run it through a strong cryptographic hash like MD5. Use the hexadecimal result as your random string. Truncate it or add characters as necessary to make it valid for the given purpose.

The MD5 hash for the above text (with a terminating newline), for example, is cf22e290808a0b13f4ea508bc275ce13.

Peter
Beyonwiz T4 in-use
Beyonwiz T2, T3, T4, U4 & V2 for testing
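An added example (not code from this thread or from IceTV) of the experiment futzle proposes, combined with the hashed-string recipe prl describes: each service gets its own mailbox name derived from a secret key, so a spam recipient at a catchall domain can be traced back to the service it was issued to, and the entropy of the name can be stated in bits. HMAC-SHA256 in place of MD5, the key, the domain and the service names are assumptions of the example.

```python
import hashlib
import hmac

# Constructed demo values; a real deployment would keep the key private.
KEY = b"constructed-demo-key-not-a-real-secret"
DOMAIN = "example.com"
SERVICES = ["icetv", "amazon", "paypal"]
HEX_BITS_PER_CHAR = 4  # one hex digit carries 4 bits of the digest


def canary_local_part(key: bytes, service: str, length: int = 13) -> str:
    """Derive the mailbox name to register with one service.

    prl's recipe hashes a private piece of text and truncates the hex digest;
    here the 'text' is a secret key plus the service name, combined with
    HMAC-SHA256 (an assumption), so one key yields a distinct, reproducible
    address per service without keeping a list of them.
    """
    digest = hmac.new(key, service.lower().encode(), hashlib.sha256).hexdigest()
    return digest[:length]


def entropy_bits(local_part: str) -> int:
    """Bits of entropy in a truncated hex digest (futzle's 'how many bits' question)."""
    return HEX_BITS_PER_CHAR * len(local_part)


def days_to_hit_by_chance(bits: int, emails_per_day: float) -> float:
    """Expected days for random local-part generation to hit one specific name."""
    return (2 ** (bits - 1)) / emails_per_day


def attribute_leak(key: bytes, domain: str, services, recipient: str):
    """Return the service whose canary matches the spam recipient, else None."""
    local, _, dom = recipient.rpartition("@")
    if dom.lower() != domain.lower():
        return None
    for svc in services:
        if hmac.compare_digest(canary_local_part(key, svc), local.lower()):
            return svc
    return None  # a random botnet guess, or an address never issued by us


if __name__ == "__main__":
    for svc in SERVICES:
        print(f"{svc:>7}: {canary_local_part(KEY, svc)}@{DOMAIN}")
    spam_to = canary_local_part(KEY, "icetv") + "@" + DOMAIN  # constructed spam recipient
    print("leak attributed to:", attribute_leak(KEY, DOMAIN, SERVICES, spam_to))
    print("bits in a 13-char name:", entropy_bits(canary_local_part(KEY, "icetv")))
    print("days to hit it at the thread's 1,440,000,000/day:",
          round(days_to_hit_by_chance(52, 1_440_000_000)))
```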

peterdeg

Quote from: futzle on September 13, 2012, 08:17:59 PM
I've been getting fake Facebook updates (I'm not on Facebook) to the IceTV address that I supplied only to IceTV (interactive and the forum) since July.  The username is 13 characters long and contains a hyphen.  Really, that's not guessable

Have to jump in here. The spammers aren't 'guessing', they're using botnets to generate email addresses using random names/letters/numbers/characters.
100,000 infected machines (a small botnet) generating 10 emails a second is a lot of emails per day (1,440,000,000). The vast majority of those are junk. A small proportion end up as valid and in all probability, that's what you're seeing.

Real world example. One spam forwarded to me recently (I'm in the IT security investigations group in a large IT company) was addressed to this list of email addresses:
jonathan_stern@___.com jonbrown@___.com jonesseanj@___.com jovannybisel@___.com jreqbhrpsz@___.com jstern@___.com justin_hildebrandt@___.com karen_taylor@___.com karlicoyan@___.com katbrown@___.com katieg@___.com kaylahbadman@___.com kentbekent@___.com

Four of those are legitimate and the legitimate ones aren't the ones you'd expect!
So personally, I don't believe there has been any compromise of IceTV.

futzle

#19
Quote from: peterdeg on October 25, 2012, 12:37:14 PM
The spammers aren't 'guessing', they're using botnets to generate email addresses [...] A small proportion end up as valid and in all probability, that's what you're seeing.

I failed to mention (sorry) that I own my own domain, and I have a catchall account that collects all email sent to futzle.com, even for nonexistent mailboxes.  From the perspective of a spammer, all messages sent to futzle.com are valid.  Try it, make up a username and send me an email.  I'll let you know what I get.

That's what I based my assertion on: that the ones sent to my IceTV-registered address were arriving out of all proportion to its guessability.

I'd buy your argument if I was using GMail or something, yes.

Edit, obTopic: I haven't received a new spam at that address for a number of weeks now.  That's the usual pattern.