February 12, 2003
Cracking Yahoo, Closing Shop

A fond farewell from New Architect; our final issue

Christopher Null
Web mail vulnerabilities usher in a new era of hacking-made-easy.

One of the most frightening trends in security breaches has been the recent dramatic rise in hacks against personal accounts on Hotmail, Yahoo, and the like. Hotmail has long been notorious for its poor security, but hacked email accounts raise few eyebrows. With Yahoo accounts, however, things are a little dicier. Thanks to Yahoo's plethora of services, a hacked password can give you access to financial data, the ability to bid on items at Yahoo Auctions, or even a direct link into someone's small business.

Breaching Yahoo's security all comes down to knowing your target. Armed with a user ID and some personal information, such as date of birth and zip code, a hacker can reset a Yahoo password and have it mailed to an alternate address. While Yahoo users can also specify a "security question," whether it secures anything is iffy: The answer to a user's security question is usually either their mother's maiden name or their pet's name—both of which are about as easy to unravel as their zip code.

Some Yahoo hacks aren't even hacks at all. Recently, Chris Gore, publisher of the Film Threat site (filmthreat.com), checked his email only to find that a spam message had found its way onto the Film Threat mailing list, a newsletter hosted at Yahoo Groups. Even after he found the spammers (a Dallas politician and her husband, according to Gore; they did not return requests for comment), they denied responsibility. Gore threatened to sue, and the incident exploded into a nightmare of additional spam attacks and calls from Gore to the FBI and FTC. Gore is now filing a civil suit along with Yahoo.

How'd they do it? It looks like the oldest spammer trick in the book: When a mailing list's only security method is checking to see that the sender of the message is the moderator of the group, forging a few email headers is all it takes to hijack it.
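The sender-only check described above, next to a stricter one, as an added example that is not from the original column or from Yahoo Groups. The addresses, the `mx.list.example` authserv-id and both sample messages are constructed, and the stricter check assumes the list's own receiving MTA verifies DKIM and strips inbound `Authentication-Results` headers that claim its own authserv-id.

```python
from email import message_from_string
from email.utils import parseaddr

MODERATOR = "moderator@list.example"   # constructed address
TRUSTED_AUTHSERV = "mx.list.example"   # hypothetical authserv-id of our own MTA

def weak_is_moderator(raw):
    """The check the column describes: believe whatever the From header says."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].lower() == MODERATOR

def hardened_is_moderator(raw):
    """Require an aligned DKIM pass recorded by our own MTA for the From domain."""
    msg = message_from_string(raw)
    senders = msg.get_all("From", [])
    if len(senders) != 1:                       # missing or duplicated From: reject
        return False
    addr = parseaddr(senders[0])[1].lower()
    if addr != MODERATOR:
        return False
    domain = addr.rsplit("@", 1)[1]
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in header.split(";")]
        authserv = parts[0].split()
        if not authserv or authserv[0].lower() != TRUSTED_AUTHSERV:
            continue                            # stamped by another host: ignore
        for result in parts[1:]:
            tokens = result.lower().split()
            if tokens[:1] == ["dkim=pass"] and f"header.d={domain}" in tokens:
                return True
    return False

# Constructed samples. The forged one carries a sender-supplied "pass" header.
FORGED = (
    "Authentication-Results: mx.list.example; dkim=none; spf=fail smtp.mailfrom=bulk.example\n"
    "Authentication-Results: other.example; dkim=pass header.d=list.example\n"
    "From: List Moderator <moderator@list.example>\n"
    "Subject: constructed sample\n\nbody\n"
)
GENUINE = (
    "Authentication-Results: mx.list.example; dkim=pass header.d=list.example\n"
    "From: List Moderator <moderator@list.example>\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, weak_is_moderator(raw), hardened_is_moderator(raw))
```

The From-only check accepts both messages; the stricter check accepts only the one whose DKIM result was recorded by the list's own MTA.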

According to Gore, trying to resolve issues like these is a nightmare, one that will hurt the company before too long. "I don't think there are any humans at Yahoo," bemoans Gore. It certainly seems that way. Unless the lawyers get involved, it's hard to get a Yahoo rep on the phone. It took a week to get a canned response on this issue emailed to me by company rep Mary Osako. While Yahoo invoked its privacy policy to decline comment, Osako says it takes all issues of abuse "very seriously" and always takes "swift and appropriate action" in response.

Alas, not swift enough: Gore shut down the group altogether and started his own listserv. When enough compatriots follow suit, maybe Yahoo will figure out how to fill its many holes.


Over the last few days, New Architect has found itself inexplicably overwhelmed with fan mail. But as any editor will tell you, whenever something good like this happens, it's a sure sign of trouble. True to that theory, I have some bad news: The issue you're holding will be our final installment.

New Architect was born from Web Techniques exactly one year ago, a reaction to the need for more sophisticated coverage of how enterprise-level technologies impacted business strategy and, to be honest, a reaction to a dramatically shrinking ad market for low-level Web tools. Unfortunately, the advertising market isn't much better up here; certainly you've noticed many of your favorite tech magazines looking gaunt these days. And recovery still seems a bit too far off for a startup publication to keep riding it out.

I hope we've done some good by providing analysis, feature stories, and case studies that you just won't find anywhere else. With any luck, our unique brand of content will re-emerge as part of one of our sister publications, all of which I encourage you to check out at www.cmp.com/publist. Our Web site at www.newarchitect.com will stay live as well, with the complete archives of the magazine readily available.

As for you readers, I offer you the best of luck with the intense challenges facing IT today. As parting advice, I encourage you to keep your ship lean by investigating open-source alternatives and investing in employees who may have less experience but are eager to learn new skills. Wholesale infrastructure upgrades make little sense (and who can afford them?), so obsess over the bottlenecks and address them one by one. Your users will thank you. Your CEO will think you're a genius. Your staff will never want to leave. Keep the faith.


Christopher Null is editor in chief of New Architect.
