March 5, 2013 at 13:46Just about mail security
This post has two goals. First: slightly open the veil over the rules of the game, which adheres to a large postal service in matters of security. We want the measures we take to protect users to become more intelligible to the community. The post was written based on the experience of Mail.Ru Mail, but the recommendations are universal and applicable to any mail service.
The second goal is to talk about how to protect the box. We will go through the basics and recall those points in the "security plan" that are rarely thought of. Perhaps the information in this article will be useful to you, and perhaps to your careless friend, parents or colleague. Perhaps we will even be able to make the calls “I seem to have a box hacked, you are a programmer, do something !!! 11” has become a little less.
In any case, if after reading someone makes a couple of changes in the settings of their email inbox, this will be the best result that the authors can count on. And if you already know all this, then we can only rejoice.
We will talk about how to break open mailboxes, to whom and why this may be needed, and describe how to prevent hacking (as well as what to doand where to go if all bad has already happened).
Why hack email
Why can your mailbox be of value to someone? Very often, users neglect basic precautions simply because they cannot answer this question. Of course, usually the ultimate goal of hacking is to get some kind of financial profit. But from whom can a cracker get money? There are several scenarios.
Most often, spammers are engaged in buying large mailboxes. Hacked mailboxes are used for mass mailings of messages like "Elite replicas of Swiss watches." Most hacks are committed precisely for this purpose.
Even if the hacker's main goal is to resell the box, immediately after gaining access, he will still look at the information contained in the box for something more or less valuable. This can be, for example, accounts of social networks, hosting, banks, electronic money, game accounts. If the box does not contain data about the passwords themselves, the attacker may request a password recovery to the box. Also, the attacker will surely check if your email password is suitable for accounts on other resources.
You can become a victim of blackmail - they will offer you to redeem access to the box or to your account on the social network. The subject of blackmail can also be personal information (correspondence, photos, scans of documents), which is contained in the box. Sometimes, to collect money from owners of hacked accounts, services for receiving paid sms are used. Unfortunately, not all sms-aggregators are quite scrupulous in this matter.
Hacking can be custom. Access may be needed by your competitor or former partner, employee, jealous spouse. Just note that hacks on order account for a very small fraction of the total.
From this we can draw a simple conclusion - any mailbox has value for a cracker.
How to hack mail
On the Internet you can find ads about hacking mailboxes on order. Prices range from a dozen to several hundred dollars. In most cases, the customer becomes the victim, who is deceived in one way or another or blackmailed with a promise to tell the victim about an attempted hack. If, nevertheless, it comes to hacking, then usually social engineering and, more rarely, the selection of a password and a secret question go into battle.
But usually hacks are done en masse and using botnets. The attacker has no purpose to crack a specific box; he has the task of breaking as many mailboxes as possible - for example, having a certain simple password. The situations of a truly serious hack, when, for example, 0-day security vulnerabilities in any browser were used against the victim, we have not yet encountered.
Below are the basic methods of gaining access to someone else's box and ways to protect against them.
Almost any Trojan, among other information, also removes passwords from email. According to various sources, up to 30% of computers are infected every year. Using Linux, MacOS X, any other operating systems or various phone and tablet platforms does not guarantee the absence of malware.
At the same time, remember that at first a malicious program appears, then someone infects it, and only after a while it gets into the anti-virus database. Thus, the antivirus does not guarantee 100% protection. However, this does not mean that you do not need to use antivirus programs. It’s enough not to prevent the antivirus from updating the database regularly, and it will not miss most of the threats.
It is not only about short passwords or passwords from the same digits. On the Internet you can find the base of popular passwords, which includes almost all passwords consisting of consecutive keys on the keyboard (qwerty) or easily alternating characters (1q2w3e). The same can be said about passwords consisting of a date of birth in any format, even if it is supplemented by some symbol or initials. Of course, the most common dictionary passwords are also known - they are selected literally from the dictionary. A set of Russian vocabulary words in the Latin layout is also not a guarantee of invulnerability. Such passwords are also easily selected according to the dictionary. Do not forget that if you are registered in social networks, then almost anyone can find out your date of birth or phone. The number of the car and the data of various documents are also quite easy to “break through”,
It is necessary to take the choice of password very seriously, the degree of security of your mailbox depends on it. Choose a sufficiently long password, consisting of uppercase and lowercase letters, numbers and symbols. The more the password looks like a random sequence, the better. But Russian words in the English layout are not what we need.
Now it’s fashionable to use a multi-word keyword phrase instead of a password. This is a good practice, but avoid famous winged phrases. The key phrase should not be heard, it is better if it is unique, and even better - meaningless.
We recommend changing your passwords regularly. This is effective, because if you have already used a “mail” password somewhere on another site (which we strongly recommend not to do), and the unsecured site has leaked base, your mail account is at risk.
In addition, this makes it difficult to select (brute force) the password if a targeted attack is sent to the mailbox and will help protect against accidental password leaks - for example, when the password was used from someone else's infected computer.
It is logical to change passwords in connection with such life events as a divorce, dismissal, loss of a phone or notebook, capture and elimination of a Trojan.
However, frequent change of passwords can lead to their weakening: the user either starts to select easy passwords, or writes them in an easily accessible place, or makes the next password similar to the previous one. Resist the temptation and do not be lazy when inventing a password - the password for the mail should remain complex.
Mail.Ru, for its part, implements password protection in the form of anti-brute force - a multi-factor system that eliminates attempts to automatically enter the box.
Using answers to a secret question is not a good practice from a security point of view. But often this is the only way to regain access to the mailbox for a user who comes into the mail very rarely and does not indicate any real information about himself. Therefore, we and other free postal services do not refuse this.
If your favorite dish is dumplings, your favorite book is Harry Potter, the name of your grandmother can be found on the list of relatives on the social network, and the name of your favorite cat is signed in the top post under his photo, you are literally half a step away from making a big mistake.
All that has been said about passwords also applies to answers to secret questions.
The only difference between the secret question is that together with the answer, as a rule, CAPTCHA is requested (a verification code that needs to be recognized and entered), and there is a more strict limit on the number of input attempts. This somewhat complicates brute force (selection) by machine methods. Otherwise, the answer to the secret question is equivalent to a password, and you should choose it just as carefully.
Social engineering is a method of unauthorized access to information or information storage systems without the use of technical means, exploiting the human factor. One of the varieties of social engineering is phishing. A typical example is to force the user to enter a password on a foreign site disguised as an authorization page design, for example:
This is not the only option. Also quite often we are faced with social engineering aimed at “extracting” from the user the data necessary for password recovery or access to the box. For example, they try to request passport data under the guise of winning a lottery. The answer to a secret question can be found out in a normal conversation in social networks ("Do you have a cat? What a handsome man! What is his name?"). Everything explains the classicjoke with Basha :
Connect: Listen, can we be relatives?
ALEXA: think ???
Connect: Well, maybe distant. What was your mother’s maiden name?
ALEXA: * Enko
Connect: Oh, you have 8 new letters)
ALEXA: in the sense ???
Phishing can be aimed not only at gaining access to your account. A phishing email may inform you that your account has been blocked and require SMS to be sent to a short number, which, of course, will be paid.
According to the phishers themselves, about 80% of women and 60% of men peck at attacks using social engineering.
Be very critical of the information that strangers tell you, and even more critical of the information that you tell them. Especially if you are rushed.
If we become aware that your account has been hacked, it is being used unauthorized, and we want to inform you of this, we will not ask an employee of any service to write you a letter. We will do something like this:
Do not follow the links from strangers, be careful about who the link came from and where it led you. Take the time to look into the address bar of your browser before entering any data. Unexpected effects, such as a login / password request when opening an email from an unknown sender, should also be alerted.
Attacks are carried out not only on the owner of the box: support staff are also constantly under pressure. The attacker is trying to "restore" the allegedly lost access to someone else's box. Sometimes you can read very interesting and intricate stories worthy of Latin American series, with a description of love polygons and detective situations, explaining why you need to give the author a password from someone else's box.
Support staff have strict instructions for recovering passwords, so if such a need arose, do not try to soften them; better provide as much objective information as possible, which will confirm that you are the owner of the box.
This is one of the most serious problems. Often, when registering on a forum, torrent trackers or website, the user indicates an email address and password that is identical to or slightly different from the password for the mailbox. The level of protection for forums and torrent trackers is usually low. In addition, many of them are built on the same popular engines. Upon detection of any security vulnerability in such an engine, thousands of sites can be hacked at the same time.
This is the first thing an attacker will check. For example, during the sensational hacking of LinkedIn, a number of users who used the same password on other sites suffered. Therefore, for different sites - different passwords. Is always. If inventing a unique password for each site seems to you an impossible mission, come up with a separate one, even for mail - because it is the "key" to many of your accounts on various services.
Often, several people use one box. Sometimes friends are asked to check their mail - for example, if the user himself does not have access to the Internet at that moment.
However, it is worth remembering that a person who used the box for some time can almost always restore access to it later. If the relationship goes bad, a dispute may arise around the box.
For the same reason, avoid buying boxes with beautiful names from anyone. If a dispute arises about the ownership of the box, preference is given to the one who registered it. That is why mail services are asked to register the box for themselves or for the company, and not for relatives, not for employees and not for comic book characters.
Sniffing is listening to network traffic. It’s quite easy to “sniff” traffic going through wireless networks - both via Wi-Fi and via satellite channel. When you connect to the Internet via Wi-Fi, an attacker can listen to all traffic through his device, since physically the data is transmitted via radio waves.
Many services now support the HTTPS protocol, use this. For example, authorization and work inside Mail.Ru Mail always occurs according to this protocol.
In e-mail programs, be sure to enable SSL / TLS when using the SMTP, POP, and IMAP protocols. At the same time, in Mail.Ru Mail, the work on the IMAP protocol is possible only on the SSL / TLS protocol. Be sure to respond to all warnings about certificate inconsistencies, especially if you use a wireless network or from an unfamiliar place - otherwise all cryptography does not make sense.
What are we doing
The weakest link in the security of any mass service, as a rule, is the user. But, of course, there are problems with the service. The high-profile hacks of recent months, when the database of the largest services' accounts got into the network (recall the same LinkedIn), remind of this. Not a single service is free of software bugs.
The measures taken by the postal service or social network are always a balance between functionality, comfort and security. You can prohibit any methods of password recovery: it will be safer, but then the user will not be able to restore access to his own mailbox. It is possible through restrictions to require very strong passwords - but in this case, users will forget them. You can block the IP address the first time you try to log in or recover your password; this will protect against the selection of passwords and secret answers, but subscribers of providers using dynamic addresses or NAT technology will not be able to enter the mail. It is possible to prohibit all potentially dangerous HTML tags in letters when accessing via the web interface, but this means that part of the letters will not be displayed correctly.
Поэтому мы используем компромиссные решения и комплексные алгоритмы, учитывающие совокупность факторов. Конечно же, мы не будем раскрывать детали реализации, поэтому и выдумали такую хитрую фразу. Все механизмы постоянно совершенствуются и это не отдельные изменения, а планомерный процесс. Например, опубликованная на Хабре статья, сравнивающая системы фильтрации HTML-тегов разных почтовых служб, на момент ее публикации уже была устаревшей — мы поменяли систему фильтрации буквально за день до выхода статьи и делали это уже неоднократно после ее выхода. Мы также проделали большую работу, чтобы HTTPS в Почте работал по умолчанию для всех пользователей.
We pay a lot of attention to the fight against automatic password selection, implementing and constantly improving anti-brute force algorithms.
We have a special department in the support service, which carries out targeted work to ensure the safety of users: it searches for fraudulent and phishing sites, reports them to hosting providers and domain registrars, informs search engines about fake resources in search results and contextual advertising, fights with SMS -fraudsters, exchanges information with CERT-commands and anti-virus vendors.
Of course, we protect our information system not only from the outside, but also from the inside. The work of the support service is structured in such a way that if one of the employees wants to “help” regain access to someone else’s mailbox, under no circumstances can he do it alone. We do not have a “nuclear suitcase”: even a high-ranking leader will not be able to lose a laptop, from which personal user data will be available. We do not keep passwords in clear text, but store them in the form of salted hashes from which it is impossible to recover a password.
Hacking Instructions: Before and After
Think about the fact that you might someday need to restore your account, and spend some time securing it.
At the moment, the most effective is to link the mobile phone to the box. We use user numbers only to restore access to the mailbox and notify about changes in registration data, and we do not send advertisements in any form to them.
The faster you learn about hacking, the better. We will send an SMS if the password or information for changing it is changed - this is another reason to bind the phone to the mailbox.
If you absolutely do not want to enter the phone, at least make sure that you have an urgent security question in your account, and the answer to it is really known only to you.
If you become aware of a hack, do not panic. Assess the possible consequences. First of all, try to prevent further development of the situation according to a negative scenario, such as hacking of accounts tied to this mailbox. At the same time, remember that as long as the cracker retains control of your mailbox, ill-considered actions can do more harm than good. For example, when you change the password on the social network, a notification about this will come to the hacked email box, which can lead to hacking of the account on the social network.
In no case do not succumb to blackmail, do not send paid SMS (even if it is written that they are free), do not follow any links, do not enter into negotiations with the cracker. Any negotiations do not guarantee restoration of access to the mailbox, and even more so do not guarantee that the hacking will not be repeated. And the one who paid once can pay the second. Do not become a cash cow for a blackmailer!
Check your computer for viruses, because while it is infected with malware, it makes no sense to restore access and change the password.
If a telephone number was tied to the mailbox, then most likely it will not be difficult. Usually, crackers do not risk deleting attached phones, as A message about this comes to the owner of the box. By the way, in Mail.Ru Mail, a phone number cannot be deleted instantly without entering a confirmation code from SMS.
You can also restore access to a secret question or to an additional email account, if indicated.
If you still haven’t tied the phone, and the answer to the secret question has suddenly disappeared from your memory, contact the support service. When contacting support, it is usually required to fill out a questionnaire, which should confirm the affiliation of the box. Keep in mind that any support service is under constant pressure from social engineering attacks, so you will have to prove that you are the owner of the mailbox. But you will almost certainly regain access within a few minutes if you provide as much information as possible that no one else can know.
As soon as you manage to recover the password and gain access to your account, first of all, change the registration information, first of all, the password that came to you from the support service. Change the security question and answer. And finally, tie the phone if it was not tied.
And
finally, the address of the Mail.Ru support service, of course, is not mailru-suppr1@hogmail.com, but support@corp.mail.ru. It is unlikely that we will write to you first with it, but we will definitely answer if you write to it for any problems with the box, including if you need to restore access to it. Although in this case it is better to fill out the recovery form http://e.mail.ru/cgi-bin/passremind - it immediately asks for all the necessary information.
If you have any suggestions for enhancing the security of our service as a whole, send a report about it to security@corp.mail.ru - or write in the comments to this post. By the way, we need security and anti-spam specialists - send your CV to hr@corp.mail.ru.
If you find a phishing site masquerading as any of the services, send us a message at antiphishing@corp.mail.ru, and we will try to take measures.
The second goal is to talk about how to protect the box. We will go through the basics and recall those points in the "security plan" that are rarely thought of. Perhaps the information in this article will be useful to you, and perhaps to your careless friend, parents or colleague. Perhaps we will even be able to make the calls “I seem to have a box hacked, you are a programmer, do something !!! 11” has become a little less.
In any case, if after reading someone makes a couple of changes in the settings of their email inbox, this will be the best result that the authors can count on. And if you already know all this, then we can only rejoice.
We will talk about how to break open mailboxes, to whom and why this may be needed, and describe how to prevent hacking (as well as what to do
Why hack email
Why can your mailbox be of value to someone? Very often, users neglect basic precautions simply because they cannot answer this question. Of course, usually the ultimate goal of hacking is to get some kind of financial profit. But from whom can a cracker get money? There are several scenarios.
Accounts may be resold in bulk
Most often, spammers are engaged in buying large mailboxes. Hacked mailboxes are used for mass mailings of messages like "Elite replicas of Swiss watches." Most hacks are committed precisely for this purpose.
Money can be extracted from the box itself ...
Even if the hacker's main goal is to resell the box, immediately after gaining access, he will still look at the information contained in the box for something more or less valuable. This can be, for example, accounts of social networks, hosting, banks, electronic money, game accounts. If the box does not contain data about the passwords themselves, the attacker may request a password recovery to the box. Also, the attacker will surely check if your email password is suitable for accounts on other resources.
... or get from the account owner
You can become a victim of blackmail - they will offer you to redeem access to the box or to your account on the social network. The subject of blackmail can also be personal information (correspondence, photos, scans of documents), which is contained in the box. Sometimes, to collect money from owners of hacked accounts, services for receiving paid sms are used. Unfortunately, not all sms-aggregators are quite scrupulous in this matter.
... or from another interested person
Hacking can be custom. Access may be needed by your competitor or former partner, employee, jealous spouse. Just note that hacks on order account for a very small fraction of the total.
From this we can draw a simple conclusion - any mailbox has value for a cracker.
How to hack mail
On the Internet you can find ads about hacking mailboxes on order. Prices range from a dozen to several hundred dollars. In most cases, the customer becomes the victim, who is deceived in one way or another or blackmailed with a promise to tell the victim about an attempted hack. If, nevertheless, it comes to hacking, then usually social engineering and, more rarely, the selection of a password and a secret question go into battle.
But usually hacks are done en masse and using botnets. The attacker has no purpose to crack a specific box; he has the task of breaking as many mailboxes as possible - for example, having a certain simple password. The situations of a truly serious hack, when, for example, 0-day security vulnerabilities in any browser were used against the victim, we have not yet encountered.
Below are the basic methods of gaining access to someone else's box and ways to protect against them.
Problem # 1: Trojan on a computer
Almost any Trojan, among other information, also removes passwords from email. According to various sources, up to 30% of computers are infected every year. Using Linux, MacOS X, any other operating systems or various phone and tablet platforms does not guarantee the absence of malware.
Solution: use antivirus software
At the same time, remember that at first a malicious program appears, then someone infects it, and only after a while it gets into the anti-virus database. Thus, the antivirus does not guarantee 100% protection. However, this does not mean that you do not need to use antivirus programs. It’s enough not to prevent the antivirus from updating the database regularly, and it will not miss most of the threats.
Problem # 2: password guessing
It is not only about short passwords or passwords from the same digits. On the Internet you can find the base of popular passwords, which includes almost all passwords consisting of consecutive keys on the keyboard (qwerty) or easily alternating characters (1q2w3e). The same can be said about passwords consisting of a date of birth in any format, even if it is supplemented by some symbol or initials. Of course, the most common dictionary passwords are also known - they are selected literally from the dictionary. A set of Russian vocabulary words in the Latin layout is also not a guarantee of invulnerability. Such passwords are also easily selected according to the dictionary. Do not forget that if you are registered in social networks, then almost anyone can find out your date of birth or phone. The number of the car and the data of various documents are also quite easy to “break through”,
Solution: Avoid Simple Passwords
It is necessary to take the choice of password very seriously, the degree of security of your mailbox depends on it. Choose a sufficiently long password, consisting of uppercase and lowercase letters, numbers and symbols. The more the password looks like a random sequence, the better. But Russian words in the English layout are not what we need.
Now it’s fashionable to use a multi-word keyword phrase instead of a password. This is a good practice, but avoid famous winged phrases. The key phrase should not be heard, it is better if it is unique, and even better - meaningless.
We recommend changing your passwords regularly. This is effective, because if you have already used a “mail” password somewhere on another site (which we strongly recommend not to do), and the unsecured site has leaked base, your mail account is at risk.
In addition, this makes it difficult to select (brute force) the password if a targeted attack is sent to the mailbox and will help protect against accidental password leaks - for example, when the password was used from someone else's infected computer.
It is logical to change passwords in connection with such life events as a divorce, dismissal, loss of a phone or notebook, capture and elimination of a Trojan.
However, frequent change of passwords can lead to their weakening: the user either starts to select easy passwords, or writes them in an easily accessible place, or makes the next password similar to the previous one. Resist the temptation and do not be lazy when inventing a password - the password for the mail should remain complex.
Mail.Ru, for its part, implements password protection in the form of anti-brute force - a multi-factor system that eliminates attempts to automatically enter the box.
Problem # 3: finding the answer to a secret question
Using answers to a secret question is not a good practice from a security point of view. But often this is the only way to regain access to the mailbox for a user who comes into the mail very rarely and does not indicate any real information about himself. Therefore, we and other free postal services do not refuse this.
If your favorite dish is dumplings, your favorite book is Harry Potter, the name of your grandmother can be found on the list of relatives on the social network, and the name of your favorite cat is signed in the top post under his photo, you are literally half a step away from making a big mistake.
Solution: Avoid Simple Answers
All that has been said about passwords also applies to answers to secret questions.
The only difference between the secret question is that together with the answer, as a rule, CAPTCHA is requested (a verification code that needs to be recognized and entered), and there is a more strict limit on the number of input attempts. This somewhat complicates brute force (selection) by machine methods. Otherwise, the answer to the secret question is equivalent to a password, and you should choose it just as carefully.
Problem # 4: social engineering, phishing
Social engineering is a method of unauthorized access to information or information storage systems without the use of technical means, exploiting the human factor. One of the varieties of social engineering is phishing. A typical example is to force the user to enter a password on a foreign site disguised as an authorization page design, for example:
This is not the only option. Also quite often we are faced with social engineering aimed at “extracting” from the user the data necessary for password recovery or access to the box. For example, they try to request passport data under the guise of winning a lottery. The answer to a secret question can be found out in a normal conversation in social networks ("Do you have a cat? What a handsome man! What is his name?"). Everything explains the classicjoke with Basha :
Connect: Listen, can we be relatives?
ALEXA: think ???
Connect: Well, maybe distant. What was your mother’s maiden name?
ALEXA: * Enko
Connect: Oh, you have 8 new letters)
ALEXA: in the sense ???
Phishing can be aimed not only at gaining access to your account. A phishing email may inform you that your account has been blocked and require SMS to be sent to a short number, which, of course, will be paid.
According to the phishers themselves, about 80% of women and 60% of men peck at attacks using social engineering.
Solution: do not talk with strangers
Be very critical of the information that strangers tell you, and even more critical of the information that you tell them. Especially if you are rushed.
If we become aware that your account has been hacked, it is being used unauthorized, and we want to inform you of this, we will not ask an employee of any service to write you a letter. We will do something like this:
Do not follow the links from strangers, be careful about who the link came from and where it led you. Take the time to look into the address bar of your browser before entering any data. Unexpected effects, such as a login / password request when opening an email from an unknown sender, should also be alerted.
Attacks are carried out not only on the owner of the box: support staff are also constantly under pressure. The attacker is trying to "restore" the allegedly lost access to someone else's box. Sometimes you can read very interesting and intricate stories worthy of Latin American series, with a description of love polygons and detective situations, explaining why you need to give the author a password from someone else's box.
Support staff have strict instructions for recovering passwords, so if such a need arose, do not try to soften them; better provide as much objective information as possible, which will confirm that you are the owner of the box.
Problem # 5: hacking other sites
This is one of the most serious problems. Often, when registering on a forum, torrent trackers or website, the user indicates an email address and password that is identical to or slightly different from the password for the mailbox. The level of protection for forums and torrent trackers is usually low. In addition, many of them are built on the same popular engines. Upon detection of any security vulnerability in such an engine, thousands of sites can be hacked at the same time.
Solution: do not use the same password for multiple accounts
This is the first thing an attacker will check. For example, during the sensational hacking of LinkedIn, a number of users who used the same password on other sites suffered. Therefore, for different sites - different passwords. Is always. If inventing a unique password for each site seems to you an impossible mission, come up with a separate one, even for mail - because it is the "key" to many of your accounts on various services.
Problem # 6: contentious issue around the account
Often, several people use one box. Sometimes friends are asked to check their mail - for example, if the user himself does not have access to the Internet at that moment.
However, it is worth remembering that a person who used the box for some time can almost always restore access to it later. If the relationship goes bad, a dispute may arise around the box.
Solution: do not use someone else's box and do not let anyone into your own!
For the same reason, avoid buying boxes with beautiful names from anyone. If a dispute arises about the ownership of the box, preference is given to the one who registered it. That is why mail services are asked to register the box for themselves or for the company, and not for relatives, not for employees and not for comic book characters.
Problem # 7: sniffing
Sniffing is listening to network traffic. It’s quite easy to “sniff” traffic going through wireless networks - both via Wi-Fi and via satellite channel. When you connect to the Internet via Wi-Fi, an attacker can listen to all traffic through his device, since physically the data is transmitted via radio waves.
Solution: use cryptography
Many services now support the HTTPS protocol, use this. For example, authorization and work inside Mail.Ru Mail always occurs according to this protocol.
In e-mail programs, be sure to enable SSL / TLS when using the SMTP, POP, and IMAP protocols. At the same time, in Mail.Ru Mail, the work on the IMAP protocol is possible only on the SSL / TLS protocol. Be sure to respond to all warnings about certificate inconsistencies, especially if you use a wireless network or from an unfamiliar place - otherwise all cryptography does not make sense.
What are we doing
The weakest link in the security of any mass service, as a rule, is the user. But, of course, there are problems with the service. The high-profile hacks of recent months, when the database of the largest services' accounts got into the network (recall the same LinkedIn), remind of this. Not a single service is free of software bugs.
The measures taken by the postal service or social network are always a balance between functionality, comfort and security. You can prohibit any methods of password recovery: it will be safer, but then the user will not be able to restore access to his own mailbox. It is possible through restrictions to require very strong passwords - but in this case, users will forget them. You can block the IP address the first time you try to log in or recover your password; this will protect against the selection of passwords and secret answers, but subscribers of providers using dynamic addresses or NAT technology will not be able to enter the mail. It is possible to prohibit all potentially dangerous HTML tags in letters when accessing via the web interface, but this means that part of the letters will not be displayed correctly.
Поэтому мы используем компромиссные решения и комплексные алгоритмы, учитывающие совокупность факторов. Конечно же, мы не будем раскрывать детали реализации, поэтому и выдумали такую хитрую фразу. Все механизмы постоянно совершенствуются и это не отдельные изменения, а планомерный процесс. Например, опубликованная на Хабре статья, сравнивающая системы фильтрации HTML-тегов разных почтовых служб, на момент ее публикации уже была устаревшей — мы поменяли систему фильтрации буквально за день до выхода статьи и делали это уже неоднократно после ее выхода. Мы также проделали большую работу, чтобы HTTPS в Почте работал по умолчанию для всех пользователей.
We pay a lot of attention to the fight against automatic password selection, implementing and constantly improving anti-brute force algorithms.
We have a special department in the support service, which carries out targeted work to ensure the safety of users: it searches for fraudulent and phishing sites, reports them to hosting providers and domain registrars, informs search engines about fake resources in search results and contextual advertising, fights with SMS -fraudsters, exchanges information with CERT-commands and anti-virus vendors.
Of course, we protect our information system not only from the outside, but also from the inside. The work of the support service is structured in such a way that if one of the employees wants to “help” regain access to someone else’s mailbox, under no circumstances can he do it alone. We do not have a “nuclear suitcase”: even a high-ranking leader will not be able to lose a laptop, from which personal user data will be available. We do not keep passwords in clear text, but store them in the form of salted hashes from which it is impossible to recover a password.
Hacking Instructions: Before and After
Think about the fact that you might someday need to restore your account, and spend some time securing it.
At the moment, the most effective is to link the mobile phone to the box. We use user numbers only to restore access to the mailbox and notify about changes in registration data, and we do not send advertisements in any form to them.
The faster you learn about hacking, the better. We will send an SMS if the password or information for changing it is changed - this is another reason to bind the phone to the mailbox.
If you absolutely do not want to enter the phone, at least make sure that you have an urgent security question in your account, and the answer to it is really known only to you.
If you become aware of a hack, do not panic. Assess the possible consequences. First of all, try to prevent further development of the situation according to a negative scenario, such as hacking of accounts tied to this mailbox. At the same time, remember that as long as the cracker retains control of your mailbox, ill-considered actions can do more harm than good. For example, when you change the password on the social network, a notification about this will come to the hacked email box, which can lead to hacking of the account on the social network.
In no case do not succumb to blackmail, do not send paid SMS (even if it is written that they are free), do not follow any links, do not enter into negotiations with the cracker. Any negotiations do not guarantee restoration of access to the mailbox, and even more so do not guarantee that the hacking will not be repeated. And the one who paid once can pay the second. Do not become a cash cow for a blackmailer!
Check your computer for viruses, because while it is infected with malware, it makes no sense to restore access and change the password.
Try to regain access to the box
If a telephone number was tied to the mailbox, then most likely it will not be difficult. Usually, crackers do not risk deleting attached phones, as A message about this comes to the owner of the box. By the way, in Mail.Ru Mail, a phone number cannot be deleted instantly without entering a confirmation code from SMS.
You can also restore access to a secret question or to an additional email account, if indicated.
Contact Support
If you still haven’t tied the phone, and the answer to the secret question has suddenly disappeared from your memory, contact the support service. When contacting support, it is usually required to fill out a questionnaire, which should confirm the affiliation of the box. Keep in mind that any support service is under constant pressure from social engineering attacks, so you will have to prove that you are the owner of the mailbox. But you will almost certainly regain access within a few minutes if you provide as much information as possible that no one else can know.
After the ball
As soon as you manage to recover the password and gain access to your account, first of all, change the registration information, first of all, the password that came to you from the support service. Change the security question and answer. And finally, tie the phone if it was not tied.
And
finally, the address of the Mail.Ru support service, of course, is not mailru-suppr1@hogmail.com, but support@corp.mail.ru. It is unlikely that we will write to you first with it, but we will definitely answer if you write to it for any problems with the box, including if you need to restore access to it. Although in this case it is better to fill out the recovery form http://e.mail.ru/cgi-bin/passremind - it immediately asks for all the necessary information.
If you have any suggestions for enhancing the security of our service as a whole, send a report about it to security@corp.mail.ru - or write in the comments to this post. By the way, we need security and anti-spam specialists - send your CV to hr@corp.mail.ru.
If you find a phishing site masquerading as any of the services, send us a message at antiphishing@corp.mail.ru, and we will try to take measures.