2016-03-19

Code to check if your Email Addresses were compromised

Yesterday, the Swiss Governmental CERT published a press release stating that more than 6000 email accounts were compromised. They offer a tool to check whether your address is compromised, which is, in my opinion, very well designed. (Some people asked why the site is hosted at Cloudflare; the CERT claims they did that for DDoS prevention. The database is supposedly based in Switzerland.)

To check whether an email address is contained in the database, the site creates a SHA-256 hash of the lowercase email address and transfers only this hash. This ensures that no real email addresses are transferred. The downside is that this way, it is not so simple to check a lot of email addresses (like all of your company's).

Below, I provide a simple PowerShell script to check a list of email addresses. As input, it requires a simple CSV file of the format

    Email
    me@email.com

I throttled the script quite a bit to be nice.

    ## This script checks all the email addresses given in a CSV file
    # See also http://www.govcert.admin.ch/blog/20/leaked-mail-accounts
    # Written by Daniel C. Oderbolz, 2016 using code by Jon Gurgul
    # Blessing from https://github.com/endlesssoftware/sqlite3/blob/master/btree.c
    # May you do good and not evil.
    # May you find forgiveness for yourself and forgive others.
    # May you share freely, never taking more than you give

    # When the resulting page contains
    # <center><h1>Email Address <b>NOT</b> in Database</h1><br /></center>
    # the address is not in the DB

    # The file has a simple header: "Email"
    $filepath = "users.csv"
    $baseurl = "https://checktool.ch/index.php?hash="

    # http://jongurgul.com/blog/get-stringhash-get-filehash/
    # Returns the lowercase hex digest of the UTF-8 bytes of $String
    Function Get-StringHash([String] $String, $HashName = "SHA256")
    {
        $StringBuilder = New-Object System.Text.StringBuilder
        [System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String)) | ForEach-Object {
            [Void]$StringBuilder.Append($_.ToString("x2"))
        }
        $StringBuilder.ToString()
    }

    # Main loop
    # The header row in the file names the column, so -Header is not passed
    # (with -Header, Import-Csv would treat the "Email" header line as an address)
    Import-Csv $filepath | ForEach-Object {
        # Progress
        Write-Host -NoNewline "."

        # Get SHA256 hash of the trimmed, lowercase address
        # (ToLowerInvariant keeps the result independent of the system culture)
        $hash = Get-StringHash ($_.Email.Trim().ToLowerInvariant())
        $url = $baseurl + $hash

        # https://teusje.wordpress.com/2012/12/29/web-scraping-with-powershell/
        $site = Invoke-WebRequest -UseBasicParsing -Uri $url

        # Check if the text is there (which is good)
        $ok = $site.Content -match "Email Address <b>NOT</b> in Database"
        if (-not $ok)
        {
            $message = "WARNING: Address " + $_.Email + " Found in Database!"
            Write-Host
            Write-Host $message
        }

        # Throttle requests
        Start-Sleep -Milliseconds 500
    }
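
An added example, not part of the original script: a lookup can only match if the address is normalized exactly as the site does it, so the code below runs a known-answer test on the hash routine and then trims, lowercases, validates and de-duplicates a constructed address list before any request is made. The function names Get-Sha256Hex and Get-LookupList and the sample addresses are assumptions made for illustration.

```powershell
# Added example, not the author's code. Works offline; no request is sent.
# Assumption: the service hashes the trimmed, lowercase address as UTF-8.

function Get-Sha256Hex([string] $Text) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        -join ($bytes | ForEach-Object { $_.ToString("x2") })
    }
    finally { $sha.Dispose() }
}

# Known-answer test with the standard SHA-256 test vector for "abc".
# A wrong digest (encoding or formatting mistake) would make every lookup miss.
$expected = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
if ((Get-Sha256Hex "abc") -ne $expected) {
    throw "SHA-256 self-test failed; lookup results would be meaningless."
}

function Get-LookupList([string[]] $Addresses) {
    $seen = @{}
    foreach ($raw in $Addresses) {
        # Blank lines would otherwise be hashed and sent as a lookup
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }

        # Culture-independent lowercasing: on a Turkish locale, ToLower()
        # maps "I" to a dotless "ı" and the hash no longer matches
        $email = $raw.Trim().ToLowerInvariant()

        if ($email -notmatch '^[^@\s]+@[^@\s]+$') {
            Write-Warning "Skipping malformed entry: '$raw'"
            continue
        }

        # Case and whitespace variants collapse to one request
        if ($seen.ContainsKey($email)) { continue }
        $seen[$email] = $true

        [PSCustomObject]@{ Email = $email; Hash = (Get-Sha256Hex $email) }
    }
}

# Constructed sample input: three variants of one address, a blank line,
# a malformed entry and a second address
$sample = @("Me@Email.com", " me@email.com ", "me@email.com", "",
            "not-an-address", "other@example.org")
Get-LookupList $sample | Format-Table -AutoSize
```

Each Hash value can be appended to $baseurl in the same way the script above builds its request URL.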

What to do if an address of yours was compromised?

This could mean two things: either the actual email account is compromised (really bad) or some web account where this email address was used is compromised (how bad depends on whether the service is critical AND whether the same password was used elsewhere). I recommend the following:


  • Immediately change the password of said email account
  • Change the password of all accounts where the Email address is used as a password

To do this properly, you need a list of your accounts and their passwords - not on paper, but in a password safe like KeePass. A password safe also includes a strong password generator - each account must have its own password!
