Email login credentials and messages

In previous articles of mine, such as How To Secure Your E-mail, I've used the email example with Outlook. Check it out if you haven't yet.

Don't forget about web-based email. As described earlier for non-secured sites, accessing web-based email without SSL encryption means your messages can be captured. Some email sites always offer secured access, while for others it is optional or non-existent. Currently, the default for Gmail is no encryption. Figure 6 shows an example of what an eavesdropper can sniff when you send an email from your Gmail account using an unsecured connection.

Figure 6:

wi-fi eavesdropping

To find out if your web-based email provider offers encrypted access, add an S after the HTTP in the address. For example, instead of http://mail.google.com, it would be https://mail.google.com/. Securing POP3 accounts that use a client, such as Outlook, is a bit more involved. Refer to my article on securing email for more information.

Using WPA/WPA2 encryption on your private Wi-Fi network protects unsecured email from eavesdroppers. If you can't or don't want to secure your email when using public networks, you could use a VPN to encrypt your communications.

FTP login credentials and transferred files

If you upload or download files to or from an FTP server on an unprotected network, sniffers can capture the files. And just as with the email server, the login credentials are also sent in clear-text (see Figure 7) for the eavesdropper to see.

Figure 7:

wi-fi eavesdropping

Unfortunately, it is not possible to secure or encrypt FTP connections. However, using FTP on your private network is fine when using Wi-Fi encryption. Unless you use a VPN, you should not use FTP connections while on public networks. If you are the server administrator, you might look into secure alternatives, such as SFTP.
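As an added example (not from the original article), the following Python script audits reassembled payloads from a capture of your own traffic for the clear-text FTP and POP3 logins described in the email and FTP sections above. The packet tuple format, the function name and the sample data are assumptions constructed for illustration; the password itself is never stored or reported.

```python
import re

# Clear-text protocols covered by this audit, keyed by well-known server port.
CLEARTEXT_PORTS = {21: "FTP", 110: "POP3"}
# FTP (RFC 959) and POP3 (RFC 1939) both log in with USER and PASS command lines.
LOGIN_CMD = re.compile(rb"^(USER|PASS)[ ]+(.+?)\r?$", re.IGNORECASE | re.MULTILINE)


def audit_payloads(packets):
    """Return one finding per session in which a login crossed in clear-text.

    packets: iterable of (client_ip, server_ip, server_port, payload_bytes).
    This input shape is an assumption of the example, not a capture-tool format.
    """
    sessions = {}
    for client, server, port, payload in packets:
        proto = CLEARTEXT_PORTS.get(port)
        if proto is None:
            continue  # not covered here (e.g. 22/SSH or 995/POP3 over SSL)
        for cmd, arg in LOGIN_CMD.findall(payload):
            entry = sessions.setdefault(
                (client, server, port),
                {"protocol": proto, "user": None, "password_seen": False},
            )
            if cmd.upper() == b"USER":
                entry["user"] = arg.decode("ascii", "replace")
            else:
                entry["password_seen"] = True  # record exposure, not the secret
    return [
        {"client": c, "server": s, "port": p, **info}
        for (c, s, p), info in sessions.items()
        if info["password_seen"]
    ]


# Constructed sample traffic: documentation addresses and made-up credentials.
SAMPLE = [
    ("192.0.2.10", "198.51.100.5", 21, b"USER alice\r\n"),
    ("192.0.2.10", "198.51.100.5", 21, b"PASS example-secret\r\n"),
    ("192.0.2.10", "198.51.100.7", 110, b"user bob\r\npass another-secret\r\n"),
    ("192.0.2.10", "198.51.100.9", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("192.0.2.10", "198.51.100.5", 21, b"LIST\r\n"),
]

if __name__ == "__main__":
    for f in audit_payloads(SAMPLE):
        print(f"{f['protocol']} login for {f['user']!r} sent in clear-text "
              f"from {f['client']} to {f['server']}:{f['port']}")
```

Any session this reports is one whose password should be changed and whose service should be moved behind a VPN or to an encrypted alternative.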

Instant messaging conversations

Most instant messaging and chat programs, including ICQ and IRC, send and receive in clear-text. So if you are on a public network, eavesdroppers can see the conversations with your loved ones, friends, or business associates. Figure 8 shows an example of a Yahoo Messenger IM and Figure 9 shows what it looks like in a sniffer. Again, to prevent this on unsecured networks, you can use a VPN.

Figure 8:

wi-fi eavesdropping

Telnet login credentials

Don't forget about Telnet; it also sends and receives in clear-text. Again, don't connect to servers or computers via Telnet on unencrypted networks, unless using a VPN. You should really look into using SSH instead, which is secure.

Keeping it secure

We've discovered several Internet and network services that are vulnerable to sniffing on unprotected and public networks. Anyone within range could possibly see websites you are visiting and the files you are downloading or transferring. Email messages, files transferred using FTP, and Telnet sessions are also vulnerable, along with their login credentials. Finally, we saw that instant messaging conversations can also be captured.

Figure 9:

wi-fi eavesdropping

I'll leave you with some tips on how to keep these types of services secure:

  • Enable WPA or WPA2 encryption on your network: Then you won't have to worry about the issues we've discussed, when on your own network.
  • Independently secure services: Try to use encryption for the services that can be optionally secured, such as your email. Use alternatives when possible, such as SSH instead of Telnet, and send files via secured email instead of FTP. Also make sure access to sensitive online accounts is via HTTPS/SSL.
  • Use a VPN when on a public network: This encrypts all your Internet communications, protecting them from local Wi-Fi eavesdroppers on public and unsecured networks. AnchorFree offers a free web-based SSL VPN service. Paid service is available from WiTopia and HotSpotVPN.
  • Don't use the same password for everything: If your credentials for a particular service are compromised, you want to make sure the hacker can't get into your other services or accounts. There are password management utilities out there that can help you securely manage all your passwords.

Eric Geier is an author of many computing and networking books, including Home Networking All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft Windows Vista (Que 2007).