Modernizing Authentication — What It Takes to Transform Secure Access
In I Was Hacked in Beijing, New York Times reporter Andrew Jacobs details the break-in of his Yahoo e-mail account while in China. As he described in a related story, Journalists' E-Mails Hacked in China, his e-mail troubles were far from unique. He writes:
"In what appeared to be a coordinated assault, the e-mail accounts of more than a dozen rights advocates, academics and journalists who cover China have been compromised by unknown intruders ... The infiltrations, which involved Yahoo e-mail accounts, appeared to be aimed at people who write about China and Taiwan, rendering their accounts inaccessible ..."
The worst problems are the ones you don't know about. Reporters whose accounts were disabled were relatively lucky. Jacobs, on the other hand, had his e-mail silently diverted. As he puts it, "In the case of this reporter, hackers altered e-mail settings so that all correspondence was surreptitiously forwarded to another e-mail address."
Reporters covering China may be the worst case scenario, but they are not alone in needing to increase the security of their e-mail. What follows are some suggestions that apply to anyone whose e-mail contains information they consider sensitive.
Yahoo presents vulnerabilities
Using Yahoo for e-mail was, perhaps, the first mistake these reporters made. One victimized reporter said, "I'm angry at the Chinese, but I blame Yahoo for allowing this to happen." In fairness, there is no way to know who or what was at fault in these cases. But one reporter had his account disabled due to "an issue." What does this mean? The reporter contacted Yahoo and never got a reply. This reminded me of the story told by Alan Shimel of StillSecure in August 2008. He, too, suffered frustration dealing with Yahoo about an e-mail problem.
When I read that Yahoo was the e-mail provider, I wasn't surprised that there was a security issue.
My main gripe with Yahoo's e-mail system is the lack of SSL encryption. While all the major Webmail providers use secure HTTPS pages to encrypt the userid/password when someone first signs in, they immediately diverge. Gmail used to offer HTTPS/SSL encryption as an option for reading and writing Webmail. It was great security for the lucky users who knew about it. Now, however, all Gmail Web pages are secured by default. Good for them.
Yahoo Webmail offers the third alternative, no HTTPS encryption, ever. To me, this says they are not serious about security.
Another indication came to light last September when I wrote about a bug in Yahoo's e-mail system that let bad guys guess your password forever. This programming error was reported to Yahoo in 2007, and as of September 2009 it still hadn't been fixed (I don't know the current status).
Then too, there is the login page, which defaults to keeping users signed in for two weeks. There is a choice here between security (always forcing someone to login) and convenience (keeping someone logged in for an extended period of time) and Yahoo opts for convenience.
Also, I find that when I log in to my Yahoo e-mail account, I am often greeted by spam invitations to chat. I have never used Yahoo chat software and don't intend to. I don't know exactly how this happens, but I take it as another sign of poor security.
If someone learned the password of a Yahoo Webmail user and logged in to the account, the victim has no way of knowing that this occurred. In contrast, Gmail offers an audit trail of account accesses (more on this below). It's far from perfect, but any audit trail is a huge step up from none. On top of this, Gmail recently started looking at this audit trail and warning users of suspicious activity.
Finally, an issue that is very hard to prove, spam filtering. I've used both Gmail and Yahoo mail for a long time and my opinion (and this is only an opinion) is that Gmail's spam filtering is better than Yahoo's.
Thus, anyone interested in e-mail security is probably better off with Gmail than Yahoo.
The silent problem suffered by Mr. Jacobs involved e-mail forwarding. Messages sent to him were visible in his inbox, but they were also automatically forwarded to a bad guy. It's common to think of an e-mail message as a singular thing, but in this case, one incoming message became two, a copy at Yahoo and a copy for the bad guy.
There is no simple defense for this, making it a great mode of attack. After all, anyone who knows your e-mail password is, in effect, you, at least to your e-mail provider. The only thing you can do here is periodically check that your e-mail is not being forwarded. Users of Yahoo's free service are safe; Yahoo only offers forwarding as part of its paid service.
Here's how to check on the status of forwarding for three e-mail providers:
- Gmail: Settings -> Forwarding and POP/IMAP -> Forwarding section at top of page
- Yahoo: Options -> mail options -> POP & Forwarding
- EarthLink: Preferences -> General tab -> Email Forwarding
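Checking the settings pages by hand is the article's advice; as an added example (not from the article), the script below does the same check over an exported Gmail filter file, flagging any filter that forwards to an address you do not recognize and noting when the rule also hides the inbox copy. The Atom/apps:property layout of the export and all addresses and filter ids in the sample are assumptions constructed for illustration.

```python
"""Audit an exported Gmail filter file for rules that forward mail somewhere else."""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample in the shape of a Gmail "Mail Filters" export: an Atom feed whose
# entries carry <apps:property name=... value=.../> elements (format assumed, ids made up).
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <id>tag:mail.google.com,2008:filter:0001</id>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='News'/>
  </entry>
  <entry>
    <id>tag:mail.google.com,2008:filter:0002</id>
    <apps:property name='hasTheWord' value='invoice'/>
    <apps:property name='forwardTo' value='unknown-party@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <id>tag:mail.google.com,2008:filter:0003</id>
    <apps:property name='forwardTo' value='GrouchoMarxTraveling@gmail.com'/>
  </entry>
</feed>"""

CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")

def forwarding_rules(xml_text, known_addresses):
    """Return (filter id, destination, criteria, hides_copy) for every filter that forwards
    to an address not in known_addresses. hides_copy is True when the rule also archives
    or trashes the message, so the forwarded mail never shows up in the inbox."""
    root = ET.fromstring(xml_text)
    known = {a.lower() for a in known_addresses}
    findings = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        dest = props.get("forwardTo")
        if not dest or dest.lower() in known:
            continue  # no forwarding, or forwarding you set up yourself
        criteria = {k: v for k, v in props.items() if k in CRITERIA}
        hides_copy = props.get("shouldArchive") == "true" or props.get("shouldTrash") == "true"
        findings.append((entry.findtext(ATOM + "id", default="?"), dest, criteria, hides_copy))
    return findings

if __name__ == "__main__":
    for fid, dest, crit, hidden in forwarding_rules(SAMPLE_EXPORT, ["GrouchoMarxTraveling@gmail.com"]):
        print(f"{fid}: forwards {crit or 'ALL mail'} to {dest}{' (copy hidden)' if hidden else ''}")
```

Pass the addresses you deliberately forward to (a travel account, for instance) as known_addresses so only unexpected destinations are reported.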
Movie character Gordon Gecko popularized the phrase "greed is good." When it comes to Webmail systems, it's fair to say that lying is good.
Every Webmail account is associated with a secret question (or two). Things like where you went to High School, the name of your favorite teacher, etc. If you are concerned with security, provide wrong answers to these questions. Better yet, don't even use words in the dictionary as your answer. Who says your favorite food as a child wasn't "123ice123cream?"
Sarah Palin learned this lesson the hard way. Her Yahoo mail account wasn't hacked as much as it was guessed.
Making up words is also highly recommended for passwords. The last thing anyone should do is choose a password that can be found in the dictionary. Like to use "password" as a password? You're not alone. Try instead "x2password." It's not brutally secure, but it's a huge step up.
Avoid going public
Ever thought of playing Three-card Monte on the streets of New York? Of course not, it's a sucker's bet. So too are public computers.
Recently security expert Steve Gibson was asked if there was any way to reliably thwart hardware and software keyloggers and screen scrapers on a public computer. His response:
"I can't think of probably anything more frightening than using a public computer, that is, like a computer in a library or in an Internet cafe that is being used by lots of people, I can't think of anything more frightening than to use such a machine for critical, sensitive work ... I don't think there's any way you could argue that anything you could do as you approach that machine could make it safe ... There's nothing you can do to make it safe."
SSL provides encryption while data is traveling over the Internet, but it does not protect data (such as passwords) on the computer before it's sent out. And there is no defense against a hardware keylogger in the keyboard. If you must read e-mail on a public computer, then change the password as soon as you are back on safe territory. Also, check that your e-mail is not being silently auto-forwarded.
In one of the articles mentioned initially, Jacobs referred to "my e-mail program." Thus he was probably using e-mail software, such as Outlook, Thunderbird, Outlook Express, Apple Mail, Windows Mail, etc. These programs bypass Websites and directly connect you to the e-mail system run by your e-mail provider. And, by default, nothing is encrypted, not even the password. That is, their default behavior mimics HTTP rather than HTTPS.
Many e-mail providers offer secure options for connecting to their systems. Look for options, such as POP3S rather than POP3 or SSL on an alternate port. This is a hassle for sure, one that is doubled by the fact that security needs to be added separately for reading and sending e-mail.
Support for the secure/encrypted transport of e-mail is needed from both your e-mail provider and your e-mail software. Many people will have this as an available option, but some will not. If you use a smart phone for e-mail, this becomes all the more important.
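As an added example (not from the article), here is how the two separate pieces of the setup above, reading over POP3/IMAP and sending over SMTP, look when a client refuses the cleartext defaults and connects only over certificate-verified TLS. The account dictionaries, hostnames and port conventions (implicit TLS on 995/993/465, STARTTLS on 110/143/587) are constructed for illustration.

```python
"""Refuse plaintext POP3/IMAP/SMTP settings; connect only with certificate-verified TLS."""
import imaplib
import poplib
import smtplib
import ssl

# Usual ports: implicit TLS ("SSL on an alternate port") and STARTTLS on the plain port.
IMPLICIT_TLS_PORTS = {"pop3": 995, "imap": 993, "smtp": 465}
PLAIN_PORTS = {"pop3": 110, "imap": 143, "smtp": 587}

# Constructed example configs in the shape a client stores them: one for reading, one for sending.
READ_DEFAULT = {"protocol": "pop3", "host": "pop.example.net", "port": 110, "security": "none"}
READ_SECURE = {"protocol": "pop3", "host": "pop.example.net", "port": 995, "security": "ssl"}
SEND_SECURE = {"protocol": "smtp", "host": "smtp.example.net", "port": 587, "security": "starttls"}

def audit_account(cfg):
    """Return human-readable findings; an empty list means the transport is acceptable."""
    proto, port, sec = cfg["protocol"], cfg["port"], cfg["security"]
    if sec == "none":
        return [f"{proto} on port {port}: login and mail travel in cleartext (like HTTP, not HTTPS)"]
    if sec == "ssl" and port != IMPLICIT_TLS_PORTS[proto]:
        return [f"{proto}: 'ssl' chosen but port {port} is not the implicit-TLS port {IMPLICIT_TLS_PORTS[proto]}"]
    if sec == "starttls" and port != PLAIN_PORTS[proto]:
        return [f"{proto}: STARTTLS chosen on unexpected port {port}"]
    return []

def connect(cfg):
    """Open the mailbox or submission session over TLS only; raises ValueError on a bad config."""
    problems = audit_account(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    ctx = ssl.create_default_context()  # verifies the server certificate and hostname
    proto, host, port, sec = cfg["protocol"], cfg["host"], cfg["port"], cfg["security"]
    if proto == "pop3":
        if sec == "ssl":
            return poplib.POP3_SSL(host, port, context=ctx)
        conn = poplib.POP3(host, port)
        conn.stls(context=ctx)          # upgrade before sending USER/PASS
        return conn
    if proto == "imap":
        if sec == "ssl":
            return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
        conn = imaplib.IMAP4(host, port)
        conn.starttls(ssl_context=ctx)  # upgrade before LOGIN
        return conn
    if sec == "ssl":
        return smtplib.SMTP_SSL(host, port, context=ctx)
    conn = smtplib.SMTP(host, port)
    conn.starttls(context=ctx)          # upgrade before AUTH
    return conn
```

Run audit_account over each stored account before the client logs in; connect() never sends credentials on a session that audit_account rejected.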
Another option for encrypting e-mail into and out of your computer or smart phone is a Virtual Private Network or VPN. This is a step up the ladder of complexity, but provides encryption for everything, not just for e-mail. Personally, I recommend Witopia. For more see my article, What your mother never told you about VPNs.
Eyes in the back of your head
Shoulder surfing is yet another danger. Someone can learn your Webmail password by literally looking over your shoulder (this is not a problem for e-mail client software). Or, they may be sitting next to you in a public place, such as a coffee shop or airport terminal, when you check your e-mail.
Getting back to China, one of the guys on the Off The Hook radio show recently told about a trip to China. Something went wrong in his hotel room (the air conditioning perhaps) and when a maintenance person came to fix it, they had to remove tiles from the ceiling. Boring story, other than the fact that there was a lot of stuff, stuffed into the ceiling, much more than you might expect. Perhaps some of those wires were for cameras?
Webmail users can defend against shoulder surfers by letting their browser save their password. However, this makes the Web browser a potential security problem, as anyone with access to the computer can get at e-mail. Of course, anyone using an e-mail program is in the same boat, and for many this is an acceptable level of risk.
Finally, what if you're traveling to China or somewhere else where you suspect people may be actively trying to invade the privacy of your e-mail? Perhaps the best way to defend an e-mail password is to never use it. This doesn't mean being cut off from e-mail, just using a temporary account instead.
Suppose, for example, your normal e-mail address is GrouchoMarx@gmail.com. Create a new account called, perhaps, GrouchoMarxTraveling@gmail.com. Then use the spy trick in your favor: set your normal e-mail address to auto-forward incoming messages to the temporary account. Of course, also keep a copy of incoming mail in your normal inbox so it will be there when you return home. People you normally correspond with need to be told up-front about the temporary e-mail address.
If the password for the temporary account gets compromised, there is no e-mail history for the bad guys to troll through. And, if bad guys use the password to send e-mail as you, the people you forewarned know to be slightly suspicious. Anyone you did not tell about the temporary account will see that it's from some other Groucho Marx, not you.
When you return to safe territory, you can change the password on the temporary account, delete all the e-mail in it and/or delete the account altogether. All the shoulder surfing and packet sniffing in the world can't uncover a password that is never used.
Michael Horowitz is a regular contributor to eSecurityPlanet.com.