Tag Archives: email

It’s amazing more email accounts weren’t hacked back in the 2000s

At a tech training session, I wanted to get access to some of my class-related email on the training computer. But I didn’t want to log into my primary email on an open network, or on someone else’s computer at all. I have no idea what they’re logging, whether they’re doing SSL inspection, whether there’s a keylogger on it — probably not, but who knows?

Heck, I didn’t even want to use my own device on the hotel Wi-Fi without a VPN, and that was at least secured by WPA2! (then again…)

I ended up forwarding the extra class materials to a disposable email account and logging into that one. No risk to other accounts if it got sniffed, at any level.

But I remembered how we all used to get at email when traveling back in the early 2000s, before smartphones, and before every laptop and every Starbucks had Wi-Fi:

Internet Cafes.

We’d walk into a storefront and rent time on one of their computers. Then we’d go to our webmail site and type in our primary email login and password over plain, unsecured HTTP without TLS.

I’d never do that today. Admittedly, I wouldn’t need to in most cases — I can access my email wirelessly from a device I own that I carry in my pocket. (Whether that’s a good thing remains up for debate.)

But more importantly, we know how easy it is for someone to break into that sort of setup. Even if your own devices are clean, someone else’s computer might have malware or keyloggers or a bogus SSL cert authority on their browser to let them intercept HTTPS traffic. An HTTP website is wide open, no matter whose device you use. And an open network is easy to spoof.

So these days it’s defense in depth: If it needs a password, it had better be running on HTTPS. If I don’t trust the network, I use a VPN. And I really don’t want to enter my login info on somebody else’s device.

Spamfighting vs. Privacy

Here’s a fascinating look back at the spam wars by former Gmail spamfighter Mike Hearn.

SpamI was involved for most of the previous decade as (among other things) the email admin for a small ISP. We used a mix of public blacklists, a private blacklist, virus filtering, SpamAssassin with both shared rules and local custom rules, and various other tools all tied together, some at the Sendmail level and the rest through MIMEDefang. It worked tolerably well, though of course it wasn’t perfect. I find it amusing that Gmail declared victory on spam in 2010, the same year that I changed jobs to a position that was more software developer and less sysadmin.

Privacy is a growing concern these days, so he also talks about the impact that widespread end-to-end email encryption would have on spam fighting. If you’re the mail handler, you can’t filter on, say, links found in the message, or characteristics of the writing or formatting, or anything else in the content. You can’t even run statistical analysis on all known spam and non-spam to see which the new message fits better. All you can do is look at where it came from and where it’s going.

Moving the spam filter to the client lets you do content filtering on your own mail, but you can’t take advantage of the larger volume of data that an ISP can, which means your filtering isn’t going to be as effective. And if your main email client is your phone, that’s really going to slow it down — and chew up battery.

Encrypting more of our communication is probably the way to go, but we’ll have to come up with new approaches to some previously-solved problems like this.

It got me thinking: Most of us not only accept that our email providers will look inside our mail to filter spam and viruses, we expect it. That’s weird. The idea of the post office looking inside our letters is so abhorrent that even tracking programs raise concerns. The idea of an actual person reading our email in transit creeps us out. Many people have problems with the idea of automated systems (like Gmail) reading our email for purposes of targeted advertising. But spam filtering? We get upset if it’s not happening!

That says something interesting about our priorities, and about how big an impact unfiltered spam has on our email.

Via ma.tt. Image by geralt.

Don’t Use Third-Party Links in Email – Object Lesson: Comic-Con Registration

If you’re trying to get a message out, or provide a service, analytics are great. They tell you what’s working and what’s not, so you can focus on what does work. Unfortunately, when it comes to email, a lot of organizations use a third-party click-tracking service, which registers which mailing the user clicked on, then redirects them to the real website.

Why do I say unfortunately?

Because it’s what phishing does: Sets up a link that looks like it goes one place, but sends you somewhere else instead. In the case of a legitimate email with a click tracker, you end up at the real site eventually. In the case of a phishing message, you end up at a fake login page that wants to capture your username & password, or a site with drive-by malware downloads. Using this technique in legit mail trains people to ignore warning signs, making them more vulnerable to the bad guys. And it makes it harder for security software to detect phishing automatically.

Now add another reason: You don’t control that click-tracking service, so it had better be reliable.

That’s what happened with Comic-Con registration today.

Getting tickets to San Diego Comic-Con used to be a breeze, but last year the system broke down repeatedly. It took them three tries, with multiple handlers, to open a registration system that didn’t melt in the first few minutes.

A few days ago, Comic-Con International sent out a message with the date and time registration would open, and a link to where the page would be when it went live. They went to a lot of trouble to make sure their servers could handle the load, as did the company handling registration. They built a “waiting room” to make sure that people trying to buy tickets would get feedback, and get into a queue, when they arrived, but could still be filtered into the registration system slowly enough not to overwhelm it.

The weak link: The click tracker.

Continue reading

If You Teach a Man to be Phished…

I’ve dealt with a couple of companies that try to plug the general lack of security in email by using a “secure email” service. The way this works is:

  1. The company sends you an email with a link to a third-party or co-branded website, asking you to click on it in order to read important information about your financial/insurance/whatever account. (Or better yet, the third party site sends you the mail on the company’s behalf.)
  2. You click on the link and open the site in your web browser.
  3. You register for the site (which usually involves entering your name, choosing a password, and possibly entering other personal detail like a reminder question.)
  4. You log into the site and actually read the message.

Can you see what the problem is?

That’s right: Steps 1-3 are exactly what you see in a phishing attack. Only in a phishing attack, the third-party site is a fake that’s trying to collect account information (like your login and password) or personal information (like your SSN).

So while they may be solving the immediate problem of “someone might intercept this message,” they’re perpetuating a broader problem by training people to fall for phishing attacks.

Sadly, this is not new.