Synopsis: If you want to save yourself a LOT of grief, then if you do one thing this week, make sure that all of your email connections are SSL enabled!
Back in the day when I started using email – when CompuServe was just starting to get into the UK market (yes, my beard is grey) nobody really worried about having their email account hacked. We were more concerned with master boot record viruses on floppy disks (remember those?) and getting more than 28kbit/s down our phone line.
These days, the story is different. The high speed internet has become a playground for misanthropes and malcontents who will exploit every opportunity to peddle porn, spam, or just disrupt your daily business for their own entertainment. The romanticised view of hackers depicted in The Matrix is somewhat removed from reality. Attacks are becoming more commonplace and more severe, and as a hosting company we have to continually modify our tactics in an attempt to mitigate the worst effects.
Most recently we found a handful of email accounts on one of our servers sending out relatively low volumes of spam. It took us a few hours to track down the last of them, but by that time the server had been listed on SpamCop and other real-time blacklist providers.
Why did we not detect the unauthorised use of these accounts until it was too late? Because they were being accessed using the correct login username and password. And how did that happen, you may ask – well, that’s a good question, so let me explain.
Internet e-mail relies on a few protocols including (but not limited to) SMTP, POP3 and IMAP. The problem with these protocols, like so many that were originally created decades ago, is that they are inherently insecure. That is to say, the information that goes back and forth between your computer and the server is not encrypted. In tech-speak it’s called being sent “in the clear”. It’s a bit like sending all of your letters in the mail in a clear envelope – anyone can read them. Not only is the content of your email sent in the clear, but your username and password are also up for grabs (although we’re not discussing it here, your password is a strong one, isn’t it?).
You might have been using non-SSL email for years at home or in the office without any problem. This is because there is little opportunity for anyone to listen in on your wired connection, and most wireless internet hubs/routers supplied by ISPs to their customers are also encrypted, so between your computer and your phone line you are reasonably safe. It’s also testament to the IT industry that nobody who works for the large telecoms providers has been arrested for stealing your account information by snooping your data at one of the large switching centres – but they could – quite easily. So how do your account details get leaked?
Dirty Wifi, dirty, dirty WiFi
Enter stage left, WiFi. Wireless networking is great isn’t it? I mean, you can go and enjoy a pie and chips at your local and still look like you’re working hard on answering support tickets… but I digress. The problem with WiFi is that it comes in many flavours, and some are more secure than others – and some are completely open. It’s now well known that when Google collected public WiFi information using its camera cars, it also collected countless usernames and passwords for email accounts.
Always be sure you know which WiFi network you are connecting to, and always make sure it asks for a connection password, otherwise you may be open to snooping. I could go and set up a mobile WiFi network from my car and sit outside a Starbucks, and within an hour I could probably lure dozens of people to connect and capture their email account details. When was the last time you checked with the owner of the premises what their WiFi network was called?
When you go on holiday, and you connect to your friendly beach bar’s WiFi you might think you are secure because you had to enter a password. Sadly there are weak WiFi encryption systems (WEP was compromised long ago) out there that make it relatively trivial for someone else connected to the network to eavesdrop on your session. If you connect to an untrusted WiFi network (i.e. one that is not owned by you), then check the SSID (the name that comes up on your computing device) with the owner and also make sure you have to enter a password.
Super duper SSL to the rescue
So, how do we protect against this invasion of our privacy?
SSL (Secure Sockets Layer) is a method by which your normal “in the clear” information is wrapped up inside an encrypted envelope. SSL is employed on the Web to secure ecommerce and banking websites, and it does much the same for your e-mail. The conversation between your email software and our email server is virtually uncrackable by people listening in. Even if you connected via a rogue WiFi network, your email connection would be safe as long as you were using SSL for both your incoming and outgoing connections.
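To make the two points above concrete (a login on a plain POP3, IMAP or SMTP session is readable by anyone on the path; with SSL, which today's standards call TLS although mail clients still label the setting “SSL”, it is not), here is a small Python example written for this post. It is not the hosting company's code and makes no assumption about their servers beyond the standard port numbers and protocol commands; the transcripts and server replies are constructed. It does three things: rates a client's incoming/outgoing setting, checks whether a server's capability reply offers an encryption upgrade, and scans a connection log for logins that went out before any encryption was in place, reporting only the username so an admin can see which accounts still need the setting changed.

```python
"""Added example for this post (not the hosting company's code): three small
checks that show why an unencrypted mail connection leaks the password and
how to confirm that a client setting or a server actually uses SSL/TLS.
Port numbers are the standard assignments; everything else is constructed."""
import base64
import re
import socket
import ssl

# Standard ports: "SSL" in a mail client means TLS from the first byte on
# these ports; STARTTLS upgrades a plaintext session on the classic ports.
IMPLICIT_TLS_PORTS = {"smtp": 465, "imap": 993, "pop3": 995}
STARTTLS_PORTS = {"smtp": {25, 587}, "imap": {143}, "pop3": {110}}


def audit_setting(protocol, port, encryption):
    """Classify one account setting as ('ok' | 'bad', reason).

    encryption is what the client's drop-down offers: 'none', 'starttls'
    or 'ssl'.  Anything other than 'none' on a sensible port is acceptable."""
    protocol = protocol.lower()
    if encryption == "none":
        return "bad", f"{protocol}/{port}: username and password sent in the clear"
    if encryption == "ssl" and port != IMPLICIT_TLS_PORTS[protocol]:
        return "bad", f"{protocol}/{port}: SSL selected but this is not the SSL port"
    if encryption == "starttls" and port not in STARTTLS_PORTS[protocol]:
        return "bad", f"{protocol}/{port}: STARTTLS selected on an unexpected port"
    return "ok", f"{protocol}/{port}: session encrypted ({encryption})"


def server_offers_tls(protocol, capability_reply):
    """True if the server's EHLO / CAPABILITY / CAPA reply advertises an
    upgrade (STARTTLS for SMTP and IMAP, STLS for POP3), i.e. the client
    can switch to encryption before it sends a password."""
    keyword = {"smtp": "STARTTLS", "imap": "STARTTLS", "pop3": "STLS"}[protocol]
    pattern = re.compile(r"\b" + keyword + r"\b", re.IGNORECASE)
    return any(pattern.search(line) for line in capability_reply.splitlines())


# Login commands as they appear on the wire without encryption.  Each
# pattern captures only the username; the password is never stored.
_PLAINTEXT_LOGIN = [
    ("pop3", re.compile(r"^USER\s+(\S+)\s*$", re.I)),                  # USER bob / PASS ...
    ("imap", re.compile(r'^\S+\s+LOGIN\s+"?([^\s"]+)"?\s+\S+', re.I)),  # a2 LOGIN carol secret
    ("smtp", re.compile(r"^AUTH\s+PLAIN\s+(\S+)\s*$", re.I)),          # AUTH PLAIN <base64>
]
_UPGRADE = re.compile(r"^(STARTTLS|STLS|\S+\s+STARTTLS)\s*$", re.I)


def find_plaintext_logins(transcript):
    """Scan client->server commands (one per line, as a connection log
    would record them) and return [(protocol, username)] for each login
    sent before any TLS upgrade.  Run it over your own logs to find the
    accounts that still need the SSL setting switched on."""
    found = []
    for line in transcript.splitlines():
        line = line.strip()
        if _UPGRADE.match(line):
            break  # from here on the wire carries ciphertext, nothing to read
        for proto, pattern in _PLAINTEXT_LOGIN:
            m = pattern.match(line)
            if not m:
                continue
            user = m.group(1)
            if proto == "smtp":
                # AUTH PLAIN is base64 of "\0username\0password" (RFC 4616)
                try:
                    parts = base64.b64decode(user).split(b"\x00")
                    user = parts[1].decode("utf-8", "replace")
                except (ValueError, IndexError):
                    user = "?"
            found.append((proto, user))
            break
    return found


def secure_socket(host, port):
    """Open a verified TLS connection (what 'SSL' in the client does for you):
    the certificate is checked against the system CA store and the hostname."""
    ctx = ssl.create_default_context()  # verifies chain + hostname by default
    return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)


# Constructed sample data, not captured from any real server or customer.
SAMPLE_POP3 = "USER bob\r\nPASS hunter2\r\nSTAT\r\n"
SAMPLE_IMAP = "a1 CAPABILITY\r\na2 LOGIN carol secret\r\n"
SAMPLE_IMAP_UPGRADED = "a1 STARTTLS\r\na2 LOGIN carol secret\r\n"
SAMPLE_SMTP = ("EHLO laptop\r\nAUTH PLAIN "
               + base64.b64encode(b"\x00alice@example.com\x00hunter2").decode() + "\r\n")
SMTP_EHLO_REPLY = "250-mail.example.com\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n"
POP3_CAPA_REPLY = "+OK\r\nTOP\r\nUSER\r\nUIDL\r\n.\r\n"  # no STLS: only port 995 is safe

if __name__ == "__main__":
    for proto, port, enc in [("imap", 143, "none"), ("imap", 993, "ssl"), ("smtp", 587, "starttls")]:
        print(audit_setting(proto, port, enc))
    print(find_plaintext_logins(SAMPLE_POP3 + SAMPLE_IMAP + SAMPLE_SMTP))
    print(server_offers_tls("smtp", SMTP_EHLO_REPLY), server_offers_tls("pop3", POP3_CAPA_REPLY))
```

The POP3 sample reply deliberately lacks STLS: on a server like that, the only safe choice is the dedicated SSL port (995), which is why the “SSL” setting in the client matters more than the port number a user happens to remember. Note that the scan stops at the first STARTTLS/STLS command, because everything after it is encrypted and a log of the raw connection cannot show it.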
The Post Mortem
In every case of a hacked email account on our systems, when we enquire with our customer regarding their email practices, they invariably reveal that they use mobile devices or laptops. Further, they admit to connecting to the internet from untrusted locations, WiFi hotspots and the like. They also invariably have not enabled SSL on those devices.
Not only does this cause massive inconvenience to us in tidying up the aftermath, but it can also mean that the customer concerned has to seriously consider the impact the attack has had on their personal security.
The hackers will also go back through all the email on the account, and may have found emails from banks, online retailers, medical/personal information etc., that might allow them to exploit the target’s personal identity in other ways. So really, if you do one thing this week – enable SSL on your incoming and outgoing email.
Your SSL settings are always available for your email account via your cPanel. Just follow these instructions to obtain them: