Email Passwords Getting “Popped” in Seconds even in 2015?


Information Security has been a very hot topic for the past few years, especially in 2015.  Every single day you can read about a new security breach at a business that you frequent.  There are nearly 300 security requirements or “controls” that many companies must adhere to, but for this article I will only talk about one small item (or is it really small?).  Let’s talk about email.   We use email every day to communicate with friends, family, and for work.  I’d like to take a slightly deeper look at email and how important it is to us.  Your email account can really be thought of as the “Keys to the Castle”.  Why?  Let’s think about this for a minute.  If you want to reset your password for a website, don’t you typically click “forgot password”?  Shortly after that click, you receive an email with either a temporary password or a link to reset it.  With that said, think of all of the different things that you log into.  I know for myself, I log into various accounts to do my online banking, pay my bills, or make a change to my healthcare coverage.  Hackers thrive on getting access to these types of accounts.  If they have the ability to log into these accounts, they can pretty much take over your life.

So you have taken the advice of your friends and set a super hard password that nobody can guess.  You are safe, right?  Well, unfortunately the lax security of your internet provider puts you at extreme risk.  If you think for one second that they have you protected, well… don’t think that.  Way back in the olden days (like 1984) a protocol called POP (Post Office Protocol) was created that handled the authentication of your email.  When you checked email on your computer, this protocol was the mechanism that checked to make sure you were entering the correct username and password before it pulled the email onto your computer so that you could read it.  This protocol became very widespread and was adopted into many email programs such as Microsoft Outlook, Outlook Express, Thunderbird, Lotus, and many others.  Even Android and iOS devices used the protocol.  POP became the standard protocol across the board for email.

The huge flaw in POP was that it was a completely insecure protocol.  This was because POP communicated by what we call “in the clear”.  This means that when your email was checked, the POP protocol sent your email username and password over the internet in a totally unencrypted format.  What does this mean?  It means that anyone sitting between you and your email server can easily access your email credentials by sniffing the wire.  Sniffing is the process of watching communications going across the wire in order to find something specific.  Attackers commonly use free tools that anyone can download, such as Wireshark, to sniff.  In this case, they are sniffing out your email username and password.  Imagine you are on the guest wifi at a Starbucks and you check your email from your phone or computer.  Did you know that everyone else on that wireless network has the ability to sniff out your credentials?  Now imagine that you are at a hotel with hundreds or thousands of people on the same wireless network.  Hackers often sit at these locations to obtain your information.  Even worse, hackers can use very long range antennas and sit over a mile away.  Ok, so we have made you a little skeptical about checking your email on public wifi, but it gets even scarier.  When you check your email from the safety of your home, it still goes through the internet.  Anyone in between you and that email server can potentially grab your username and password within seconds.
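To make the “in the clear” point concrete from the defender’s side, here is an added example (not code from the article or its author) of the detection logic a network monitor would run over a POP3 session on port 110. It assumes the session has already been captured as text lines prefixed with “C: ” (client) and “S: ” (server); the three sample sessions, the addresses in them and the passwords are constructed. It flags sessions where USER/PASS or AUTH PLAIN/LOGIN cross the wire before the optional STLS (STARTTLS for POP3) upgrade, records the username for the alert, and deliberately never records the password.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample transcripts in the "C: "/"S: " convention assumed here.
# The passwords are fake placeholders; the analyser never records them.
SESSION_CLEARTEXT = [
    "S: +OK POP3 server ready",
    "C: USER alice@example.com",
    "S: +OK",
    "C: PASS not-a-real-password",
    "S: +OK Logged in.",
    "C: STAT",
    "S: +OK 2 1200",
    "C: QUIT",
]

SESSION_STLS = [
    "S: +OK POP3 server ready",
    "C: CAPA",
    "S: +OK",
    "S: STLS",
    "S: .",
    "C: STLS",
    "S: +OK Begin TLS negotiation",
    # everything after this point is encrypted and invisible to the monitor
]

SESSION_STLS_REFUSED = [
    "S: +OK POP3 server ready",
    "C: STLS",
    "S: -ERR TLS not available",
    # client falls back to cleartext AUTH PLAIN with an initial response
    "C: AUTH PLAIN "
    + base64.b64encode(b"\0bob@example.com\0not-a-real-password").decode(),
    "S: +OK",
]


@dataclass
class Pop3Finding:
    cleartext_auth: bool      # credentials crossed the wire unencrypted
    tls_negotiated: bool      # STLS accepted before any authentication
    username: Optional[str]   # kept for the alert; the password is never kept
    reason: str


def analyse_pop3_session(lines: List[str]) -> Pop3Finding:
    """Classify one captured POP3 session (hypothetical monitor output)."""
    tls = False
    awaiting_stls_reply = False
    username: Optional[str] = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("S: "):
            # Only the reply to a client STLS matters to this check.
            if awaiting_stls_reply:
                awaiting_stls_reply = False
                if line[3:].startswith("+OK"):
                    tls = True
            continue
        if not line.startswith("C: "):
            continue
        verb, _, arg = line[3:].partition(" ")
        verb = verb.upper()
        if verb == "STLS":
            awaiting_stls_reply = True
        elif verb == "USER":
            username = arg.strip()
        elif verb == "PASS" and not tls:
            return Pop3Finding(True, False, username, "USER/PASS sent before TLS")
        elif verb == "AUTH" and not tls:
            mech, _, initial = arg.partition(" ")
            mech = mech.upper()
            if mech == "PLAIN":
                # SASL PLAIN is authzid\0authcid\0password; keep only authcid.
                try:
                    parts = base64.b64decode(initial).split(b"\0")
                    if len(parts) >= 3:
                        username = parts[1].decode("utf-8", "replace")
                except ValueError:
                    pass
                return Pop3Finding(True, False, username, "AUTH PLAIN sent before TLS")
            if mech == "LOGIN":
                return Pop3Finding(True, False, username, "AUTH LOGIN sent before TLS")
    if tls:
        return Pop3Finding(False, True, None, "STLS accepted; auth happened inside TLS")
    return Pop3Finding(False, False, username, "no cleartext authentication observed")


if __name__ == "__main__":
    for name, session in [("cleartext", SESSION_CLEARTEXT),
                          ("stls", SESSION_STLS),
                          ("stls-refused", SESSION_STLS_REFUSED)]:
        f = analyse_pop3_session(session)
        print(f"{name:13s} cleartext={f.cleartext_auth} user={f.username} ({f.reason})")
```

The third sample is the case that matters most in practice: a client that offers STLS but silently falls back to a cleartext mechanism when the server refuses it still leaks the password, so the alert has to key on what was actually sent, not on whether STLS was attempted. A session on port 995 (POP3 over implicit TLS) never appears as readable text at all, so it produces no finding.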

In the last two paragraphs you may have noticed that I was talking in the past tense.  I wish I could say that this “used to be the way it was”.  Unfortunately, it is still happening in this day and age.  Many internet service providers are still using the POP protocol for email.  They are still walking you through the settings to get your email set up on your laptop or PC when you sign up for their service.  Your iPhones and Android devices are still set up to use the POP protocol to check your email.  In the end this leaves you extremely vulnerable.

Why is it that your internet provider even has POP email servers?  As a former QSA (Qualified Security Assessor), this was an immediate fail when I walked in to do an audit on a network.  This one protocol alone would have failed them against the compliance standards they had to adhere to.  Failing compliance because of these vulnerabilities then led to hefty fines if they weren’t mitigated quickly.  However, these POP email servers still exist and you are probably still vulnerable.

How do you know if you are vulnerable?  If you are using the email account that your internet company provided you with, there is a very good chance you are.

In order to protect yourself, you should find out if the email account you are set up with uses the POP protocol.  If it does, you need to consider changing to another email address.  There are several free email services that you can sign up for that use much more secure protocols.  Gmail is one of my favorites.

The first thing I think about when changing to a new email address is the inconvenience of changing over all of my online banking and bill pay accounts.  This can take a few hours.  It can also be very time consuming to let all of your friends and family know your new address.  This is definitely not a convenient process.  However, as I have mentioned in many lectures, security is more important than convenience.

I’ll end on this note.  Imagine the inconvenience of your banking and other important accounts being taken over because your email was compromised.  Remember, your email address is your key to the castle.  If an attacker were to compromise your email account, they essentially have control of all your online accounts.

Article by Mike Miller


Picture by Joe the Goat Farmer on Flickr via ccl 2.0