Smashing Security podcast #014: Protecting webmail

Did you press record? Yes, I'm pressing record this time. Okay good. Who's Recorded Future? Recorded Future, they're marvelous. They are very generously supporting the podcast this week. Oh that's nice isn't it, great. Yeah, they are the real-time threat intel firm and they use machine learning technology to analyze the open and the dark web to give people greater insight into emerging threats, what's really going on out there.

And do they share that information with people like us?

Oh yeah. So you can either sign up to be one of their customers, obviously, or you can get their free Cyber Daily newsletter and get the latest insights in your inbox at no charge whatsoever. All you have to do is go to recordedfuture.com slash intel. Recordedfuture.com slash intel. That's right. And thanks to Recorded Future for their support of the show.

I fed you every line there, Graham. Hello and welcome to this special Splinter episode of Smashing Security. I'm joined today by Carole Theriault. Hello, Carole.

Hello, chaps. Hi there.

Now, I've brought you guys together today because we want to talk about something which I think probably is important to everybody listening to this podcast. Not everything to do with security is important to everyone, but this one I reckon is important because everyone's got an email address, haven't they?

Well, yes. I use email for everything. Email, I think, is my favourite form of communication. Actually, more than anything. Maybe more than face-to-face in some cases.

I wouldn't go that far, but electronically, I'm with you, Carole. It's very old school, and loads of people tell you, oh, I don't use email, it's so yesteryear. But I just like it because I don't have to be there. You ask me a question, if I'm not there, I can't answer in half an hour, there's no point. With email, I get that chance to reply later.

That's what I think too. I mean, it may be old, but it works. And I haven't seen anything which really works, for my style of working at least, any better than email.

I think this is a great topic because I think a lot of people want to know

So I'm sort of like, sure, I'm going to carry on using email. Works fine for me. Now, most people are using, I would argue, web mail.

how to do this. And it's just a bit daunting. You know, there's so many different things

They have some sort of web interface for accessing them. And of course, there are the big web mail services, the Gmail, the Outlook, Yahoo, you know, these great big giants. And that's probably where the majority of people have got their email right now.

that they have to think about. So if we can kind of go through the main things

There are third parties as well. So what I thought we'd do today is we'd look at how we can better protect our web mail accounts. Now, what techniques can listeners use to make sure that their accounts don't get hacked and their information isn't stolen?

they can do, they'll be much safer if they can actually turn these things on and configure it properly.

Because obviously that could be damaging to us.

Absolutely. And of course, even if you're one of the post email crowd, well, I've met anyone who doesn't have an email address and I haven't met anybody who doesn't want to speak to me by email if they don't find me on Twitter. And, of course, lots of people, if they've got the Twitters and the Facebooks and all the other social media services, probably have and need an email address that they rely on for the security of all those other accounts because they probably use it for password recovery and emergencies and password resets.

You're making such a good point because I have got friends under 25 and they may look at their email account maybe once a month. They don't use it for day-to-day communication. But absolutely it's a fundamental requirement for lots of accounts that you have to open so it's there. Recovery email, good point. So when the sugar hits the fan you're going to...

Yeah, that's when you really do need your email account isn't it, is to recover access to some of those other online accounts when sugar hits the fan. Well, I don't... You, Carole, you're the one who keeps on making... I like it.

I like it. TM Graham. I like it.

Is that granulated or cube? But okay, now listen, because, however, you can use emails for password recovery and things like that. Doesn't that make it so much more attractive to the cyber criminals as well to gain access to that? Because your email account, of course, could be the thing which helps them unlock so many other accounts that you have online. Absolutely. And of course, even for the post email generation, there is a number of services where only email will do for them to correspond with you. For example, your bank might be willing to send you an email saying there's something going on. You might have to log into their account. They won't put the details in the email, but they'll send that by email. They won't send you a tweet with that information in the same with in many countries with the tax office and so forth. And maybe that's useful, isn't it? We know to be suspicious if our bank manager suddenly starts Snapchatting with us. We can treat that with suspicion.

You know, a friend of mine actually?

I think suspicion is the wrong word there, but boggily is where my mind's going. No, but you were saying how important email is. I mean, a friend of mine just had her email hacked. My gut feeling is that, you know, although you're sort of responsible for the things you say online, it feels to me as though an email is much harder to deny if a crook gets in and then sends an email from you to someone else than tweets and other postings on other services. Because for a long time, we've accepted emails back and forth almost at a contractual level, haven't we?

Okay, let's get on with some of the tips. And I think probably the first and most obvious tip which we can give people, how to protect their web mail better is to choose a stronger, unique password.

Yeah, and we did an episode, didn't we? We did an episode all about passwords. Exactly, yes. We'll link to our previous podcast where we discuss passwords in depth, how to make them stronger and how to make them more secure. And complexity really means complexity, you know, I've met people who've they know jolly well that they've got a pet rabbit called Flopsy, they know they shouldn't use Flopsy as a password so they imagine Flopsy99 is okay instead. All the password cracking tools know to do that in the same way that using leetspeak, you know, where you put three instead of E and one instead of I or L. Yeah, but so listening to the previous podcast will really help. I think there's a lot of great advice there on how to create one. So, yeah, and well, what I would advise people is don't actually create the password yourself. I think my preference would probably be for most people with something as important as your web mail account, use a password manager to generate a long, complicated password for you. And that will have the benefit that it will also remember it and store it in a secure fashion so that you don't have to memorize it yourself. Yeah and if anything right that password manager the password for to access the password manager really has to be you know top dog in terms of strong and unique.

Yeah that's the objection most people have to a password manager. I quite understand it. And the answer to that is if you'd cross that bridge, if you decide you're going to put all your eggs in one basket, I've mixed a metaphor there, then lock that basket really, really carefully. At least you only have to do it once. So, Duck, you've just mentioned two-factor authentication and there's two-step verification as well. Many web mail services are now offering this feature as an additional layer of security. Effectively, what this means is that even if a hacker does manage to grab your password, when they log in, when they try and break into your account, they should be stopped.

Absolutely. It's like a second hurdle in the process. And again, it does take a tiny bit more time to have that, but the amount of security it gives you, in my view, is huge so I use it wherever I can. Yeah, it's the first few times you do it you think golly this is irritating and then after a while you watch somebody logging in and they don't reach for their phone or they don't check for some secondary factor typically they're either SMS's or something that comes up on an app which importantly is different every time so if a crook fishes it he gets one and only one go at your account. And when I see people logging in I think golly they seem to be taking a bit of a chance — it's much too easy and once you get used to it I mean I've heard all sorts of excuses why people don't want it. And I've heard some people complain, oh, you know, it's so irritating because I have to enter this every time I go into my email, so I'm not going to turn these features on. Many of the web mail services these days will give you the option of saying, look, only be reminded, only be asked this question maybe once every 30 days.

That remember me for 30 days, in my book, that's way too long. Cross the bridge, take the pain now, learn how to use it. It's not that onerous. When you think what a crook can do with your life, if they get your email password, they can mess things up. I don't disagree with you, but what I want is I want more people to turn this on. And I wonder if that's a stepping stone is just giving them that extra little bit of comfort so they only have to do it once a month. That's got to be better than not doing it at all.

Yeah. I mean, yeah. And I know lots of people that have it turned off because they find it painful and I haven't found a way really to convince them because they just say, "Oh, you're just spreading fear and doubt. You're just exaggerating the problem." And I find it really hard to communicate how important it is — 2FA multi-factor authentication. I think another thing that I've heard a lot, particularly when it comes to SMS-based authentication, which will probably go away because there's pressure from NIST in the US for public servants over there that they won't be allowed to use SMS two-factor authentication because it's too easy for a corrupt mobile phone shop to issue a new SIM that basically makes calls and messages go to a different device for a while until you notice. But they go, "I don't want to give, you know, Facebook or Twitter or whoever it is, my phone number because they'll just start spamming me."

So I think some other things which people can consider doing to better protect their webmail account, things like setting up this recovery phone number or recovery email address. So should you forget your account details? Should you be locked out for any reason? You have some method for your webmail provider to contact you and give you some mechanism for getting back in.

Therefore, and that other provider, your security and your password for that provider must be at least as good as the one for the one you're protecting of course that's the thing that people forget they go I just need this account I'll hardly ever use it so I can the one that's really really really important I'll do less and less work on security because I won't be using it a lot it doesn't work like that once is enough.

Yeah and there are a lot of people that have made their work email address their recovery email addresses and phone numbers so it's a good thing to kind of check on your important accounts to make sure the recovery information is up to date because people do change jobs. Yes. And do that before you change a job. You may find it difficult to change that recovery address otherwise. You know what? Sometimes those are spammed as well, right? Sometimes those are hoaxes.

Yeah, that's an interesting point. So yes, you need to be careful if you do receive an alert as to clicking on links, whether you're going to the real web mail service or you're going to a phishing site.

Also, Carole, a lot of these services, certainly the webmail I use, and I think you can do this with, pretty sure you can do this with Twitter and Facebook as well. Once you've learned how to navigate through the often Byzantine corridors of their security menus, many of them, they do have a page where you can log in yourself. And then you can go to that page, it'll say, show me what the last access is to my account and you can go back and you can have a look and see if that matches you. You can have one complicated password. Once you get used to it, you should be able to type it in fairly quickly. And remember, the idea of passwords, they're not meant to be a tiny little speed bump those ones with the gaps where cars can kind of go past them without going over. It's meant to slow you down.

So hey, your password manager will help a little bit there as well. And obviously be careful about any attachments.

So the in other words the email treat it like the emails that you get from some banks where they say you've got a statement and that's all they say and they say please know we haven't put a log in here but we're just saying if you go to the bank site and log in in your normal way using your normal trustworthy procedures you can find out what it is. So they use the alert isn't really an alert. It's kind of a notification. It's meant to make you stop, think, consider. And the fact that it is inconvenient and it takes a bit of time, and I'm sure we're going to get onto two-factor authentication in a minute, which is another side of the same coin. It's not meant to be completely easy to put in that master password. It's kind of having a lock on your front door that doesn't just open because you happen to tap it.

I can't see any legitimate reason why a web mail service would be sending you an attachment when it sends you those kind of alerts.

And then you actually go yourself in your own trusted way to the site to actually see what's going on.

Yeah, I think it's good. And similarly, there will be most likely a page on your web mail service, which will inform you about when the last account activity occurred and where the other logins have happened from. And it may even be able to see someone logged in from this country and whereas you always use a Windows computer this person was using a Mac and that may ring alarm bells on you thinking well hang on I'm not in Venezuela or wherever it is in the world where these logins are occurring from and so forth that must be suspicious and that can warn you that something bad is happening.

You're right the point is where these services are collecting this data where you can go in and have a look at those logins generally speaking a crook can go in and look as well but you know he can't make his own login disappear so if you go in there and review that on a regular basis that means that you've got a fighting chance even if it's a little while later even you know better to

Now do you guys remember when all these Hollywood celebrities were having their photographs stolen and pictures and all that sort of thing?

know a week later that somebody's been messing around in your email account than to find out months later yeah because it's all over the news.

You're not talking about the fappening, are you?

The fappening and celeb... Yes, the

Fappening. I never thought I'd say that word aloud.

And let's call it celebgate, I think it was also called. So one of the tricks which the hackers were using there was quite ingenious in a way because they managed to gain access to celebrity accounts and associates of these celebrities as well by using the normal techniques, things like phishing and using things like key loggers. However, once they'd gained access to an account, even if the owner of the account changed their passwords, they were still able to access the emails. And the reason for that, well, there's a couple of ways in which hackers can do that, which I think people need to be aware of. One is that you may have granted access to your account through some form of delegation. So your webmail service may have the ability to say, yes, you can access your account, But would you like someone else to be able to access your account as well? And that can be hidden away in the settings that, you know, it's the equivalent really of letting your personal assistant or someone like that go through your email.

So what would they look for? What would people look for?

Well, if you go into the settings of your email, it will be under something called maybe delegation. So you're granting access to other users to access these things. And the problem is, as I said, that even if you change your password, it doesn't mean that they can no longer access. The other way in which this can occur is that the hacker could have set up a rule inside your webmail to automatically forward email. And so the email could even still appear as unread in your own inbox, but it's actually secretly being forwarded to someone else's address. And who knows what they're going to do with it and what they plan to do with it. So you need to look for rules which are doing that.

And Graham, most of those forwarding rules also allow you to say forward this and then delete it from the original, don't they?

Yes. So a savvy crook can actually make sure that if there are emails that might turn you on to the idea that something bad is happening, you won't see those because they're off to the crooks who know jolly well that that's happening because they're doing it.

OK, but whoa, whoa.

Well, just ask Scarlett Johansson and Jennifer Lawrence is my answer to that. I think where it can happen is where an individual has been specifically targeted. Obviously a celebrity or maybe you have a stalker or let's put in quotes secret admirer who wants to know more about you, jealous partner and so forth.

How big of a problem is that, that mail is being forwarded without people knowing, do you think?

Also, Carole, don't forget that there's a sort of niche in the cybercrime world of people who don't really want to bother cracking accounts and they don't really want to do anything with the data they get. Maybe they will after things like credit card numbers, but they don't go making fake credit cards and trying to spend them themselves. They just go on to some underground forum and they get information about people, arbitrary information, and they just put it up for sale, even if it's 50 cents a go. So that's the problem. If your email is being bulk forwarded or bulk copied to somebody else, the problem is you never know what they might have done with it. And worst of all, it might be in the third, fourth, fifth party's hands as well because it might have been traded for something else like Bitcoin.

I think what's most scary about all this, though, is that even if someone goes and changes their password and turns on 2FA, this could still be a problem if the rule has been set inside their email.

Yeah, it is a worry. And so people need to check it.

And if you think of other online services, you know, the Twitters and the Facebooks, they don't call it delegation. They call them apps, even though the apps run somewhere else.

Same idea, isn't it? It is surprising how many third party services you can link in with your webmail. So they may be providing some sort of calendar functions, for instance. They may be trying to do something with your contacts. They may be trying to make your email more manageable if you're getting too much email and trying to sort it into different folders, for instance. And you are putting your trust in those third party services that they are going to do a good job and that they are not going to be hacked.

And they're sexy because they give you a better service. You know, that's often what they're selling to you, something that's just a bit more slick or a little smoother in its road. But yeah, they have full access after that.

So the classic example is Twitter. I use the app, which actually you can revoke in the website and the online website. And I haven't recently met a person who hasn't said to me, are you crazy? Use Twitter through its website. You don't use some third party app that lets you keep on top of all of this. So I'm in a minority, a tiny minority. So I'd say most people probably have in one of their important online digital life services delegation to somebody else to act on their behalf, whether that's reading email, sending email, reading tweets, sending tweets, posting to Facebook, whatever. Such a good point. And the crooks love that because when it comes from you, it looks like when it's a scam, people are more likely to click on it because they're going, OK, well, this guy did get his iPhone after all. No one ever does. But this and that's my buddy. Why wouldn't you believe it? It has that ring of personal truth.

I just love that we have a duck who tweets. I think that's terrific.

I might use that again, if you don't mind.

Feel free.

I was thinking that was a bit mediocre.

Well, it's good enough for Doug. Maybe he'll improve it. I'll tell you what, I'll use it. And if someone groans, I'll say, well, that was what Graham said. Exactly. Perfect. Love it.

Or archive it. Would that make it better as well? Is it hard to get access to, do you think, or not really?

You mean sort of archive it locally yourself? You could do that, yes. It may be a bit of hassle for the typical user who's used to just using the webmail interface. But this, of course,

Would be different from archiving it within the app or within your service. That's right.

And also consider that it's not just about your account security. It's about other people's, too, your friends, your colleagues, your family. Because, of course, if you're exchanging private sensitive emails with those people, which you probably are, then you can have battened down all the hatches. You can have all the security in the world. But if they've been sloppy about their security, it's still your information which is ending up in the hands of criminals. So do your little bit to spread the word about how to better protect accounts because you can do a little bit of good that way. The more history that a crook has on you, the more email that they can go back through and look at, the more copy and paste opportunities they have for creating something that really makes them look and sound like you. And that's the big trick with CEO fraud, which is hitting businesses small, medium and large all over where someone emails and it actually really is your CEO. It's your CEO's account emailing or your CFO's account, but it's not them. But it doesn't have all those telltale signs that a spam or a scam would have maybe 10 years ago. It's all written in exactly conversational English that your CFO would normally use because the crook went back a few months and picked a very similar email that the person wrote last time.

I think that's great advice. One final tip from me, one thing we haven't really spoken about in this particular edition is where you log in to your computer. So using your computer at your home providing you have an up-to-date antivirus and you've kept it patched and so forth may well be considered more secure than using a publicly shared computer. So be careful where you log in because there may be malware in the background, but also make sure you log out. Don't leave yourself logged in because the next person to use that computer may find it all too easy to gain access to your account. Yes, that's well said. My advice for internet cafes, you know, obviously with the modern mobile phone era, they're less well used, but sometimes you need one, is if you go into an internet cafe and you're sitting down at their console and you get to the point where you're about to log in to your webmail and you think, I wonder if this is secure. The answer is, it is not. Turn around and leave.

So our advice then, if in doubt, don't do it. Log out. Don't log in in the first place.

And thank you to Recorded Future for sponsoring the show. You can sign up to their Cyber Daily newsletter at recordedfuture.com slash intel.

And, yeah, well, thanks for tuning in. Tell all your friends. Follow us on Twitter. We're at Smash In Security. On Twitter, Smash In without a G Security. Until next time, toodaloo. Bye. Bye.