My review: The Hot Puppies - Blue Hands ►

◄ Site Update: A bit more on APASS

2009-03-06 📌 Email account security or a lack thereof

Tags 🏷 All 🏷 Tech

Believe it or not (I wouldn't) this is work related self-training to be more suspicious. Spotting anomalies and weaknesses in systems, etc. Starting with stuff I already basically know but have to think about in order to get it into one place.

Email accounts are usually used as a reference to open accounts on other sites — whether e-commerce, blogs, forums or whatever. Ergo it's particularly important to use strong passwords (minimum eight alphanumeric characters and ideally some punctuation characters as well, no dictionary words or names, etcetera) with them. They're the grail of malicious (and often criminally-inclined) attackers, and can facilitate obtaining credit card details or worse.

But let's assume a marginally more palatable hypothetical situation: parent is worried that offspring is being targeted by someone dodgy online. Wants to get into their email account. The following ramble might give you pause for thought the next you're setting up a free email account or wasting time in an internet café. I ought probably point out I've never actually implemented any of the below, it may not be legal even in situations in which you own the hardware and are legally responsible for the person you're snooping on, and this brainstorming assumes that morality has been put on hold. Nothing here is new; these techniques are widely used, just not necessarily widely-known amongst the larger computer-using population.

As with anything else technical, it all depends massively on how computer-literate the person is. Magic isn't possible, because you can't brute-force password attempts into most intelligently-designed login processes; they accept a few then force a timeout. However, there are other approaches.

I'm assuming our hypothetical concerned parent has already tried very likely passwords.

1. Security question

Involves the "I forgot my password" link on any webmail account. Using it and answering the question correctly will let you reset the account password. Like passwords, you usually have a limited number of attempts to enter an answer.

Pros: if you know someone you can often work out the answer. Even people who are usually quite sensible can have set something easy to guess, then forgotten what they put or even that there's even a security question on their account.

Cons: the person trying to break in doesn't get the password, it gets reset. Which is something of a giveaway. This can be mitigated by leaving or setting the security question to what it was, and hoping the user thinks it's a system problem (some not-particularly-technical people may actually fall for this.) For a parent with sufficiently grounded suspicion, this may be a useful one-use avenue of investigation.

2. Keylogging

Involves installing software to capture what's being typed and either store it on the machine or send it to an email address.

Pros: with some planning has plausible deniability. Technically illiterate people often install viruses and similar crap just by clicking on things accidentally or clicking "okay" every time they see a prompt. Or if someone were to email a custom-built keylogger attached to the installer for another piece of software, purporting to come from a friend, they wouldn't see anything amiss in running it (with the install privileges of their user account, remember) on their system.

Cons: decent anti-virus software such as AVG will tend to block the install of anything like this, especially something covert. A decent firewall will block attempts by a program to send out email. If a non-covert keylogger is used, people who know what they're doing may notice it even without anti-virus software helping them.

However, someone would only need to do it once — engineer a situation in which someone logs into an email account on a computer they have full control over (eg, a laptop on which anti-virus software could be disabled on if necessary) and have a keylogger running beforehand for the time it takes to get the login details wouldn't be a problem. With "honest" keylogging software of the type used by parents anti-virus software may not even notice it — being one simple example that some AV software may give a free pass to or allow you to ignore once it's installed, as it doesn't make any real attempt to hide itself, stores logs on the system rather than sending them out by email, can be uninstalled, etc.

How many times have you gone "can I just check my email quickly?" at a friend's house? Quite. Choose friends carefully, and you're still at risk if that friend is incompetent enough to not secure their system against viruses and trojans.

3. Packet sniffing

Not likely to be a directly fruitful avenue, as most email provider login processes use HTTPS rather than HTTP to handle exchange of passwords and authorisation. May be useful in some university setups where passwords are routinely transmitted in plaintext form, or for forum/blog passwords where login processes are HTTP-only. Since a lot of people reuse passwords, it's possible an attacker could compromise security by successfully targeting a weak link like this.

4. Paper trails

It's a watch-word that you should never write passwords down. But lots of people do. Kids and older people may simply not remember passwords, and in office situations where passwords are required to be strong and changed frequently some workers even write them on post-it notes.

5. Forgetting to log out / caching

This relies on an understanding of how web browsers work. Some these days, such as Firefox, have the ability to save the page or tabs you have open when the browser is closed, and re-open it all when the browser is next run — including anything you were logged into such as email accounts. If sufficient time is left, chances are the account will have automatically signed out due to inactivity, but if it's only an hour or so, this could be a security hole. Time-saving conveniences can also represent breaches; for example Opera doesn't refetch pages to check if there's a new version when you click its Back button... it pulls the page instantly out of its cache, so even if someone has logged out it may be possible to flick back through the webpages they've been browsing and look for incriminating stuff.

6. The mafia standby

Professionals who want access to information generally don't bother with subterfuge; they just threaten. Some kids will accept that parents are obliged to protect them. It's unlikely though, and forcing them to hand over information isn't helpful in the long run unless you want to wind up in a crummy nursing home years down the line. The same goes for if they catch you snooping.

💬 Comments are off, but you can use the mail form to contact or see the about page for social media links.