Gmail Security

Sun, Jan 11, 2009, by TechDoc

E-mail

As always, it seems that web-related security is a never-ending game of catch me if you can, and email is no different. While you might use any one of a number of different applications, it is a fact that we users are more reluctant to change than we would ever care to admit, and so we tend to settle on one application and just use that. This can often be the cause of our downfall, so let’s have a look at how not to become the next victim.

We all seem to gain a sense of greater security with applications that we are familiar with. We also tend to use the same authentication credentials for multiple applications, whether they are related in any way or not. Thus most users stick with the same few applications and protect them with the weakest credentials those applications will accept.

The symptoms of this potentially dangerous type of use include:

  • The use of passwords of the bare minimum complexity
  • Using the same password and logon credentials across multiple applications and in multiple instances
  • The use of their browser’s auto-complete feature wherever and whenever possible
  • Knowing and unknowing disclosure of authentication-related information and linked data via automatic software. This is probably the worst of all, since an attacker can easily compromise and exploit this practice, which usually occurs over unencrypted, publicly accessible networks like the Internet.

To illustrate this last point, many users will use the automated “Find Friends” features of web sites (particularly social networking sites such as LinkedIn, MySpace, Facebook etc.). These sites require the user to supply their Gmail user name and password, which is a really bad idea.

If you must use this type of feature then you are best to export your contacts list directly out of Gmail and save it as a CSV file (comma separated values). This can then be imported directly into the other application and, guess what, you never disclosed your Gmail user name or password. Very simple really and, what’s more, this file also serves as a backup for your contacts list should some out of the ordinary disaster strike.

Anyway, the upshot of all of this is that the bad guys know this and will instigate numerous strategies to exploit these very traits. Those with expertise in the social engineering field have a multitude of tactics to use in their endeavors to part you from your more personal information, including authentication credentials.

All that being said, I admit it; I love using Gmail for my email and the thought of using another application doesn’t really enter my head. One of the biggest reasons is my long experience that Google do provide considerable support for their products and, not surprisingly, do not provide support to the same degree for other people’s competing products. I guess Google are not in the business of selling company XYZ’s goods, just as company XYZ are not in the business of selling Google products.

One old example of this type of contra functionality raised its ugly head way back when Microsoft introduced Windows XP. My Microsoft keyboard and mouse worked just fine once the new OS was installed. My brother however had a nightmare trying to get digitally signed and functional drivers for his Logitech hardware which was working just fine until he upgraded the OS.

With all that said, here are a few tips for significantly boosting your Gmail security, and they really are worth doing. At least that’s what Google keep saying, and for once they have got it right.

Hypertext Transfer Protocol Secure (HTTPS)

Always use HTTPS, which has recently been introduced into Gmail. One way of invoking HTTPS is to simply replace the “http” at the beginning of a URL with “https”. Simple and sweet, and it works with all systems that support HTTPS regardless of the intricacies of the mechanics used to achieve it.

Gmail also gives you the option to use HTTPS by default. To do this you must go to “Settings” in Gmail and, under the “General” tab in “Browser Connection”, place a check mark in the “Always use https” checkbox. Then click Save and you’re done. This gives your Gmail account an additional layer of security via an encrypted communications channel.

Any eavesdroppers or would-be opportunistic villains will only be able to intercept encrypted and, to them, realistically undecipherable garbage. They will simply move on to easier targets rather than spending the considerable resources and time necessary to “crack” your encryption. You have now made great progress in restricting the contents of your email from unauthorized access. In the security world this is what is referred to as confidentiality.

Configure, Set, Monitor and Check Your Email Filters

To date, the Gmail vulnerabilities that have surfaced have all been related to the establishment of malicious filters and email auto-forwarding. Thus you should check your filters regularly for evidence of suspicious activity or entries that shouldn’t be there.

Obviously, in order to know what shouldn’t be there you will need to know what should be there. To achieve this, all you need to do is set your filters and then take a screen shot of them. You can use this screen shot for comparative purposes at a later date.
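The screen-shot comparison above can be automated. The Python below is an added example, not from the article: it assumes the Gmail filter export is an Atom feed whose entries carry apps:property elements (the sample feed is constructed), flags filters that forward mail to an unexpected address or trash/archive security-related mail, and diffs the current filters against a saved baseline.

```python
import xml.etree.ElementTree as ET

# Namespaces assumed for a Gmail filter export (Atom feed + apps:property).
ATOM = "http://www.w3.org/2005/Atom"
APPS = "http://schemas.google.com/apps/2006"

# Constructed sample export: one benign newsletter filter and one filter of the
# kind the article warns about (forward + trash of password-related mail).
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='hasTheWord' value='password OR verification'/>
    <apps:property name='forwardTo' value='collector@attacker.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>"""

CRITERIA_KEYS = ("from", "to", "subject", "hasTheWord")
SENSITIVE_WORDS = ("password", "verif", "security", "sign-in")


def parse_filters(xml_text):
    """Return each filter entry as a dict of apps:property name -> value."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value")
             for p in entry.findall(f"{{{APPS}}}property")}
            for entry in root.findall(f"{{{ATOM}}}entry")]


def audit_filters(filters, known_forward_addresses=()):
    """Flag forwarding to unknown addresses and hiding of security-related mail."""
    findings = []
    for i, f in enumerate(filters):
        fwd = f.get("forwardTo")
        if fwd and fwd not in known_forward_addresses:
            findings.append((i, f"forwards to unexpected address {fwd}"))
        criteria = " ".join(v for k, v in f.items() if k in CRITERIA_KEYS)
        hides = f.get("shouldTrash") == "true" or f.get("shouldArchive") == "true"
        if hides and any(w in criteria.lower() for w in SENSITIVE_WORDS):
            findings.append((i, "hides security-related mail: " + criteria))
    return findings


def diff_against_baseline(baseline, current):
    """Return the filters in `current` that were not in the saved baseline."""
    base = {tuple(sorted(f.items())) for f in baseline}
    return [f for f in current if tuple(sorted(f.items())) not in base]
```

Save a parsed export from a known-good day as the baseline, then run the audit and the diff on each later export.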

Verify HTTPS

No matter where or when you log into your Gmail account, it is important that you have a look in your browser’s address bar and verify that the URL does indeed start with https:// and not http://. Google recommend that you should only ever enter your Gmail sign-in credentials at web addresses starting with https://www.google.com/accounts, and never click through any warnings your browser may raise about certificates.

You will also note that a little padlock icon appears to the right of your address bar whenever you are using HTTPS. Most systems also display a similar padlock icon in the system tray (next to the clock) when HTTPS is successfully invoked.

Don’t Disclose Your Gmail Authentication Credentials

This includes your user name and password. I have already mentioned the direct issues associated with using the “find friends” features at such sites as LinkedIn, MySpace and Facebook. While you may choose to trust these sites, make double-sure and be wary of other sites that propose the same service. They are not all trustworthy.

So your best bet is not to use this feature at all, other than in the way mentioned above: using a CSV file to transfer a list of contacts for the site to search. Remember that this CSV file is very valuable to many entities that you would prefer never gained access to it.

For example, it contains a list of your contacts, which spammers can make use of if they get their hands on it. This means that other individuals would like to get their hands on it in order to sell it to the spammers. So the problem is compounded considerably, since there are many levels at which an enterprising villain can turn a profit out of your contacts list. Social engineering is another, as is the “request for updated details” scam.

Another factor you might want to take into consideration is that more than 90% of abuses of trust relating to personal information such as email particulars are actually perpetrated by “insiders”. Before you use these “find friends” types of services ask yourself these four questions:

  1. Do I implicitly trust LinkedIn, MySpace, Facebook and company?
  2. Do I implicitly trust every member of their staff, including casuals, part-timers, outside contractors etc.?
  3. Do I implicitly trust every individual that may ever visit their premises?
  4. Do I implicitly trust all of the users of their services?

If you answered NO to any of them then you shouldn’t be using that feature in the first place, and if you continue to do so then you asked for it.

Requests for Disclosure or Confirmation of Gmail Credentials

Be very wary of any emails or other unsolicited requests for disclosure or confirmation of your Gmail credentials. Gmail’s policy is that they will never ask you for these, so you can be sure that any emails which do so are phishing emails, which you need to stay away from.

What’s more, you probably don’t have a very wealthy, until now unknown, relative living in Nigeria who wants to give you twenty million dollars. This too is a well-known scam, often referred to as a Nigerian 419.

Backing Up Your Email

Since security relates to the integrity, accessibility and availability of your data, backups are critical should the worst-case scenario occur. It’s too late to put your finger in the hole when everything inside the hole has already escaped. You should always back up your emails and not rely upon third parties, no matter how conscientious they may be, to do it for you. I will be presenting a short article detailing how to do this very shortly.

Use No Browser for Gmail Access

Finally, a tip the more security-paranoid user might want to consider is not to use a web interface for Gmail access. As with most web-enabled applications today, the vast bulk of security-related issues reported are browser-based. You may want to use another application, such as a mail client that accesses Gmail via POP or IMAP, to open your Gmail. They work fine and are much more secure, but don’t look as pretty.

Email Policies

Regardless of whether you are just an individual, a small business or a larger organization, it is imperative that you develop an appropriate email policy, implement it and rigorously maintain it (including re-evaluating and amending it). This becomes ever more serious for those wishing to implement ecommerce solutions, where PCI compliance-related matters will also come into the picture.

1 Comments For This Post

  1. Chris Stonecipher Says:

    Thanks for sharing this informative article. I am guilty of using the same passwords with different sites. I will change that now.

Leave a Reply