Received this question:

• “How easy is it to either hack someone’s email or to create fake electronic correspondence?
• And if there was a hacking attempt, what are the warning signs that should alert the authentic owner of the email address?

https://www.ttcs.tt/blog/whether-email-accounts-can-be-hacked-and-how/ talks of the possible methods how your password to your email account can be leaked to unauthorised persons who can then access your email account. The common method is by a phishing email pretending to be from a person you know or organisation you know to click on a malicious link or run an attachment. See http://theonion.github.io/blog/2013/05/08/how-the-syrian-electronic-army-hacked-the-onion/ which has a screenshot of the phishing emails that were sent to the Onion’s staff members (one of whom fell for the phishing email and entered their username and password)

The method of phishing emails pretending to be from a friend or organisation you know underscores the ease of faking emails. The from field in an email can have any text (e.g “lldjlkdladajdlk@sdkaldjal”) that looks like an email address and not be from the “real” sender.

Sites like http://deadfake.com/Send.aspx allows you to create a fake email which you can send to yourself to further demonstrate the ease of faking the from field of an email message.

To detect hacking attempts, one should set up two factor authentication which improves the security of your email account. One common implementation of two factor authentication uses your cell phone. Whenever a new device or software is used to access your email account, the email provider prompts you to enter a second password that is sent to your cellphone via SMS. If you receive an SMS and you are not trying to access your email from a new device, then you are aware that someone else has your password and is attempting to access your account.

See a PC World article which illustrates how to set up two-factor authentication with Google, Facebook and Microsoft: http://www.pcworld.com/article/2036252/how-to-set-up-two-factor-authentication-for-facebook-google-microsoft-and-more.html

Detection of whether your email account is compromised without two factor authentication requires a regular review of your email account profile and/or settings.

You may also get a call from a friend or organisation asking you about the strange phishing email or “”the stranded traveler” scam email they supposedly received from your email address. Now these emails can be faked as mentioned earlier and your email and password is secure. However, undoubtedly hearing of these emails will raise concerns that your account was compromised or “hacked”.

First step : change your password to your account immediately. Then review your email account profile and/or settings to look for

• changes to your email filters to forward emails to strange email addresses,

• changes to the settings for a backup contact account (email and/or phone number) for the provider to contact you if you have problems with your account,

• access logs showing irregular IP addresses where the email account was accessed.

Changes to these settings not done by you are a strong indicator that your email account was compromised.

You should also change the security questions used to recover your password and if you use the same password on other sites (which you should NOT do – you should have unique, strong passwords for each of your services you use), also change the passwords for those sites.

The complete, strange emails that your friend alerted you to, should be kept for study by you or pertinent authorities to study for clues as to the IP address where the email was sent from.

This requires the preservation of the email headers which are typically not shown by email clients nor included in the email when emails are forwarded.  However, all email messages have e-mail headers. See http://www.emailaddressmanager.com/tips/headers.html which shows the typical email headers of a regular and a spam email for comparison.

Comments and suggestions to this post are welcomed.

Received a question asking “can email addresses be just a few characters?”

Yes.

Reference links

• http://www.faqs.org/rfcs/rfc2822.html
• http://tools.ietf.org/html/rfc5322#section-3.4.1
• http://tools.ietf.org/html/rfc6531#section-3.3

 

Many email providers limit how short or how long the email address can be.

As examples, Gmail (which provides addresses @gmail.com) rejects requested email addresses less than 6 characters to prevent spam.  See https://support.google.com/mail/answer/7993

Microsoft (Outlook.com and “Hotmail.com”) addresses can contain only letters, numbers, periods (.), hyphens (-), and underscores (_).

No special characters, accented letters, or letters outside the Latin alphabet.

If you are setting up your own email server, or using Google Apps, you can pick what you want to be a valid email address. For example, at the TTCS, we can have [email protected], or even [email protected] if we choose.

As long as it complies with Internet rules, any email provider can make their email usernames however they want.

 

 

Received a question asking “whether email accounts can be hacked and how”

Yes, email accounts can be hacked to allow unauthorized persons to access your email account .  Typically, this can be done by several approaches (or a combination of them):

(Update : 6:50 pm May 21 – switched article to headings instead of ordered list)

 

Phishing

This is when you are deceived into entering your username and password at a bogus website masquerading as the legitimate site. See “How the Syrian Electronic Army Hacked The Onion” http://theonion.github.io/blog/2013/05/08/how-the-syrian-electronic-army-hacked-the-onion/ as an example of a phishing emails used to get user credentials.

 

Installing malicious software or spyware

Spyware on a computer can monitor keystrokes and eventually obtain your email username and password as you use the computer to access the account.

Spyware is typically installed on your computer by

• software exploits – surreptitiously by taking advantage of software flaws or vulnerabilities (often the web browser and the addons installed in your web browser) on your computer. Such security flaws allows for software to be installed without your knowledge by visiting a malicious website.
• bundling such spyware with third party software obtained from unreliable sources
• deceiving the user to install software via banner ads or by forged emails from one of your friends or organisation you work with, asking you to view/run an attachment.

 

Social Engineering

Persons use email addresses to sign up for various online services/websites. Most (if not all) services allow for the password to user’s accounts to be reset, in case you have forgotten your password. Because such services use different details about you to verify your identify, information about you gleaned from one service (e.g your birthday posted on Facebook, WHOIS information from your domain name you registered) can be used by an attacker to obtain your password at another service. A Wired editor wrote a detailed article when this happened to him: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/.  Another interesting article : https://medium.com/tech-talk/280c753b1145

 

Not logging out of your account from a shared or public computer

Not logging out of your account from a shared or public computer means that another person with access to the machine can access your account.

 

Poor password security practices

Email accounts has been hacked from people “guessing” the answers to the recovery/security question to reset the password. Easy questions like your spouse’s name or favourite pet can be gleaned from information published on social networks.

Other poor security practices include using simple passwords that are easy to guess (eg “password” for the password) and using the same username and password for multiple services. When one service is compromised resulting in their user accounts and password information being stolen or leaked on the Internet, all other services that use the same username and password are at risk.

 

Password sniffing

Typically many public wifi networks are not encrypted, which means that other devices on the wireless network can eavesdrop and monitor network traffic. This means that if you use your username and password on such a network, your login information can be copied for later use by such other devices.

 

 

 

Any suggestions for this post on how else can email accounts be hacked?