How easy is it to hack someone’s email or create fake emails? What are the warning signs to alert the user if their email was hacked?

Received this question:

  • “How easy is it to either hack someone’s email or to create fake electronic correspondence?
  • And if there was a hacking attempt, what are the warning signs that should alert the authentic owner of the email address?”

https://www.ttcs.tt/blog/whether-email-accounts-can-be-hacked-and-how/ describes the possible ways the password to your email account can be leaked to unauthorised persons, who can then access your email account. The common method is a phishing email, pretending to be from a person or organisation you know, that asks you to click on a malicious link or run an attachment. See http://theonion.github.io/blog/2013/05/08/how-the-syrian-electronic-army-hacked-the-onion/ which has a screenshot of the phishing emails that were sent to the Onion’s staff members (one of whom fell for the phishing email and entered their username and password).

The method of phishing emails pretending to be from a friend or organisation you know underscores the ease of faking emails. The From field in an email can contain any text (e.g. “[email protected]”) that looks like an email address, without the message coming from the “real” sender.

Sites like http://deadfake.com/Send.aspx allow you to create a fake email which you can send to yourself to further demonstrate the ease of faking the From field of an email message.

To detect hacking attempts, one should set up two factor authentication, which improves the security of your email account. One common implementation of two factor authentication uses your cell phone. Whenever a new device or software is used to access your email account, the email provider prompts you to enter a second password that is sent to your cell phone via SMS. If you receive an SMS and you are not trying to access your email from a new device, then you know that someone else has your password and is attempting to access your account.

See a PC World article which illustrates how to set up two-factor authentication with Google, Facebook and Microsoft: http://www.pcworld.com/article/2036252/how-to-set-up-two-factor-authentication-for-facebook-google-microsoft-and-more.html

Detection of whether your email account is compromised without two factor authentication requires a regular review of your email account profile and/or settings.

You may also get a call from a friend or organisation asking you about the strange phishing email or “the stranded traveler” scam email they supposedly received from your email address. These emails can be faked, as mentioned earlier, in which case your email account and password are still secure. However, hearing of these emails will undoubtedly raise concerns that your account was compromised or “hacked”.

First step: change the password to your account immediately. Then review your email account profile and/or settings to look for:

  • changes to your email filters to forward emails to strange email addresses,
  • changes to the settings for a backup contact account (email and/or phone number) for the provider to contact you if you have problems with your account,
  • access logs showing irregular IP addresses where the email account was accessed.

Changes to these settings not done by you are a strong indicator that your email account was compromised.

You should also change the security questions used to recover your password. If you use the same password on other sites (which you should NOT do – you should have a unique, strong password for each of the services you use), also change the passwords for those sites.

The complete, strange emails that your friend alerted you to should be kept so that you or the pertinent authorities can study them for clues as to the IP address where the email was sent from.

This requires the preservation of the email headers, which are typically neither shown by email clients nor included in the email when emails are forwarded. However, all email messages have email headers. See http://www.emailaddressmanager.com/tips/headers.html which shows the typical email headers of a regular and a spam email for comparison.
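As an added illustration (not part of the original post and not any provider's tool), the Python example below reads the preserved headers of a message, lists the relay IP addresses recorded in the Received headers, and compares the From domain with the Return-Path and Reply-To domains. The sample message, its addresses and IPs are constructed, and the names analyse and domain_of are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): From claims a bank, but the
# Return-Path, Reply-To and relay chain point somewhere else.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
    by inbox.recipient.example with ESMTP; Tue, 21 May 2013 10:00:05 -0400
Received: from unknown (HELO mailer.example.net) (203.0.113.45)
    by mx.recipient.example with SMTP; Tue, 21 May 2013 10:00:03 -0400
From: "Your Bank" <support@bank.example.com>
Reply-To: collector@freemail.example.org
To: user@recipient.example
Subject: Urgent: verify your account

Please verify your account.
"""

# IPv4 literals as relays usually record them: [1.2.3.4] or (1.2.3.4)
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def analyse(raw):
    msg = message_from_string(raw)
    # Each relay prepends its Received header, so reversing the list gives
    # the oldest hop first. Hops recorded before your own provider's servers
    # are written by the sending side and can be forged.
    hops = [ip for h in reversed(msg.get_all("Received", []))
            for ip in IP_RE.findall(h)]
    from_dom = domain_of(msg["From"])
    warnings = []
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            warnings.append(f"{name} domain {dom} != From domain {from_dom}")
    return {"from": parseaddr(msg["From"])[1], "hops": hops, "warnings": warnings}

if __name__ == "__main__":
    report = analyse(RAW)
    print("Claimed sender:", report["from"])
    print("Relay IPs, oldest first:", report["hops"])
    for w in report["warnings"]:
        print("WARNING:", w)
```

A domain mismatch is a signal to look closer rather than proof of forgery, since mailing lists and bulk-mail services legitimately use a different Return-Path.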

Comments and suggestions to this post are welcomed.

Can email addresses be just a few characters?

Received a question asking “can email addresses be just a few characters?”

Yes.

Reference links

  • http://www.faqs.org/rfcs/rfc2822.html
  • http://tools.ietf.org/html/rfc5322#section-3.4.1
  • http://tools.ietf.org/html/rfc6531#section-3.3

Many email providers limit how short or how long the email address can be.

As examples, Gmail (which provides addresses @gmail.com) rejects requested email addresses shorter than 6 characters to prevent spam. See https://support.google.com/mail/answer/7993

Microsoft (Outlook.com and “Hotmail.com”) addresses can contain only letters, numbers, periods (.), hyphens (-), and underscores (_): no special characters, accented letters, or letters outside the Latin alphabet.

If you are setting up your own email server, or using Google Apps, you can pick what you want to be a valid email address. For example, at the TTCS, we can have [email protected], or even [email protected] if we choose.

As long as the address complies with the Internet standards linked above, any email provider can make their email usernames however they want.

Whether email accounts can be hacked and how

Received a question asking “whether email accounts can be hacked and how”

Yes, email accounts can be hacked to allow unauthorized persons to access your email account. Typically, this is done through one of several approaches (or a combination of them):

(Update: 6:50 pm May 21 – switched article to headings instead of ordered list)

Phishing

This is when you are deceived into entering your username and password at a bogus website masquerading as the legitimate site. See “How the Syrian Electronic Army Hacked The Onion” http://theonion.github.io/blog/2013/05/08/how-the-syrian-electronic-army-hacked-the-onion/ as an example of phishing emails used to get user credentials.

Installing malicious software or spyware

Spyware on a computer can monitor keystrokes and eventually obtain your email username and password as you use the computer to access the account.

Spyware is typically installed on your computer by

  • software exploits – surreptitiously, by taking advantage of software flaws or vulnerabilities on your computer (often in the web browser and the add-ons installed in it). Such security flaws allow software to be installed without your knowledge when you visit a malicious website.
  • bundling such spyware with third party software obtained from unreliable sources
  • deceiving the user into installing software via banner ads or via forged emails, appearing to come from one of your friends or an organisation you work with, that ask you to view/run an attachment.

Social Engineering

People use email addresses to sign up for various online services/websites. Most (if not all) services allow the password to a user’s account to be reset, in case you have forgotten your password. Because such services use different details about you to verify your identity, information about you gleaned from one service (e.g. your birthday posted on Facebook, WHOIS information from a domain name you registered) can be used by an attacker to obtain your password at another service. A Wired editor wrote a detailed article when this happened to him: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/. Another interesting article: https://medium.com/tech-talk/280c753b1145

Not logging out of your account from a shared or public computer

Not logging out of your account from a shared or public computer means that another person with access to the machine can access your account.

Poor password security practices

Email accounts have been hacked by people “guessing” the answers to the recovery/security question to reset the password. Answers to easy questions, like your spouse’s name or favourite pet, can be gleaned from information published on social networks.

Other poor security practices include using simple passwords that are easy to guess (e.g. “password” for the password) and using the same username and password for multiple services. When one service is compromised, resulting in its user accounts and password information being stolen or leaked on the Internet, all other services that use the same username and password are at risk.

Password sniffing

Many public Wi-Fi networks are not encrypted, which means that other devices on the wireless network can eavesdrop and monitor network traffic. If you use your username and password on such a network, your login information can be copied by those other devices for later use.

Any suggestions for this post on how else email accounts can be hacked?

“Latin American and Caribbean Cybersecurity Trends and Government Responses” Report published

From the Organization of American States’ (OAS) press release dated May 3rd 2013 :

The Organization of American States (OAS) through the Secretariat of Multidimensional Security (SMS) and the Inter-American Committee against Terrorism (CICTE) released today the report “Latin American and Caribbean Cybersecurity Trends and Government Responses.”

Prepared in collaboration with the company Trend Micro, the report illustrates and analyzes cybersecurity and cybercrime trends in the region. The document contains detailed information on cyberthreats in the Americas, and for the first time incorporates the perspectives and experiences of OAS Member State governments.

The Secretary General of the OAS, Jose Miguel Insulza, affirmed that “this research responds to the needs of regional governments to confront cybercrime, which is increasingly frequent and threatening, due to the accelerating evolution of technology.” He added that “to evaluate and effectively combat cyber threats, countries need detailed and reliable threat information, which this report provides. It represents a significant advance, considering that a study like this has not yet been carried out in our region. Organized crime now utilizes modern technology and in certain cases these criminals have more resources at their disposal than countries can dedicate to scientific development. We need to change this.”

The report found an overall increase in cyber attacks; an increase in “hacktivism,” or politically motivated hacking; internet-assisted money laundering; and attacks against critical infrastructure. Other trends discussed include levels of malware, spam, and wire fraud.

You can read the rest of the OAS press release at
http://www.oas.org/en/media_center/press_release.asp?sCodigo=E-173/13

Trend Micro has also blogged about the publication of the “Latin American and Caribbean Cybersecurity Trends and Government responses”

http://blog.trendmicro.com/trendlabs-security-intelligence/the-state-of-cybersecurity-in-latin-america/

PDF of the report can be downloaded at
Latin American and Caribbean Cybersecurity Trends and Government Responses (PDF ; 2.3MB)

Trinidad and Tobago Education Ministry to consider installing network cameras in 36 schools

According to a Saturday 16th February 2008 Newsday article, the Ministry of Education of Trinidad and Tobago is reviewing a proposal by the National Maintenance Training and Security Co Ltd (MTS) to install network cameras in 36 schools at a cost of $15 million TT. A pilot project has begun with the Barataria Secondary Comprehensive School (an 11-acre site with 15 buildings) with 10 network cameras. From the article:

The surveillance systems are meant “to enhance the safety and security” of the students, staff and school property as it transmits live camera feeds via the Internet from the respective sites to security booths as well as to a centralised location………The system includes panic buttons [and] intercom services

Newsday also has a photo of one of the network cameras being used. It looks like an Axis 212 PTZ Network Camera, which costs about $600 US.