August 8, 2007

Gmail And Yahoo! Mail Hacked - How To Protect Yourself

In front of a live audience at the Black Hat security convention, Robert Graham (CEO Errata Security) showed how it was possible to hack into popular email programs like Gmail, Yahoo! Mail and Hotmail without using any passwords. All he needed was an IP Address and username.

At the convention, Graham was able to hijack someone’s Gmail account during his unscripted demonstration.
The attack is actually quite simple. First Graham needs to be able to sniff data packets and in our case the open Wi-Fi network at the convention fulfilled that requirement. He then ran Ferret to copy all the cookies flying through the air. Finally, Graham cloned those cookies into his browser - in easy point-and-click fashion - with a home-grown tool called Hamster. (Source: TG Daily)

The attack is able to hijack sessions in just about any web application that uses cookies. He was able to successfully break into the big three: Gmail, Yahoo! Mail and Hotmail.

As Graham stated, “I see ten people’s cookies on my screen, I just need to click on the guy’s IP address and I’m in. Once you get someone’s Google account, you’d be surprised at the stuff you’d find.”

How You Can Protect Yourself

What can you do to safeguard your email, especially in public Wi-Fi hotspots? Be sure to use a secure login (HTTPS instead of HTTP) every single time. This sends your credentials over an encrypted Secure Sockets Layer (SSL) connection, which encrypts your login session and prevents your cookies from being cloned.

For Gmail: Use https://mail.google.com/mail/
For Yahoo!: Click the "Secure" link below the "Sign In" button.
For Hotmail: Click the "Sign in using enhanced security" link on the sign in form.

If you have any login pages (for any type of online account) bookmarked, be sure to check and see if they have secure login pages available. Then, update your bookmarks to those pages.
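The cookies Ferret captured were ones the browser sent over plain HTTP. An added check, not from the original post, that reads the Set-Cookie headers a login page returns and reports cookies lacking the Secure attribute (which a browser will also send on http:// requests, so they remain sniffable on open Wi-Fi even after an HTTPS login) or the HttpOnly attribute. The sample headers and the example-mail.test domain are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample: Set-Cookie headers as a webmail login might return them.
SAMPLE_HEADERS = [
    "Set-Cookie: SID=abc123def456; Domain=.example-mail.test; Path=/; "
    "Expires=Wed, 08-Aug-2017 00:00:00 GMT",
    "Set-Cookie: SSID=zyx987; Domain=.example-mail.test; Path=/; Secure; HttpOnly",
    "Set-Cookie: PREF=lang=en; Domain=.example-mail.test; Path=/",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into its name, value and attributes."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, object] = {"name": name.strip(), "value": value.strip(),
                                 "secure": False, "httponly": False}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        else:
            cookie[key] = val.strip()   # domain, path, expires, ...
    return cookie


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the protective attributes it is missing.

    An empty result means every cookie is confined to HTTPS and hidden
    from page scripts; anything listed under "Secure" is exactly what a
    sniffer on an open hotspot can copy from the next http:// request.
    """
    report: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = []
        if not cookie["secure"]:
            missing.append("Secure")    # also sent over plain HTTP -> sniffable
        if not cookie["httponly"]:
            missing.append("HttpOnly")  # readable by scripts running in the page
        if missing:
            report[str(cookie["name"])] = missing
    return report


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Run it against the headers your own webmail's login response returns; only the SID-style session cookie matters for hijacking, but any cookie without Secure leaves the hotspot in the clear.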

13 comments:

  1. Uh oh, looks like I need to update my bookmarks! It amazes me that they don't just make secure login mandatory/automatic on their systems. Google, Yahoo and Microsoft should certainly know better!

  2. Hello again Robert! I agree. If it were automatic then we wouldn't even have to worry about it or remember to login via SSL.

    And that's just why I mentioned CustomizeGoogle. With it, you don't have to worry about forgetting; it automatically does a secure login. Incidentally, it looks like Gmail is automatically forwarding to https:// now. Whether it was or not before, I don't recall.

    Shine on,
    Aaron

  3. Geez. Just when you thought it was safe to go back into the water.

  4. LOL. That totally cracked me up Bush! :P

  5. Yeah, there are many ways to do it. I uncovered a way to do it using 2 Linux PCs on 2 different IPs with a program called ettercap filters. I had to create a few custom scripts and stole my own password. Once done, I sent my method to my ISP and told them to be aware of this and they patched it soon after. Ettercap filters only work in a LAN. But with my method, the WAN becomes a LAN. Ettercap's designer I'm sure knows this but left it out of the instructions!

  6. Very well done Bobby. There are many holes like that which need to be patched. Slowly but surely, right? ;)

    Shine on,
    Aaron

  7. Hi Aaron,

    Just read about your interesting and very helpful warning against hackers.

    I found the way to a secure login for hotmail (which I rarely use anyway), but I DO NOT see one available on Yahoo. GMail worked great using https://.

    I also use my e-mail that came with my cable (Charter). Is this safer?

    Answers

  8. Hi Answers (is this Nan?),

    Yahoo! mail now automatically forwards to a secure login page. If you go to yahoo.com and click on "My Mail" you'll see that it takes you to a secure (https) page.

    This is what Yahoo! says about it, "Look carefully at your browser's Address bar. A genuine Yahoo! sign-in page will always display https:// at the beginning and .yahoo.com just before the next forward slash."

    As for your Charter account, I don't believe that Charter is any more or less safe than the others. Regardless, the same rule should be followed; make sure that you're logging in on a secure page at all times.

    Shine on,
    Aaron

  9. Hi Aaron,

    Yes, this is Nan. Thought you might recognize my user name.

    Just to keep your bloggers informed, we knew each other through a business forum. Great fun although it was a bit treacherous at times. LOL More like a G'ma, G'son relationship.

    Thanks for the update on Yahoo. That's great.

    Not sure how to make sure my Charter e-mail is secure. I tried checking it out at the web e-mail site, but do not see anything.

    Maybe I will just use gmail for my important things from now on.

    Avoid the side effects of prescription drugs and financial woes.
    http://todayshealthchoices.biz

  10. Well hi Nan! Long time no see as they say! I thought perhaps that was you because of the user name. It's been a couple of years, so I guess my memory isn't all that bad. ;)

    If you can access your Charter email account via the charter.com site then it is secure. If you click "My Account" it will take you to https://update.charter.com. If you can sign in from that page, you're fine as it's secure (https://).

    But, if you sign in via the charter.net site, then it doesn't appear to be secure. At least I can't find any secure login on there.

    Btw, when you leave a comment here you don't have to leave it as anonymous. You can select "Other" and put your name and your site URL in the fields. That way someone can click on your name and it'll take them directly to your site. :)

    Anyway, so glad to hear from you! Hope all is well. :)

    Shine on,
    Aaron

    PS: How did you find my blog?

  11. Hi Aaron, Yes, it has been longer than I can believe (2 years, wow).

    I knew of your site through Laura S. for a long time and did peek at it once or twice.

    But, I had a lady on Adlandpro that was wondering how to set up a blog. I told her that this may not be as simple as the one she is thinking about, but she could get an idea.

    Soooo, when I came in here I saw that post about the security of e-mail.

    Thanks for the hint, too.

    Answers

    Avoid the side effects of prescription drugs
    and financial woes.
    http://todayshealthchoices.biz

  12. Well thanks for stopping by! And I wish her good luck in getting her blog set up. Blogging is by far one of the most effective means of marketing there is today, so she's made a good choice by looking into it.

    Shine on,
    Aaron
