Did you press record?

Yes, I'm pressing record this time.

Okay, good. Who's Recorded Future?

Ah, Recorded Future. They're marvelous. They are very generously supporting the podcast this week.

That's nice.

Isn't it great?

Yeah.

They are the real-time threat intel firm, and they use machine learning technology to analyze the open and the dark web to give people— Yeah, I know. To give people greater insight into emerging threats. What's really going on out there?

There.

And do they share that information with people like us?

Oh yeah. So you can either sign up to be one of their customers, obviously, or you can get their free cyber daily newsletter and get the latest insights in your inbox at no charge whatsoever. All you have to do is go to recordedfuture.com/intel.

Recordedfuture.com/intel?

That's right. And thanks to Recorded Future for their support of the show.

I fed you every line there, Graham.

Smashing Security Splinter Episode: Protecting Webmail with Carole Theriault and Graham Cluley. Hello and welcome to this special splinter episode of Smashing Security. I'm joined today by Carole Theriault. Hello, Carole.

Hello.

How are you?

I'm very well, thank you. And we have a special guest who's returned to the show, Paul Ducklin from Sophos. Hello, Duck.

Hello, chaps.

Hi there. Now, I've brought you guys together today because we want to talk about something which I think probably is important to everybody listening to this podcast. Not everything to do with security is important to everyone, but this one I reckon is important because everyone's got an email address, haven't they?

Well, yes, I use email for everything. Email, I think, is my favorite form of communication, actually, more than anything, maybe more than face-to-face in some cases.

I wouldn't go that far, but electronically, I'm with you, Carole. It's very old school and loads of people tell you, oh, I don't use email, it's so yesteryear. But I just like it because I don't have to, it's like, I have to be there. You ask me a question, if I'm not there, I can't answer in half an hour, there's no point. With email, I get that chance to reply later.

That's what I think too. I mean, it may be old. But it works. And I haven't seen anything which really works for my style of working, at least any better than email. So I'm sort of like, sure, I'm going to carry on using email. Works fine for me. Now, most people are using, I would argue, webmail. They have some sort of web interface for accessing the mail. And of course, there are the big webmail services, the Gmail, the Outlook, Yahoo, you know, these great big giants. And that's probably where the majority of people have got their email. Right now, there are third parties as well. So what I thought we'd do today is we'd look at how we can better protect our webmail accounts. Now, what techniques can listeners use to make sure that their accounts don't get hacked and their information isn't stolen? Because obviously that could be damaging to us.

I think this is a great topic because I think a lot of people want to know how to do this and it's just a bit daunting. You know, there's so many different things that they have to think about. So if we can kind of go through the main things they can do, they'll be much, much safer if they can actually turn these things on and configure it properly.

Absolutely. And of course, even if you're one of the post-email crowd, well, I haven't met anyone who doesn't have an email address, and I haven't met anybody who doesn't want to speak to me by email if they don't find me on Twitter. And of course, lots of people, if they've got the Twitters and the Facebooks and all the other social media services, probably have and need an email address that they rely on for the security of all those other accounts, because they probably use it for password recovery in emergencies. Yeah, that's such a good—

You're making such a good point because I, you know, I have got, you know, friends under 25 and they may look at their email account maybe once a month. They don't use it for day-to-day communication, but absolutely it's a fundamental requirement for lots of, you know, accounts that you have to open. So it's there, recovery email. Good point.

So when the sugar hits the fan, you're going to, yeah, that's when you really do need your email account, isn't it? Is to recover access to some of those other online accounts.

When Sugar Hits the Throat.

Well, I don't— you, Carole, you're the one who keeps on making up these new idioms. I like it.

I like it. TM Graham. I like it.

Is that granular or cube?

But, okay, now listen, because, however, you can use emails for password recovery and things like that, doesn't that make it so much more attractive to the cybercriminals as well to gain access to that? Because your email account, of course, could be the thing which helps them unlock so many other accounts that you have online.

Absolutely. And of course, even for the post-email generation, there is a number of services where only email will do for them to correspond with you. For example, your bank might be willing to send you an email saying there's something going on. You might have to log into their account. They won't put the details in the email, but they'll send that by email. They won't send you a tweet with that information in. The same with in many countries with the tax office and so forth. So there are occasions where you're going to rely on email as your primary vehicle of communicating, maybe with state institutions and other services which relate to your finances, even if you don't use it day by day. So you're right, it's sort of double plus important.

And maybe that's useful, isn't it? We know to be suspicious if our bank manager suddenly starts Snapchatting with us. We can treat that with suspicion.

Do you know, a friend of mine actually—

I think suspicion is the wrong word there, but boggly is where my mind's going.

No, but like you were saying, how important email is. I mean, a friend of mine just had her email hacked. And as part of the hack, they deleted all her contacts inside her email. It's a complete nightmare for her. That was her only place where she had all those details. And they did that so that she couldn't go out and warn everyone of the hack because they were trying to collect money. They were saying she was in Malaysia and in dire need of money and just send it to this account, I think.

Yeah.

And my gut feeling is that, you know, although you're sort of responsible for the things you say online, it feels to me as though an email is much harder to deny if a crook gets in and then sends an email from you to someone else than tweets and other postings on other services. Because for a long time, we've accepted emails back and forth almost at a contractual level, haven't we?

Yeah, yeah, yeah, totally.

Okay, let's get on with some of the tips. And I think probably the first and most obvious tip which we can give people on how to protect their webmail better is to choose a stronger unique password.

Yeah, and we did an episode, didn't we? We did an episode all about passwords.

So exactly, yes, so we'll link to our previous podcast where we discuss passwords in depth, how to make them stronger and how to make them more secure. But it's so important, particularly if you're webmail, that it's a unique password. What we've seen happen time and time again are data breaches occur where the hackers will grab your username and password, and often your username will be your email address, of course, from the site which has been hacked. And then they will apply that password which they've grabbed to your actual email account, and they will be able to use that to unlock your email account. And because, as we've discussed, your email account is really the center, it's the heart of your online identity, so much more can then unravel. So you've got to choose a stronger unique password.

And complexity really means complexity. You know, I've met people who've— they know jolly well that they've got a pet rabbit called Flopsy. They know they shouldn't use Flopsy as a password, so they imagine Flopsy99 is okay instead. All the password cracking tools know to do that, in the same way that using leet speak, you know, where you put 3 instead of E and 1 instead of I or L. Well, that makes it a bit longer for password cracking, but all password cracking tools I've seen just treat, you know, A and 4 or E and 3 as effectively interchangeable in their cracking. So that really doesn't buy you much at all.

Yeah, but listening to the previous podcast will really help. I think there's a lot of great advice there on how to create one. So yeah, and well, what I would advise people is don't actually create the password yourself. I think my preference would probably be for most people with something as important as your webmail account, use a password manager to generate a long, complicated password for you. Yeah, and if anything, right, that password manager, the password to access the password manager really has to be, you know, top dog in terms of strong and unique.

Yeah, that's the objection most people have to a password manager. I quite understand it. They say, well, if I put all my eggs in one basket, then what happens? And the answer to that is, if you cross that bridge, if you decide you're going to put all your eggs in one basket, I've mixed a metaphor there, then, you know, lock that basket really, really carefully. At least you only have to do it once. You can have one complicated password. Once you get used to it, you should be able to type it in fairly quickly. And remember the idea of passwords, they're not meant to be a tiny little speed bump like those ones with the gaps where cars can kind of go past them without going over. It's meant to slow you down. It's meant to make you stop, think, consider. And the fact that it is inconvenient and it takes a bit of time, and I'm sure we're going to get on to two-factor authentication in a minute, which, you know, is another side of the same coin. It's not meant to be completely easy to put in that master password. It's kind of like, you know, having a lock on your front door that doesn't just open because you happen to tap it.

So, Duck, you've just mentioned two-factor authentication, and there's two-step verification as well. Many webmail services are now offering this feature as an additional layer of security. Effectively, what this means is that even if a hacker does manage to grab your password, when they log in, when they try and break into your account, they should be stopped. There should be a message which comes up and says, "Oi, hang on a moment, we don't recognize this computer or where you're coming from. Can you enter your 6-digit number which we've just sent to your authenticator app or whatever the gizmo is that's receiving that number as an additional verification?" And I think we'd all recommend that people turn that on, right?

Absolutely. It's like a second hurdle in the process. And again, it does take a tiny bit more time to have that, but the amount of security it gives you, in my view, is huge. So I use it wherever I can.

Yeah, it's like the first few times you do it, you think, golly, this is irritating. And then after a while, you watch somebody logging in and they don't reach for their phone or they don't check for some secondary factor. Typically, they're either SMSs or something that comes up on an app, which importantly is different every time. So if a crook phishes it, he gets one and only one go at your account. And when I see people logging in like that, I think, golly, they seem to be taking a bit of a chance. It's like, that's much too easy. And, you know, once you get used to it, I mean, I've heard all sorts of excuses why people don't want it. Oh, well, I don't like the SMS-based one because, you know, I might not have my phone with me. Well, if you don't have your phone with you, you're not going to be able to use the authenticator app either. Maybe you're probably not going to be on the internet if your phone's your access point. Or people say, oh, well, the SMS, it's not that secure because someone could port my SIM or swap my SIM and then they'd get the message. And so that's a reason for not having any second factor at all. I don't quite buy that. I think anything you can do, particularly when that second factor is essentially a password that's different every time, that greatly reduces the risk that someone can get your password today and then drain your account or attack your mail for months afterwards.

Yeah, it really limits your exposure.

And I've heard some people complain, oh, you know, it's so irritating because I have to enter this every time I go into my email, so I'm not going to turn these features on. Many of the webmail services these days will give you the option of saying, look, only be reminded, only be asked this question maybe once every 30 days. So what you will have is a trusted browser on your particular computer and it remembers, okay, this computer is allowed to log into the webmail. But if someone tries to log in from Venezuela or somewhere like that, then they will be prompted for this verification code. So you can get rid of some— a little bit of the pain if you do find that irritating, but you still get all that security.

That Remember Me for 30 days, in my book, that's way too long. Cross the bridge, take the pain now, learn how to use it. It's not that onerous when you think what a crook can do with your life if they get your email password. They can mess things up.

I don't disagree with you, but what I want is I want more people to turn this on. And I wonder if that's a stepping stone, is just giving them that extra little bit of comfort so they only have to do it once a month. That's got to be better than not doing it at all. You know, we've seen this complaint with other technology, and I think people should consider this. I mean, certainly people recognize when they're moving money from their bank accounts, when they're transferring cash, that if they're sending it to somebody new, most banks these days will ask you to go through this verification process, this two-factor process. And I think people, they think, oh, it's a bit of a pain. But you remember, that is protecting your bank account. Well, your web email is really equivalent in many ways to your bank account. It's that important to your online life.

Yeah, I mean, yeah. And, you know, I know lots of people that have it turned off because they find it painful.

Yeah, I think another thing that I've heard a lot, particularly when it comes to SMS-based authentication, which will probably go away because there's pressure from NIST in the US for public servants over there that they won't be allowed to use SMS two-factor authentication because it's too easy for a corrupt mobile phone shop to issue a new SIM that basically makes calls and messages go to a different device for a while until you notice. But they go, oh, I don't want to give, you know, Facebook or Twitter or whoever it is my phone number because they'll just start spamming me. Well, I suppose there is that risk, but in my experience, those bigger social networking companies and webmail companies, they have been pretty straightforward about when they take your mobile phone number to use it to help you with security and when they take it so they can send you stuff. And I don't think the better services really mix them up.

And I haven't found a way really to convince them because they just say, oh, you're just spreading fear and doubt. You're just spreading— you're just, you know, exaggerating the problem. I think that's And I find it really hard to communicate how important it is, 2FA, multifactor authentication. a bit of a furphy. Yeah.

So I think some other things which people can consider doing to better protect their webmail account, things like setting up this recovery phone number or recovery email address. So should you forget your account details, should you be locked out for any reason, you have some method for your webmail provider to contact you and give you some mechanism for getting back in.

Therefore, and that other provider, your security and your password for that provider must be at least as good as the one for the one you're protecting. Of course, that's the thing that people forget. They go, oh, I just need this account, I'll hardly ever use it, so I can— the one that's really, really, really important, I'll do less and less work on security because I won't be using it a lot. Doesn't work like that. Once is enough.

Yeah. And people, there are a lot of people that have made their work email address their recovery email addresses and phone numbers. So it's a good thing to kind of check on your important accounts to make sure the recovery information is up to date because people do change jobs.

Yes. And do that before you change a job. You may find it difficult to change that recovery address otherwise.

Exactly.

And also, you know, if there's an ability to receive alerts when your password changes, some services may send these automatically, others you may have to enable, or if they spot suspicious activity, clearly you want to receive those kind of alerts and you want to act upon them. Don't just ignore them, don't just shove them in the bin.

Okay, but you know what? Sometimes those are spammed as well, right? Sometimes those are hoaxes.

Yeah, that's an interesting point. So yes, you need to be careful if you do receive an alert as to clicking on links, whether you're going to the real webmail service or if you're going to a phishing site. So hey, your password manager will help a little bit there as well. And obviously be careful about any attachments. I can't see any legitimate reason why a webmail service would be sending you an attachment when it sends you those kind of alerts.

Also, Carole Theriault, a lot of these services, certainly the webmail I use, and I think you can do this with— pretty sure you can do this with Twitter and Facebook as well. Once you've learned how to navigate through the often Byzantine corridors of their security menus, many of them, they do have a page where you can log in yourself and then you can go to that page. It'll say, show me what the last N accesses to my account, and you can go back and you can have a look and see if that matches you.

Yes.

So the, in other words, the email, treat it like the emails that you get from some banks where they say you've got a statement and that's all they say. And they say, please note, we haven't put a login here, but we're just saying if you go to the bank site and log in in your normal way using your normal trustworthy procedures, you can find out what it is. So they use the alert, isn't really an alert, it's kind of a notification. And then you actually go yourself in your own trusted way to the site to actually see what's going on.

Yeah, I think that's good. Yeah.

And similarly, there will be most likely a page on your webmail service which will inform you about, you know, when the last account activity occurred and where the other logins have happened from. And it may even be able to see someone logged in from this country, and whereas you always use a Windows computer, this person was using a Mac. And that may ring alarm bells and you're thinking, well, hang on, I'm not in Venezuela or wherever it is in the world where these logins are occurring from, and so forth. Well, that must be suspicious, and that can warn you that something bad is happening.

You're right. The point is, where these services are collecting this data, where you can go in and have a look at those logins, generally speaking, a crook can go in and look as well, but he can't make his own login disappear. So if you go in there and review that on a regular basis, that means that you've got a fighting chance, even if it's a little while later. If, you know, better to know a week later that somebody's been messing around in your email account than to find out 3 years later.

Yeah, yeah, quite.

Because it's all over the news.

Now, do you guys remember when all these Hollywood celebrities were having their photographs stolen and pictures and all that sort of thing?

You're not talking about the Fappening, are you?

The Fappening and celeb— yes, the Fappening.

I never thought I'd say that word aloud.

And let's call it Celebgate, I think it was also called.

Celebgate.

So one of the tricks which the hackers were using there was quite ingenious in a way because they managed to gain access to celebrity accounts and associates of these celebrities as well by using the normal techniques, things like phishing and using things like keyloggers. However, once they'd gained access to an account, even if the owner of the account changed their passwords, they were still able to access the emails. And the reason for that, well, there's a couple of ways in which hackers can do that which I think people need to be aware of. One is that you may have granted access to your account through some form of delegation. So your webmail service may have the ability to say, "Yes, you can access your account, but would you like someone else to be able to access your account as well?" And that can be hidden away in the settings that, you know, it's the equivalent really of letting your personal assistant or someone like that go through your email.

So what would they look for? What would people look for?

Well, if you go into the settings of your email, it will be under something called maybe delegation.

Okay.

So you're granting access to other users to access these things. And the problem is, as I said, that even if you change your password, it doesn't mean that they can no longer access. The other way in which this can occur is that the hacker could have set up a rule inside your webmail to automatically forward email, and they could auto— so the email could even still appear as unread in your own inbox, but it's actually secretly been forwarded to someone else's address. And who knows what they're going to do with it and what they plan to do with it. So you need to look for rules which are doing that.

Graham, most of those forwarding rules also allow you to say, forward this and then delete it from the original, don't they?

Yes.

So a savvy crook can actually make sure that if there are emails that might turn you on to the idea that something bad is happening, you won't see those because they're off to the crooks who know jolly well that that's happening 'cause they're doing it.

Yeah.

Okay, but whoa, whoa, how big of a problem is that, that mail is being forwarded without people knowing, do you think?

Well, just ask Scarlett Johansson and Jennifer Lawrence is my answer to that. I think where it can happen is where an individual has been specifically targeted.

Exactly.

So it's obviously a celebrity or maybe you have a stalker or let's put in quotes, secret admirer who wants to know more about you, jealous partner and so forth.

Also, Carole, don't forget that there's a sort of niche in the cybercrime world of people who, you know, they don't really want to bother cracking accounts and they don't really want to do anything with the data they get. Maybe they were after things like credit card numbers, but they don't go making fake credit cards and trying to spend them themselves. Yeah, they just go on to some underground forum and they get information about people, arbitrary information. They just put it up for sale. Yeah, even if it's 50 cents a go. So that's the problem. If your email is being bulk forwarded or bulk copied to somebody else, the problem is you never know what they might have done with it. And worst of all, it might be in the third, fourth, fifth party's hands as well because it might have been traded for something else bitcoin.

I think what's most scary about all this though is that even if someone goes and changes their password and turns on two-factor authentication, this could still be a problem if the rule has been set, you know, inside their email.

Yeah, it is a worry, and so people need to check it.

And if you think of other online services, you know, the Twitters and the Facebooks, they don't call it delegation, they call them apps, even though the apps run somewhere else. Same idea, isn't it?

And it is surprising how many third-party services you can link in with your webmail and kind of— so they may be providing some sort of calendar functions, for instance. They may be trying to do something with your contacts. They may be trying to make your email more manageable if you're getting too much email and trying to sort it into different folders, for instance. And you are putting your trust in those third-party services that they are going to do a good job and that they are not going to be hacked.

And they're sexy because they give you a better service. You know, that's often what they're selling to you, something that's just a bit more slick or a little smoother in its road. But yeah, they have full access after that.

So the classic example is Twitter. I use the app, which actually you can revoke in the website and the online website. And I haven't recently met a person who hasn't said to me, are you crazy? You use Twitter through its website? You don't use some third-party app that lets you keep on top of all of this? So I'm in a minority, a tiny minority. Yeah. So I'd say that most people probably have in one of their important online digital life services delegation to somebody else to act on their behalf, whether that's reading email, sending email, reading tweets, sending texts, posting to Facebook, whatever.

Such a good point.

And the crooks love that because when it comes from you, it looks like when it's a scam, people are more likely to click on it because they're going, okay, well, this guy did get his iPhone after all. No one ever does, but this— and that's my buddy. Why wouldn't you believe it? It has that ring of personal truth.

I just love that we have a duck who tweets. I think that's terrific.

I might use that again, if you don't mind. If I can have it.

Feel free.

I was thinking that was a bit mediocre.

It's good enough for Doug.

I know, I know.

Maybe he'll improve it.

I'll tell you what, I'll use it, and if someone groans, I'll say, well, that was what Graham said.

Exactly.

Perfect.

Love it.

So let's try and wrap this up with a few more tips. One is don't leave loads of old incriminating email with lots of sensitive stuff you no longer need lurking in your webmail account. If you have no longer a purpose for it— and I understand some things do need to be kept for a long time— maybe it makes sense to erase it. Of course, we are given almost limitless amounts of storage these days with some of these webmail services, but it may make sense to delete it.

Or archive it? Would that make it better as well? Is it harder to get access to, do you think, or not really?

You mean sort of archive it locally yourself? Yeah. You could do that, yes. It may be a bit of hassle for the typical user who's used to just using the webmail interface, but—

Yeah, but this of course would be different from archiving it within the app or within your service. Exactly.

That's right. And also consider that it's not just about your account security, it's about other people's too. Your friends, your colleagues, your family, because of course if you're exchanging private sensitive emails with those people, which you probably are, then you can have battened down all the hatches, you can have all the security in the world, but if they've been sloppy about their security, it's still your information which is ending up in the hands of criminals. So do your little bit to spread the word about how to better protect accounts, because you can do a little bit of good that way.

The more history that an attacker has on you, the more email that they can go back through and look at, the more copy and paste opportunities they have for creating something that really makes them look and sound like you. And, you know, that's the big trick with CEO fraud, which is hitting businesses small, medium, and large all over where someone emails and it actually really is your CEO. It's your CEO's account emailing or your CFO's account, but it's not them. But it doesn't have all those telltale signs that a spam or a scam would have maybe 10 years ago. It's all written in exactly conversational English that your CFO would normally use because the crook went back a few months and picked a very similar email that the person wrote last time. So when you're leaving your history behind, you're also— that's gold dust to social engineers because it's free fodder for how you communicate and the kind of words you're likely to use.

I think that's great advice. One final tip from me, one thing we haven't really spoken about in this particular edition is where you log in to your computer. So using your computer at your home, providing you have an up-to-date antivirus and you've kept it patched and so forth, may well be considered more secure than using a publicly shared computer. So be careful where you log in because there may be malware in the background, but also make sure you log out. Don't leave yourself logged in because the next person to use that computer may find it all too easy to gain access to your account.

Yes, that's well said, Graham. My advice for internet cafes, you know, obviously with the modern mobile phone era, they're less well used, but sometimes you need one, is if you go into an internet cafe and you're sitting down at their console and you get to the point where you're about to log in to your webmail and you think, I wonder if this is secure, the answer is it is not. Turn around and leave. I know it's a bit of a pain, and you know, there may be some extreme emergency situations where you have no choice, but don't do that. Not airport kiosks, not anything. You don't know where that jolly thing has been, or who has used it before, or who's got access to the cheap lock on the little wooden door that leads— could have let them put in a USB key. For goodness' sake, if banks can have trouble with people modifying the software on their ATM so it'll disgorge money without coming from an account, then how much less secure do you think an internet cafe's computer is going to be?

So our advice then, if in doubt, don't do it. Log out, don't log in in the first place. Pleasure. Thanks for having me.

Thank you, Carole, as well. It's been terrific chatting to you guys, and I hope that some of those tips have been useful to everybody listening. If you have enjoyed the show, subscribe to us on iTunes and leave a review. We're also on Google Play Music, Stitcher, TuneIn, Overcast, and other podcast apps.

And thank you to Recorded Future for sponsoring the show. You can sign up to their cyber daily newsletter at recordedfuture.com/intel.

And yeah, well, thanks for tuning in. Tell all your friends, follow us on Twitter. We are @SmashingSecurity on Twitter, Smashing without a G Security. Until next time, toodaloo.

Bye. Bye.