Friday, 18 December 2009

Hacked Email Accounts, Phishing etc

A colleague of mine was concerned today because she noticed funny stuff happening related to her Hotmail account. She was not tech savvy but knew something was wrong because she thinks her emails have been deleted from her inbox and also she had a reply from a friend thanking her for an email she did not send. I decided I would write a guide to email safety for people who have little or no technical knowledge.
The first important point is that email is generally extremely insecure. Although it is possible to use techniques mechanisms to make it better, in general email is sent in plain readable text over public networks. On top of that, the way in which email is sent is archaic and easy to spoof.
For instance, when you receive an email that says: from: markysmith@hotmail.com, you assume that the email is from that person. You assign an amount of trust to the information in it depending on how well you know Marky Smith so you might click on links to various sites, "check this out" or go to a product page at a shop. The problem is that you have no guarantee that the email is from the real Marky Smith even if it is the correct email address.
Firstly, the from address can be set to anything so I can send an email and change the from address to "bill.gates@microsoft.com". You must not trust the from address by itself.
Secondly, people often obscure information in emails to make them look trustworthy. They might pull actual images from, say, a bank website and create an email that looks like it comes from a bank. If it is sent to a million people then chances are some of those will believe it to be genuine. The sender might use web links that look real such as ebbay.com so that a quick look and all appears to be correct. Also, it is possible to write a link that looks like www.microsoft.com but make it direct you to a totally different site (the idea is to hide horrible looking links and make them friendly like "click here" but it can be used the other way round).
Thirdly, these various problems can be used by people who write viruses, especially ones that can read address books, and they can send email pretending to be from person a to person b while actually coming from the computer of person c so that Mr Evil can lure you into a sale or a site that will infect your PC.
What can you do?
1) Make sure you have an up-to-date virus scanner if you use Windows or Mac. I cannot stress enough that your PC can cause massive harm if it connects to the internet and gets infected by something. Harm to you, obtaining your personal data or launching some sort of attack against someone else. This will prevent many situations where you might accidentally get a virus.
2) Use a site like opendns or software like Net Nanny to prevent accidental or deliberate navigation to dodgy web sites, many of which could harbour viruses with the promise of "free nude piccies". You might need someone to set it up for you but talk to your local PC shop (not PC World!) about what options are available.
3) Never trust emails. No official body ever needs to send links in emails but if they do, try and navigate to it by opening a browser and going to the home page directly (don't click the link). Only click email links if you are expecting the email, such as just having registered for something and having to confirm it. Use a browser like Firefox (free download) which will warn you if the link you are clicking is not the same as the text displayed (i.e. it is dodgy). If you send emails with links in to your friends, get in the habit of typing something in the email that proves you are who you say you. Phrases like "click here" could be genuine but could easily be bogus whereas "Hi Sallykins saw this vides, reminded me of our night in town" is more likely to be genuine.
4) Educate your friends and family. Even youngsters are not getting taught very good web etticate at school. The more people who wise up, the harder it will be for people to get their way.
5) Change passwords every few months and try and keep them different. It would be better to write them down somewhere at home suitably obscured (I sometimes hide them in addresses in address books) than to never change them for fear of forgetting. Also use strong passwords with numbers and characters, you can make simple words doing this, such as @lbatr0ss

Be safe!