Monday, January 26, 2009

Preventing Gmail account hacks

I no longer work at Google, but here are my two cents/paisa about the
whole problem of Gmail accounts being hacked. I am not a security expert, but what I have written here rehashes basic stuff to help you make more sense of your security.

The blog content below is a reply to this mail from my friend:
Anyone working in Google now???
A few of my friends' Gmail passwords are getting hacked frequently now..

And one of my friends got her password back on Orkut, posted by that hacker under the name 'Ethical hacker' from Australia.. he had included lots of friends in her list by that time..
Any ways to protect the account from hacking? And can Google track that person through his Gmail account?
Please reply

In general, it is not so easy to figure out whether an account has been
hacked. If the hacker is in a different location (as in the case you
mentioned, Australia), it is possible to make an educated guess and ask
the person to prove their identity (for example, prompt them for their
mother's maiden name or something like that). However, it is believed
that more than 60% of all password-hacking attempts happen from the
same location/area (because people in the same area, or someone with an
interest in the account, are often the ones who hack it). So that does
not help much either.

Cases of email password hacks can be of several types:
1) Compromise at the user end.
2) Compromise in the network (man in the middle).
3) Compromise at the server end.

3) can generally be ruled out, since it is not possible to hack into
the Google network easily. There is enough infrastructure and security
auditing to assume a near-zero possibility of hacking something at
Google's end. This applies to most "good enough" email providers,
unless they are foolish enough to do something known in the industry as
bad security practice.

2) is more common, because people generally don't enable https in their
Gmail account. What that means is that, even though your username and
password are processed securely, once you are logged in the rest of the
transaction goes over plain http. If someone can do a "cookie hijack",
they can steal the session. Once the session is stolen, they can change
the password or do something similar.
So the remedy (or the closest thing to a solution) is to enable https
(look in Settings inside Gmail).
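To see concretely why "always https" protects the session and not just the login, here is an added example (not from the original post, and not Google's code). It uses only Python's standard library: a small audit of Set-Cookie headers that flags a session cookie missing the Secure or HttpOnly attributes, and a demonstration of the rule browsers follow (here implemented by http.cookiejar) that a cookie without the Secure attribute is attached to plain http:// requests as well, which is exactly what makes session theft on an unencrypted connection possible. The host mail.example.com and the cookie names and values are constructed for the demo.

```python
"""Session cookies and the Secure attribute (added example, standard library only)."""
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def audit_set_cookie(header_value):
    """Return the hardening attributes missing from one Set-Cookie header value.

    Example: 'SID=abc123; Path=/' -> ['Secure', 'HttpOnly']
    """
    parts = [p.strip() for p in header_value.split(";")]
    # parts[0] is name=value; the rest are attributes such as Path, Secure, HttpOnly
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = []
    if "secure" not in attrs:      # cookie would also be sent over plain http
        missing.append("Secure")
    if "httponly" not in attrs:    # cookie would be readable by page scripts
        missing.append("HttpOnly")
    return missing


def make_cookie(name, value, domain, secure):
    """Build a cookiejar Cookie the way a browser stores one it received."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def cookies_sent_to(jar, url):
    """Return the Cookie header the jar would attach to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)   # applies the Secure / domain / path rules
    return req.get_header("Cookie") or ""


def demo():
    """Two constructed session cookies for mail.example.com, one Secure, one not."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("SID", "abc123", "mail.example.com", secure=False))
    jar.set_cookie(make_cookie("SSID", "def456", "mail.example.com", secure=True))
    return {
        # the non-Secure cookie leaks onto the unencrypted connection
        "http": cookies_sent_to(jar, "http://mail.example.com/inbox"),
        # both cookies travel only inside TLS
        "https": cookies_sent_to(jar, "https://mail.example.com/inbox"),
    }


if __name__ == "__main__":
    print(audit_set_cookie("SID=abc123; Path=/"))
    print(audit_set_cookie("SSID=def456; Path=/; Secure; HttpOnly"))
    for scheme, header in demo().items():
        print(f"{scheme:5} -> Cookie: {header!r}")
```

The point of the demo is the asymmetry: the Secure cookie never appears on the http:// request, while the plain one does. Enabling "always use https" in the mail client's settings makes the server issue the session cookie with Secure and keep every page on TLS, so there is no unencrypted request left for an eavesdropper on a shared network to read it from.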

1) Compromise at the user end is the most prevalent. There is no point
enabling https when there is a keylogger installed on the machine. Most
spyware is interested in your keystrokes, since it needs your credit
card and other details. It will gleefully record your keystrokes all the
time and try to send them to some remote location.
Also, don't download random software. Be cautious when someone sends a
forward with a ppt or pps and asks you to go through it. Don't ever
execute an exe on your machine unless absolutely needed; ask yourself
10 times before you click on joke.exe or something like that. If
someone sends you, as a Word document, the same message he could have
typed in the email, discourage it. Avoid opening attachments in emails.
Avoid using IE when you go to unreliable sites.

Sometimes unsuspected exploits remain. Let me give you the example of
Adobe Acrobat Reader. Most of us probably have it installed. There was
a vulnerability in version 8.0 that allowed a remote attacker to serve
a specially crafted PDF and cause malicious code to run. When a user
visits the site, since it is a PDF file, the PDF viewer opens
automatically (more so in IE), suddenly you see the Acrobat page, and
you are infected. This is something you cannot even prevent by pressing
the stop button, because it usually happens very quickly.

Install an antivirus and schedule a scan every week. Often these scans
are scheduled for 12 AM on Sunday night. The problem is that most of us
never keep our computer on at that time, which means the scan never
happens. Also, keep your firewall armed all the time, and keep your
antivirus updated.

There could still be zero-day exploits lurking all the time. Consider
using Linux if you just want to browse, and keep it updated too!

If you are still paranoid, consider using VMware and running Windows
inside it. After you do your work, just reset the VM image back to a
fresh stock Windows install. That way you don't have to worry about some
spyware hurting your system.
