Official Guide General E-Mail Security Considerations.

Discussion in 'SteamRep Guides' started by DataStorm, Dec 21, 2012.

  1. DataStorm

    DataStorm Retired Staff

    Messages:
    3,448
    First the problems with E-mail, and what can be used to mitigate them after.

    Problems:
    • E-mail addresses are relatively easy to hack, especially live/hotmail.com has been subject to a lot of hacking attempts, and a load have been successful by abusing vulnerabilities.
    • Once such a hacker knows your email address he/she can target such a account.
    • Every piece of information about you can be used to find out more.
    • Web mail addresses have some standard vulnerabilities, like yahoo, live, gmail etc.
    Email addresses are used for a wide variety of purposes:
    • Corresponding with friends, family, work, etc. In such emails, a lot of personal info is displayed. (deleting mail that you have read and are finished with is a good advice, and don't forget your "send" folder).
    • Steam Verification
    • Origin
    • Paypal
    • Steam Support
    • Any site you authenticate to.
    So the email address bound to so many services becomes a valuable asset. So what is exactly needed to gain access to such a email addres:
    • Username
    • Password
    • Optional: Gmail's 2-step authentication.
    Thats it... Well, if your email address is known to other ppl, the hacker knows already half of what he needs. Passwords are in general not a real problem, takes often less then a week to gain access to them by a average hacker with a good password list (and those lists can be bought).

    Tactics one can use to lower risk:
    • Obscuring (nobody knowing the addresses you use).
    • Splitting (not all uses on 1 address, but instead each use a separate mail address)
    • Making the email address hard to "guess" by using a random combination of letters and numbers.
    • Check the vulnerabilities in settings.
    • Use secure passwords, and don't re-use them.
    • Secure the computer with Anti-Virus / Anti-Malware.
    Obscuring:
    This is easy, never use the address for anything else, letting NOBODY know of it. Especially: never send any mail with it. With obscurity these 2 issues are addressed:
    • Hijacker knowing your email address (which is half of getting into your account)
    • By not knowing the address, it cannot use other means of attacking your email address, which are:
      • Brute force attacking the account with a password list/generator.
      • Abusing vulnerabilities in the security of a webmail site to gain access to a specific account.
    This needs a clarification. Microsoft's Hotmail/Live is notorious for their vulnerabilities, which allowed hackers into email addresses. This is a whole different kind of vulnerability. Where a hacker can get access to a email without having the password.

    Therefore I say that anybody knowing your email address knows half of how into your email account. If they gain access via your password, hacking, or via the "secret" questions of what your first pet's name was. All the while this is all on your Facebook with pics of the long deceased animal in "memorial of". So they can also name the race, the color and its birth year/date. Or who your first employer is, they look this up on your Linkedlin. Its not hard to find such information.

    Splitting:
    I generally advice to make 3 or 4 email addresses with each their own use:
    1. 1. "spam" address, anywhere new you register to, or need a email for, use this one. Once that site is deemed "legit" change it to a address you use more secure.
    2. 1 Public address, used to email with your friends, family, work, etc
    3. 1 less public address, used for your paypal, only given when you recieve a payment, keep knowledge of it low key, don't use for other purposes.
    4. Steam Guard mail, never mail, nobody but YOU knows it.
    5. 1 for other accounts, like Steam Support, Origin etc. Same policy, nobody get told.
    For emails nobody knows, keep checking them like once a week, treat any incoming email as hostile on those, and check if they are phishing or not.

    Hard to guess:
    The addresses you use that are obscured, don't have to mean anything. A address like:

    [email protected]/@yahoo.com/@live.com/@wherever.some

    That isn't going to be guessed by anybody. Make sure that with Gmail / MS Live and such, that all services are disabled (blog, Youtube w/e) otherwise some automatic pages are public from those.

    Yes, its hard to remember, but I don't do such myself, I keep a spreadsheet file in a Truecrypt volume. TrueCrypt is a encryption program, which makes a virtual drive out of a truecrypt file, or it can encrypt complete hard disks. The reason for a truecrypt file is that I can make a copy of it every once in a while, and put that on a external hard disk, and drop it at somebody's house. So if my house goes down in fire, I still have my access to various places. That person cannot open the truecrypt without a password, only me. I gave 2 other trusted ppl each a half of that password with the instruction to give that to a specific family member of mine (who got a simple "uncrypt" of the password parts) if some happens to me.

    Check Vulnerabilities:
    When your e-mail was hijacked, you have to check for vulnerabilities where the hijacker may have abused in your webmail.
    • Email forwards, a hijacker would place email forwards in a email address, in the hope those aren't removed once the owner regains their email account.
    • Hijackers may be able to form E-mail "rules" or "filters" forwarding to a external address (theirs), depending on your mail provider.
    • POP3/IMAP access open, one can use a mail client like Microsoft Outlook to collect email from various mail providers. If you don't use those, and you have the option: Disable them. If they give the option to use such, but no options in your settings, give feedback to them you want to be able to lock that access off.
    • A hijacker may have added a "fail-safe" email account, a email account is as safe as the fail safe account is, anybody having access to the fail safe will be able to reset password and gain access to the email address.
    • Secret questions. Those are often changed by a hijacker. I make those answers password grade (see below for secure passwords). There is no point to give a easy answer there vs a secure password. Then your password might as well be "password" (most used password)
    • Secret Questions v2: Some websites allow other info to be entered, like real name, birth date, address etc. For such secure email addresses, insert FICTIONAL information, and record it along with your password in a spreadsheet. Using the real info might risk that one finds that and can find your other information. By using fictional information, you avoid that. Does mean you have to record it for if you need it one day.
    • Gmail has an additional vulnerability one can abuse. You can point to another account and give that account access to your email. Basically that person can read along any that is "allowed" by this system. Its a hugely neglected thing that people don't check.
    • Yahoo has default the SSL function disabled, so not all communication between you and them is encrypted. (Options, General, scroll down to bottom While Gmail uses default https)
    • Check all the specific options in your email client. If you don't understand the option, read about it, check the help or support pages, Google it, etc.]
    If your email was hijacked, change email on any service you use by using a 3rd intermediary email address. Why a intermediary address? Well, with changing an email address on most services you receive a email on the old address that the account was changed from X to Y. By using Y as a temporary address, you leave maybe a trail that a hijacker may follow, or has received from X, but on the Y address, you can change again to Z, and delete those emails on Y. Even if he gains access to Y, the hijacker cannot find out to what email address you changed it, for you deleted the emails on Y. I tend to use one of those temporary email services for that. (to leave no traces)

    Secure Passwords:
    Well, what requirements to a password...
    • Minimum lenght 7 characters, recommended 10, longer is better. 20+ is good.
    • Consisting of a lot of different type of characters:
      • Contains numbers 1-0: 1234567890
      • Lower case a-z: abcdefghijklmnopqrstuvwxyz
      • Upper case A-Z: ABCDEFGHIJKLMNOPQRSTUVWXYZ
      • Signs like "`[email protected]#$%^&*()_+[]\{}|;':",./<>?"
      • Special characters on AEIOUY characters like: "áäàâÁÄÀÂéëèê
      • And other "reachable" characters like çǃ€
        CTRL-ALT-"1" up to "=": ¡²³¤€¼½¾‘’¥×
        CTRL-ALT-"Q" up to "\": å®þ«»¬
        CTRL-ALT-"A" up to "'": ßðø¶´
        CTRL-ALT-"Z" up to "/": æ©ñµç¿
      • Space: " "
      • And alt codes: ƒ ø£Ø (various, for what one can remember)
    • Make it RANDOM fully, don't use words you know and swap just l3tt3r5 4 nurnb3r5 for those swaps are very easy to guess by a brute force tool: "1" = "L" or "I", 2 = two or to, 3 = "three" or "e", 4 = "for" or four, or "a", 5 = S, 6 = G, 7= T, etc etc etc The number must stand on its own, not being a dependency of a word to form. Any word is bad anyway.
    This should make the range of different charracters per position about 150 or more. The difficulty of the password would then be: "number of possible characters" to the power of "number of characters".
    with 150 possible characters, and a password lenght of 20, the number of posibilities is:

    3,3252567 x 10^43 or 33 with 42 zero's behind it.

    There are sites generating secure password of specified length and difficulty, also there some programs out there that generate/store them. There are also in-browser solutions/plugins to secure those etc.

    Now, a good password isn't everything, see Obscurity notes above, but at least having that high up, you wont be easily lose the battle to a script-kiddy.

    PS: Default the browser stores in a way that they can be decoded, if your browser get hijacked by a java app, it can read those etc.

    Anti-Virus/Anti-Spyware
    Once you have your email addresses secure, the biggest risk one has is spyware/keylogger on their computer, which would defeat your defense against a hijack via your email.
    I'll look and make/revise a topic on this, and I'll link it from here, for its a topic on itself.

    Legend:
    • Hacker: a actual person that writes their own code to attempt to access a service without being granted access. Not many of those around.
    • Script-kiddy: A person using publicized tools (bought from above hackers) with small variations to abuse such access on the system they want to target. Mayority of any hijacker.
    ----------------------------------------

    An example of how this made me know things ahead:
    I have Diablo 3, which I played for a while. I had my Batttle.net account bound to a email address that is not known to others. At a certain time I get emails from "Blizzard" doing some action for a free weekend for Diablo 3 for I was such a "Commemerable WOW" player (never played/had it). Checking the links of the email I noticed:
    • Sender address was not to battle.net/blizzard. (They made the name show "Blizzard Entertainment" but its mail address wasn't to Battle.net or blizzard.com or w/e)
    • While most links linked to Battle.net, the link to the "action" was some other unknown site not related, this page was probably showing a fake battle.net page, I Googled the URL, and found warnings.
    • There was no mention of such action on the website of Battle.net or w/e. (Any commercial company will want to make some goodwill/publication out of such a action, and get non-members to like them for it, ppl to join up etc)
    My reaction to this was:
    • Changed my bound battle.net account to a temp email address. (to slow hijackers down, and see if that address would gain new phishing mails).
    • Changed password of my Battle.net account. (to prevent their access if they had gained access to that)
    • I made a support ticket to Blizzard telling them that they where hacked, somebody had gained the email address list from their site. A week later Blizzard announced that they where hacked and such:

      http://files.steamrep.com/1/2012-12/2012-12-22_03-12-33.png (there is more b4 and after, but I'm not sharing all that)

      http://www.forbes.com/sites/erikkai...l-blizzard-hacked-account-information-stolen/
      .
      . . . .
    • I waited for a bit, for blizzard to clean their act up, and once I tho they had, I changed the bound email address for my Battle.net account again to a more permanent address to be sure.
    • Changed password of my battle.net account again.
  2. DataStorm

    DataStorm Retired Staff

    Messages:
    3,448
    added/edited:
    - Formatting adjustments, the write up of it wasn't fully formatted.
    - edited the "Check Vulnerabilities" section. rewording, correcting stuff and expanding.
    - Edited the "hard to guess" section, some additions.
    - blaaaaah, way more edits I care to name.
    /edit: and again busy on some corrects...
  3. TemioMAN

    TemioMAN New User

    Messages:
    177
    Steam:
    STEAM_0:1:45707254
    Guide is awesome incredible good read helped me alot because i was wondering how to further secure my gmail
    +rep
  4. Melkor

    Melkor New User

    Messages:
    277
    Steam:
    STEAM_0:0:45978671
    Thank you very much for posting this.
    Didn't log in the battle.net a few days. Going to change my pass now...

    Edit: Changed
  5. DataStorm

    DataStorm Retired Staff

    Messages:
    3,448
    Battle net was hacked like 4 months ago. Check the date of the article for that, and its about 2-3 weeks before the article that it happened. I made my ticket like on the 30th of Juli the article was on the 9th of august.
  6. Evanescence

    Evanescence New User

    Messages:
    418
    Steam:
    STEAM_0:1:19459148
    Since you locked the other tread so i can't reply in it or cant even PM you.

    I just wanted to tell you that the email was JUST received.
    And a tons in my friends list didnt knew about crytek security breach.

    Even if you are forced to change your pass, if the ones who hacked crytek manage to get the pass without encryption then its why its would be important to change pass for a lot of website just in case.
  7. DataStorm

    DataStorm Retired Staff

    Messages:
    3,448
    I didn't lock it, You are the one did, as admin I can still reply, and I did, with fuller info on the issue.

    I intentionally disabled PMing to me on this forum, I can to others and then they can reply, but others cant to me (except admins, and think mods can too).

    As I state above in this manual, one should have different passwords for each service they use.
  8. Sebastian Nielsen

    Sebastian Nielsen New User

    Messages:
    36
    Steam:
    STEAM_0:0:5443765
    Another good idea is to host your own email.
    Then you can lock down the email to only be accessible from 192.168.1.0/24
    Actually, the email adress in question does not even need to be sendable (for example if your ISP blocks outgoing port 25), its enough that its receivable, since Steam never requires you to be able to send email, just receive.
    You just need to check that you are able to receive connections on *incoming* port 25 (most ISPs block *outgoing* 25), by opening it and then use a web based port scanner to scan yourself.

    Then:
    Its simple as purchasing a domain, and then setting up a Postfix server on a 24/7 machine in your apartment (could even be a raspberry pi). Then you set up a A record pointing to your public IP, and a MX record for @ pointing at your A record. The domain account of course need to have a very secure password, that you store in like a home safe, as you will unlikely need to be accessing this account for any other reasons than renewing its IP or domain payment, but you can also set a high initial TTL, to prevent someone from hijacking your email, as the TTL will have to time out before the domain is changed.
    Some registrars also allow a cool-down period where you can cancel a change before its applied by clicking on a email sent to you, use this facility then!
    Very important: Make sure you configure Postfix to prohibit ALL relaying/sending through (remove any authentication options and set reject all on relay), it should only accept incoming email to your domain, this to avoid your server to become a open relay.
    After that, you forward incoming port 25 to your email server.
    You could even configure your email server to only accept email from steam and such to avoid incoming spam.

    Then how you read your email is up to you, if you prefer to SSH into the machine, or if you set up a IMAP/webmail.
    The important thing is that you don't forward any ports for IMAP or webmail, so the mail cannot be accessed outside from home.

    Thats a super secure way to set up Email, as the email is not accessible outside of your home.

    -----

    About passwords:
    I however, do NOT recommend using any special characters in the password outside of A-Za-z0-9 and some safe characters like -, ., and a few more. (unless you are 100% sure that the service in question accepts "foregin" characters)

    The reason is that some email services prohibit certain characters at login, but not at password change, which can leave you with a account that you are locked out from because the login form does not accept the characters that you did use in your password. Be extra careful here, and make sure you have a easy recovery way (like a temporary secret question with a easy answer) so you can recover your account if the login form disallow "foregin" characters, if you still are going to use "foregin" passwords. After you have verifyed your complicated password works to login with, you can remove/disable/change the secret question, so you just have the "easy" secret question for a couple of minutes.

    Also be on the wary because some email services may truncate your password (or have a maxlength on the password field, which may not be immediately visible that its not accepting more characters if the field is as long as the max length and passwords show up as *******, so you think you write more) if they think its "too long", without telling you. Follow all instructions, and if your password don't work and you didn't use any "strange" char in password, try removing a char at the end and then try the password to login with again. Somewhere you will be able to login again since you have removed enough characters that it match the max length, and you are able to login.

    Being permanently locked out from the account can be as worse as getting it hijacked.
    Last edited: May 2, 2016
  9. SilentReaper(SR)

    SilentReaper(SR) Retired Staff

    Messages:
    11,992
    SteamRep Admin:
    STEAM_0:0:89705646
    Hosting your own e-mail server has severe downsides. Most of those windows service email ones aren't really hardened. The Linux ones are actually good, but do require quite some configuring to get it right.

    Most email providers online (yahoo, gmail, MS's hotmail/live/etc, have several "filters" in front of them (spam, sandboxes, etc). You really will not be able to get that level of security on it. The counter is that if nobody knows the email (say you have domain: lkfhjng9o8h24aouhnj32pkotafalkjg.com or w/e ) and you don't use it for outgoing, it won't get directed email. But the regular port probing on the internet will find the open port for it and email services are a popular target for hacking attempts.

    Personally, yeah, I would be able to do so, but the problem is that such servers often are not updated frequently enough to mitigate problems with them to do the risk with it.

    As for the password issues, that should not be a problem with any (larger) provider, for they should not have the password directly. If they have, then that is a HUGE sign to run like hell to another one. Why? well... technical, but basically:
    • Password provided should be encrypted within the client's browser, the server should only get a hashed code to store (like MD5 or probably much better ones that aren't reversible, and are salted).
    • All the server then receives is the hashed password. If the hashes of the password and password check boxes are different it should give a error (should already be handled by the JS on the webpage, not by the server, but anyways...)
    • Once the client tries to login again, again the hash is generated & salted. That hashed & salted "number" is then given to the server for verification, it checks the hashed and salted password with the stored one, and if its the same, it will allow it to login.
    • If the server has the issue that it cannot recognize all typed characters for the password, it basically means the password will be stored without hashing in the server's database and that means the server isn't secure. Run away from it, that server is very easy for hacking.
  10. Sebastian Nielsen

    Sebastian Nielsen New User

    Messages:
    36
    Steam:
    STEAM_0:0:5443765
    @SilentReaper(SR)
    No, I would strongly advise against client side hashing (unless you do double-hash, one on server and one on client), as this makes the server vulnerable to the pass-the-hash attack. (Eg, if you manage to steal the hash, you can use it to login)

    I have actually stumbled upon certain ISP email providers, that do hash the password (on server), but still does limit which characters that can be used for the password. Their support response to this was that it was to prevent vulnerabilities and exploits in the webserver software itself.
    And here, a problem can appear if they don't use the same filter for the password change field as for the login field.
  11. SilentReaper(SR)

    SilentReaper(SR) Retired Staff

    Messages:
    11,992
    SteamRep Admin:
    STEAM_0:0:89705646
    imo just a reason to file a bug report to that mail provider....their problem to fix. If not: run....

    And regarding "pass the hash attack", well, if its send in clear text, then its even easier for the attacker.... so it should be hashed already when sending it from browser to server. If not... well...
    Such connections should already be in https so it can't be eavesdropped (easily). ...
  12. Skinigxe_Alice

    Skinigxe_Alice New User

    Messages:
    6
    Steam:
    STEAM_0:1:179519773
    It's realy helped and I have changed it to the safe way.