Internet Security Systems - AlertCon(TM)

Protecting your Webmail - Updated (Twice)

Posted by Tom Cross on September 19, 2008 at 5:34 PM EDT.

I had an interesting conversation yesterday with Ben Worthen at the Wall Street Journal's Business Technology Blog in the wake of Gunter's awesome post on email break-in services. Ben asked me whether there was any way to tell if someone had broken into your webmail account. If they accessed your account by compromising a password recovery feature, which seems like it might have been the case for Sarah Palin, your old password won't work anymore. That's certainly a warning sign. Furthermore, if you associated another email address with the account, you might have gotten email notifications that your password was reset, another obvious red flag. However, if they guessed or stole your password there is often no way to tell.

It occurred to me after I spoke to Ben that for years people have configured UNIX shells to tell you the date, time, and IP address of your most recent access when you log in. For example, this is what I see when I log into my personal web server:

login as: tcross
tcross@pumpkin's password: 

Last login: Mon Sep  8 19:05:32 2008 from ip-XXX-XXX-XXX-XX.iss.net
[tcross@pumpkin ~]$

If webmail systems (and other web based services) provided a similar notification, it might help observant users figure out when something is amiss. Providing a complete log of prior accesses might also be useful if suspicion arises after the fact.

It's possible that providers don't do this today because inexperienced users might misinterpret this data and insist that their accounts have been compromised, but it seems to me that unnecessary support emails could be avoided by providing people with a link to change their password and set up a secondary address for security notifications if they suspect that something is wrong.

Given the publicity of the Sarah Palin break-in, perhaps there will be demand for such a feature from major webmail providers. If you know of a webmail provider that does this today, email me (tcross@us.ibm.com), and I'll update this post.
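As an added illustration of the "last login" idea above (example code, not from the original post or any webmail provider), here is a small in-memory login history for a web service that renders a shell-style banner describing the previous login and, for users reviewing the full access log after the fact, flags logins that came in through password recovery or from an address the account does not normally use. All usernames, addresses and timestamps are constructed sample data.

```python
"""Added example (not from the original post): a "last login" record for a
web service, modelled on the UNIX lastlog banner quoted above. Everything is
in memory and all sample logins are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass(frozen=True)
class LoginEvent:
    when: datetime   # timestamp of the successful login (UTC assumed)
    ip: str          # client address as the server saw it
    method: str      # "password" or "password_reset"


class LoginHistory:
    """Per-account list of successful logins, oldest first."""

    def __init__(self):
        self._events = {}

    def record(self, user, ip, when, method="password"):
        """Store a successful login and return the previous event (or None).
        The previous event is what the post-login banner should describe."""
        ipaddress.ip_address(ip)  # refuse to store a malformed address
        events = self._events.setdefault(user, [])
        previous = events[-1] if events else None
        events.append(LoginEvent(when, ip, method))
        return previous

    def events(self, user):
        return list(self._events.get(user, []))


def last_login_banner(previous):
    """Render the banner shown right after login, shell-style."""
    if previous is None:
        return "No previous logins recorded for this account."
    stamp = previous.when.strftime("%a %b %d %H:%M:%S %Y")
    banner = f"Last login: {stamp} from {previous.ip}"
    if previous.method == "password_reset":
        banner += " (signed in via password recovery)"
    return banner


def review_history(history, user):
    """Warnings for a user reviewing the full access log after the fact:
    every login that went through password recovery, and every other login
    from an address other than the account's usual one. Both heuristics are
    noisy (travel, a new ISP address) and are meant to prompt a look, not to
    declare a compromise."""
    events = history.events(user)
    warnings = []
    if not events:
        return warnings
    usual_ip, _ = Counter(e.ip for e in events).most_common(1)[0]
    for e in events:
        stamp = e.when.strftime("%Y-%m-%d %H:%M")
        if e.method == "password_reset":
            warnings.append(f"{stamp}: password was reset and account entered from {e.ip}")
        elif e.ip != usual_ip:
            warnings.append(f"{stamp}: login from unusual address {e.ip}")
    return warnings


def sample_history():
    """Constructed sample: three logins from the owner's usual address and one
    entry through the password-recovery path from elsewhere. Returns the
    history and the event the final login's banner should describe."""
    h = LoginHistory()
    h.record("alice", "10.0.0.5", datetime(2008, 9, 8, 19, 5, 32))
    h.record("alice", "10.0.0.5", datetime(2008, 9, 10, 8, 0, 0))
    h.record("alice", "198.51.100.7", datetime(2008, 9, 15, 23, 41, 0), "password_reset")
    previous = h.record("alice", "10.0.0.5", datetime(2008, 9, 16, 9, 0, 0))
    return h, previous


if __name__ == "__main__":
    h, prev = sample_history()
    print(last_login_banner(prev))
    for w in review_history(h, "alice"):
        print("WARNING:", w)
```

Running it prints the banner for the owner's next login, "Last login: Mon Sep 15 23:41:00 2008 from 198.51.100.7 (signed in via password recovery)", which is exactly the kind of line an observant user would notice. The "usual address" heuristic is deliberately simple; a real deployment would want the link to change the password and register a notification address sitting right next to the warning, as suggested above.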

Unfortunately, the case of cookie theft is a bit more challenging to identify. This attack would occur while you are accessing your webmail, and you'd suddenly be asked to reauthenticate. There are enough different reasons why that can happen that by itself it might not be enough to arouse suspicion. Furthermore, a simple log of previous logins won't help you, as the attacker isn't actually logging in, and may be coming from the same IP address that you are if you are both using the same wireless network.

I think a good cookie algorithm should reject authentication cookies that come from a different IP address than they were issued to, but I'm not sure how well most web services live up to that. Certainly, users on wireless networks should use the https interfaces for their webmail accounts.
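To show what rejecting a cookie presented from an address other than the one it was issued to looks like in practice, here is an added example (not from the original post, and not any particular provider's scheme): an authentication cookie whose fields are protected by an HMAC under a server-side key, carrying the issuing address so the server can refuse a copy replayed from elsewhere. The key, usernames, addresses and timestamps are constructed for illustration.

```python
"""Added example (not from the original post): an authentication cookie that
is bound to the client address it was issued to, so a copy replayed from a
different address is rejected. The signing key and sample values are
constructed for illustration."""
import hashlib
import hmac
import secrets
import time

# Assumption: one long-lived secret per deployment, never placed in the cookie.
SERVER_KEY = secrets.token_bytes(32)
SEP = "|"


def issue_cookie(user, client_ip, key=SERVER_KEY, now=None):
    """Build 'user|ip|issued|sid|tag'. The tag is an HMAC over the other
    fields, so none of them can be altered without the server key, and the
    random sid keeps the token unguessable even if user, ip and time are known."""
    if SEP in user:
        raise ValueError("username may not contain the field separator")
    issued = int(time.time() if now is None else now)
    sid = secrets.token_hex(16)
    payload = SEP.join([user, client_ip, str(issued), sid])
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + SEP + tag


def verify_cookie(cookie, client_ip, key=SERVER_KEY, now=None, max_age=3600):
    """Return the username for a valid cookie, or None. A cookie is invalid if
    its tag does not verify, it is older than max_age seconds, or it is
    presented from an address other than the one it was issued to."""
    parts = cookie.split(SEP)
    if len(parts) != 5:
        return None
    user, ip, issued, sid, tag = parts
    payload = SEP.join([user, ip, issued, sid])
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None            # forged or modified
    if not issued.isdigit():
        return None
    current = int(time.time() if now is None else now)
    if current - int(issued) > max_age:
        return None            # expired
    if ip != client_ip:
        return None            # replayed from a different address
    return user


if __name__ == "__main__":
    cookie = issue_cookie("alice", "192.0.2.10")
    print("same address:", verify_cookie(cookie, "192.0.2.10"))
    print("other address:", verify_cookie(cookie, "192.0.2.11"))
```

The address check is only a second line of defence: as noted above, an attacker on the same wireless network may sit behind the same public address, and legitimate users on mobile or frequently renumbered connections will be logged out when their address changes, so some designs bind to a prefix or to other session properties instead of the exact address. The first line of defence is not exposing the cookie at all, which is what using the https interface (and marking the cookie Secure so the browser never sends it over plain http) achieves.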

I also thought it was worth mentioning that the person who is claiming to have broken into Sarah Palin's email account claims that he was able to guess the answers to her password recovery questions by Googling about her. These days, it's not just public officials who have lots of details about their personal lives available online. Many of us maintain blogs, social networking profiles, and personal web pages that are strewn with breadcrumbs about our identities that could help someone figure out answers to these kinds of questions. I thought this article over at Lifehacker offered some decent advice for building secure password recovery answers, as long as you don't forget what you did!

Update: Fernando Lantes wrote in to tell me that Portuguese webmail provider SAPO mail has a feature like this. As of now, this is the only example I've heard of.

Second Update: Apparently Google rolled out a feature like this in Gmail a few months ago but I had not noticed!
