Wednesday, July 09, 2008

GMail now shows IP address log

Google is updating Gmail to allow users to see if anybody else is reading their e-mail.

This is one of the things I recommended for dealing with SideJacking. When hackers steal your password or your session-id, there is no way for you to know that they are reading your e-mail. It's the scariest sort of hacker attack since it's completely invisible.

Now, apparently, Google has made this visible.

I'm constantly sidejacking Dave's Gmail session cookies. We connect to the same network, I'm always sniffing the network, and Gmail will sometimes disclose session cookies in the clear even when using SSL (there is no way to use Gmail securely in a way that cannot be sniffed). I've never actually used the session-ids to log onto Dave's account, but how can he trust me?

With this feature, he'll know. He can use this feature to verify that nobody else has accessed his account.

The Gmail blog post does not mention "hackers". This is for a good reason. About 20% of the population is stupid and paranoid. When they see information on Google's page they don't understand, they will assume it's a hacker. Worse, a certain percentage of hard-core paranoids will fit this into their conspiracies no matter how benign the information. As a result, this is going to become a headache for Google as people call them about hackers in their account.

If you suspect that somebody else has been accessing your account, there are a number of other things you should look at.

First, look at your password. If you are like most people, you use the same password for everything. A lot of hackers get into your Gmail because they've hacked some other website where you've created an account (with your e-mail address and password), and simply checked whether the same password works for Gmail as well. Change your password to something unique that you only use for Gmail.

Second, check your "Filters" and "Forwarding" account settings. A lot of hackers aren't going to read your e-mail by logging into your account, but are instead going to configure Gmail to forward copies to another account. A filter can forward only the messages that match it (password resets, for example), which is easier to overlook than account-wide forwarding, so look at every filter's actions, not just the forwarding setting.

Third, check your "POP/IMAP" account settings. It's easier for hackers to download all your e-mail through POP/IMAP because it only takes a few minutes, rather than spending days browsing through your mail by hand. I think POP and IMAP might be enabled by default, so you should disable them. If these get re-enabled, then it might mean somebody has hacked your account.

Fourth, I suggest that you use "https" instead of "http" when you load Gmail, so that your sessions are encrypted most of the time. Google will still sometimes send things unencrypted, but this at least reduces your exposure.
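Why the fourth tip only reduces your exposure, shown in working code. This is an added example, not code from the original post: the hostnames, cookie names and the captured request are constructed. A browser attaches every cookie it holds for a domain to a plain-http request unless the cookie was set with the Secure attribute, so logging in over https does not help if the session cookie lacks that flag and anything (a page, an image, a redirect) is later fetched over http. The sniffer side shows what a passive observer on the same network recovers from such a request, which is all that is needed to replay the session.

```python
"""
Session cookies, the Secure attribute, and what a sniffer sees.
Added illustration, not the original post's code; all names below are
constructed for the example.
"""
import re
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse one Set-Cookie header value; Domain defaults to the responding host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), request_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            cookie.domain = val.strip().lstrip(".").lower()
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


def _domain_matches(host: str, domain: str) -> bool:
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def cookies_sent(jar, scheme: str, host: str):
    """Cookies a browser attaches to a request for scheme://host/.
    Secure cookies travel only over https; every other cookie is sent over
    plain http as well, no matter how the user logged in."""
    return [c for c in jar
            if _domain_matches(host, c.domain) and (scheme == "https" or not c.secure)]


def exposed_on_http(jar):
    """Names of cookies that would go out in the clear: the audit a site owner
    should run against its own Set-Cookie headers."""
    return [c.name for c in jar if not c.secure]


_COOKIE_HDR = re.compile(r"^Cookie:[ \t]*(.+?)\r?$", re.IGNORECASE | re.MULTILINE)


def sniff_cookies(cleartext_request: str) -> dict:
    """What a passive sniffer recovers from one plain-http request: the Cookie
    header split into name=value pairs. Replaying these pairs is sidejacking;
    the server cannot tell the replayed request from the victim's own."""
    m = _COOKIE_HDR.search(cleartext_request)
    if not m:
        return {}
    pairs = {}
    for item in m.group(1).split(";"):
        name, _, value = item.strip().partition("=")
        if name:
            pairs[name] = value
    return pairs


# Constructed example: an https login response sets one session cookie with
# Secure and one without.
LOGIN_HOST = "mail.example.com"
SET_COOKIE_HEADERS = [
    "SID=abc123session; Domain=.example.com; Path=/",           # no Secure: leaks over http
    "SSID=xyz789secure; Domain=.example.com; Path=/; Secure",   # https only
]
JAR = [parse_set_cookie(h, LOGIN_HOST) for h in SET_COOKIE_HEADERS]

# Constructed plain-http request as it would appear on the wire afterwards.
SNIFFED_REQUEST = (
    "GET /mail/?ui=html HTTP/1.1\r\n"
    "Host: mail.example.com\r\n"
    "User-Agent: Firefox/3.0\r\n"
    "Cookie: SID=abc123session; PREF=lang%3Den\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("sent over http :", [c.name for c in cookies_sent(JAR, "http", LOGIN_HOST)])
    print("sent over https:", [c.name for c in cookies_sent(JAR, "https", LOGIN_HOST)])
    print("exposed        :", exposed_on_http(JAR))
    print("sniffed        :", sniff_cookies(SNIFFED_REQUEST))
```

Running the block shows that SID goes out over http while SSID does not, and that the sniffer gets SID back out of the request verbatim. The fix is on the server: set the session cookie with Secure (and HttpOnly), and serve the whole application over https so no plain-http request is ever made for the domain.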

Showing concurrent and past logons is such a useful feature that it should be considered a requirement for all Web 2.0 applications, whether they are PHPBB, eBay, your local bank, or your online e-mail. If you suspect a hacker, it's a surefire way to see if something unusual is going on, despite the ignorant paranoids who will confuse everyone by insisting there's evidence of a hacker where none exists.
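What the feature looks like on the server side, as an added example rather than Gmail's own code (the ActivityLog class, its method names and the sample events are assumptions made for the illustration): log the session id together with the IP, user agent and access type on every request, show the owner the other live sessions, flag a session id that is being used from two places at once (which is what a replayed cookie looks like to the server), and let the owner revoke the others. Two caveats raised in the comments are built in: a matching IP behind NAT or a proxy is reported but not treated as proof that a session is the owner's, and signing out "all other sessions" cannot evict someone replaying the owner's own cookie, so the current session's id is rotated as well.

```python
"""
Per-request account activity log. Added example, not Gmail's code; the class,
method names and the constructed events are assumptions.
"""
import secrets
from collections import defaultdict
from datetime import datetime, timedelta, timezone

CONCURRENT_WINDOW = timedelta(minutes=15)   # "still logged on" if seen within this window


class ActivityLog:
    def __init__(self):
        self._events = defaultdict(list)   # account -> [(when, sid, ip, ua, kind), ...]
        self._revoked = set()

    @staticmethod
    def new_session_id():
        # Opaque and unguessable; the caller must set it in a Secure, HttpOnly cookie.
        return secrets.token_urlsafe(32)

    def record(self, account, sid, ip, ua, kind, when):
        """Called on every request, not just at login."""
        if sid in self._revoked:
            raise PermissionError("session %s has been revoked" % sid)
        self._events[account].append((when, sid, ip, ua, kind))

    def recent(self, account, now, window=CONCURRENT_WINDOW):
        return [e for e in self._events[account]
                if e[1] not in self._revoked and now - e[0] <= window]

    def concurrent_sessions(self, account, now):
        """sid -> set of (ip, ua, kind) it was seen from inside the window."""
        seen = defaultdict(set)
        for when, sid, ip, ua, kind in self.recent(account, now):
            seen[sid].add((ip, ua, kind))
        return seen

    def replayed_sessions(self, account, now):
        """Session ids used from more than one (ip, ua) at the same time: the
        server-side signature of a copied cookie."""
        return sorted(sid for sid, places in self.concurrent_sessions(account, now).items()
                      if len({(ip, ua) for ip, ua, _ in places}) > 1)

    def other_sessions(self, account, my_sid, my_ip, now):
        """Rows for the owner's 'other sessions' panel. same_ip is shown but is
        not proof of innocence: behind NAT or a proxy, or after MAC spoofing on
        the LAN, an intruder can share the owner's address."""
        rows = []
        for sid, places in self.concurrent_sessions(account, now).items():
            if sid == my_sid:
                continue
            for ip, ua, kind in sorted(places):
                rows.append({"sid": sid, "ip": ip, "ua": ua, "kind": kind,
                             "same_ip": ip == my_ip})
        return rows

    def sign_out_all_others(self, account, keep_sid, now):
        """Revoke every concurrent session except keep_sid; returns the revoked ids."""
        others = [sid for sid in self.concurrent_sessions(account, now) if sid != keep_sid]
        self._revoked.update(others)
        return others

    def rotate(self, account, old_sid, ip, ua, kind, now):
        """Revoke old_sid and issue this client a fresh id. Signing out 'others'
        cannot evict someone replaying the owner's own cookie; rotating it can."""
        self._revoked.add(old_sid)
        new_sid = self.new_session_id()
        self.record(account, new_sid, ip, ua, kind, now)
        return new_sid


# Constructed sample: the owner's browser at 10.0.0.5, the same cookie replayed
# from another host on the LAN three minutes later, a POP download from outside,
# and an old session from two days ago that is no longer concurrent.
T0 = datetime(2008, 7, 9, 12, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(minutes=6)
SAMPLE_EVENTS = [
    ("dave", "sid-A", "10.0.0.5",    "Firefox/3.0", "browser", T0),
    ("dave", "sid-A", "10.0.0.9",    "Firefox/3.0", "browser", T0 + timedelta(minutes=3)),
    ("dave", "sid-B", "203.0.113.7", "fetchmail",   "POP",     T0 + timedelta(minutes=5)),
    ("dave", "sid-C", "10.0.0.5",    "Firefox/3.0", "browser", T0 - timedelta(days=2)),
]


def build_sample_log():
    log = ActivityLog()
    for event in SAMPLE_EVENTS:
        log.record(*event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("replayed :", log.replayed_sessions("dave", NOW))
    print("others   :", log.other_sessions("dave", "sid-A", "10.0.0.5", NOW))
    print("revoked  :", log.sign_out_all_others("dave", "sid-A", NOW))
    print("new sid  :", log.rotate("dave", "sid-A", "10.0.0.5", "Firefox/3.0", "browser", NOW))
```

The log keys on the session id rather than the IP because that is what distinguishes a stolen password (a new session id from an unfamiliar place) from a stolen cookie (the owner's own session id appearing from two places). An IP-only display, which is what the comments object to, shows neither reliably when the attacker sits behind the same NAT.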

6 comments:

Abuse said...

But how can he trust you won't steal his MAC and get the same IP from the DHCP server while you browse his gmail :P

Karl said...

Are you using the CustomizeGoogle Firefox extension? It has a setting that makes Gmail use https.

Neil said...

"With this feature, he'll know."

...as long as you aren't behind a proxy or a NAT device and, thus, sharing the same IP address.

AdamV said...

"A lot of hackers get into your Gmail because they've hacked some other website were you've created an account ... and simply checked to see if the passwords work for Gmail as well"

...or of course they may simply own an unscrupulous site, offer something great for free (such as exam braindump material, let's say) but you have to sign up for it and create an account. Bingo! Hotmail, Gmail, Yahoo e-mail addresses and likely passwords.

I recently set up POP for my sister to download her Gmail, and it was off by default. Whether this is the case for newly-created accounts I don't know.

Mike Myers said...

"there is no way to use Gmail securely in a way that cannot be sniffed"

Maybe not with a web browser, but you can use IMAP/SSL and a real email client for secure access.

Dkwhite said...

This is all fine and good, but Gmail will not truly be secure until it begins offering email encryption as part of its service.

It's not just "hackers" that people have to worry about anymore. With warrantless wiretapping and corporate ISPs sniffing out everything passing through their networks, now more than ever we need a safe and secure way to encrypt things like email.

It's not even a question of whether we're doing something wrong or not. It's a question of maintaining our RIGHT TO PRIVACY, and standing up to our out-of-control government using 9/11 to snoop and spy on Americans. Everyone from ISPs to wireless carriers, the MPAA and RIAA, to our own government is using this as an excuse to snoop into our private lives.

We have to take a stand somewhere.