Wednesday, February 24, 2016

Early Internet services considered harmful

This journalist, while writing a story on the #FBIvApple debate, got his email account hacked while on the airplane. Of course he did. His email account is with Earthlink, an early Internet services provider from the 1990s. Such early providers (AOL, Network Solutions, etc.) haven't kept up with the times. If that's still your email, there's pretty much no way to secure it.

Early Internet stuff wasn't encrypted, because encryption was hard, and it was hard for bad guys to tap into wires to eavesdrop. Now, with open WiFi hotspots at Starbucks or on the airplane, it's easy for hackers to eavesdrop on your network traffic. Simultaneously, encryption has become a lot easier. All new companies, those still fighting to acquire new customers, have thus upgraded their infrastructure to support encryption. Stagnant old companies, who are just milking their customers for profits, haven't upgraded their infrastructure.

You see this in the picture below. Earthlink supports older un-encrypted "POP3" (for fetching email from the server), but not the new encrypted POP3 over SSL. Conversely, GMail doesn't support the older un-encrypted stuff (even if you wanted it to), but only the newer encrypted version.

Thus, if you are a reporter using Earthlink, of course you'll get hacked every time you fetch your email (from your phone, or using an app like Outlook on the laptop). 

I point this out because the story then includes some recommendations on how to protect yourself, and they are complete nonsense. The only recommendation here is to stop using Earthlink, and other ancient email providers. Open your settings for how you get email and check the "port" number. If it's 110, stop using that email provider (unless STARTTLS is enabled). If it's 995, you are likely okay.

The more general lesson is that hacking doesn't work like magic. The reporter's email program was sending unencrypted passwords, and the solution is to stop doing that.

Update: No, Earthlink doesn't support STARTTLS either.


Mike Crews said...

There is a way to secure Earthlink email. Create a new email account at a email provider with TLS support, then set your Earthlink account to forward all your Earthlink mail to it.

George Binaca said...

EarthLink supports SSL if you change to IMAP access, but it uses non-standard ports.

f5e01c22-dd0d-11e5-bb32-2b02e120a356 said...

AOL also supports SSL with IMAP on port 993

James Brickley said...

EarthLink!?!? Didn't even know they were still around, guess so. Still it's not rocket science for GoGo to implement isolated wifi where users cannot even see each other. Still users need to use VPN or encrypted SSL connections to email, etc.

shouldbe q931 said...

GoGo_is_ at fault, they should have implemented client isolation, as this is possible on even home WiFi APs these days, the probability is that it simply wasn't configured...