Early Internet stuff wasn't encrypted, because encryption was hard, and it was hard for bad guys to tap into wires to eavesdrop. Now, with open WiFi hotspots at Starbucks or on the airplane, it's easy for hackers to eavesdrop on your network traffic. Simultaneously, encryption has become a lot easier. All new companies, those still fighting to acquire new customers, have thus upgraded their infrastructure to support encryption. Stagnant old companies, who are just milking their customers for profits, haven't upgraded their infrastructure.
You see this in the picture below. Earthlink supports older un-encrypted "POP3" (for fetching email from the server), but not the new encrypted POP3 over SSL. Conversely, GMail doesn't support the older un-encrypted stuff (even if you wanted it to), but only the newer encrypted version.
Thus, if you are a reporter using Earthlink, of course you'll get hacked every time you fetch your email (from your phone, or using an app like Outlook on the laptop).
I point this out because the story then includes some recommendations on how to protect yourself, and they are complete nonsense. The only recommendation here is to stop using Earthlink, and other ancient email providers. Open your settings for how you get email and check the "port" number. If it's 110, stop using that email provider (unless STARTTLS is enabled). If it's 995, you are likely okay.
The more general lesson is that hacking doesn't work like magic. The reporter's email program was sending unencrypted passwords, and the solution is to stop doing that.
There is a way to secure Earthlink email. Create a new email account at a email provider with TLS support, then set your Earthlink account to forward all your Earthlink mail to it.
EarthLink supports SSL if you change to IMAP access, but it uses non-standard ports.
AOL also supports SSL with IMAP on port 993
EarthLink!?!? Didn't even know they were still around, guess so. Still it's not rocket science for GoGo to implement isolated wifi where users cannot even see each other. Still users need to use VPN or encrypted SSL connections to email, etc.
GoGo_is_ at fault, they should have implemented client isolation, as this is possible on even home WiFi APs these days, the probability is that it simply wasn't configured...
Post a Comment