[UCI-Linux] check your mail, lose your identity

Harry Mangalam harry.mangalam at uci.edu
Wed May 2 08:46:43 PDT 2007


[Since I already prepped this for a more general audience, it occurred 
to me that other Linux users could use a reminder as well.  Therefore 
some of this is phrased more simply than it would be for a Linux 
audience.]

There have recently been a number of articles which have emphasized 
the ease with which your email address and passwords can be stolen 
when using unencrypted public wireless networks (which is the type 
that UCI uses, tho it is MAC-restricted).  Note that if you use 
UCI's /mail service/ via UCI's wireless net, they force encryption of 
email service including your login and password, so your email is 
secure, even if you are using an insecure wireless net.

However, if you check your email from Cox (and most other ISPs), your 
login name AND your password AND the contents of the email are sent 
completely in the clear.  

So if you send your son or cousin an email containing sensitive 
information, all it takes is a laptop, a wireless card and some very 
easy-to-use free software to sniff your email from the air.  If you 
use the same password and/or login name for your bank or online 
accounts (which can also be detected in your email stream), you are 
setting yourself up to have those accounts cleaned out or your 
identity stolen.

Unfortunately, Cox does not support the encrypted email that UCI does 
(and I've sent them (unencrypted) email complaining about this).  You 
can set your own email to be encrypted when sending via the PGP 
plugins that most emailers support, but it requires some nontrivial 
configuration and the recipients have to be able to decrypt it as 
well, which can be trying.  Further, this approach does not hide your 
login/password, just the contents.  However, if you really want your 
email contents to be protected end-to-end, this is the best way to do 
it.

I was recently in a coffee shop which supplied free wireless and in 
showing my sister how easy it was to view wireless packets, I was 
horrified to see my own email login and password fly out unencrypted 
because my email client was set to check the Cox server regularly. 
I hurriedly changed my password and closed my email app to avoid this 
in the future.  This can be a huge security hole in protecting your 
online accounts.  (I also find that my productivity is increased by 
not getting interrupted every 10 minutes by 'you've got mail' 
notices.)

I'd strongly advise setting your email client NOT to check for email 
automatically (only when you tell it to) and not to check email at 
all from accounts that are not encrypted (i.e. forward all your email 
to your UCI email account and pick it up from there, or use a secure 
web client to check your email - gmail is secure, for example - you 
can usually tell via the URL - if it begins with 'https://' as 
opposed to 'http://', it implies secure communication, even over an 
insecure connection).

If none of these are available to you and you have a machine you can 
connect to at UCI, here's how to set up your email to use an ssh 
tunnel to shield against wireless sniffing:

Use ssh with the -L flag to remap the port connection.  To check a POP 
server (on port 110), use a commandline like this:

ssh -L 2110:your.pop.server.com:110 you@sshserver.dept.uci.edu

The above line establishes an ssh-encrypted tunnel 
via 'sshserver.dept.uci.edu' to port 110 on 'your.pop.server.com' 
using localhost port 2110 (has to be above 1024 for regular users to 
be able to use it).  

You also have to configure your mail client to use localhost:2110 
instead of pop.west.cox.net:110 as your mail server.  Most email 
clients allow you to set up multiple POP servers to check and you can 
simply set this one up for use when you're using insecure wireless.

-- 
Harry Mangalam - Research Computing, NACS, E2148, Engineering Gateway, 
UC Irvine 92697  949 824 0084(o), 949 285 4487(c) 
harry.mangalam at uci.edu
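
Added example, not part of the original post: a way to check whether a POP server on port 110 offers the STLS upgrade to TLS (RFC 2595) before any login is sent, by parsing its CAPA reply (RFC 2449). The function names and the sample replies are constructed for illustration; fetch_capa() sends no credentials.

```python
import socket

def parse_capa(raw: bytes):
    """Parse a POP3 CAPA reply into {NAME: [args]}; None if the server refused."""
    lines = raw.decode("ascii", "replace").split("\r\n")
    if not lines[0].startswith("+OK"):
        return None                          # -ERR: server does not implement CAPA
    caps = {}
    for line in lines[1:]:
        if line == ".":                      # a lone dot ends the multi-line reply
            break
        if line.startswith(".."):            # undo POP3 dot-stuffing
            line = line[1:]
        if line.strip():
            name, *args = line.split()
            caps[name.upper()] = args
    return caps

def login_exposure(raw: bytes) -> str:
    """Classify how a login on this port would travel over the network."""
    caps = parse_capa(raw)
    if caps is None:
        return "unknown"                     # cannot tell; treat as unencrypted
    return "stls-available" if "STLS" in caps else "cleartext-only"

def fetch_capa(host: str, port: int = 110, timeout: float = 10.0) -> bytes:
    """Connect, read the greeting, send CAPA only, and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rwb")
        stream.readline()                    # server greeting
        stream.write(b"CAPA\r\n")
        stream.flush()
        data = line = stream.readline()
        while data.startswith(b"+OK") and line and line != b".\r\n":
            line = stream.readline()
            data += line
        return data

# Constructed sample replies (not captured from any real server).
SAMPLE_NO_TLS = b"+OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\n.\r\n"
SAMPLE_STLS = b"+OK\r\nTOP\r\nUSER\r\nSASL PLAIN LOGIN\r\nSTLS\r\n.\r\n"
SAMPLE_OLD = b"-ERR unknown command\r\n"

if __name__ == "__main__":
    for name, raw in [("no-tls", SAMPLE_NO_TLS), ("stls", SAMPLE_STLS), ("old", SAMPLE_OLD)]:
        print(name, "->", login_exposure(raw))
```

A result of "cleartext-only" or "unknown" means the client should reach that server only through something like the ssh tunnel described above, which protects the wireless hop as far as the ssh server.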

