Radardan
join:2003-08-15
Scottsdale, AZ
| [ALL] Wash Post criticizes Cox over email security In Sunday's Washington Post, Cox is criticized for allowing unencrypted passwords when using webmail thus allowing your email password to be stolen. This would allow, of course, complete access to all of your Cox email.
»www.washingtonpost.com/wp-dyn/co···114.html
The article says Cox claims it is going to fix lack of encryption this quarter, but obviously using Cox webmail should be completely avoided.
Maybe like me you abandoned Cox email long ago due to the SPAM.
But until it is fixed, Cox should immediately post a large warning on webmail, shouldn't they?
It is my perception that security vulnerabilities in Windows are being exploited at a even higher relentless, frenetic pace right now. Cox needs to be part of the solution and not contributing to the problem. | |
|
 
NoVA_CoxUser
Stand back from the cage -- The RF bites
Premium
join:2004-07-06
Alexandria, VA
1 edit | Re: [ALL] Wash Post criticizes Cox over email security And to make matters worse, your "base" e-mail password IS your Cox online account management password!  | |
|
 | 
pbvan
join:2003-02-09
Fairfax, VA
| Re: [ALL] Wash Post criticizes Cox over email security NoVa_cox user ..... when logging into cox.net, the »https:// page is where I log into for my email accounts. The actual page showing my email boxes is ». When I want to view my account both login and the page displaying my account info is »https://.
Does this mean that my login info IS secure regardless of my inbox NOT being secure? I don't use my Cox mailbox for anything other than its an active email for those sites that require one that I don't care about.
I have email accounts with earthlink using server port 587. Now are these emails also NOT secure?
I too read the Post article and was somewhat surprised that Cox doesn't use SSL when viewing emails. I know just enough to look for that lock or »https:// when transmitting personal info.
Also I am now using a MacBook Pro using Safari (its ok, better than IE6) and the Mac Mail program now. | |
|
| |
NoVA_CoxUser
Stand back from the cage -- The RF bites
Premium
join:2004-07-06
Alexandria, VA
 ·Cox HSI
4 edits | Re: [ALL] Wash Post criticizes Cox over email securitysaid by pbvan  : ... when logging into cox.net, the » https:// page is where I log into for my email accounts. The actual page showing my email boxes is » . I think you might find the explanation provided in the following page helpful: »www.michaelhorowitz.com/securesubmit.html
To summarize:
1) Just because the page where you enter personal info is SSL-secured, doesn't mean that your personal info will be (or won't be) SSL-secured in-transmission when you click "login" ...
... It CAN however give you some assurance that the page which you are viewing is "genuine" if you verify the certificate's name and signing chain -- in other words, just because you have an SSL connection to a site doesn't necessarily mean that it's to the site to which you mean to be SSL-connected.
What IS important is whether the code underlying the "login" button is "http" or "https". (explained in the "Bad News" section in the earlier link)
2) Similarly, just because the "post-login" pages you receive from a site aren't SSL-secured, doesn't necessarily mean that your UID/Password was transmitted "in the clear"
Our own DSLR "SSL Log in" is one such example:
While your actual username/password are SSL-secured when transmitted ... specifically by this section of the page ...
FORM ACTION="https://secure.dslreports.com/r3/login"
Unfortunately, Cox's webmail authentication is only insecure, so regardless of what page you're reaching it from, your username/password is always transmitted "in the clear." | |
|
| | |
pbvan
join:2003-02-09
Fairfax, VA | Re: [ALL] Wash Post criticizes Cox over email security Thanxs for the link. Your condensed version was great and the link provided further explanation in terms I could understand. | |
|
| short09
join:2006-07-21
| said by NoVA_CoxUser :And to make matters worse, your "base" e-mail password IS your Cox online account management password! yup......that makes it twice as easy for a hacker to steal the password.....a hacker could have complete access to a subscribers account if they wanted to | |
|
| | 
coxengr
Premium,VIP
join:2002-03-09
Atlanta, GA | Re: [ALL] Wash Post criticizes Cox over email security I can confirm this is in the works. Will be forthcoming shortly..... | |
|
| | | 
SoonerAl
Old Enough To Know Better
Premium,MVM
join:2002-07-23
Norman, OK
|  Re: [ALL] Wash Post criticizes Cox over email security
said by coxengr :I can confirm this is in the works. Will be forthcoming shortly..... Any updated information to share?
--
"When all else fails, read the instructions..." | |
|
chemaupr
join:2005-06-06
Alexandria, VA | i don't even known what is my cox email... never used, never will... | |
|
|
| robertfl
Premium
join:2005-10-10
Mary Esther, FL
 ·Cox VOIP
1 edit | Re: [ALL] Wash Post criticizes Cox over email security Maybe like me you abandoned Cox email long ago due to the SPAM.
---
Spam will con't to exist as long as people think HTML looks pretty in e-mails.
Spam bots will con't to exist while people's pc's while poeple allow them.
ISP's can't work on the problem but they can help by EDUCATING
the end user about Windows security. Stop offering such cheap software to protect the end users PCs and offer FREE and MORE reliable software that WORKS better then what ISP's offer.
ISP's can help stop the spam. If they want to and doing things like blocking port 25 isn't the bloody answer.
I'm not an expert but I have done my reserch and I do talk to people who clean computers for a living who are professionals they gave me (FREE) software that literally saved my PC a few times.
Rob | |
|
| | 
state
stress magnet
Premium,Mod
join:2002-02-08
Hampton, VA
clubs: 
Host:
Webhosting
Sonic.net
UK Broadband
Washington & Balti..
UK Chat
| Re: [ALL] Wash Post criticizes Cox over email security said by robertfl :ISP's can help stop the spam. If they want to and doing things like blocking port 25 isn't the bloody answer. I'm going to have to disagree with you there. Blocking port 25 outbound from non-business customer accounts is a huge step in the right direction to stop spam.
Millions upon millions of customer computers (not just Cox customers) get infected with trojans/viruses that have the capability to send out unsolicited bulk email. Closing port 25 puts internet service providers in a much better position to monitor and control that sort of traffic since it must flow through their SMTP servers. | |
|
| | | 
stanley_qaz
Premium
join:2003-03-17
Gilbert, AZ
 ·HughesNet Satellit..
·Cox HSI
| Re: [ALL] Wash Post criticizes Cox over email security Maybe I'm missing something here?
Closing port 25 means I can't send e-mail via any server other than Cox's unless I can get them to open a port other than 25 for me.
Cox on the other hand appears to still have their server set up to discard some of my outgoing e-mail without notice coming back to me.
Even while dumping my outgoing mail and refusing to let me use an outside server (without special configuration) Cox does not require authentication to send via their SMTP server allowing some spam to go out over it.
I wouldn't be so unhappy with the situation if Cox would at least make the minimal effort to let me know they decided my mail was undeserving of delivery and that they had trashed it. | |
|
| | | |
state
stress magnet
Premium,Mod
join:2002-02-08
Hampton, VA
clubs:
Host:
Webhosting
Sonic.net
UK Broadband
Washington & Balti..
UK Chat
1 edit | Re: [ALL] Wash Post criticizes Cox over email security said by stanley_qaz :Maybe I'm missing something here? No, I don't think so. Your points seem pretty accurate. My response to robertfl was solely addressing the open port 25 issue.
said by stanley_qaz :Closing port 25 means I can't send e-mail via any server other than Cox's unless I can get them to open a port other than 25 for me. Correct. In order for a botnet or spammer application to be effective it would need to send mail to the remote MTA on port 25. If the spammers used an alternate port (say 26 for example) they would need a mailserver setup to listen on that port and relay the messages. This would require quite a bit of overhead - updating zombied machines as their SMTP relays were either blocked or taken down, etc.
Too complicated for spammers to easily set something like this up. They're looking for a quick and dirty solution.
said by stanley_qaz :Cox on the other hand appears to still have their server set up to discard some of my outgoing e-mail without notice coming back to me. I've seen scattered reports about this, but have not experienced it firsthand.
said by stanley_qaz :Even while dumping my outgoing mail and refusing to let me use an outside server (without special configuration) Cox does not require authentication to send via their SMTP server allowing some spam to go out over it. Absolutely correct. To relay mail through Cox's SMTP server (from their network of course) there is no authentication required.
But again, I'm only addressing the outbound port 25 issue. | |
|
| | | | |
Radardan
join:2003-08-15
Scottsdale, AZ
| Re: [ALL] Wash Post criticizes Cox over email security said by state :said by stanley_qaz :Too complicated for spammers to easily set something like this up. They're looking for a quick and dirty solution. I think your analysis may be a little old fashioned meaning "last year". (Hey, I'm an older guy so not casting aspersions on anyone.) I think spammers and other online criminals are much more sophisticated today so a simple change like using an alternate port for SMTP is considered part of "quick and dirty". But to use the default port via Cox is a no-brainer as well. My domain has certainly been "Joe-Jobbed" so as long as Cox sees a real return address (it doesn't have to be on Cox.net) Cox's SMTP will accept it. We all "assume" of course that they have some upper limit of sending email that will get an account flagged for security. FWIW my impression of online criminals this year is that they are very sophisticated and one can no longer judge the validity of software processes or spam based on the poor capitalization or spelling. They hijack known program names just like they hijack my domain as a return address. "Quick and dirty" has morphed into criminal gangs employing man-in-the-middle phishing scams and using known vulnerabilities to install software behind the users back. I've learned first hand by seeing infected Windows boxes that security must be policy with no exceptions like for passwords being transmitted unencrypted. | |
|
| | | | | |
stanley_qaz
Premium
join:2003-03-17
Gilbert, AZ
·HughesNet Satellit..
·Cox HSI
| Re: [ALL] Wash Post criticizes Cox over email security said by Radardan :said by state :said by stanley_qaz :Too complicated for spammers to easily set something like this up. They're looking for a quick and dirty solution. I think you oopsed the quotes there, looks like that one came from state. Spammers like quick and dirty but considering the big bucks to be made in sending spam they are willing to spend some major money getting the code they need written. Trying to mickey mouse a simple fix isn't going to work long term. However, regardless of the port used the ISP must implement some form of access restriction. Most good ISPs require a user name and password to access their outgoing mail server. This does two things, first a spammer or spam program must find and use your userid and password to send mail through their server, second any message sent can be traced back to the user that sent it directly by account name instead of having to track them back by IP. Since the mail server tracks by userid it is simple to have it drop access for a userid that is spamming and send the user a message telling them why their mail sending was shut down. It could be done by IP but not as cleanly and with worse side effects. Middling good ISPs implement something like POP before SMTP that only lets you send mail within a short window after you check it. That really is a pain in the behind! A Joe job does not need to originate from your ISP, it can be sent from anywhere there is access to an SMTP server. Any security policy that allows the use of Windows to connect to the Internet isn't a "security" policy, its just a policy that gives you a warm fuzzy feeling until you get infested. | |
|
| | | | NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
 ·Pacific Bell - SBC
| said by stanley_qaz :osing port 25 means I can't send e-mail via any server other than Cox's unless I can get them to open a port other than 25 for me. I can send email through:
smtp.aim.com
smtp.aol.com
smtp.gmail.com
smtp.myrealbox.com
I can do that despite an AT&T port 25 block. How? Message Submission ports. Any email service worth using will offer SMTP access through Message Submission ports; typically either port 465, or port 587.
No, spammers won't easily abuse those ports. They will need accounts with the providers, and will quickly lose those accounts if they spam through them.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum | |
|
| | NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
·Pacific Bell - SBC
| said by robertfl :ISP's can help stop the spam. If they want to and doing things like blocking port 25 isn't the bloody answer. Maybe not, but...
Comcast uses selective port 25 blocking. They block customers identified as having abusive port 25 traffic. I see fewer Comcast zombie connections to my mail server than Verizon zombie connections. Verizon has half as many customers as Comcast, but half again as many zombie connections. Verizon does not block port 25 at all.
Back when it was still SBC, I got more zombie connections from them than from Comcast; though Comcast had more customers. Then they implemented full port 25 blocking. SBC zombie connections attempts dropped significantly subsequently. Today AT&T (the renamed SBC) connection attempts are significantly lower than Comcast zombie connection attempts (by a factor of 10), even though AT&T now has more customers.
No. I guess port 25 blocking isn't all that effective after all........
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum | |
|
| |
Zucson
join:2006-09-13
Tucson, AZ | I gave up on Cox's long ago too.
If I had other options, I'd use them, but alas, stuck with them I am, and shall stay. | |
|
Noremac
join:2005-01-15
Alexandria, VA | It isn't just Webmail that exposes your UN/pswd unencrypted. Any POP client does the same in basic configuration. | |
|
|
NoVA_CoxUser
Stand back from the cage -- The RF bites
Premium
join:2004-07-06
Alexandria, VA
·Cox HSI
4 edits | Re: [ALL] Wash Post criticizes Cox over email security said by Noremac : ... Any POP client does the same in basic configuration. Good point!
I'll take that opportunity to "plug" a few more more of Fastmail's strengths  ...
... secured authentication, secured webmail sessions, and secure IMAP client-access. | |
|
Radardan
join:2003-08-15
Scottsdale, AZ
| Here are some chilling details of how a cyber crook monitored a victim's compromised email account to determine when the victim would likely not be checking his investment account obsessively.
From Wired
»www.wired.com/news/technology/0,72515-0.html
. . . a cyber thief who went by the nick "desertmack" had gained access to his e-mail account and had been watching him for weeks. The Mexico wedding was the break desertmack needed. He'd been hoping a little tequila and sunshine would distract Campbell from obsessively checking his brokerage account long enough to steal the money and send it to Brussels, where an accomplice would withdraw it. | |
|
|
|
|
