 MacGyver (Don't Waste Your Energy) Premium,ExMod 2003-05 join:2001-10-14 Canada kudos:1 Reviews: TekSavvy DSL
| Beware Hotel WiFi
I run a tight network ship at home for the family. We just got back from four days on the road, including two nights at a hotel. We used the hotel wifi to keep connected, including my wife checking her Gmail account via our iPad. Upon our return, my wife found a warning from Gmail that somebody from China had attempted to login to her account. This was confirmed by looking at the login details in her Gmail account.
I didn't have this problem as I use my Blackberry to check my Gmail.
Just a reminder to all, never use hotel wifi to login to any account that you value! It's worthwhile using a separate address you only access from home or work for your sensitive stuff like banking and domain registration. |
|
|
|
 dave Premium,MVM join:2000-05-04 not in ohio kudos:8 | gmail doesn't use https? |
|
 MacGyver (Don't Waste Your Energy) Premium,ExMod 2003-05 join:2001-10-14 Canada kudos:1 Reviews: TekSavvy DSL
| This was with the iPad's built-in email app. I don't know if it uses HTTPS login like the web login forces.
I have no concrete proof, which isn't unexpected with most security breaches, but I think it's just too much of a coincidence that this hack occurred on the same day we checked out of the hotel. |
|
 Hank (Searching for a new Frontier) Premium join:2002-05-21 Burlington, WV kudos:1 | reply to dave
said by dave: gmail doesn't use https?
Did a Google search and several articles came up. Here is an example.
»howto.cnet.com/8301-11310_39-200···account/
I don't use gmail so I have no experience with it. |
|
 | reply to dave IMAP and POP use SSL or TLS |
|
 dave Premium,MVM join:2000-05-04 not in ohio kudos:8 | I was assuming (incorrectly) that the access was via a web browser.
POP and SMTP *can* use secured connections but it's not mandatory in the protocol and for all I know, gmail doesn't insist. I myself use Verizon, and they offer but do not require the use of secured connections (you configure your client for a different port number). |
|
 StuartMW (Who Is John Galt?) Premium join:2000-08-06 Galt's Gulch kudos:2 Reviews: CenturyLink
| said by dave: POP and SMTP *can* use secured connections but it's not mandatory in the protocol...
Yup. POP/SMTP are plain-text (including passwords) protocols. Many providers now allow it over SSL/TLS (encrypted) connections but some don't.
Most hotel/hotspot Wi-Fi is unencrypted so users using POP/SMTP over that show everything to anyone looking.
-- Don't feed trolls--it only makes them grow! |
|
 | reply to dave I was talking about IMAP and POP connections to google/gmail, they require SSL or TLS |
|
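The difference the posts above draw between a server that offers TLS and one that requires it is visible in what the server advertises before encryption is negotiated. As an added example that is not part of the thread, this Python check classifies constructed IMAP CAPABILITY, POP3 CAPA and SMTP EHLO responses; the function name `tls_policy`, the result labels and the sample responses are assumptions for illustration, not captures from Gmail or any other provider.

```python
import re

PLAIN_MECHS = {"PLAIN", "LOGIN"}  # mechanisms that send the password itself

def _rows(lines):
    """Upper-cased words per response line, SMTP '250-'/'250 ' prefix removed."""
    rows = [re.sub(r"^250[- ]", "", ln.strip().upper()).split() for ln in lines]
    return [r for r in rows if r]

def tls_policy(protocol, lines):
    """Classify a pre-TLS capability response (advertised policy only).

    'required'       TLS upgrade offered, no plaintext login advertised
    'optional'       TLS upgrade offered, plaintext login still advertised
    'cleartext-only' plaintext login advertised, no TLS upgrade
    'no-login'       neither advertised on this connection
    """
    rows = _rows(lines)
    flat = {w for r in rows for w in r}
    if protocol == "imap":    # RFC 3501: STARTTLS, LOGINDISABLED
        upgrade = "STARTTLS" in flat
        plaintext = ("LOGINDISABLED" not in flat
                     or bool(flat & {"AUTH=PLAIN", "AUTH=LOGIN"}))
    elif protocol == "pop3":  # RFC 2449 CAPA, RFC 2595 STLS
        upgrade = "STLS" in flat
        plaintext = "USER" in flat or any(
            r[0] == "SASL" and PLAIN_MECHS & set(r[1:]) for r in rows)
    elif protocol == "smtp":  # RFC 3207 STARTTLS, RFC 4954 AUTH
        upgrade = "STARTTLS" in flat
        plaintext = any(
            r[0] == "AUTH" and PLAIN_MECHS & set(r[1:]) for r in rows)
    else:
        raise ValueError(f"unknown protocol: {protocol}")
    if plaintext:
        return "optional" if upgrade else "cleartext-only"
    return "required" if upgrade else "no-login"

# Constructed sample responses (hypothetical servers).
SAMPLES = {
    "imap strict": ("imap", ["* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"]),
    "pop3 lenient": ("pop3", ["+OK", "USER", "SASL PLAIN", "STLS", "."]),
    "smtp legacy": ("smtp", ["250-mail.example.test",
                             "250-AUTH PLAIN LOGIN", "250 8BITMIME"]),
}

if __name__ == "__main__":
    for name, (proto, lines) in SAMPLES.items():
        print(f"{name}: {tls_policy(proto, lines)}")
```

A mail client pointed at an "optional" or "cleartext-only" server sends the password readable on an open Wi-Fi network unless the client itself is configured to insist on TLS.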
 peterboro (Avatars are for posers) Premium join:2006-11-03 Peterborough, ON | reply to MacGyver
Someone tried to hack my Gmail Dec. 1st. Maybe they are targeting us nice Canadians and it is a coincidence.
»Google gibberish? |
|
 dave Premium,MVM join:2000-05-04 not in ohio kudos:8 | reply to Napsterbater
Ah, ok. So we're left with not really knowing how the exposure happened - since IMAP and POP require SSL/TLS, and HTTPS is at least possible.... |
|
 StuartMW (Who Is John Galt?) Premium join:2000-08-06 Galt's Gulch kudos:2 Reviews: CenturyLink
| Well if a Chinese hacker had access to hotel Wi-Fi and the user was using an encrypted connection to get their email (SSL/TLS/HTTPS/VPN etc) they'd have seen nothing but gibberish. The email address would be unknown by the hacker. If standard (unencrypted) POP/SMTP was used they'd have seen the email addy and the password (as clear text). With the latter no "hacking attempts" would've been required--they'd simply log in.
In short it's probably coincidence.
-- Don't feed trolls--it only makes them grow! |
|
 wa2ibm Premium join:2000-10-10 San Jose, CA | reply to MacGyver
You might want to check if your home ISP offers VPN services (mine does). Then if you're on a public network (hotel, coffee shop, etc.), you simply log into your ISP's VPN first, then everything you do through the local network is encrypted. There are VPN clients for most every platform (PC, Mac, iPhone, Android).
-- - Bill |
|
 TheMG Premium join:2007-09-04 Canada kudos:1 | reply to MacGyver
Set up your own VPN server at home or on your router (if it has this capability). Then, always use the VPN while using untrusted networks.
I do this all the time now. It also has uses beyond security/privacy, as it effectively allows you to stop any html injection, DNS redirection, blocked sites, blocked ports, etc. For me it's just like being at home, minus the speed, since the download speeds over the VPN are limited by my home connection's upload speed (a measly 1Mbps). |
|
 | reply to MacGyver I had the same gmail problem, about a week or two ago... but from the US and google warned of suspicious activity... turns out something sent junk URL to some contacts from my gmail. However, I figure this was my fault since I foolishly logged into my gmail from a somewhat 'public' machine. Since this was just my personal gmail account, this was very low-risk for me, I use a different password for my more sensitive accounts anyways, but have moved to a password manager, (lastpass).
I figure a bot/rootkit or some type of logger picked up my password, my gmail password was somewhat strong... was 10 chars total, with four numbers, and a mix of upper and lower case letters, so I'm confident it was not brute force. |
|
 cacroll (Eventually, Prozac becomes normal) Premium join:2002-07-25 Martinez, CA | reply to MacGyver
People are constantly attempting to login to my GMail / Google account. Google offers two factor login, to counteract this problem.
I enabled two factor login, some time ago. This protects me from people in China, and other countries - but it causes occasional inconvenience.
If you enable two factor login, be sure to always carry your cell phone (or whatever token you choose). If you move location / change browser / change computer frequently, when using GMail, plan to have times when using two factor login can cause stress.
-- Cheers, Chuck Nitecruzr Dot Net Google+ - Nitecruzr |
|
 MacGyver (Don't Waste Your Energy) Premium,ExMod 2003-05 join:2001-10-14 Canada kudos:1 Reviews: TekSavvy DSL
| A much better idea in my opinion is the setting of one-time use passwords. You set them in advance in your GMail account while you are at home using your regular password, then if you have to login in an insecure environment, using a one-time password that is no good afterwards ensures your account can't be hijacked. |
|
 AVD (Respice, Adspice, Prospice) Premium join:2003-02-06 Onion, NJ kudos:1 | said by MacGyver: A much better idea in my opinion is the setting of one-time use passwords. You set them in advance in your GMail account while you are at home using your regular password, then if you have to login in an insecure environment, using a one-time password that is no good afterwards ensures your account can't be hijacked.
how to? (or is this the one time pad for 2 step authentication)
-- * seek help if having trouble coping --Standard disclaimers apply.-- |
|
 trparky (Apple... YUM) Premium,MVM join:2000-05-24 Cleveland, OH kudos:2 | I have a VPN setup on my home router as well. I use that while connected to open WiFi hotspots. Either that, or I tether my device to my smartphone that has tethering built in. |
|
 MacGyver (Don't Waste Your Energy) Premium,ExMod 2003-05 join:2001-10-14 Canada kudos:1 | reply to AVD
It's an idea I pitched to Google. |
|
 OZO Premium join:2003-01-17 kudos:2 | reply to MacGyver
Assuming that it's working as described. How is a one-time login a much better idea than anything? What if you have to check your gmail account again in half an hour, and so on? And you'll have to think twice (or even more than that) before you log out... It's not practical at all.
-- Keep it simple, it'll become complex by itself... |
|