Maybe you’ve never given much thought to your online security, or maybe you only think about it when you’re pulling out your credit card to buy something on eBay. It’s enough just to shop at reputable sites and not email your credit card or social security numbers to people, right? Wrong. Let me show you something you have probably never seen before:
Response: +OK POP3 server ready <32ac45f8-deb7-4cde-a94b-96910799aa9e>17
Request: USER josh@fakeserver.com
Response: +OK User:'josh@fakeserver.com' ok
Request: PASS my_password
Response: +OK Password ok
Request: LIST
Response: +OK 2 messages (24390 octets)
Continuation
Request: UIDL
Response: +OK 2 messages (24390 octets)
Continuation
Request: QUIT
Response: +OK POP3 server signing off
Can you see what this is? This is the actual exchange that happens between my mail client and my mail server every 10 minutes, sniffed off the network using a program called Wireshark. Anyone on my network could use a program like this to see my email username and password, as well as the text of any of my emails, without breaking a sweat. The same goes for IM conversations and website form data (including search engine queries!); basically all the traffic between my computer and the rest of the internet is wide open, in plain text, for anyone with eyes to see. Still feeling safe?
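As an added example (not part of the original post), here is a small Python audit that walks a captured POP3 transcript like the one above and reports any credentials a sniffer could have read. The transcript, the C:/S: prefixes and the function name are my own constructions; the audit also recognises STLS (after which the session is encrypted and unreadable) and APOP (which sends a digest rather than the password).

```python
# Constructed sample transcript, modelled on the staged POP3 session above.
# "C:" lines are what the client sent, "S:" lines what the server answered.
SAMPLE_SESSION = """\
S: +OK POP3 server ready <32ac45f8-deb7-4cde-a94b-96910799aa9e>
C: USER josh@fakeserver.com
S: +OK User:'josh@fakeserver.com' ok
C: PASS my_password
S: +OK Password ok
C: LIST
S: +OK 2 messages (24390 octets)
C: QUIT
S: +OK POP3 server signing off
"""

def audit_pop3_session(transcript):
    """Report credentials a sniffer could read in a captured POP3 session.

    Findings carry the mechanism, the exposed username and, for USER/PASS, only
    the password length. Commands after an accepted STLS travel over TLS and are skipped."""
    findings = []
    stls_requested = False
    pending_user = None
    for line in transcript.splitlines():
        side, _, payload = line.partition(": ")
        if side == "S":
            if stls_requested and payload.startswith("+OK"):
                break  # TLS handshake follows; nothing further is readable on the wire
            stls_requested = False
            continue
        if side != "C":
            continue
        cmd, _, arg = payload.partition(" ")
        cmd = cmd.upper()
        if cmd == "STLS":
            stls_requested = True
        elif cmd == "USER":
            pending_user = arg
        elif cmd == "PASS" and pending_user is not None:
            findings.append({"mechanism": "USER/PASS", "username": pending_user,
                             "password_length": len(arg)})
            pending_user = None
        elif cmd == "APOP":
            # APOP sends an MD5 digest instead of the password, so only the username is exposed.
            findings.append({"mechanism": "APOP", "username": arg.split(" ")[0],
                             "password_length": None})
    return findings
```

Running the audit over SAMPLE_SESSION yields one USER/PASS finding for josh@fakeserver.com; a session that negotiates STLS before logging in yields none.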
Well, my goal is not to scare you. I have an incredible amount of control over who has access to my network, and lucky for me the packet dump above is staged using a fake email server. Most people know who is using their network, but there is always a risk that someone may compromise your security and gain access, especially if you have wireless access. Even if the worst has happened, however, there are still a few steps you can take to ensure that your data stays secure from prying eyes.
- Use an email service that allows encrypted communication. Gmail is one example, although Google has been accused of several privacy violations.
- Encrypt your email yourself. The GnuPG project has a plugin for almost every mail client that will sign and encrypt your email. See the complete list here.
- Use IM clients and protocols that support encryption. Pidgin supports PGP encryption of conversations through a plugin over any protocol that will carry it, but only when talking to other Pidgin users. There are add-ons for the standard AIM client that will also encrypt your conversations.
- Always check the URL before you enter sensitive data. Some phishing sites have gotten smarter now and are using fake security certificates to provide a link that looks secure when it is not.
- Only shop on sites you trust, and if possible use a service like PayPal which provides some fraud protection. Avoid entering your social security number online if at all possible. No amount of encryption or security certificates can protect you from yourself. Use common sense and if in doubt, put that card away and go somewhere else.
December 6th, 2007 at 9:42 am