
Monday, April 12, 2010

Testing Your Login Security

Most folks log into their internet service accounts, email accounts, and so on, assuming their passwords are secure against prying eyes. Sadly, many of these accounts transmit passwords "in the clear" - meaning that anyone nosing around on the network could potentially grab your account information and conduct all sorts of nefarious activities IN YOUR NAME. Even some banks and other sites that deal with financially sensitive matters still don't adequately protect your login information. This is how folks end up having their accounts hijacked and even being locked out of them. No doubt this contributes to the rising tide of ID theft cases we hear about in the media and in news reports.

A Potentially Eye-Opening Experiment
Here's a good exercise for the proactive reader:
Install a good packet sniffer such as Wireshark on your PC. There are other packet sniffers besides Wireshark, but this one is widely available for us Linux users, is full-featured, and works well. Simply Google "packet sniffer" plus the name of your operating system to find software that should work for you.

After installing the packet sniffer, start it and get familiar with its interface. When you are comfortable using it, open a separate window and log into your email account, blog account, or similar, and watch what happens. Using Wireshark, one can see whether or not the communication is encrypted - as it will tell you so. If the data is properly encrypted you will see "gibberish" in the "capture window"; THIS is what you want. If it isn't, the data sent - likely including BOTH your screen name AND your password - will appear readable in the "capture window". If this is happening you are a sitting duck for someone hijacking your account!!
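The check described above can also be done mechanically on the payload bytes of your own captured login session. The following is an added example, not part of the original post: the patterns, labels and sample payloads are assumptions constructed for illustration, and the TLS test only inspects the record header.

```python
import base64
import re

# Credential patterns that stay readable when a login is sent unencrypted.
FORM_FIELD = re.compile(rb"(?:^|[&?\r\n])(?:pass(?:word|wd)?|pwd)=[^&\s]+", re.I)
BASIC_AUTH = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I | re.M)
PASS_CMD = re.compile(rb"^PASS\s+\S+", re.I | re.M)  # POP3 and FTP logins

def looks_like_tls(payload: bytes) -> bool:
    # A TLS record begins with a content type (20-23) and major version 3.
    return len(payload) >= 3 and 20 <= payload[0] <= 23 and payload[1] == 3

def classify(payload: bytes) -> str:
    """Label one captured TCP payload; never echoes the secret itself."""
    if looks_like_tls(payload):
        return "encrypted"
    if FORM_FIELD.search(payload):
        return "cleartext: web form password"
    match = BASIC_AUTH.search(payload)
    if match:
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            decoded = b""
        if b":" in decoded:  # Basic auth is just base64("user:password")
            return "cleartext: HTTP Basic credentials"
    if PASS_CMD.search(payload):
        return "cleartext: PASS command"
    return "no credentials seen"

# Constructed sample payloads (not taken from any real capture).
SAMPLES = {
    "web form over HTTP": b"POST /login HTTP/1.1\r\nHost: mail.example.test\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        b"user=alice&password=not-a-real-secret",
    "HTTP Basic auth": b"GET /inbox HTTP/1.1\r\nHost: mail.example.test\r\n"
        b"Authorization: Basic " + base64.b64encode(b"alice:not-a-real-secret")
        + b"\r\n\r\n",
    "POP3 login": b"USER alice\r\nPASS not-a-real-secret\r\n",
    "TLS application data": bytes.fromhex("1703030010") + bytes(range(16)),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:22} -> {classify(payload)}")
```

A result of "no credentials seen" only means none of these patterns matched; it does not prove the session was encrypted.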

What To Do Now
At this point you MAY want to consider complaining to the provider of the service in question. It is inexcusable in these times for logins to not be properly encrypted! That said, you will want to CAREFULLY word your complaint - as most folks are still woefully illiterate where computers and the Internet are concerned and you DO NOT want the entity to which you are complaining to think YOU are hacking them! You could do as I did with my ISP a while back (see my previous post) and allude to some "diagnostic software" that turned up the problem. I've found that being tactful, but firm, works best. "Your mileage may vary", but until enough people complain loudly enough to ISPs, account providers, and software vendors, we will continue to suffer with shoddy, insecure systems and services. If you have a choice you can always switch providers.

Legal Issues
I want to emphasize the need to use packet sniffers and other such tools in a LEGAL manner. It is legal to use these "hacker" tools to test and "harden" your own PC or network, but using them on anyone else's systems or network without express permission is unethical, illegal, and potentially dangerous.

Usage Considerations
After conducting a test using your packet sniffer - shut it off. Packet sniffers can, in some cases, cause security issues of their own, so use them judiciously.

While what I have just described does NOT, by far, address ALL possible compromises to your online identity, this one is a BIGGIE.

A Quick Word On Firewalls
Many folks still do not use a firewall to protect their computers - but they should. In simplified terms, a firewall is a piece of hardware or software that allows certain types of communication between your PC and the Internet, while stopping other types of traffic. Some firewalls strictly do "packet filtering" - while others, namely some software firewalls, also have settings that control which applications may access the Internet. For firewall software, Windows users can choose from ZoneAlarm, BlackICE Defender, Trend Micro, and a number of others. Most, including the firewall that ships with Windows, have well-documented problems. There are sites on the Internet which compare them; some prior research can save money, time, and headaches.

Many DSL "modems" and even some wireless (Wi-Fi) access points contain a "hardware" firewall. The advantage of the hardware firewall is that it is physically between the Internet and your PC - so many problems may be stopped BEFORE they ever reach your PC. In order to do their job, hardware and software firewalls must be configured properly. Many firewalls, when left in their default configurations, do NOT adequately protect you against some common attacks.

It is beyond the scope of this post to detail configuration of all the different firewalls out there; you will want to do your own research and consult the instructions with whatever system you use.

In a later post I will discuss some methods you can use to test your firewall.
