Google Mail Security
By Ewan Spence
Every year, hackers gather at the DefCon convention in Las Vegas to show off their latest tools. At the last DefCon event, one of the attendees, 'Hamster', showed off how the cookies sent by your computer when signing into a Google account can be copied, allowing the account to be cloned by the hacker, and all the implications that carried.
I'm pretty sure this happened to me whilst travelling through London's Heathrow Airport recently. All was well when I boarded the flight home, but on landing, I had lost access to my Gmail account, the principal email account I use. A new password was in place, the secondary email (for password recovery) had been altered, and my security questions wiped.
Google carries more of my online service than any other company. It carries my email, and I rely on the auto-complete for many addresses; Google Docs hosts a number of shared documents for myself and projects I'm involved in; and Google Calendar gives me access to the timetable of the community radio station I'm involved in. In short, not only could I not get access to my day to day life, or three years of archives... someone else had.
Luckily I've never committed any passwords or financial information into Gmail - so beyond a failed attempt to get into eBay and PayPal, I didn't suffer any financial damage. Google returned access to me within 48 hours of reporting the account as 'compromised,' but it's a timely process that, given the number of people using Google for business-critical tasks, you can't take for granted will work in your favour. So what should you be doing?
Gather information
If your account is compromised, Google's Help Centre will be looking for information to prove that you are the owner. Glance at this form just now and if you can't answer all the questions (without looking at your Google account) then find them out, write them down and keep it somewhere safe (and not in a Google-based repository).
My major concern, if I had to start from scratch again, was my contacts and email addresses. Gmail allows you to export these as a vCard or CSV file - click on Contacts on the left hand side of the web interface to get this option. There's no reason not to get this file on your hard drive today.
Be careful when browsing
While Google signs you in via a secure web page, the online applications themselves will use regular http, so the cookies that identify your session travel unencrypted; this is what the RABBITT hack (as detailed by Hamster from DefCon) exploits. The simple workaround is to always type https://mail.google.com/ (note the s after http) when logging into Gmail, and similarly to force https with the other services. This will keep the entire session on a secure http connection, not just the login. It's always important to log out as well, to end the session and effectively 'expire' your connection.
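To see why forcing https matters, the following sketch (an added example, not code from the article or from Google) models which cookies a browser attaches to a request and which of them cross the network unencrypted. The cookie names, values and the mail.example domain are constructed; the matching rules are a simplified version of what browsers do.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, as a webmail service might return them from
# its HTTPS sign-in page. Names, values and the domain are made up.
LOGIN_SET_COOKIE = [
    "SESSION=c0ffee; Domain=.mail.example; Path=/; HttpOnly",
    "AUTH=deadbeef; Domain=.mail.example; Path=/; Secure; HttpOnly",
    "PREFS=lang-en; Domain=.mail.example; Path=/settings",
]


def parse_cookies(headers):
    """Return one dict per cookie found in the Set-Cookie headers."""
    cookies = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            cookies.append({
                "name": name,
                "domain": morsel["domain"].lstrip(".").lower(),
                "path": morsel["path"] or "/",
                "secure": bool(morsel["secure"]),  # True only if the flag was set
            })
    return cookies


def cookies_sent(cookies, url):
    """Names of the cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    sent = []
    for c in cookies:
        # Simplified matching: every sample cookie sets Domain, and the path
        # test is a plain prefix check.
        domain_ok = host == c["domain"] or host.endswith("." + c["domain"])
        path_ok = path.startswith(c["path"])
        # A cookie marked Secure is withheld from plain-http requests.
        scheme_ok = parts.scheme == "https" or not c["secure"]
        if domain_ok and path_ok and scheme_ok:
            sent.append(c["name"])
    return sent


def exposed_in_cleartext(cookies, url):
    """Cookies that cross the network unencrypted when url is fetched."""
    return cookies_sent(cookies, url) if urlsplit(url).scheme == "http" else []
```

In this model the SESSION cookie, set without the Secure flag, is the one that leaks on an http request, while the same request over https exposes nothing to someone listening on the Wi-Fi network.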
The exploit requires you to be browsing over Wi-Fi, so crowded and popular hotspots (such as Heathrow...) should be avoided. If you have to check your mail, consider using Google's Java client for a smartphone, or using a POP3/IMAP mail client rather than the web browser interface. If wireless connectivity is essential, consider investing in a 3G data modem for use in your country of origin. In the UK, monthly subscriptions start at £10 for 3G data services, including the hardware needed to connect.





