EmailDiscussions.com  

Old 3 Oct 2019, 08:49 AM   #1
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
General Security & ANU Hacking

The article in this link describes email hacking that happened to the Australian National University (ANU).

It says that:
Quote:
The cyber attack was so sophisticated it didn’t even need the person to click on a link or open a document to compromise decades worth of private information.
and
Quote:
A person working closely with that staff member previewed the email before deleting it — but it was too late. Merely previewing the email was enough for hackers to steal a username and password that opened the first door into the ANU network.
Although this is a general discussion about email security, I am raising it here in the context of Fastmail usage and what FM offers for protection.

I'm curious as to how "previewing" an email could result in login details being stolen.

I use the FM web interface 95% of the time, however every now and then I have a reason to use my FM account with MS Outlook or Thunderbird. Obviously they have the required App passwords.
Also, for web login, I have 2-factor set with hardware key.

I'm wondering what the circumstances would have been to allow so-called previewing of an email (what does this even mean) to allow stealing of login credentials and whether my usage of FM could place me in the same vulnerable position.

Welcome discussion on this....
gardenweed is offline   Reply With Quote

Old 3 Oct 2019, 04:04 PM   #2
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 2,995
I find the preview part a bit strange, I wondered if they actually opened it.
Terry is offline   Reply With Quote
Old 3 Oct 2019, 08:39 PM   #3
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 483
There was a discussion elsewhere about this. People there thought the article might be being deliberately vague to give other institutions time to fix holes in their infrastructure.

Also, people tend to think that the mail in question was possibly viewed by a webmail system and - maybe - the malware that leapt into the viewer's computer wasn't in fact part of the email they were looking at, but was something hosted on the webmail server ... that made the jump just like any other bit of 'drive-by' malware. But it's hard to tell.
JeremyNicoll is offline   Reply With Quote
Old 3 Oct 2019, 11:04 PM   #4
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,683
Can anyone link to an article that explains how just previewing an email is dangerous? I know it was a thing back in the day, but I thought all major email providers long ago prevented any scripts etc. from running via the preview window. On the other hand, I can see someone clicking on a link in the preview window, which could possibly take you to a malicious page. It would seem that if the preview pane is a danger we would be reading about many exploits using it since a very high percentage of email clients, desktop or web, are set up with the preview option.
TenFour is offline   Reply With Quote
Old 4 Oct 2019, 11:35 AM   #5
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,917
See the full report here:
https://imagedepot.anu.edu.au/scapa/...port_web_2.pdf

On page 11, note this comment:
Quote:
The first phishing email was designed to be interaction-less and likely used some form of scripting. It is assumed the actor anticipated a high degree of security awareness on the part of the intended recipient. Unfortunately, a copy of this email was not recoverable, so further analysis is not possible.
The report mentions use of legacy email systems. My guess is that ActiveX / Flash or other scripting was used so that code was executed when that email was opened. Fastmail has prevented this for over 5 years. See this post from 2014:
https://fastmail.blog/2014/05/09/mak...n-more-secure/

Bill
n5bb is offline   Reply With Quote
Old 4 Oct 2019, 11:44 AM   #6
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 2,995
Quote:
Originally Posted by n5bb View Post
Fastmail has prevented this for over 5 years. See this post from 2014:
https://fastmail.blog/2014/05/09/mak...n-more-secure/

Bill
Thank you, that is nice to know....I bet not many users know that.
Terry is offline   Reply With Quote
Old 4 Oct 2019, 12:05 PM   #7
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
Quote:
Originally Posted by n5bb View Post
See the full report here:
https://imagedepot.anu.edu.au/scapa/...port_web_2.pdf

On page 11, note this comment:
The report mentions use of legacy email systems. My guess is that ActiveX / Flash or other scripting was used so that code was executed when that email was opened. Fastmail has prevented this for over 5 years. See this post from 2014:
https://fastmail.blog/2014/05/09/mak...n-more-secure/

Bill
Thanks for your input Bill.
I read the FM blog post but it was somewhat beyond my understanding.

Good to know that it covers the issue though.

Does the FM protection also apply to that type of scripting attack if the receiver of the email is using Outlook from Office 365 or similar?
Or does the FM protection only apply when using the FM web UI?

Again - thanks for sharing your understanding of all this.
gardenweed is offline   Reply With Quote
Old 4 Oct 2019, 12:30 PM   #8
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,917
Quote:
Originally Posted by gardenweed View Post
...Does the FM protection also apply to that type of scripting attack if the receiver of the email is using Outlook from Office 365 or similar?
Or does the FM protection only apply when using the FM web UI?...
Their best security protections are when you are using their system to read your email (Fastmail app on a mobile device or their web interface). But they do automatically block all messages which are detected to contain a virus from your Inbox. In general, I think that it's the responsibility of the email client to protect you from embedded scripting or remote image downloading security issues.

Bill
n5bb is offline   Reply With Quote
Old 4 Oct 2019, 01:06 PM   #9
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
Quote:
Originally Posted by n5bb View Post
Their best security protections are when you are using their system to read your email (Fastmail app on a mobile device or their web interface). But they do automatically block all messages which are detected to contain a virus from your Inbox. In general, I think that it's the responsibility of the email client to protect you from embedded scripting or remote image downloading security issues.

Bill
Thanks Bill.
That's what I suspected. The best protection is provided when using the FM UI...
...and that if using an email client, one is relying upon the email client to detect/capture other nasties/scripting if using an email client.
gardenweed is offline   Reply With Quote
Old 4 Oct 2019, 04:32 PM   #10
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,933
Quote:
Originally Posted by n5bb View Post
Their best security protections are when you are using their system to read your email. But they do automatically block all messages which are detected to contain a virus from your Inbox.
Stating the obvious: these protections will not work for a new type of attack or virus.
janusz is offline   Reply With Quote
Old 4 Oct 2019, 10:02 PM   #11
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,683
A quick Google search finds lots of articles like this one that claim just previewing or opening an email is safe. Also, I believe as a general rule webmail is considered to be much safer than most desktop clients.
Quote:
No mail client now allows code to be executed when you open an email, and they haven’t allowed this for well over a decade. So, unless you’re using a very, very old, unpatched email client (think Outlook Express circa 2000 on a Windows 98 machine) your mail program simply won’t allow code to execute when you open an email.
https://www.howtogeek.com/413435/is-...ew-your-email/
TenFour is offline   Reply With Quote
Old 5 Oct 2019, 11:56 AM   #12
emoore
Essential Contributor
 
Join Date: Apr 2002
Posts: 280
Quote:
No mail client now allows code to be executed when you open an email, and they haven’t allowed this for well over a decade
is probably thinking in terms of executing code in the message body. However, many email clients have an option to always display attachments inline. Displaying it executes the contents of the attachment.
emoore is offline   Reply With Quote
Old 5 Oct 2019, 09:04 PM   #13
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,683
Quote:
However, many email clients have an option to always display attachments inline. Displaying it executes the contents of the attachment.
I don't believe showing attachments executes the program. For example, if a PDF is attached all I can see is its title. In Outlook you can Preview the file, but you have to select an option and click on it to do it. I have to double click to actually open it. You can set many email clients to not automatically download images, and then you won't see those unless you select to.

Last edited by TenFour : 5 Oct 2019 at 09:16 PM.
TenFour is offline   Reply With Quote
Old 5 Oct 2019, 11:47 PM   #14
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,917
One issue is viewing a remote image or PDF embedded inside an email. If the browser or email client pulls down that file directly, the source can discover your IP address. That’s why Fastmail lets you block images from unknown senders and also downloads such files using a special Fastmail IP (rather than yours).
n5bb is offline   Reply With Quote
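
The following is an added example, not part of any post in this thread and not Fastmail's code: a small audit of what an HTML email would load or run as soon as it is displayed, plus the block-or-proxy decision for remote images described in the post above. The sample message, the `example.test` hosts and the `PROXY` endpoint are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import quote, urlparse

# (tag, attribute) pairs a renderer fetches on display, with no click needed.
AUTO_FETCH = {("img", "src"), ("script", "src"), ("iframe", "src"),
              ("link", "href"), ("embed", "src"), ("object", "data")}
ACTIVE_TAGS = {"script", "iframe", "embed", "object"}
PROXY = "https://imgproxy.example.test/fetch?u="   # hypothetical proxy endpoint

class PreviewAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote_loads = []   # (tag, url): fetches that expose the reader's IP
        self.active = []         # script-capable content the client must strip

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.active.append(tag)
        for name, value in attrs:
            if name.startswith("on"):          # inline handler: onload, onerror...
                self.active.append(f"{tag}[{name}]")
            url = (value or "").strip()
            if (tag, name) in AUTO_FETCH and urlparse(url).scheme in ("http", "https"):
                self.remote_loads.append((tag, url))

def audit_message(raw):
    """Audit every text/html part of a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    audit = PreviewAudit()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            audit.feed(part.get_content())
    return audit

def image_plan(audit, sender_known):
    """Block remote images from unknown senders; otherwise fetch via the proxy."""
    return {url: (PROXY + quote(url, safe="") if sender_known else None)
            for tag, url in audit.remote_loads if tag == "img"}

# Constructed sample: a tracking pixel, an embedded (cid:) image, and scripting.
SAMPLE = """\
From: sender@example.test
Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<html><body onload="track()">
<img src="https://tracker.example.test/open.gif?id=reader" width="1" height="1">
<img src="cid:logo@example.test">
<script src="https://cdn.example.test/a.js"></script></body></html>
"""
```

The `cid:` image is carried inside the message itself, so it is not reported as a remote load; only the `http(s)` fetches reveal the reader's address to the sender.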
Old 6 Oct 2019, 10:11 AM   #15
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 2,995
That should be listed as a sales feature and benefit.

For us here that is a big bonus feature.
Terry is offline   Reply With Quote
All times are GMT +9.