FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
3 Oct 2019, 07:49 AM | #1 | ||
Cornerstone of the Community
Join Date: Jun 2008
Location: Perth
Posts: 664
|
General Security & ANU Hacking
The article in this link describes email hacking that happened to Australian National University (ANU).
It says that: Quote:
Quote:
I'm curious as to how "previewing" an email could result in login details being stolen. I use the FM web interface 95% of the time, however every now and then I have a reason to use my FM account with MS Outlook or Thunderbird. Obviously they have the required App passwords. Also, for web login, I have 2-factor set with hardware key. I'm wondering what the circumstances would have been to allow so-called previewing of an email (what does this even mean) to allow stealing of login credentials and whether my usage of FM could place me in the same vulnerable position. Welcome discussion on this.... |
||
3 Oct 2019, 03:04 PM | #2 |
The "e" in e-mail
Join Date: Jul 2002
Location: VK4
Posts: 3,029
|
I find the preview part a bit strange; I wondered if they actually opened it.
|
3 Oct 2019, 07:39 PM | #3 |
Essential Contributor
Join Date: Dec 2017
Location: Scotland
Posts: 490
|
There was a discussion elsewhere about this. People there thought the article might be being deliberately vague to give other institutions time to fix holes in their infrastructure.
Also, people tend to think that the mail in question was possibly viewed by a webmail system and - maybe - the malware that leapt into the viewer's computer wasn't in fact part of the email they were looking at, but was something hosted on the webmail server ... that made the jump just like any other bit of 'drive-by' malware. But it's hard to tell. |
3 Oct 2019, 10:04 PM | #4 |
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,742
|
Can anyone link to an article that explains how just previewing an email is dangerous? I know it was a thing back in the day, but I thought all major email providers long ago prevented any scripts etc. from running via the preview window. On the other hand, I can see someone clicking on a link in the preview window, which could possibly take you to a malicious page. It would seem that if the preview pane is a danger we would be reading about many exploits using it since a very high percentage of email clients, desktop or web, are set up with the preview option.
|
4 Oct 2019, 10:35 AM | #5 | |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
|
See the full report here:
https://imagedepot.anu.edu.au/scapa/...port_web_2.pdf On page 11, note this comment: Quote:
https://fastmail.blog/2014/05/09/mak...n-more-secure/ Bill |
|
4 Oct 2019, 10:44 AM | #6 | |
The "e" in e-mail
Join Date: Jul 2002
Location: VK4
Posts: 3,029
|
Quote:
|
|
4 Oct 2019, 11:05 AM | #7 | |
Cornerstone of the Community
Join Date: Jun 2008
Location: Perth
Posts: 664
|
Quote:
I read the FM blog post but it was somewhat beyond my understanding. Good to know that it covers the issue though. Does the FM protection also apply to that type of scripting attack if the receiver of the email is using Outlook from Office 365 or similar? Or does the FM protection only apply when using the FM web UI? Again - thanks for sharing your understanding of all this. |
|
4 Oct 2019, 11:30 AM | #8 | |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
|
Quote:
Bill |
|
4 Oct 2019, 12:06 PM | #9 | |
Cornerstone of the Community
Join Date: Jun 2008
Location: Perth
Posts: 664
|
Quote:
That's what I suspected. The best protection is provided when using the FM UI... ...and that if using an email client, one is relying upon the email client to detect/capture other nasties/scripting if using an email client. |
|
4 Oct 2019, 03:32 PM | #10 |
The "e" in e-mail
Join Date: Feb 2006
Location: EU
Posts: 4,945
|
Stating the obvious: these protections will not work for a new type of attack or virus.
|
4 Oct 2019, 09:02 PM | #11 | |
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,742
|
A quick Google search finds lots of articles like this one that claim just previewing or opening an email is safe. Also, I believe as a general rule webmail is considered to be much safer than most desktop clients.
Quote:
|
|
5 Oct 2019, 10:56 AM | #12 | |
Essential Contributor
Join Date: Apr 2002
Posts: 280
|
Quote:
|
|
5 Oct 2019, 08:04 PM | #13 | |
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,742
|
Quote:
Last edited by TenFour : 5 Oct 2019 at 08:16 PM. |
|
5 Oct 2019, 10:47 PM | #14 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
|
One issue is viewing a remote image or PDF embedded inside an email. If the browser or email client pulls down that file directly, the source can discover your IP address. That’s why Fastmail lets you block images from unknown senders and also downloads such files using a special Fastmail IP (rather than yours).
|
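The remote-content leak described in post #14, as an added example that is not part of the thread and is not Fastmail's code: it lists every URL an HTML message would fetch merely by being displayed and applies a block-or-proxy decision per sender. The function name `plan_remote_content`, the `AUTOLOAD` attribute list, the two-action policy and the `.example` hosts are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser

# (tag, attribute) pairs a renderer fetches on display, with no click from the reader.
AUTOLOAD = {("img", "src"), ("input", "src"), ("iframe", "src"), ("embed", "src"),
            ("object", "data"), ("link", "href"), ("video", "poster"),
            ("body", "background"), ("table", "background"), ("td", "background")}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
REMOTE = re.compile(r"(https?:)?//", re.I)   # http(s) or protocol-relative

class RemoteRefs(HTMLParser):
    """Collect every remote URL that displaying the HTML would fetch."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in AUTOLOAD:
                urls = [(value or "").strip()]
            elif name == "style":            # inline CSS, e.g. background:url(...)
                urls = CSS_URL.findall(value or "")
            else:
                continue                     # <a href> needs a click: not counted
            self.refs += [(tag, u) for u in urls if REMOTE.match(u)]

def plan_remote_content(raw_message, known_senders):
    """Return (tag, url, action): 'block' for unknown senders, else 'proxy'."""
    msg = message_from_string(raw_message, policy=default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    body = msg.get_body(preferencelist=("html",))
    if body is None:                         # plain-text mail loads nothing
        return []
    parser = RemoteRefs()
    parser.feed(body.get_content())
    action = "proxy" if sender in known_senders else "block"
    return [(tag, url, action) for tag, url in parser.refs]

# Constructed sample message (not taken from the thread or the ANU report).
SAMPLE = """\
From: Newsletter <news@unknown.example>
Content-Type: text/html; charset="utf-8"

<p>Hello</p><img src="https://tracker.example/open.gif?id=abc123" width="1">
<div style="background:url('//cdn.example/bg.png')">text</div>
<img src="cid:logo@local"><a href="https://site.example/offer">link</a>
"""
```

The `cid:` image is an attachment inside the message and the `<a href>` needs a click, so neither is reported; only the tracking pixel and the CSS background would reach a remote server on display.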
6 Oct 2019, 09:11 AM | #15 |
The "e" in e-mail
Join Date: Jul 2002
Location: VK4
Posts: 3,029
|
That should be listed as a sales feature and benefit.
For us here that is a big bonus feature. |