Posts tagged ‘Cox’
Cox (Lack of) Communications
It’s nice that my cable and telephone company Cox is fixing a few of their security problems, but it would be nice if they’d let people know that the ability to be more secure is available. Back in July 2007 I wrote about Cox adding POP3 over SSL. In November 2008, I wrote about Cox enabling SMTP/SSL. So I kind of laughed when I saw a Cox customer “Dave” complaining in cox.internet.discussion.email that not only did Cox not make a general announcement regarding these new features, their instructions are inconsistent in offering the option. Vista instructions include the secure options, Mac instructions did not.
I guess Cox figures that the few customers who know what this feature does will keep up on Cox news by reading forums. I admit, I figured it was Dave’s fault for not keeping up with the news. Then it happened to me.
In March 2008, I wrote about my displeasure that Cox was putting my PIN number on my bill. I wrote Cox, explaining that I felt this was poor security. This month while checking out my Cox account settings, I found there is now an option to suppress including the PIN on the bill! After making the change, my bill now shows xxxx instead of the actual PIN. So now I’m echoing Dave. Why didn’t you tell me about this option, and why is insecure the default choice?
Cox SMTP / SSL
Cox has enabled SMTP over SSL and apparently is now allowing authenticated SMTP email from outside the Cox network.
Instructions are here.
It’s a simple matter of changing the outgoing server port to 465 and checking the “use SSL” box. Additionally you need to enable authentication for SMTP (same credentials as POP3). Even from the Cox network, you must use authentication to send on port 465.
I don’t really use the Cox email accounts for much. I primarily use my personal domains or my Gmail account. While I’m not interested in sending Cox email while off network, I do like keeping the first hop of the message’s journey encrypted. It would be nice if they offered opportunistic SSL/TLS in addition to offering customers the chance to use SSL/TLS.
I wonder if they plan to implement DKIM now that Cox has provided the opportunity for customers to send email through Cox servers even when they are off network.
Google Docs Viagra Spam
I was going through my Cox inbox and found Viagra spam with a link to http://doc.google.com/View?id=dfpqm7ft_0tt6xhdd2.
It’s nothing new that spammers have been taking advantage of Google. It’s just kind of annoying to me that this message was sent on October 30th, today is November 10th and the linked Viagra Google doc is still up (“consult a physician if the link stays up longer than 4 weeks”). Am I to believe that no one has reported this link to Google?
The paranoid part of me wonders if when I went to the link Google Docs helpfully checked my Google cookie and provided my Google email address to the spammer who previously only had my Cox email. Next time I’m clearing cookies and using a safer browser when following unsafe links. But I digress, the real point here is Google is woefully slow in responding to spam compared to Yahoo. What’s up Google? Use some of that 20 percent time to stop hosting spammers.
The Caching Proxy and the ISP Webmail
Last Friday, one of the guys in the department noticed that when he signed into Cox webmail he would access Cox mailboxes belonging to other employees. He was even able to open messages in those accounts.
I went back to my office and created a test account. There are an awful lot of potential confidentiality violations here. Although I never repeated the results I saw on my co-worker’s screen, I did find I would see the Cox inbox for other employees when I selected logoff.
We use BlueCoat SG 810-B to provide HTTP/HTTPS security in web browsing. This additionally provides a proxy cache which in theory saves on bandwidth costs. We haven’t had problems previously with Cox Webmail, nor have we had problems with any other webmail or logon based website.
To resolve the problem, I disabled proxy caching on the BlueCoat for webmail.east.cox.net. Immediately the problem went away.
Just to be on the safe side, I checked with my BlueCoat Sales Engineer. He says that cookie based webmail normally works fine as the cookies are non-cacheable by default. Otherwise the webmaster needs to do a better job marking things as non-cacheable. By marking the entire site as non-cacheable I resolved the problem quickly.
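The check a webmaster or proxy admin could run on response headers to see which pages depend on the proxy's defaults, as an added example (not from the original post; it is a simplified reading of HTTP caching rules, and the sample exchanges are constructed, not captured from Cox or BlueCoat):

```python
# Added example: would a shared proxy cache be allowed to replay this response
# to a different user? Simplified reading of HTTP caching rules (RFC 9111).

def parse_cache_control(value):
    """Map each lower-cased Cache-Control directive to its argument ('' if none)."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def shared_cache_findings(request_headers, response_headers):
    """Return reasons a per-user page could be served from a shared cache."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    if cc.keys() & {"no-store", "private", "no-cache"}:
        return []  # the origin has told shared caches not to reuse it blindly
    findings = []
    if "set-cookie" in resp:
        findings.append("storable response carries Set-Cookie")
    vary = {v.strip().lower() for v in resp.get("vary", "").split(",")}
    if "cookie" in req and not {"cookie", "*"} & vary:
        fresh = any(cc.get(d, "").isdigit() and int(cc[d]) > 0
                    for d in ("max-age", "s-maxage"))
        if fresh or "public" in cc or "expires" in resp:
            findings.append("per-user response is explicitly cacheable")
        elif "last-modified" in resp:
            findings.append("per-user response is heuristically cacheable")
        else:
            findings.append("per-user response relies on proxy defaults")
    return findings

# Constructed sample exchanges (not captured from any real webmail service).
SESSION = {"Cookie": "session=constructed-value"}
SAMPLES = {
    "inbox, max-age": (SESSION, {"Cache-Control": "max-age=300"}),
    "inbox, private": (SESSION, {"Cache-Control": "private, no-store"}),
    "logoff, unmarked": (SESSION, {"Last-Modified": "Mon, 01 Jan 2007 00:00:00 GMT",
                                   "Set-Cookie": "session=; Max-Age=0"}),
    "logo, anonymous": ({}, {"Cache-Control": "public, max-age=86400"}),
}

def audit(samples=SAMPLES):
    return {name: shared_cache_findings(req, resp) for name, (req, resp) in samples.items()}

if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name}: {findings or 'ok for a shared cache'}")
```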
Cox PIN
My cable company Cox is now using a PIN to authenticate users when they contact support. Their KB article on the subject says this was required by the FCC to prevent pretexting.
To make things easy for the customer and for themselves, they print the PIN on the first page of the cable bill. How many customers do you think use one PIN for everything? For them Cox just wrote on paper their ATM PIN, building access code, and bike lock combo. That doesn’t seem like a great idea to me.
Cox adds SSL for Webmail
Back in February I repeated Rob Pegoraro’s announcement that SSL for Cox Webmail would be occurring in the first quarter of 2007.
In July, Cox enabled POP3 over SSL and indicated that SSL for Webmail was coming soon as well.
Cox has finally enabled SSL for Webmail, but it is only protecting the credentials at login.
There are several problems with this.
1) When you type in your login credentials, you are at a non-SSL site. You cannot verify the authenticity of the site to which you are providing credentials.
2) When you read your email it doesn’t go over an encrypted link.
3) It may be vulnerable to a cookie replay attack such as the one announced against Google Mail at Blackhat 2007.
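The three problems above can be checked mechanically from a saved login page and its response headers. An added example, not from the original post; the hostnames, form markup and cookie are constructed, and `audit_login` is a hypothetical helper:

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

class LoginFormFinder(HTMLParser):
    """Record the action of every <form> that contains a password field."""
    def __init__(self):
        super().__init__()
        self.action, self.login_actions = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.action = attrs.get("action") or ""
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            if self.action is not None:
                self.login_actions.append(self.action)

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

def is_https(url):
    return urlsplit(url).scheme == "https"

def audit_login(page_url, page_html, set_cookie_headers, mailbox_url):
    """Check the three login-only-SSL problems; all inputs are supplied by the caller."""
    findings = []
    finder = LoginFormFinder()
    finder.feed(page_html)
    for action in finder.login_actions:
        if not is_https(urljoin(page_url, action)):
            findings.append("password is posted in cleartext")
        elif not is_https(page_url):
            findings.append("login form is served over HTTP, so its origin is unverified")
    if not is_https(mailbox_url):
        findings.append("mailbox pages are read over an unencrypted link")
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {name!r} lacks Secure and can be sniffed and replayed")
    return findings

# Constructed sample: hostnames, markup and cookie are illustrative only.
FORM = '<form action="https://webmail.example/login"><input type="password" name="pw"></form>'
LOGIN_ONLY_SSL = audit_login("http://webmail.example/", FORM,
                             ["SID=constructed123; Path=/"], "http://webmail.example/inbox")
FULL_SSL = audit_login("https://webmail.example/", FORM,
                       ["SID=constructed123; Path=/; Secure; HttpOnly"],
                       "https://webmail.example/inbox")
```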
Things I did not know – Cox Pop over SSL
In George Ou’s blog entry titled “Email Security Has been around forever, you just have to turn it on” George asserts
“My current DSL provider AT&T like most ISPs supports SSL encryption on POP3 and SMTP and it’s as simple as a checkmark and using ports 995 for POP3 and 465 for SMTP instead of the usual ports 110 and 25”
I wasn’t aware that my ISP, Cox Communications, offered POP over SSL so I decided to give it a try. It’s actually listed in their support site. I just wasn’t aware of it. It looks like they started this about a week or two ago.
I placed a check in the “this server requires a secure connection” box and changed the pop3 server name to spop.east.cox.net and I was set.
Now if only Cox would enable SSL for webmail communications like they said they would do 7 months ago. According to posts from Cox employees at Broadband Reports, webmail SSL will be coming soon.
Some users would like SMTP over SSL. Currently Cox does not use authentication for SMTP so what is there to protect? If you argue the data of the message, I would suggest if the data is so important use S/MIME. Because Cox SMTP is used on network only, you’re less likely to be sending mail from an insecure location requiring client to server SMTP encryption.
SSL for Cox Webmail
In his Fast Forward Help File earlier this week in the Washington Post, Rob Pegoraro is asked about the security implications of ISPs not using encryption on their Webmail logins.
Rob reports that Cox is planning to offer SSL webmail the first quarter of this year.
Rob comments that “The biggest reason to look for the visual cues of a secure login is to help spot phishing scams — phony pages that, unlike the sites they impersonate, almost never use encryption.” I think it’s a dangerous oversimplification to trust all sites protected by SSL without verifying the certificate, who it’s signed by and preferably whether it’s been revoked or not. In my experience most users don’t know to be worried about SSL errors. To be fair, the newer browsers do a better job of giving a dire warning.
People don’t understand SSL and what it offers. Over at Broadband Reports a user commenting on the need for Cox to provide SSL login says,
“It is my perception that security vulnerabilities in Windows are being exploited at an even higher relentless, frenetic pace right now. Cox needs to be part of the solution and not contributing to the problem.”
Unfortunately SSL does nothing to keep you from being exploited if you haven’t patched. It does nothing to detect a keystroke logger on your computer that collects your passwords to financial websites.
SSL is designed to preserve the message confidentiality. Without client side certificates it only provides authentication of the server’s identity claim. The main risk this addresses is the risk of a rogue LAN administrator sniffing passwords. This is an important consideration if you use webmail anywhere outside of the Cox network and also if you use an unencrypted wireless connection at home.
I wonder if Cox is going to offer POP3 over SSL. Webmail isn’t the only way passwords are passed in cleartext.
Rainbow Tables
I’m downloading rainbow tables to go along with my password cracking software. I ended up getting almost every user account just using alpha-numeric tables. I want to go for the whole shebang so I’m downloading rainbow tables with alphanumeric and special characters and spaces. I just noticed I’ll be over quota. Hope I don’t get a nasty email from Cox. Well at least I found one thing that can be legally downloaded via BitTorrent.

