The following are true stories, but false names are used to ensure
the victims' anonymity.
When "Lucy" and "Ricky" exchanged wedding vows, they said nothing
about email privacy. During their marriage, Lucy found it easy to
guess Ricky's email password. After all, she was his wife and knew
how his mind worked.
One day Lucy began to suspect that Ricky was being unfaithful to
her, and reading his email confirmed her suspicion. She never told
him that she was intercepting his email, and he never suspected
that's how she discovered his infidelity. Even after their divorce,
she still keeps tabs on him by reading his email: he still doesn't
know.
When personal relationships go bad, a boyfriend, girlfriend, spouse
or other significant other may access their partner's email for a
variety of reasons: curiosity, suspicion, evidence-gathering, and
revenge are just a few. The person doing the accessing is in an
ideal position to either know the email password outright – having
been told it or having seen it being typed – or to guess it using
intimate knowledge gained during the relationship.
There are also a variety of ways that such email account access
can be abused. A hostile person could merely read headers or names
of senders. Or, they could read the emails themselves. Or delete
messages. Or reply to messages, impersonating the sender. Or
worse.
When "Fred" and "Ethel" separated, Fred knew Ethel's email password
– and she never changed it. After Ethel started an affair with a
fellow teacher, Fred exacted his revenge by forwarding Ethel's
clandestine messages to her principal and colleagues, damaging her
career and reputation.
Mike Rothman, president of Atlanta-based security industry
analyst firm Security Incite, noted that damage to email isn't as
bad as some other behaviors in similar situations, such as emptying
bank accounts and maxing out credit cards. "However," he said, "we
have noticed that partners snooping in each others' email is
increasing in scope."
While these examples of a violation of email security are
serious and often personally devastating, they affect primarily the
individuals involved. Such a violation, though, could easily be more
far-reaching. For example, many Web sites use email addresses as
usernames. A hostile person could gain access to any of these Web
sites, using their partner's username and knowing or guessing their
password, to spread the damage to bank accounts, investments,
online forums and more.
An angry partner could also use the hijacked email account for
social engineering attacks. Pretending to be the genuine user, they
could send emails to anyone, gaining information, spreading
disinformation, or any of dozens of worse tricks.
Such tactics become especially dangerous when a business or
corporate email account is involved. In this situation, the hostile
person can not only damage their former love, but also the security
of his or her business. That could mean obtaining and divulging
sensitive information, ruining relationships with coworkers,
partners and customers and disrupting normal business operations
irreparably. This interference could continue for weeks or months
without being detected.
This is a type of attack that is extremely difficult for any
security officer to defend against. When a trusted user – which the
hostile person impersonates – performs allowed actions using
permitted access, there is no sure-fire way to stop them. The one
hope is to detect the pattern of damage and contain it as quickly
as possible.
There is only one defence and, from a purely rational point of
view, it is simple. Regardless of their relationship status,
individuals can protect against these nightmarish scenarios by
changing passwords frequently and not revealing them to anyone. In
some cases, doing so might be viewed by a spouse or partner as a
violation of trust. If you trust someone with your life and most
intimate secrets, shouldn't you also trust them with your
passwords?
Rothman suggested that security officers use email education to
help head off problems. "Proper use of passwords is important," he
said, "but users also must separate personal use of email from work
email."
In addition to maintaining strong passwords, perhaps the only
sensible guideline from an enterprise perspective is to advise
trusted users to establish strict boundaries between accounts they
use for business purposes and personal ones. When a relationship
deteriorates to the point where suspicion and separation replace
trust and intimacy, it may be impossible to protect one's emotional
self, but at least corporate information security won't be the
victim of a broken heart.
Edmund X. DeJesus is a
freelance technical writer based in Norwood, Mass.