When relationships end, so does security

Edmund X. DeJesus explains that when personal relationships go bad and partners can access each other's accounts, trust can quickly give way to betrayal, and corporate information security can pay the price.

The following are true stories, but false names are used to ensure the victims' anonymity.

Security Watercooler
When "Lucy" and "Ricky" exchanged wedding vows, they said nothing about email privacy. During their marriage, Lucy found it easy to guess Ricky's email password. After all, she was his wife and knew how his mind worked.

One day Lucy began to suspect that Ricky was being unfaithful to her, and reading his email confirmed her suspicion. She never told him that she was intercepting his email, and he never suspected that's how she discovered his infidelity. Even after their divorce, she still keeps tabs on him by reading his email: he still doesn't know.

When personal relationships go bad, a boyfriend, girlfriend, spouse or other significant other may access their partner's email for a variety of reasons: curiosity, suspicion, evidence-gathering, and revenge are just a few. The person doing the accessing is in an ideal position to either know the email password outright – having been told it or having seen it being typed – or to guess it using intimate knowledge gained during the relationship.

There are also a variety of ways that such email account access can be abused. A hostile person could merely read headers or names of senders. Or, they could read the emails themselves. Or delete messages. Or reply to messages, impersonating the sender. Or worse.

When "Fred" and "Ethel" separated, Fred knew Ethel's email password – and she never changed it. After Ethel started an affair with a fellow teacher, Fred exacted his revenge by forwarding Ethel's clandestine messages to her principal and colleagues, damaging her career and reputation.

Mike Rothman, president of Atlanta-based security industry analyst firm Security Incite, noted that damage to email isn't as bad as some other behaviors in similar situations, such as emptying bank accounts and maxing out credit cards. "However," he said, "we have noticed that partners snooping in each other's email is increasing in scope."

While these violations of email security are serious and often personally devastating, they affect primarily the individuals involved. Such a violation, though, could easily be more far-reaching. For example, many Web sites use email addresses as usernames, and most of them send password resets to that same address. A hostile person who knows or guesses the partner's password, or who simply controls the partner's mailbox, can gain access to any of those sites and spread the damage to bank accounts, investments, online forums and more.

An angry partner could also use the hijacked email account for social engineering attacks. Pretending to be the genuine user, they could send emails to anyone, gaining information, spreading disinformation, or any of dozens of worse tricks.

Such tactics become especially dangerous when a business or corporate email account is involved. In this situation, the hostile person can damage not only their former partner but also the security of that partner's employer: obtaining and divulging sensitive information, ruining relationships with coworkers, partners and customers, and disrupting normal business operations, perhaps irreparably. Because every action appears to come from the legitimate user, the interference could continue for weeks or months without being detected.

This is a type of attack that is extremely difficult for any security officer to defend against. When an apparently trusted user – which is exactly what the hostile person impersonates – performs allowed actions using permitted access, no access control will stop them. The one hope is to detect the pattern of damage and contain it as quickly as possible.
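Since the credential itself is valid, the only signals left are context and behaviour: where the session comes from and what it does. The following is an added example, not code from the article or from Security Incite, of the kind of pattern detection the paragraph above describes. It assumes a hypothetical authentication log format (`<ISO timestamp> user=... ip=... ua=... action=...`) and a per-user baseline of previously seen addresses and clients; the log lines and baseline below are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format assumed by this example (not the article's):
#   <ISO-8601 timestamp> user=<name> ip=<addr> ua=<client> action=<login|read|forward|delete>
LINE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) ua=(\S+) action=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, user, ip, ua, action = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ip, "ua": ua, "action": action}


def find_anomalies(lines, baseline,
                   concurrent_window=timedelta(minutes=30),
                   forward_limit=3, forward_window=timedelta(minutes=10)):
    """Return alerts as (timestamp, user, rule, detail) tuples.

    baseline maps user -> {"ips": set, "uas": set} of sources seen during
    normal use.  Three rules, all of which fire on a perfectly valid login:
      new_source          login from an IP or client the user has never used
      concurrent_sources  logins from two different IPs inside concurrent_window
      bulk_forward        more than forward_limit forwards inside forward_window
    """
    alerts = []
    last_login = {}                  # user -> (timestamp, ip) of the latest login
    forwards = defaultdict(list)     # user -> timestamps of recent forwards
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                 # skip malformed lines rather than crash
        user, ts = ev["user"], ev["ts"]
        known = baseline.get(user, {"ips": set(), "uas": set()})
        if ev["action"] == "login":
            if ev["ip"] not in known["ips"] or ev["ua"] not in known["uas"]:
                alerts.append((ts, user, "new_source", f"{ev['ip']} {ev['ua']}"))
            prev = last_login.get(user)
            if prev and prev[1] != ev["ip"] and ts - prev[0] <= concurrent_window:
                alerts.append((ts, user, "concurrent_sources", f"{prev[1]} and {ev['ip']}"))
            last_login[user] = (ts, ev["ip"])
        elif ev["action"] == "forward":
            recent = [t for t in forwards[user] if ts - t <= forward_window]
            recent.append(ts)
            forwards[user] = recent
            if len(recent) == forward_limit + 1:   # alert once, when the limit is first exceeded
                alerts.append((ts, user, "bulk_forward",
                               f"{len(recent)} forwards within {forward_window}"))
    return alerts


# Constructed sample data: the user's usual source, then one morning's activity in
# which a second client appears and starts forwarding messages in bulk.
BASELINE = {"ethel": {"ips": {"203.0.113.10"}, "uas": {"webmail"}}}

SAMPLE_LOG = """\
2009-03-02T08:02:00 user=ethel ip=203.0.113.10 ua=webmail action=login
2009-03-02T08:05:00 user=ethel ip=203.0.113.10 ua=webmail action=read
2009-03-02T08:20:00 user=ethel ip=198.51.100.7 ua=outlook action=login
2009-03-02T08:21:00 user=ethel ip=198.51.100.7 ua=outlook action=read
2009-03-02T08:22:00 user=ethel ip=198.51.100.7 ua=outlook action=forward
2009-03-02T08:23:00 user=ethel ip=198.51.100.7 ua=outlook action=forward
2009-03-02T08:24:00 user=ethel ip=198.51.100.7 ua=outlook action=forward
2009-03-02T08:25:00 user=ethel ip=198.51.100.7 ua=outlook action=forward
this line is deliberately malformed and must be ignored
""".splitlines()


def demo():
    """Run the detector over the constructed sample and return its alerts."""
    return find_anomalies(SAMPLE_LOG, BASELINE)


if __name__ == "__main__":
    for ts, user, rule, detail in demo():
        print(f"{ts.isoformat()} {user} {rule}: {detail}")
```

On the sample the detector raises three alerts, all against a login that the mail server itself accepted as legitimate: a new source at 08:20, two addresses in use within half an hour, and four forwards in ten minutes. Note the limit of the approach, which is the article's point: a partner reading mail from the same home computer and the same client, doing nothing bulkier than the real user, trips none of these rules.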

There is only one defence and, from a purely rational point of view, it is simple. Regardless of relationship status, individuals can protect against these nightmarish scenarios by never revealing their passwords to anyone and by changing them regularly, and certainly whenever a relationship changes. In some cases, doing so might be viewed by a spouse or partner as a violation of trust. If you trust someone with your life and most intimate secrets, shouldn't you also trust them with your passwords?

Rothman suggested that security officers use email education to help head off problems. "Proper use of passwords is important," he said, "but users also must separate personal use of email from work email."

In addition to maintaining strong passwords, perhaps the only sensible guideline from an enterprise perspective is to advise trusted users to establish strict boundaries between accounts they use for business purposes and personal ones. When a relationship deteriorates to the point where suspicion and separation replace trust and intimacy, it may be impossible to protect one's emotional self, but at least corporate information security won't be the victim of a broken heart.

Edmund X. DeJesus is a freelance technical writer based in Norwood, Mass.
