One day Lucy began to suspect that Ricky was being unfaithful to her, and reading his email confirmed her suspicion. She never told him that she was intercepting his email, and he never suspected that's how she discovered his infidelity. Even after their divorce, she still keeps tabs on him by reading his email: he still doesn't know.
There are also a variety of ways that such email account access can be abused. A hostile person could merely read headers or names of senders. Or, they could read the emails themselves. Or delete messages. Or reply to messages, impersonating the sender. Or worse.
Mike Rothman, president of Atlanta-based security industry analyst firm Security Incite, noted that damage to email isn't as bad as some other behaviors in similar situations, such as emptying bank accounts and maxing out credit cards. "However," he said, "we have noticed that partners snooping in each other's email is increasing in scope."
While these examples of a violation of email security are serious and often personally devastating, they affect primarily the individuals involved. Such a violation, though, could easily be more far-reaching. For example, many Web sites use email addresses as usernames. A hostile person could gain access to any of these Web sites, using their partner's username and knowing or guessing their password, to spread the damage to bank accounts, investments, online forums and more.
An angry partner could also use the hijacked email account for social engineering attacks. Pretending to be the genuine user, they could send emails to anyone, gaining information, spreading disinformation, or any of dozens of worse tricks.
Such tactics become especially dangerous when a business or corporate email account is involved. In this situation, the hostile person can damage not only their former love, but also the security of his or her business. That could mean obtaining and divulging sensitive information, ruining relationships with coworkers, partners and customers and disrupting normal business operations irreparably. This interference could continue for weeks or months without being detected.
This is a type of attack that is extremely difficult for any security officer to defend against. When a trusted user – which the hostile person impersonates – performs allowed actions using permitted access, there is no sure-fire way to stop them. The one hope is to detect the pattern of damage and contain it as quickly as possible.
There is only one defence and, from a purely rational point of view, it is simple. Regardless of their relationship status, individuals can protect against these nightmarish scenarios by changing passwords frequently and not revealing them to anyone. In some cases, doing so might be viewed by a spouse or partner as a violation of trust. If you trust someone with your life and most intimate secrets, shouldn't you also trust them with your passwords?
Rothman suggested that security officers use email education to help head off problems. "Proper use of passwords is important," he said, "but users also must separate personal use of email from work email."
In addition to maintaining strong passwords, perhaps the only sensible guideline from an enterprise perspective is to advise trusted users to establish strict boundaries between accounts they use for business purposes and personal ones. When a relationship deteriorates to the point where suspicion and separation replace trust and intimacy, it may be impossible to protect one's emotional self, but at least corporate information security won't be the victim of a broken heart.
Edmund X. DeJesus is a freelance technical writer based in Norwood, Mass.