Webmail dangers and what you can do about it.
A recent article in the New York Times ‘I was hacked in Beijing‘ highlights some of the problems with storing your email or documents in the much-promoted cloud. In this case it seems the journalist was using a Yahoo online mail account which was hacked, most likely by the Chinese government or someone acting ‘patriotically’ on their behalf.
It highlights the downside of most ‘cloud’ storage – even in its simple form of a webmail account. Sure, webmail is cheap and easy to access, but it’s also a security risk. You might not be ‘of interest’ to the CIA, MI6, FSB or Chinese MSS, but everyone has details online that they don’t want other to see.
Cloud storage, is a stationary target for hackers that they can try to crack 24/7. That includes webmail and online document editing.
The makers of cloud storage have generally focused on accessibility and functionality , not security – much in the same way that Microsoft Office used to.
We now know that Google ‘single password login’ system was hacked back in January so that the attackers could have accessed any data in Google’s cloud. That’s not to single out Google – the same thing could have happened to another cloud system like Windows Live login.
Office Web Applications – the ‘Office in a browser’ coming from Microsoft falls into this trap. Once someone has hacked your Windows Live account they can view all your Skydrive/OWA documents. Microsoft does not allow password protected documents to be used on their new online service. That’s a pity because password locked docs could be another level of protection against prying eyes.
Webmail and cloud storage is convenient but it’s also accessible to others. Data stored on your computer isn’t as available to outsiders, especially if you use the tools available to you in Windows like Encrypted File System, Bitlocker, password login. If used correctly, your data is secure even if someone steals the entire computer.
What can you do?
Strong passwords – yeah I know you’ve heard it before but at least use unique passwords for critical accounts like online banking and webmail.
Use webmail as interim storage for newly arrived messages. Setup your email program to grab email from the online storage and delete the online copy – this is the default for POP accounts setup in Outlook.
Get a digital certificate and use it to encrypt emails to others. Encrypted messages can only be read by the sender and recipient with appropriate software like Outlook / Outlook Express etc. Even if someone hacks your online storage all they’ll see is a mess of characters.
What should they do?
Online services should have the option to login by personal certificate backed up by name/password. A login history should be available – when, the IP address, apparent location etc. Even a ‘login alert’ function to let you know via email or SMS when someone logs into your account.
Staff working in sensitive areas – like a foreign correspondent – should be using something better than Yahoo mail. Microsoft’s Exchange Server has webmail access called ‘Outlook Web Access’ which can be setup for tight security (login requiring a digital certificate, VPN login etc).
We’re very aware of security issues having just finished the latest Office-Watch.com ebook – Privacy and Security in Microsoft Office. Getting a digital certificate and using it to sign and encrypt emails is covered in step-by-step detail
- Simple and free email signatures for Outlook
- Avoiding the ‘Google’ mail hack
- Live Mesh, Live Sync and Skydrive
- Privacy and Security in Microsoft Office
- Qualifying for Office Web Applications
- Getting started with Office Web Applications