Other issues in this category (24)
A mailbox is a box, not a safe
Thursday, December 1, 2016
People often store important information in their mailboxes—and therein lies a certain danger. Mail frequently becomes inaccessible due to hardware faults and failures, services getting shut down, or mail providers finding something suspicious…
How can we securely store information we’ve exchanged via email?
First, let's try to determine what puts our correspondence at risk.
We won’t examine what happens when users create their own mail servers. In terms of information security, such endeavors only work out well when the users involved are information security specialists. Unfortunately, most people aren’t. Let’s suppose that our mailbox is located on a remote server (most likely, on a mail service), and that it doesn’t matter what service we use—the risks are generally the same for all of them.
So, the risks are as follows:
Your computer could be infected. Here, it’s important to acknowledge the fact that the risk of any commercial secrets being leaked is low (so long as you weren’t singled out for an attack). Intruders are primarily interested in passwords to various services and gaining access to your films/videos and photos. Most intruders are only interested in what they can sell, the quicker the better. Information that may be of interest to just one or two buyers worldwide is of no value to them.
Important! In this case, we’re talking exclusively about an accidental infection of an ordinary user’s computer. If we were talking about a company network, it’s quite possible that the attackers would collect totally different information, for example, data related to the network’s structure so they can spread malware in it.
As criminals sift through our correspondence, what types of things might interest them?
- Credit card information. Sometimes multiple people use the same credit card, so it is quite possible to find the credit card number, the cardholder’s name, the card expiry date, and the CVV.
- Attackers can easily collect addresses from email or instant messenger databases to sell them to spammers. Email accounts don’t just facilitate access to a mail archive with all its secrets, including bank account passwords. Once in control of an account, an intruder can request many passwords on your behalf and on behalf of your friends, and quite possibly obtain them.
- Social network accounts. These are valuable to attackers because they can be used to distribute spam internally on social networks for various fraud schemes (for example, requests to transfer money); to increase traffic, “likes,” and other relevant advertising indicators; and to steal other accounts belonging to the same user (because the same passwords were used).
- Online game accounts. Once they’ve obtain access to such accounts, attackers can move valuable virtual objects out of virtual worlds and into the real world.
- Personal photos. These can be sold or used for blackmail.
- Saved films and distributions (if anybody still saves them). Reports of films being leaked before their release are not uncommon.
- Passport information.
- Correspondence can be intercepted during transmission. In wired networks this is highly improbable (although this method is used for targeted attacks), but entirely possible for wireless networks.
- Fraudulent schemes that go through a technical support service can be used to hack a mail service or steal a mailbox.
The Anti-virus Times recommends
- Use complex passwords that are unique for each service. Or, at least use a set of a complex password for important services and a simple one to log into accounts that have no such requirement.
- While working with mail or instant messenger services, use the latest anti-spam and anti-virus versions. Scan everything you send or receive. Justifications like "I didn’t notice” or "a virus is to blame" reflect rather badly on you.
- Use protected protocols for sending/receiving emails, especially when communicating via wireless networks.
Send your secret information in sections. For example, you can send your email address and its password in different emails in the form of a password-protected archive or via several different systems (for example, send the login in an email and the password using a protected instant messenger).
If your computer is corrupted, this precautionary measure will not prevent attackers from "seeing" how you enter your data, and intercepting it.
- Some messengers are able to transmit information without keeping a record of it; enable this option.
- Do not store important information in your mailbox only; make back-up copies.