Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Sarah Palin demonstrates the peril of webmail

A hacked webmail account highlights the risk of trusting too much information to a service that may not be as secure as you.

If you needed any more reminders about why it isn't a good idea to use external mail services to conduct critical business, the recent break-in to US Republican Vice-Presidential candidate Sarah Palin's gov.palin@yahoo.com Yahoo inbox should be it. Of note is that following the disclosure of the inboxes the compromised address and another address, gov.sarah@yahoo.com, have been suspended.

US politics has been stung by a range of inappropriate email usage incidents, including the use of non-government email accounts to conduct official business. From the images presented as proof of email compromise, it seems that Sarah Palin was also doing this.

Various Information Security mailing lists have from time to time been filled with claims of inbox compromise, usually for free webmail services and it is always two parts voyeurism, two parts fear that it could be you next whenever someone has had their email exposed so publicly.

Some companies have decided that the economy of scale offered by services like Gmail are worth it to have their email needs handled through them rather than maintaining their own in-house systems and servers. The risk, as has been proven time and time again, is now that it only takes a simple password recovery to have your email exposed to all.

Password recovery procedures are an area where the balance between security and usability is so blurred that most times the security aspect is non-existent, despite appearances. The leading theories about how the breach to Sarah Palin's account came about were that it was through the password recovery options associated with the Yahoo webmail interface.

Even if a user has selected non-standard secret questions, or has linked other email accounts, this sort of information isn't going to take a determined hacker very long to dig up, especially if the target is already someone in the public eye. Even if the target is not a public identity, the rise of social networking sites and personal blogs means that it shouldn't take too long to dig up enough information about someone to have a better than average chance at correctly guessing the answers to most secret question choices.

Once the account has been compromised, it then becomes a matter of what the attackers are going to do next. Some attackers have used compromised email accounts to take control of other assets belonging to the legitimate email owner, including Web sites, or have used the inbox access to spread malicious content to the contacts of the real owner.

Since most of these compromises have been about the ability to boast that they have done it, or for short term gain, the real risk of inbox compromise hasn't really been explored very well. The biggest risk following a compromise is from the disciplined attacker. They will not highlight their presence through splashing email content around the place, nor highlight their presence by sending objectionable material to all and sundry. Instead, they will use their access to amass critical information on their target (be it corporate espionage, personal blackmail, or other leverage) or send the occasional message and hope that it is infrequent enough to not be noticed.

Many companies try to block access to webmail services through their corporate networks in an attempt to limit the risk of employees sending sensitive corporate information through channels that can not be managed by the corporation.

It isn't so much to stop employees from wasting time on personal email through webmail, rather it is a risk management practice validated by this most recent compromise. Even if a company has implemented the block to prevent employees wasting time, the risk reduction is a beneficial side effect.

If you are busy using external webmail or email hosting providers, perhaps you should take another look at just how hard it is to gain anonymous access to that information and ensure that you have properly assessed the risk/benefit tradeoffs associated with using the services.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Yahoo
References show all

Comments

1

hack into facebook account

Tue 10/03/2009 - 19:53

hack into facebook account

Excellent, professional, and very fast service that's <a href="http://www.rayahari.com/">hack into facebook account</a>. Thank <a href="http://www.rayahari.com/hack-Facebook-passwords.php">http://www.rayahari.com/hack-Facebook-passwords.php</a> very much . I know the truth now, although it is not as bas as I feared. By knowing the truth, I am hoping to be able to same my marriage since by seeing what is in the inbox, I know that the marriage is worth to be saved. I pray for the peace of all cheated spouses in the whole world... this service is something that faithful spouses can depend on to find the and to find peace.. If you are unsure of <a href="http://www.rayahari.com/how-to-hack-facebook-passwords.php">facebook hacking password</a> , you can visit www.rayahari.com<br><br>

BTW, I found another website that can <a href="http://www.milanorosa.com/how-to-hack-into-yahoo-hack-someones-yahoo.php">hack yahoo passwords</a> and other one specialized in <a href="http://www.activehackers.com/how-to-hack-into-hotmail-accounts-password-for-100.php">hack into hotmail passwords</a>.<br><br>

Diane Calhoun, Lincoln<br><br>
England

2

John32

Wed 23/06/2010 - 14:17

Don't pay that guy to hack your hotmail password, you can get the same hotmail password hack program he uses at http://www.hotmailpasswordhack.net Don't fall for it like me!

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: sarah palin
Latest Blog Posts
Whitepapers
  • How progressive companies are using social technologies
    Social networks and collaborative technologies are now commonplace in many workplaces. Having first been used “on the quiet” by highly-networked employees, in increasing numbers they are now being proactively used by businesses keen to connect more effectively with their internal and external audiences. Web collaboration is now viewed as critical to company success and as having multiple benefits and applications to the business. Read on.
    Learn more »
  • Spear Phishing Attacks - Why they are successful and how to stop them
    There's been a rapid shift from broad, scattershot attacks to advanced target attacks that have had serious consequences for victim organisations. The increased use of spear phishing is directly related to the fact that it works, as traditional security defences simply do not stop these types of attacks. This paper provides a detailed look at how spear phishing is used within advanced attacks and the key capabilities organisations need in order to effectively combat these emerging and evolving threats.
    Learn more »
  • The mobile print enterprise - How IT consumerisaton is driving anytime, anywhere printing
    As the office extends to an ever-wider range of work locations and businesses find themselves supporting a diverse range of mobile platforms, the print infrastructure is extending to the mobile worker, improving both employee and business productivity. Even in the era of smartphones and tablets, businesses continue to rely on printing. Quocirca’s research reveals that there is certainly the appetite for mobile printing, with almost 60% of respondents stating that their organisations would like to print from their mobile devices, with around 25% currently investigating mobile print solutions. Read more.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.