It seems that email has been in the news a lot lately, from phony IRS emails and celebrity hacking (phishing) to the latest monthly installment of State Department emails. While each sheds light on a different aspect of information security, they also share a common thread – confidentiality. The preservation of confidentiality is so fundamental to information security that it is the one of the legs of the well-known framework called the “CIA Triad” – confidentiality, integrity and availability.
Phishing emails, in which the sender tries to induce the recipient into giving up account information are a form of hacking known as social engineering. Popular entertainment often portrays hackers as elite but misguided technical savants, but the reality is distressingly pedestrian. As a case in point, consider the cautionary tale of Andrew Helton of Oregon, who, according to a press release from the U.S. Attorney’s Office in the Central District of California, pleaded guilty to a felony violation of the Computer Fraud and Abuse Act (CFAA) after hacking into hundreds of victims’ online accounts, including unnamed celebrities.
By what kind of sorcery did Helton hack these accounts? He simply sent official looking emails purportedly from Apple or Google asking unwary recipients to “verify” their accounts. Clicking an embedded hyperlink sent them to equally official-looking, but counterfeit, login pages into which the victims dutifully entered their account credentials. Voilà, account “hacked!” From there, it seems the artful Helton simply helped himself to the victims’ contacts to harvest even more email addresses, setting off a chain reaction of bamboozlement.
Not long ago, a client approached me, concerned they too had been hacked in this way. A clerical employee at the firm had received an email on one of the firm’s shared email accounts ostensibly from a client wanting to share documents on Dropbox. The link opened a web page that looked like Dropbox, but was merely a credential collection page soliciting an email address and password. Fortunately, the client quickly caught on to the game and changed the password before the account could be accessed by an intruder. However, the close call caused them to rethink their security practices, especially staff training.
When considering password safety, the most common piece of advice is generally to use long passwords, so that the time required to brute-force them (trying every combination) becomes unfeasible. However, since far more hacking is done by social engineering than by purely technical exploits, password length, while important, may not be the primary consideration. It doesn’t matter how long your password is if it’s no longer secret. That’s why some people only reuse passwords among sites they consider trivial (and there is no shortage of trivial sites on the Internet) and others rely on what’s called multifactor authentication.
You can think of a factor as one of three categories: something you know (i.e., a password), something you have (i.e., a cell phone), or something you are (i.e., a fingerprint). This is one of the reasons websites increasingly ask users to register a mobile phone number. Once you enable multifactor authentication, even if a hacker has your password, they can’t login to your account or change your password unless they can also receive your text messages.
Another of my recent cases highlighted a different social engineering risk. The client had used email addresses from one of the popular free email providers (such as Hotmail, Yahoo and Gmail). Free email addresses are convenient, but there is no guarantee that the email address actually belongs to the person it appears to, creating the opportunity for mistaken identity or outright impersonation. In my case, an interloper exploited that vulnerability by creating a lookalike email account, differing from the real account by only one character. The fake account was so visually similar to the original that the scammer was able to deceive some of the other participants in a business transaction. Predictably, the deception led in due time to litigation, which was when my services were called for.
Using specialized digital forensic software, I was able to unravel the mystery by examining and comparing the contents of email headers. Email headers, though invisible most of the time, contain a wealth of data that may be of investigative value, including Internet routing information in the form of Internet protocol (IP) addresses. With the help of account creation details produced by the email provider in response to a subpoena, I was able to establish a clear correlation between the bogus email address and the emails of one party to the negotiations. The moral of the story? Registering your own domain name keeps out the riffraff because it gives you control over who can create email addresses using your name.
Peter Steiner’s iconic cartoon, published in The New Yorker in 1993, popularized the phrase, “On the Internet, nobody knows you’re a dog.” Over a decade later, the sentiment still rings true. For many of us, preserving confidentiality still depends a lot on knowing that emails and websites are authentic. You can protect your email data by disclosing passwords only to trusted sites, using multifactor authentication and using a custom domain name so others can’t impersonate you.