Cyber Security Awareness Month - Day 4 - Managing EMail

Published: 2010-10-04. Last Updated: 2010-10-11 17:43:30 UTC
by Daniel Wesemann (Version: 1)
5 comment(s)

We covered phishing and other nefarious fraudulent emails in yesterday's diary. Today's entry is about preventing unauthorized access to your email and some email handling issues.

Unauthorized access to your email can occur for a number of reasons:

  • you picked a simple password, and someone guessed it
  • you picked a good password, but someone guessed the "password reset" question (remember "Wasilla High"?)
  • you accessed your email account from an unsafe public terminal
  • you accessed your email account from a safe personal computer, but did not use SSL

Derived from this are a few steps you can take to make things harder for snoops:

  • Pick a good long password. And do change it every now and then. I am certainly no fan of "change your password every xx days" rules, but for online email, changing it on occasion actually makes good sense -- it is your only chance to lose any "stalkers" you might have picked up over time. Your ex, your dorm roomie, etc., might know your password, and can passively snoop your inbox without you ever noticing. Only changing the password shakes them off.
  • Actually go through the "I forgot my password" routine once. Just pretend that you don't remember the password. And then watch carefully how hard (or not) it actually is to regain access. There are still mail providers out there who require you to have a 10-character password, but at the same time force you to use "The color of your first car" as a password reset question. Having a password reset option is good (heck, I also forget passwords if the vacation is good and long :), but the reset option should be as hard to guess or fake as the original sign-on. If you have the choice, pick a provider that allows you to write your own question/answer pair and that includes some sort of out-of-band notification like SMS.
  • For the unsafe public terminal, well, don't log into your email there. Within a couple of months, all of us will carry web-enabled mobile phones anyway, and those shady airport and hotel PCs will hopefully then follow the "internet cafe" into merciful obscurity.
  • If you are already using a mobile phone or *pad or *book for email access "on the go", make sure that your email client is set to use SSL/TLS. HTTP, IMAP and POP3 should all be avoided if they are not paired with SSL/TLS for encryption (HTTPS, for example). Remember, WiFi signals can be intercepted and recorded by everyone in range. Without encryption, eavesdroppers get to see your login credentials and all the email that you download and read.
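As an added illustration (not part of the original diary) of the last point: someone who can see the traffic does not need to "crack" anything, the credentials are simply there in the IMAP or POP3 login. The script below does the defender's version of that: it scans a constructed text capture of client-to-server lines and reports which accounts still log in without TLS, so the affected clients can be reconfigured. The capture format, hosts, accounts and passwords are all made up; findings deliberately never include the password.

```python
import base64
import re

# Constructed sample of plaintext IMAP (port 143) and POP3 (port 110) logins as
# a capture tool might print them; hosts, accounts and passwords are made up.
SAMPLE_CAPTURE = """\
10.0.0.5:51234 -> 192.0.2.10:143 | a001 LOGIN "alice@example.org" "hunter2"
10.0.0.5:51235 -> 192.0.2.10:110 | USER bob@example.org
10.0.0.5:51235 -> 192.0.2.10:110 | PASS correcthorse
10.0.0.7:51300 -> 192.0.2.10:143 | a002 AUTHENTICATE PLAIN
10.0.0.7:51300 -> 192.0.2.10:143 | AGNhcm9sQGV4YW1wbGUub3JnAHMza3IzdA==
10.0.0.9:51400 -> 192.0.2.10:993 | <TLS application data, not readable>
"""

LINE_RE = re.compile(r"^(?P<client>\S+) -> \S+:(?P<port>\d+) \| (?P<payload>.*)$")
IMAP_LOGIN_RE = re.compile(r'^\S+ LOGIN\s+"?([^"\s]+)"?\s+\S+', re.IGNORECASE)
IMAP_AUTH_PLAIN_RE = re.compile(r"^\S+ AUTHENTICATE PLAIN\s*$", re.IGNORECASE)
POP3_USER_RE = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)
PROTOCOL_BY_PORT = {143: "IMAP", 110: "POP3"}


def find_cleartext_logins(capture: str) -> list:
    """One finding per login sent without TLS; the password is never copied out."""
    findings = []
    awaiting_plain = set()  # clients that just sent AUTHENTICATE PLAIN
    for raw in capture.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        client, port, payload = m["client"], int(m["port"]), m["payload"]
        user = None
        if client in awaiting_plain:
            # SASL PLAIN sends base64("authzid\0authcid\0password") on the next line
            awaiting_plain.discard(client)
            try:
                parts = base64.b64decode(payload, validate=True).split(b"\0")
                user = (parts[1] or parts[0]).decode("utf-8", "replace")
            except (ValueError, IndexError):
                continue
        elif IMAP_AUTH_PLAIN_RE.match(payload):
            awaiting_plain.add(client)
            continue
        elif (lm := IMAP_LOGIN_RE.match(payload)):
            user = lm.group(1)
        elif (pm := POP3_USER_RE.match(payload)):
            user = pm.group(1)
        if user:
            findings.append({"client": client, "port": port, "user": user,
                             "protocol": PROTOCOL_BY_PORT.get(port, "other")})
    return findings
```

The TLS session on port 993 produces no finding because its payload is opaque, which is exactly the point of the advice above.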


EMail Handling

"Reply to all" was not invented for people who click faster than they think. On occasion, these embarrassing broadcasts of a person's naiveté make everyone at the office cringe. Thus, if you are using "reply to all", check carefully who is on the recipient and cc: lists. And do everyone a favor and never reprimand a hapless reply-to-all person by also replying to all with an admonishment.

"Unsubscribing" also has its pitfalls. If you try to unsubscribe from some list that you never actually subscribed to, chances are that you just confirmed to some spammer that you actually read their email. Only use "unsubscribe" on things that you vaguely remember ever having signed up to, and use "mark as spam" for all the rest.

Last but not least, EMail is a poor medium to convey irony or sarcasm. As useful as email is, the more contentious a discussion gets, or the more back-and-forth replies pile onto replies, the better off you likely are by picking up the phone, and having an old-fashioned talk.

If you have other tips on how to keep email safe and secure, please comment below or use the contact form.


Comments

The from line cannot be trusted. Therefore e-mail cannot be trusted. Be suspicious of the links and attachments of any e-mail.

Don't bother replying to an e-mail which is out of character and possibly malicious from a friend. It is only their e-mail address which is guaranteed to have been lost; their computer may or may not have been infected. It never hurts to scan with AV or advise your friend to do so.
Providing you have a system so that *you* can remember what the answer was, you can answer password reset questions with almost any answer. So when you are asked for "The color of your first car", you answer "fish". If you think that is still too simple, use random words (e.g. futureproof) or put together two totally unrelated things and/or include punctuation (e.g. fish-airplane!). In this way, you can still have secure password resetting without being able to choose your own questions. In fact, it is probably better than choosing your own questions in that people will still tend to choose questions that they (and potentially fraudsters) can easily answer.
Great article. I would only add one more thing to your point on using mobile devices. Make sure you have installed and updated anti-malware software on all your mobile devices.
I read somewhere (I can't now figure out where, and Google has been no help in trying to find it again) a report on a psychological study where they found out that things said "in print" (including email and forum posts) are taken two degrees more harshly than the writer intended. This contributes to the escalation of arguments that result in the piled-on replies mentioned in the article.
Yes, this is because you cannot see the facial expressions / mimicry and the gestures of your counterpart.
