Security of Personal Email Accounts

Last week, former Secretary of State General Colin Powell became the latest public figure to have his personal email account hacked and his messages exposed publicly, to the great embarrassment of himself and others. He joins a long list of political, government, and entertainment figures who have endured this same fate. Organizations cannot ignore the potential impact of such an incident occurring to one of their personnel, especially senior management in highly visible roles.

The good news is that this type of incident is avoidable. The majority of these incidents have happened when a user's password was guessed, obtained via keystroke monitoring or other snooping, or reset via social engineering. The social engineering method that has been used against many prominent people, including the Director of the CIA and the Director of National Intelligence, was to contact their Internet provider or phone company and request a password reset. These methods can be largely defeated using the recommendations below.

Key considerations for securing personal email accounts:
  • Use a good email provider. Generally speaking, the big webmail providers are more secure than the mail account provided by your ISP. If you have your own personal domain name that you want to continue using, that is not an issue; Google can host your email at your own domain name for a small fee.

  • Use multi-factor authentication. This is offered by all major webmail providers, including Gmail, Microsoft (Hotmail, Outlook), Yahoo, and AOL. If you have a web-based account that stores or manages anything important, you should be using multi-factor authentication.

  • Multi-factor authentication means that after providing your password you provide a second code that is different every time. This can be done in different ways: using an app on your smartphone, such as Google Authenticator (works with Gmail, Microsoft), or getting a code via text message are the most common.

  • Choose your "recovery options" carefully. Providers need some way to contact you if you forget your password and/or lose your phone (and therefore your ability to use multi-factor authentication). One option for most providers is a phone number they can call to validate you; the best bet is to use a work or home landline rather than your cell number, especially if you're using that same device for your primary multi-factor method.

  • If your provider uses "verification questions" like "What was the model of your first car?" for password reset, choose very carefully. Choose a question that nobody else is likely to know, or else provide a made-up answer. Otherwise these questions become an easily-exploited weak link.

  • Ensure that key accounts, such as email, banking, and Internet provider, are set up to email you and text you when a change is made to your account settings. This way, you will get a text and/or email if someone makes an unauthorized password change, etc.

  • Avoid re-using passwords for any accounts, and use a long, complex password for each account. The best way to make this manageable is to start using a secure password manager, such as Dashlane, LastPass, or 1Password. These will securely store your passwords in the cloud for you. It may seem like putting all your eggs in one basket (and it sort of is), but these are very secure and proven baskets. The benefits of using strong, unique passwords for everything are worth it.
