Rhodri Marsden: The true cost of email security

Cyberclinic

I have a friend called Jenny. I don't receive many emails from her – for some reason we don't have that kind of relationship – but the ones I do get are worded awkwardly and tend to urge me to buy stuff. This isn't what I'd expect from her, frankly. She's highly literate and a bit of a closet hippy, and this doesn't square very well with her references to exciting new "electornic" gadgets, and insisting that this is a "really good chance for shoping". Sadly, Jenny has become one of thousands of "malware mules", whose email account details and passwords are available on the black market from anywhere between 65p and £13. A down payment of this piffling sum gives you access to her online address book (including my own details) and thus the unmissable opportunity to send me messages masquerading as friendly communiqués from Jenny that begin with the words "Hello Dear" before immediately segueing into a sales pitch for a popular brand of training shoe.

The evil masterminds behind all this figure, quite rightly, that we're more likely to open messages from people who are embedded within our address books – even if the subject lines of their emails are suspiciously reminiscent of spam, eg, "you'll be the super lover". Not only that, the message is far less likely to be rejected in the first place by spam filters, which are, thankfully, getting better at rejecting random missives from non-existent humans advising us of tempting ways to boost our flagging sexual appeal. This hijacking of email accounts is just one contributory factor towards the ever-increasing level of spam that mail servers are having to deal with: up 6 per cent in the first three months of this year over the same period in 2009.

But spam is only one of the problems faced by the malware mules. We store all kinds of personal information in our webmail. Login details to various websites, including online banking and credit card sites, can get lodged in online inboxes without us even thinking; perhaps we've sent them to a trusted friend so we can access said sites on their computer, or just emailed them to ourselves as a reminder. But once we've done that, they sit on the email server in perpetuity – unless we delete them – and the only barrier to them being accessed is the guessing of one password. And a recent analysis of breached passwords showed that hundreds of thousands of people worldwide still consider the password "123456" to be a pretty clever security device. It isn't.

Security software firm Symantec has just highlighted this issue in one of its regular, and by their nature slightly harrowing, Internet Security Threat Reports. Con Mallon from the company underlines the dangers by stressing that all our passwords could thus be obtained for less than a pound. For this scenario to occur you'd have to be pretty unlucky, and a bit stupid, but many people, including me, can easily fall into that category from time to time. And with cyber crime having recently overtaken the international drug trade as the most lucrative illegal global business, we'd do well to take Symantec's advice, change our passwords, and stop using our email accounts as pathetically insecure filing cabinets.

***

Another example of malfunctioning security was exposed on Monday, when Apple inadvertently revealed its new iPhone model about three months early, thanks to an employee who went out for the night in Redwood City with a prototype in his or her back pocket, and ended up leaving it on a bar stool. Many of us have lost a phone after two drinks too many, but few of us have had to face the wrath of our employers on Monday morning as a direct result. The fate of the unfortunate employee isn't known, but before Apple remotely disabled the device the new owners were able to ascertain that it was running the hitherto unseen iPhone 4.0 software, at which point they handed it over to technology website Gizmodo. As Apple's powers stop short of being able to remotely retrieve the device via some gigantic geolocating magnet (the company is reported to "want it back") Gizmodo treated us to a YouTube showing-off: it has a front-mounted camera for video chatting, a larger battery (thanks to the other components slimming down) and a squared-off construction faintly reminiscent of a Braun gadget from circa 1972. It's atypical for Apple to have scuppered a big reveal moment in this fashion – but predictably, it hasn't stopped people wanting one. Now, when's my upgrade due?
