Web Informant #173, 25 October 1999:
Email paranoia

http://www.strom.com/awards/173.html

My friend Fred Avolio makes his living being paranoid. (He's a security consultant.) And he warns me that while I boast about not carrying a laptop when I travel, I still should be careful where and how I get my email when I am on the road. Especially at computer industry conferences. Here's why.

Most conferences now provide a group of public-access computers, so attendees can check their email and get work done during the show. But few really understand the implications of using these public PCs, or the importance of deleting any traces of your electronic correspondence when you walk away from the keyboard. That can be a problem. Because in truth, public PCs are one of the worst places to read email.

For starters, data could be captured intentionally (or not) by someone demonstrating a packet sniffing device elsewhere on the show floor. Someone might be trolling for passwords just when you log in for your email. The only way to avoid this is to encrypt your session using a virtual private network, which isn't usually available on public PCs.

David uses MailAndNews.com's web mail service: at the bottom of the home page is a link to establish a secure session to read your email. You should always use this option and get the extra protection, even though it still doesn't hide your password. To hide your password, try email programs such as Eudora, which provide a mechanism called APOP to avoid sending unencrypted passwords. But few ISPs support this mechanism.
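
To make the difference concrete, here is an added example (not part of the original newsletter, and not Eudora's code) showing what crosses the wire with a plain POP3 USER/PASS login versus an APOP login as defined in RFC 1939. The banner, user name and shared secret are the worked sample from that RFC; the function names are made up for this illustration.

```python
import hashlib
import hmac
import re

# Sample values taken from the worked example in RFC 1939 (not real credentials).
BANNER = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
SECRET = "tanstaaf"

def banner_timestamp(banner):
    """Extract the <...> challenge the server places in its greeting."""
    m = re.search(r"<[^<>]+@[^<>]+>", banner)
    if m is None:
        raise ValueError("server did not offer an APOP challenge")
    return m.group(0)

def apop_digest(timestamp, secret):
    """MD5 over the challenge followed by the shared secret, lowercase hex."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()

def client_login_lines(banner, user, secret, use_apop):
    """Lines the client sends; this is what a sniffer on the same LAN sees."""
    if not use_apop:
        return ["USER " + user, "PASS " + secret]
    return ["APOP %s %s" % (user, apop_digest(banner_timestamp(banner), secret))]

def server_accepts(banner, line, secrets):
    """Server side: recompute the digest from the stored secret and compare."""
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "APOP" or parts[1] not in secrets:
        return False
    expected = apop_digest(banner_timestamp(banner), secrets[parts[1]])
    return hmac.compare_digest(expected, parts[2].lower())

def secret_on_wire(lines, secret):
    """True if the password itself appears in anything the client sent."""
    return any(secret in line for line in lines)

if __name__ == "__main__":
    for use_apop in (False, True):
        sent = client_login_lines(BANNER, "mrose", SECRET, use_apop)
        label = "APOP" if use_apop else "USER/PASS"
        print(label, sent, "password exposed:", secret_on_wire(sent, SECRET))
```

Because the digest is bound to the banner of one connection, a captured APOP line is rejected when the server issues a different challenge. APOP protects only the password; the messages themselves still travel unencrypted unless the whole session is encrypted.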

Speaking of passwords, you should change them today when you have a moment before you have to head out on the road to your next conference. If your email password is the same as your dial-in or login password, you are running a big risk. Use different passwords for each, and aim for ones you can memorize, so you don't have to write them down.

Of course, your company should have an information security policy that spells out the circumstances in which employees can use public PCs for company business. I almost always read email from my hotel room if I cannot read it over an encrypted connection. Even then, it can be a problem. At the last hotel I stayed in, each room had its own Ethernet jack. Who knew what lurker was capturing what data over THAT network? Even at less equipped hotels, someone could be bribed to tap into your dial-up connection. The likelihood of this happening is directly related to the business you are in and how much the information is worth to, say, a corporate spy.

Another problem is the public PC's configuration. You can't tell if you are using a real copy of IE or Netscape or a facsimile holding a Trojan horse that captures your password information or data. Granted, this is an unlikely scenario, but it has happened.

Even if the public PC you are using is pristine, you still have to clean up after yourself. For example, if you change the personal information in the browser (name, email address, POP mail account, password, etc.), remember to delete all this before leaving the PC. If you forget, the next person can download email from your account or send messages masquerading as you.

Similarly, if you downloaded and read any email, delete it all before leaving the PC. Otherwise anyone stopping by will be able to read your correspondence. Lastly, don't forget to clean out the In, Out, Sent, and Trash mailboxes. Some software prompts you to delete the messages in each mailbox and empty the trash before exiting the program. Some don't.

Finally, if you are using the more recent vintage of either browser, make sure that they are not set to store passwords or to fill in forms automatically before you type in personal information. These browsers can recall this information for the next user.

It is amazing how many people forget these last steps. I have seen many PCs with mail from the previous user. It is more likely than you think. So be a little paranoid and protect your email correspondence. And enjoy your next conference!

To subscribe, send a blank email to
webinformant-subscribe@egroups.com

To be removed from this list, send a blank email to
webinformant-unsubscribe@egroups.com

David Strom
david@strom.com
+1 (516) 944-3407
entire contents copyright 1999 by David Strom, Inc.
Web Informant is a ® registered trademark with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress.