Tuesday, April 5, 2011

Email Security: What an Oxymoron

I have always realized that any and all information you send over email should be sent as though it is public information. I used to work for a rather large company (that features mainframe computers) where they were very stringent on the idea that any email sent that was private, or company confidential, needed to be encrypted. We had an in-house standard, which was a mutation of the very popular PGP encryption. This allows you to have two special keys: a public key and a private key. You would encrypt your email with the private key, send it to those who needed to read it, and they, having your public key from a company public key vault, would be able to decrypt and read it. Very effective.






So why do I write about email security and encryption? Well, about a year ago, the email account that I have used for over ten years was hacked. I started getting weird emails from myself pushing advertising. But it gets worse! Everyone in my contacts list received the same type of email, from me, pushing this same advertising. The entity that broke into my email used it to send junk mail to all of my contacts. Needless to say, I sent emails to all my contacts letting them know what had happened and to ignore the "innocent-looking" emails from me with the ominous link to click. Lucky for me, the solution to this problem was to change my email account password. That fixed the problem, preventing whoever it was from accessing my account.


Earlier this week I received the following email:

Dear Valued Customer,

Today we were informed by xxxxx, our national email service provider, that your email address was exposed due to unauthorized access of their system. xxxxx uses xxxxx to send marketing and service emails on our behalf.

We deeply regret this has taken place and any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. We were advised by xxxxx that the information that was obtained was limited to email addresses only.

Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. We ask that you remain alert to any unusual or suspicious emails.

As always, if you have any questions, or need any additional information, please do not hesitate to contact us at customersecurity@xxxx.com.

Sincerely,


xxxxxxxx

This email was from a client who had my email address stored in their system.  I also received similar emails from Hilton and Marriott.  Since I do consulting work, I have quite a few clients and I typically stay at either Hilton or Marriott hotels when possible (rewards programs).  After receiving these emails, I realized that an email service provider had been hacked.  I did a bit of investigation and discovered that the company that was breached is an outsourcing company that has over 2500 companies as clients.  The notification emails claim that only customer email addresses were compromised.  Hopefully that is the case, because getting any deeper would compromise credit card information and date of birth information.  Here are links to two more articles about the breach: one and two.

If you, like me, have been affected by this breach, it is important to never open any email whose sender's address you don't recognize. If you do open the email, do not click on any attachments or links contained within the email. For ideas of what to do in this type of situation, look here.

Lastly, I need to give a promotion for a company that seems to really get it in the security arena. If you want to transfer something, say, from New York to San Francisco, and you want it to get there with 99.999% reliability, and, if for some reason it doesn't get there, have the transfer insured for complete replacement, then InterComputer has the technology for you. A lot of other companies rely on the security of SSL; InterComputer takes security to a whole new level, plus insures each and every transfer.

Till next time,
Bill
