While email is an extremely useful technology, it is not very secure, warns Chris Hammond-Thrasher, a local IT security professional.
And he suggested that the best advice to follow is “to always assume that all of your emails are being read by others”.
Hammond-Thrasher is University of the South Pacific library systems manager, a former Canadian information security consultant, and an internationally Certified Information Systems Security Professional (CISSP).
The warning was reiterated by Pacific Islands Chapter of the Internet Society (PICISOC) vice chairman Franck Martin, who also highlighted that e-mails can be intercepted on the wire between the source and destination.
“The mail servers hosting the e-mails can be compromised as well as your mail client on your computer,” he warned.
This week, internet service provider Connect released a statement reassuring business people and individuals that their emails are safe, after many of its clients expressed fear of their emails being hacked by outside parties.
The company maintained that their information is secured by the best technology in Fiji.
Late last month, Fiji Television revealed the contents of private e-mails that formed the basis of the deportation of the Fiji Sun publisher from the country. The emails were between Russell Hunter and Fiji Sun’s London-based correspondent Victor Lal.
It is unclear how the private emails were obtained.
Hammond-Thrasher said emails could be compromised if either the sender or receiver's PCs were insecure or if their email servers were insecure.
Emails could also be compromised by the administrator of the email server or in transit by packet sniffers (digital wire taps), he added.
Connect had earlier said that emails are hosted on secure BSD servers, which it said were renowned for their rock-solid security.
Martin says the only thing certain in life is death and taxes. “BSD servers by design are known to be very secure if you follow industry standards (security is not something you set up and forget) then you have some very secure systems.”
For his part, Hammond-Thrasher said email server security was only part of the picture to keeping emails confidential. As he pointed out, hackers look for the easiest method to achieve their goal.
“Why would they take weeks to plan a sophisticated attack if they can just trick you into giving them your password or key, or if they can take advantage of a well known software flaw on a server that has not been updated for a couple of months?”
Asked whether hacking was a problem in Fiji, Hammond-Thrasher confirmed that as yet, it was not. “However, we only have to look at the computer crime statistics in countries with higher levels of broadband Internet penetration to predict what is coming.”
Martin believes the fault lies mostly with the people using their PC at home or on their desk. “They lack understanding and awareness, they are the ones most likely to give away their login and passwords, if you can talk them into it (social engineering).”
He pointed out the e-mails that tell people that their banks needed login and password again. “It is amazing how many people can give this information without check, like giving money to any staff collection, without knowing exactly why.
“Also your computer can be compromised at home and send all your passwords to hackers. It happens very often when you don't use a personal firewall on your computer or do not keep it updated (updates are every couple of days).”
Connect had also highlighted that the single biggest risk to information is basically people gaining physical access to computers, back up servers and data coverage areas or files on servers.
Connect highlighted that companies needed to put as much emphasis on physical security as they did on electronic security.
Hammond-Thrasher said physical security was extremely important. He cites the dangers of the common practice of “writing your password on a sticky note on your PC, leaving your PC unattended while you are logged into email and other services, and allowing others to watch over your shoulder while you type in your password”.
He goes on to say, “If information security is a chain, then physical security is one link in that chain along with network security, anti-virus/anti-spyware, password security, software patch management, and simple user security awareness.”
He agreed with Connect that if emails were highly sensitive then they should be encrypted. “Users should assume that all unencrypted emails could be read by someone other than the intended recipient.
“Using the free gnupg utility <http://www.gnupg.org/> or the free hushmail service <http://www.hushmail.com/> are good places to start.”