Tuesday, August 08, 2006

This Is What Happens When You Don't Encrypt Your Email.

COMPANIES are being warned they risk losing vital business information to snoopers because they are failing to encrypt e-mails.

A leading expert in computer security says unauthorised interception of e-mails is a simple task for fraudsters searching for confidential details.

The latest figures indicate that incidents involving snooping and reading private e-mails are on the increase.

Computer users are increasingly wary of IT threats such as spam e-mails, and "phishing" attacks, which involve sending spoof e-mails in an effort to dupe users into handing over bank details.

But few bother to encrypt their data, and instead happily swap confidential details in the belief they cannot be read.

Jim Lee, the director of security firm Campbell Lee Computer Services, said: "We've all become aware of computer security and have anti-virus software and firewalls and don't open rogue e-mails. The worry is we're still sending e-mails containing sensitive information without encrypting it first. So we protect it on our computers but allow it to be read by anyone when it is being sent by e-mail."

He added: "All e-mail addresses are understood by computers as being made up of a series of three-digit numbers, separated by dots.

"A hacker can analyse the numbers and work out which servers were used to send the message.

"From there it is relatively straightforward to hack into servers to read the data or even arrange to have a duplicate copy sent to him.

"You can't rely on hoping your confidential data will be ignored because there's so much e-mail. Computers make it easy to store millions of e-mails and search quickly for the one with useful data in it."

Although figures for the scale of e-mail interception are only rough estimates, a study published last year shows the problem is on the increase.

The analysis, published by the international IT security firm MessageLabs, revealed that in 2004 its own systems detected about 125 targeted attacks designed to sniff out the contents of e-mails, while the number of attacks in the previous year had been "negligible".

The report added: "MessageLabs is seeing a new wave of security threats for businesses, with much more sophisticated and malevolent techniques at their disposal.

"Old-style virus proliferation has been superseded by new targeted e-mail attacks from criminals aimed at defrauding business, stealing intellectual property or extorting money."

One industry insider said: "I was speaking to a guy who managed to reel off all the details of an ongoing divorce case. I looked at him and said: 'You could only have got that from reading the e-mails,' and he said 'Yes'."

Shirley Fairall, communications director for IT security firm Identum, said: "As our machines and technology are getting better and cleverer, we are allowing ourselves to become more stupid.

"Most of us have very good protection from viruses and spyware, but sending out unencrypted e-mail is the equivalent of writing your information on a postcard and just hoping that no one will read it. If you want it in the equivalent of an envelope then encryption is available and is becoming much easier to use and much harder to break into."

A spokesman for the Department of Trade and Industry, which regulates online commerce, said that the DTI encouraged firms to encrypt vital data.



Anonymous Mila said...

Great blog, finally touches on a problem that is not addressed often enough.
Government agencies and private businesses especially should pay attention to how they send email. They are responsible for making sure that citizens' and clients' information stays secure, which means using encryption in COMBINATION with email anti-theft software (which prevents redistribution without the author's consent).

11:57 AM  
Anonymous M360 said...

Where I work we don't generally send encrypted information over the net... but could implement.

2:27 PM  
