The debate over climate change--and what is fact versus what fits the agenda of one side or the other--is raging in the wake of hacked emails alleging that facts were covered up. I’ll let the climate change rivals battle that out, but let’s take a closer look at the security aspects of email and how attackers were able to acquire these messages.
A server at the Hadley Climate Research Center in the United Kingdom was breached, and the attacker was able to acquire thousands of e-mail messages and sensitive documents, which were subsequently uploaded to an FTP server in Russia and have since been publicly shared and analyzed around the world.
Officials have not commented on the authenticity of the data, although at least portions of it have been confirmed as legitimate. In a statement, officials did confirm the breach, though: “We are aware that information from a server in one area of the university has been made available on public Web sites.”
Of course, this isn’t the first time that potentially damaging information has been leaked due to an e-mail hack. You might recall Sarah Palin’s personal Yahoo email account getting hacked during the Presidential campaign last year.
Twitter has been victimized twice this year. First, in January some prominent Twitter accounts were compromised, leading to fake messages like the one allegedly from CNN anchor Rick Sanchez that said “i am high on crack right now might not be coming into work today.” Then in May an attacker was able to compromise internal documents and employee salary information and post it to the Web.
These attacks are, unfortunately, not all that isolated or unique. In the case of the Palin hack, and at least one of the Twitter breaches, the weak link can be traced back to security controls on Web-based e-mail services. Attackers were able to exploit the system in place for users to recover lost usernames and passwords, and instead use it to gain unauthorized access.
The Hadley climate change breach, and the compromise of sensitive documents at Twitter, though, demonstrate why it is important to encrypt data--even data at rest on internal servers that are not intended to be exposed to the public Internet. Improved security controls to prevent unauthorized access in the first place would be nice as well, but encrypting the data trumps all else and virtually ensures it won’t be compromised.
All of the breaches, hacks, compromises, and attacks highlight another point as well--if you write it, record it, photograph it, or in any way document or archive something, assume that it will be seen by the general public someday. With virtually endless amounts of digital storage, and the social nature of online communications, it’s not possible to guarantee the data will never be disclosed.
I am not saying the ‘sky is falling’ or declaring that security is dead. With strong passwords, solid security practices, and sufficient encryption, most data will never see the light of day. I am saying, though, that it is possible that the information could be disclosed despite your best efforts, and that you should think twice about what you write in an e-mail or post in a Facebook status update, lest it become a smoking gun skeleton in your closet.
Make sure you have security controls in place to prevent unauthorized access. Encrypt the data so that it can’t be compromised even if the security controls fail. And, ultimately, don’t write things in e-mails that you wouldn’t want broadcast on the big screen in New York’s Times Square.
Hope for the best, but plan for the worst.
Tony Bradley tweets as @PCSecurityNews, and can be contacted at his Facebook page.
Original story - www.pcworld.com/article/182825