Recent server breaches at big-name companies indicate hackers are once again targeting e-mail addresses in their attempts to get their hands on your private information.
Dennis O'ReillyFormer CNET contributor
Dennis O'Reilly began writing about workplace technology as an editor for Ziff-Davis' Computer Select, back when CDs were new-fangled, and IBM's PC XT was wowing the crowds at Comdex. He spent more than seven years running PC World's award-winning Here's How section, beginning in 2000. O'Reilly has written about everything from web search to PC security to Microsoft Excel customizations. Along with designing, building, and managing several different web sites, Dennis created the Travel Reference Library, a database of travel guidebook reviews that was converted to the web in 1996 and operated through 2000.
Earlier this week, German software vendor Ashampoo warned users of its products that the company's servers had been hacked and some of its users' e-mail addresses had been stolen. (CNET's Elinor Mills describes the breach in her InSecurity Complex blog.)
Ashampoo didn't disclose the number of addresses lost, but the breach likely pales in comparison to the e-mail addresses exposed in the massive hack of the servers at e-mail marketing service Epsilon, which was disclosed in the first week of April.
Malware purveyors may not need to hack a company's server to get their hands on your e-mail address. Security researcher Samy Kamkar--he of the infamous Samy MySpace worm from several years back--recently disclosed a technique for discerning the business e-mail address of almost anyone, whether or not they've made it public. Jennifer Valentino-DeVries described the program in a recent post on the Wall Street Journal's Digits blog.
Kamkar claims the free Peepmail tool isn't intended to allow people to harass company executives but rather to demonstrate how easy it is for hackers--or anyone else--to discover a person's corporate e-mail address. While I didn't try out the program, Valentino-DeVries reports that it was apparently successful in discovering the unintuitive e-mail addresses that many top executives use. And the messages she and her colleagues sent to these addresses appeared to get through to the recipients.
E-mail addresses become valuable commodities
In a Workers' Edge post from December 2008, I updated my tips for securing your e-mail. In that article I stated that you're more likely to encounter malware when you visit a Web site than when you open an e-mail. This is probably still the case, but e-mail-borne viruses remain a threat, particularly because phishers have become more adept at targeting their attacks.
That explains why e-mail addresses have become such a hot commodity in malware circles. Most people who have used computers for any length of time are aware of the security threat posed by e-mail, and e-mail service providers have improved the defenses built into their systems to scan messages and attachments for malware automatically and block it or warn users when suspicious mail arrives.
But as with many aspects of technology, users' careless behavior is the weak link in the security chain. We still click links in e-mail despite being told repeatedly to open the site in a new window and navigate to the page in question manually. We still download and open attachments without ensuring that they aren't executable files or scripts--sometimes masquerading as harmless image or text files.
One bit of e-mail security advice I read repeatedly is a warning to open e-mail attachments only from people you know. Unfortunately, the accounts of friends, coworkers, and colleagues you trust may have been hacked, so even if you regularly receive attachments from the people and are expecting a file from them, you must still download and open the file with caution.
The safe way to open attached files
As I mentioned, nearly all e-mail services and programs automatically scan attachments for malware. Likewise, your PC's security software will analyze files you've downloaded before opening them and warn you of potentially dangerous files before allowing you to proceed. For an added level of protection, right-click downloaded files and choose the option to scan the file manually with whatever security program you use.
Take advantage of Gmail's built-in protections
Last November I explained how tointegrate your Outlook, Thunderbird, Gmail, Hotmail, and Yahoo Mail accounts so you receive all your mail in any or all of these programs and services. I admit that duplicating mail receipts in different inboxes isn't for everyone. But doing so not only provides built-in backups of your messages, it also lets you take advantage of the spam blockers and malware catchers the various services provide.
(Another advantage of an integrated inbox is that if one service or program is unavailable for some reason, you can access your mail from another.)
The benefits of this approach became apparent to me when I realized that spam blocked in my Gmail account was being delivered to my other account inboxes. In fact, since I began using Gmail as my primary e-mail service several years ago, I rarely think twice about spam, despite having a very public address.
The Gmail Help site provides a five-step Gmail Security Checklist that covers securing your PC, your browser, your Google account, and Gmail itself. The main Google security page offers tips for message forwarding and filtering, account recovery settings, and ensuring that you're using a secure connection by default whenever you access your account.
The arms race between malware purveyors and computer security professionals continues unabated. New threats--and new takes on old threats--are sure to continue. The first line of defense is our own behavior. It's a fact of modern life that our everyday use of technology requires care and caution with every click and keystroke.