EXPERT RESPONSE
There are many different ways of checking email in a public place, but let's start with the Internet café scenario where you are using a Web browser on the coffee shop's personal computer. The default setting for most Web browsers is to store all Web pages, including a user's message and other information, in a cache from which it is retrievable with relative ease, whether the email account is with Gmail, Yahoo, Hotmail or a corporate webmail server.
Fortunately, it is also relatively easy to clean out this cache and other information related to your Internet café session, including cookies, after your session. You can use the browser menu (Tools/Internet Options in IE and Tools/Options in Firefox). In fact, this should be second nature to anyone who uses a public terminal to check email. A responsible Internet café will remind you of this; some even provide an automated end-of-session cleanup process. To be safe, however, make sure to do it yourself. You can also set a browser not to cache any pages, but this setting can slow performance, and it may not be available on a public terminal.
Some readers will be aware that Web pages themselves can be created with a "no-cache" setting. You can verify such restrictions when you view the page source of a message in Yahoo Mail, for example. The "no-cache" instruction is generally respected by the browser cache and caching servers used by ISPs. The latter are another place from which your email could be illicitly retrieved by someone with sufficient SRM: skills, resources and motivation. Anyone checking email in public places should have an "SRM index" in mind. Is the email so sensitive that someone would apply a serious amount of skills, resources and motivation to obtain it?
The specific vulnerability involving Gmail and Microsoft Internet Explorer, recently publicized by application security vendor Cenzic, requires serious SRM. Other attacks could be easier, like putting a keystroke logger on a public computer or "shoulder-surfing" to capture messages as a user types them.
If you are accessing email wirelessly in a public place, someone could be sniffing the airwaves. Therefore, your precautions and countermeasures should be appropriate to the sensitivity of the data that is potentially exposed. For example, if you have internal sales data that must be transferred securely, encrypt the information and send it as an attachment to a message that says something innocuous like "Here is the data you requested."
In other words, risk is relative. A good rule of thumb is not to send or receive mission-critical data from a public place via webmail unless your company has put some serious rules and safeguards in place and cleared you to do so.
More information:
Visit SearchSecurity.com's Messaging Security School.
Learn about the webmail flaws found by researchers at Black Hat Conference 2007.
|
