The Wall Street Journal on Protecting Email Accounts from Attack

On July 8th, 2005, Wall Street Journal columnist Jeremy Wagstaff published an article about protecting personal email accounts from attack.

He used the example of Falun Gong practitioner Songfa Liu's experience with a high-tech computer attack: "Songfa Liu is a geologist working for the Australian government in Canberra. He's also a former Chinese citizen and is a practitioner of Falun Gong, the spiritual practise banned in his former homeland. In October 2003, somebody tried to break into his Australia-based email account by pummelling it with different passwords 400 times in one hour. The attempted break-in -- what's called a 'dictionary attack' because it involves trying one word after another in the hope of finding the password -- came via an Internet address in South Korea, and it all happened in the evening, when Mr. Liu was at home with his family and nowhere near his computer."

The article continued, "Mr. Liu isn't alone, at least among followers of Falun Gong. He says he knows of two other cases in his circle; his email provider, FastMail, confirms the incident and says there have been several other such attempts, all unsuccessful. Jeremy Howard, chief executive of the Melbourne-based email provider, says there is no way of confirming the users' suspicions that agents of the Chinese government are behind the attacks, but he says that whoever has been doing it is highly professional. 'The people involved in this case were more competent and more determined than anybody else we've seen.' "

Mr. Wagstaff then addressed the problem of e-mail account vulnerability and how the issue relates to the general public: "... as large-capacity Web-mail services such as Google's Gmail proliferate, email accounts are going to become more attractive as a target. Google and others hope you'll store your whole life online (they will make money by firing ads at you every time you read an email that you've stored on their computer). This all sounds great, but it isn't without risk. Think of all the sensitive information in one gigabyte's worth of emails, from online orders, to credit card numbers, to commercially sensitive information that could benefit a competitor or leave you open to blackmail.

"And, to get technical for a second, it isn't just Web-mail that is vulnerable. Many email services use a process called IMAP, which stores at least two versions of your mailbox -- one on your computer (or computers) and one on their remote server. When you connect your computer to the online mailbox, they synchronise with each another. This is great if you use more than one computer, meaning you always have an up-to-date mailbox wherever you are. It's also great for backing up, since if you lose one computer to theft or damage, you've still got your mailbox online. But there's a downside too: If someone can guess your password, they can break into your online mailbox. The bottom line in either the Web-mail or IMAP case: You may not have powerful enemies, but if you do store your email online, you're still at the mercy of anyone who figures out your email address."

The column stated that, "the Falun Gong cases highlight a problem that is only going to get worse. For whatever reason -- political, personal, commercial or merely criminal -- your online email account is as vulnerable as your password."

The Wall Street Journal offered practical solutions to the problem of email security: "First line of defence is a good password. 'If you pick a good password, you're pretty safe,' says Sydney Low, who runs an online email service called Alien Camel (aliencamel.com). I won't bore you with how to choose a good password, but the most obvious advice is not to have one that people who use the 'dictionary attack' might score a direct hit on. In other words: Choose a combination of letters and numbers that you can remember, but which isn't a word you might find in the dictionary.

"Secondly, if you're going to store valuable emails online (and remember, everything might be valuable to someone) you might want to check what your host does about backing up your data. This means that even if someone does break into your account and cause mischief, you haven't lost your data. Alien Camel, for example, has a full backup on another computer in a different location. 'That's probably more than most business's backup strategies,' says Mr. Low."

The article mentions that many Falun Gong practitioners, from Canada to Australia, use a secure service like FastMail: "Mr. Liu switched to FastMail on the recommendation of a fellow practitioner, who warned that his email account was vulnerable to attack. A few months later, when his email account was bombarded, he was grateful for the advice. 'I didn't take (the warning) very seriously until this happened,' Mr. Liu says.

"FastMail vets the passwords of its customers to check they can't be guessed as easily, a move that ensured Mr. Liu's inbox remained intact. Then someone from FastMail helped him shield his email account by setting up what are called 'alias' accounts. In short, an alias is like a post office box address you can give out to anyone you like without them being able to find out your real address. So, while my real email address may be [email protected], I wouldn't tell you that; I would only give you an email address like [email protected]. Emails sent to either address will get to me, but if you don't know my real address ([email protected]), you won't be able to find my online inbox. So you won't be able to hack into it. That's exactly what Mr. Liu and other Falun Gong users of FastMail have done, and none of them have reported any subsequent attacks.

The Wall Street Journal column offers the following advice: "Never give out the email address you really care about. After all, if that email address gets into the hands of spammers, you'll never get rid of them. Here are two simple tricks worth trying out, depending on what features your email provider offers:

"If you can, set up aliases each time you have to give your email address to a service, or person, you aren't sure about. Alien Camel, for example, allows you to create up to five "disposable email addresses" that will feed into your normal email account, but which you can trash when you no longer need (or when they fall into the hands of spammers).

"Some companies offer a more sophisticated version of this kind of service: Check out Texas-based Privacy Inc., which offers a free version of its Opaque software that lets you add a limited number of aliases as and when you need them."

The column ended with the following guideline to ensure e-mail safety: "Don't give out your work or private email addresses to anyone, online or offline, unless they are people you know. Instead, give them a Gmail or other Web-mail address that isn't that important to you."