This week’s Los Angeles Times story about a hacker being indicted for allegedly breaking into the email accounts of several celebrities is interesting because most of the victimized celebrities were apparently using Apple as their email provider. Other free, consumer grade email systems from Google and Yahoo were also involved.
This story points out the clear trade-off between the great convenience of these free email systems and the poor security that they can provide. The free services made it very easy for skilled cybercriminals, or “hackerazzis” in this case, to reset the account passwords using information that was easily obtained from celebrity web sites.
The reason that these free email programs are such ripe targets for hackers is that they provide little to no notification of invalid logon attempts by unknown people; virtually no control over what devices can access email data; and no publicly available audit data.
As the president and CEO of a software security vendor, I know that the agents and studios of most celebrities generally use secure, commercial email systems for their transactions having fully understood the limitations and risks of consumer grade email services. In commercial email systems the public information that you could find on a celebrity web site would rarely provide an easy means to compromise these systems.
The lesson to be learned is that while free, publicly available consumer grade email may be easy to use and devoid of the expense of an IT department’s support, these services are simply not designed for secure communication. If you value the security and privacy of your messages, a commercial grade email system is a necessary investment.
On a sidenote, the LA Times article states that this hackerazzi is subject to a potential sentence of up to 121 years for his email intrusion: http://latimesblogs.latimes.com/lanow/2011/10/man-who-hacked-scarlett-johansson-didnt-plan-to-sell-nude-photos.html
I don’t condone the actions of hackerazzis like Christopher Chaney, but 121 years of prison time seems disproportionate to the behavior being alleged. Granted, this high profile case may give FBI personnel a chance to mingle with celebrities – but perhaps the agents’ time might be better spent dismantling the criminal botnets and overseas scams that are inundating so many thousands of US citizens. Surely that would be a more beneficial project.
What are your thoughts on the security versus convenience trade off of free, consumer-level email systems? Share your thoughts on the blog or email me directly at firstname.lastname@example.org. You can also follow me on Twitter: @liebsoft.