Web Informant #173, 24 October 1999
My friend Fred Avolio makes his living being paranoid. (He's a security consultant.) And he warns me that while I boast about not carrying a laptop when I travel, I still should be careful where and how I get my e-mail when I am on the road. Especially at computer industry conferences. Here's why.
Most conferences now provide a group of public-access computers, so attendees can check their e-mail and get work done during the show. But few really understand the implications of using these public PCs, or the importance of deleting any traces of your electronic correspondence when you walk away from the keyboard. That can be a problem. Because in truth, public PCs are one of the worst places to read e-mail.
For starters, data could be captured intentionally (or not) by someone demonstrating a packet sniffing device elsewhere on the show floor. Someone might be trolling for passwords just when you log in for your e-mail. The only way to avoid this is to encrypt your session using a virtual private network, which isn't usually available on public PCs.
David uses MailAndNews.com's Web mail service: at the bottom of the home page is a link to establish a secure session to read your e-mail. You should always use this option and get the extra protection, even though it still doesn't hide your password. To hide your password, try e-mail programs such as Eudora, which provide a mechanism called APOP to avoid sending unencrypted passwords. But few ISPs support this mechanism.
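What someone capturing packets would see with a plain POP3 login versus an APOP login, as an added example that is not part of the original column. The greeting, user name and shared secret are the sample values from the APOP example in RFC 1939, and the function names are illustrative.

```python
import hashlib
import hmac
import re

# Sample values from the APOP example in RFC 1939, not from this column.
GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
USER = "mrose"
SECRET = "tanstaaf"

def plaintext_login(user, password):
    """Lines sent by a plain USER/PASS login: the password is readable on the wire."""
    return [f"USER {user}", f"PASS {password}"]

def extract_timestamp(greeting):
    """Return the <...> challenge from the server banner, or None if none is offered."""
    match = re.search(r"<[^<>\s]+@[^<>\s]+>", greeting)
    return match.group(0) if match else None

def apop_command(greeting, user, secret):
    """Build the APOP line: MD5 over the banner timestamp followed by the shared secret."""
    timestamp = extract_timestamp(greeting)
    if timestamp is None:
        # Many servers do not offer APOP; the column notes that few ISPs support it.
        raise ValueError("server did not offer APOP (no timestamp in greeting)")
    digest = hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()
    return f"APOP {user} {digest}"

def server_verify(greeting, command, secrets):
    """Server side: recompute the digest from its own copy of the user's secret."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP" or parts[1] not in secrets:
        return False
    expected = apop_command(greeting, parts[1], secrets[parts[1]])
    return hmac.compare_digest(expected, command)

if __name__ == "__main__":
    print("Plain login on the wire:", plaintext_login(USER, SECRET))
    print("APOP login on the wire: ", apop_command(GREETING, USER, SECRET))
    # A new connection gets a new timestamp, so a captured APOP line is not
    # accepted on a later session.
    later = "+OK POP3 server ready <1897.697170999@dbc.mtview.ca.us>"
    captured = apop_command(GREETING, USER, SECRET)
    print("Captured line accepted later?", server_verify(later, captured, {USER: SECRET}))
```

APOP protects only the password exchange; the messages themselves still cross the network unencrypted.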
Speaking of passwords, you should change them today when you have a moment before you have to head out on the road to your next conference. If your e-mail password is the same as your dial-in or login password, you are running a big risk. Use different passwords for each, and aim for ones you can memorize, so you don't have to write them down.
Of course, your company should have an information security policy regulating the circumstances in which employees can use public PCs for company business. I almost always read e-mail from my hotel room if I cannot read it over an encrypted connection. Even then, it can be a problem. At the last hotel I stayed in, each room had its own Ethernet jack. Who knew what lurker was capturing what data over THAT network? Even at less equipped hotels, someone could be bribed to tap into your dial-up connection. The likelihood of this happening is directly related to the business you are in and how much the information is worth to, say, a corporate spy.
Another problem is the public PC's configuration. You can't tell if you are using a real copy of IE or Netscape or a facsimile holding a Trojan horse that captures your password information or data. Granted, this is an unlikely scenario, but it has happened.
Even if the public PC you are using is pristine, you still have to clean up after yourself. For example, if you change the personal information in the browser (name, e-mail address, POP mail account, password, etc.), remember to delete all this before leaving the PC. If you forget, the next person can download e-mail from your account or send messages masquerading as you.
Similarly, if you downloaded and read any e-mail, delete it all before leaving the PC. Otherwise anyone stopping by will be able to read your correspondence. Lastly, don't forget to clean out the In, Out, Sent, and Trash mailboxes. Some software prompts you to delete the messages in each mailbox and empty the trash before exiting the program. Some don't.
Finally, if you are using the more recent vintage of either browser, make sure that they are not set to store passwords or to fill in forms automatically before you type in personal information. These browsers can recall this information for the next user.
It is amazing how many people forget these last steps. I have seen many PCs with mail from the previous user. It is more likely than you think. So be a little paranoid and protect your e-mail correspondence. And enjoy your next conference!
Copyright © 1999, 2000 media.org.
Web Informant copyright 1999 by David Strom, Inc., reprinted by permission
Web Informant is ® registered trademark with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress.