Safe From Attack

Wall Street Journal Online; July 8, 2005

How would you feel if someone hacked into your online email account and snooped around your life?

Songfa Liu is a geologist working for the Australian government in Canberra. He's also a former Chinese citizen and is a practitioner of Falun Gong, the spiritual practice banned in his former homeland. In October 2003, somebody tried to break into his Australia-based email account by pummeling it with different passwords 400 times in one hour. The attempted break-in -- what's called a "dictionary attack" because it involves trying one word after another in the hope of finding the password -- came via an Internet address in South Korea, and it all happened in the evening, when Mr. Liu was at home with his family and nowhere near his computer. "So I knew it wasn't me doing it," he says.

Mr. Liu isn't alone, at least among followers of Falun Gong. He says he knows of two other cases in his circle; his email provider, FastMail, confirms the incident and says there have been several other such attempts, all unsuccessful. Jeremy Howard, chief executive of the Melbourne-based email provider, says there is no way of confirming the users' suspicions that agents of the Chinese government are behind the attacks, but he says that whoever has been doing it is highly professional. "The people involved in this case were more competent and more determined than anybody else we've seen." In Beijing, an official at China's Public Information and Internet Supervision Department of the Ministry of Public Security denied responsibility, saying "it is impossible for the Chinese government to attack those overseas accounts. We won't take any measures against those email accounts registered outside China, even those spreading Falun Gong information to domestic email users." OK, so what has this got to do with you? Well, unless you've got powerful enemies, it isn't likely that someone is going to hack directly into your email account. This sort of approach isn't considered a worthwhile tool by the Internet's criminal fraternity, and you probably aren't the kind of person to upset large and powerful governments. Yet. But as large-capacity Web-mail services such as Google's Gmail proliferate, email accounts are going to become more attractive as a target. Google and others hope you'll store your whole life online (they will make money by firing ads at you every time you read an email that you've stored on their computer). This all sounds great, but it isn't without risk. Think of all the sensitive information in one gigabyte's worth of emails, from online orders, to credit card numbers, to commercially sensitive information that could benefit a competitor or leave you open to blackmail.

And, to get technical for a second, it isn't just Web-mail that is vulnerable. Many email services use a process called IMAP, which stores at least two versions of your mailbox -- one on your computer (or computers) and one on their remote server. When you connect your computer to the online mailbox, they synchronize with each another. This is great if you use more than one computer, meaning you always have an up-to-date mailbox wherever you are. It's also great for backing up, since if you lose one computer to theft or damage, you've still got your mailbox online. But there's a downside too: If someone can guess your password, they can break into your online mailbox. The bottom line in either the Web-mail or IMAP case: You may not have powerful enemies, but if you do store your email online, you're still at the mercy of anyone who figures out your email address.

Sadly, the Falun Gong cases highlight a problem that is only going to get worse. For whatever reason -- political, personal, commercial or merely criminal -- your online email account is as vulnerable as your password. So, is there a solution?

Luckily, yes. First line of defense is a good password. "If you pick a good password, you're pretty safe," says Sydney Low, who runs an online email service called Alien Camel (aliencamel.com). I won't bore you with how to choose a good password, but the most obvious advice is not to have one that people who use the "dictionary attack" might score a direct hit on. In other words: Choose a combination of letters and numbers that you can remember, but which isn't a word you might find in the dictionary.

Secondly, if you're going to store valuable emails online (and remember, everything might be valuable to someone) you might want to check what your host does about backing up your data. This means that even if someone does break into your account and cause mischief, you haven't lost your data. Alien Camel, for example, has a full backup on another computer in a different location. "That's probably more than most business's backup strategies," says Mr. Low.

Indeed, it isn't a coincidence that quite a few Falun Gong practitioners, from Canada to Australia, use a service like FastMail: It's secure. Mr. Liu switched to FastMail on the recommendation of a fellow practitioner, who warned that his email account was vulnerable to attack. A few months later, when his email account was bombarded, he was grateful for the advice. "I didn't take (the warning) very seriously until this happened," Mr. Liu says.

FastMail vets the passwords of its customers to check they can't be guessed as easily, a move that ensured Mr. Liu's inbox remained intact. Then someone from FastMail helped him shield his email account by setting up what are called "alias" accounts. In short, an alias is like a post office box address you can give out to anyone you like without them being able to find out your real address. So, while my real email address may be jeremy@home.com, I wouldn't tell you that; I would only give you an email address like pseudonym@home.com. Emails sent to either address will get to me, but if you don't know my real address (jeremy@home.com), you won't be able to find my online inbox. So you won't be able to hack into it. That's exactly what Mr. Liu and other Falun Gong users of FastMail have done, and none of them have reported any subsequent attacks.

Of course, I'm not suggesting this could ever happen to you. But it's a cautionary tale worth remembering, especially if your email is stored online.