Hacked Climate Change E-mails Highlight Security Concerns

The debate over climate change--and what is fact versus what fits the agenda of one side or the other--is raging in the wake of hacked e-mails alleging that facts were covered up. I'll let the climate change rivals battle that out, but let's take a closer look at the security aspects of e-mail and how attackers were able to acquire these messages.

A server at the Hadley Climate Research Center in the United Kingdom was breached, and the attacker acquired thousands of e-mail messages and sensitive documents, which were subsequently uploaded to an FTP server in Russia and have since been publicly shared and analyzed around the world.

Officials have not commented on the authenticity of the data, although at least portions of it have been confirmed as legitimate. In a statement, officials did confirm the breach, though: "We are aware that information from a server in one area of the university has been made available on public Web sites."

Of course, this isn't the first time that potentially damaging information has been leaked due to an e-mail hack. You might recall Sarah Palin's personal Yahoo e-mail account getting hacked during the Presidential campaign last year.

Twitter has been victimized twice this year. First, in January some prominent Twitter accounts were compromised, leading to fake messages like the one allegedly from CNN anchor Rick Sanchez that said "i am high on crack right now might not be coming into work today." Then in May an attacker was able to compromise internal documents and employee salary information and post it to the Web.

These attacks are unfortunately not all that isolated or unique. In the case of the Palin hack, and at least one of the Twitter breaches, the weak link can be traced back to security controls on Web-based e-mail services. Attackers were able to exploit the system in place for users to recover lost usernames and passwords, and instead use it to gain unauthorized access.

The Hadley climate change breach, and the compromise of sensitive documents at Twitter, though, demonstrate why it is important to encrypt data--even data at rest on internal servers that are not intended to be exposed to the public Internet. Improved security controls to prevent unauthorized access in the first place would be nice as well, but encrypting the data trumps all else and virtually ensures it won't be compromised.

Ben Rothke, senior security consultant at BT Global Services, notes that these types of attacks are simply a perfect storm, where hacktivists, broadband, poor security and cheap storage meet.

All of the breaches, hacks, compromises, and attacks highlight another point as well--if you write it, record it, photograph it, or in any way document or archive something, assume that it will be seen by the general public someday. With virtually endless amounts of digital storage, and the social nature of online communications, it's not possible to guarantee the data will never be disclosed.

I am not saying the 'sky is falling' or declaring that security is dead. With strong passwords, solid security practices, and sufficient encryption, most data will never see the light of day. I am saying, though, that it is possible that the information could be disclosed despite your best efforts, and that you should think twice about what you write in an e-mail or post in a Facebook status update, lest it become a smoking gun skeleton in your closet.

Rothke says, "The message is that every organization needs to take security seriously. But contentious organizations or those that store controversial data, be it a bank, embassy, developer of an operating system, or political organization, need to be extra diligent in securing their infrastructure."

Make sure you have security controls in place to prevent unauthorized access. Encrypt the data so that it can't be compromised even if the security controls fail. And, ultimately, don't write things in e-mails that you wouldn't want broadcast on the big screen in New York's Times Square.

Hope for the best, but plan for the worst. As Rothke puts it, "Until they do that, the University of East Anglia will be just one of many such attacks. Get used to it."

Tony Bradley tweets as @PCSecurityNews, and can be contacted at his Facebook page.
