Webmail: the ugly truth
Posted on 6 May 2008 at 12:32
When it comes to free webmail services like Gmail, Davey Winder is more than a little concerned by how little attention people seem to be giving to security.
How quickly times change when it comes to technology. It wasn't so many years ago that the mere thought of a business using free webmail as part of its mobile email strategy would have provoked nervous laughter from anyone who understood anything about the internet. Now, vast numbers of small businesses rely upon the likes of Google Mail as their de facto out-of-office email service. I'm something of a convert myself, using Gmail accessed either from a Nokia N95 8GB mobile while out of the house or via my 16GB Apple iTouch when I'm at home in bed or on the loo.
This makes a certain amount of sense, especially economically: a Gmail account is free both to set up and use, it provides instant access to a huge archive of email messages and anything else you want to throw into the free storage space it gives you (mine's currently 6,568MB, of which I'm using "only" 42%) and, when configured properly, it can even become an effective part of your email backup strategy. But there's an important aspect of all this freebitude that the average small business or home user fails to account for when faced with the attractiveness of the deal, and that's the ugly matter of security.
To help illustrate my point, I'm going to kick things off with an anecdote that could be filed under the heading "really should have known better". Last year, I attended the annual InfoSecurity convention - the biggest IT security event in Europe, which attracts heads of corporate and governmental security worldwide, plus a swarm of journalists - and I popped into the press room for a cup of coffee and to do a quick online check on a company whose security director I was due to interview. The press room provided free web access for just this purpose, so I sat down and fired up Internet Explorer (no Firefox: black mark for the organisers). I was shocked, if not all that surprised, to be presented with a Gmail login screen that clearly showed ready-filled details for the person who'd been using the computer before me...
It so happens that prior user was a journalist specialising in IT security, who'd checked their email via the web and had totally forgotten to clear the cache so as to remove such login data before handing the PC over to me. I mention this because if a professional security expert can get it that wrong, you can bet your average user can - and will - too. This isn't a problem limited to Gmail, of course - any web-based email access comes with the same risks.
Lazy phishers don't need to dream up elaborate social engineering scams to trick their marks into revealing valuable personal data. They don't even need to invest in an off-the-shelf phishing kit to distribute and install Trojans to steal that data for them. Nope, all they need to do is pop into any internet café and try out one or two PCs, and the chances are good they'll find one with a cache that's brim-full and ready to auto-fill the webmail login form for them.
I'd usually recommend going the whole hog and using the Delete Browsing History tool (the first entry on the Tools menu), rather than just relying on logging out of the webmail system and closing the browser, which in 99% of cases is likely to be IE in such environments. And I mean delete the lot: temporary internet files, cookies, history, form data and passwords. Don't forget, though, to still close down the browser after you've done all this, so as to clear those cookies that are still in memory from your current browsing session! The same applies with Firefox: just use the Tools | Clear Private Data option instead.
Printed from www.pcpro.co.uk


