I don’t think it matters which political side you lean to, we can all be saddened by the affects of South Carolina Governor Mark Sanford’s actions on his family. Having lived in SC just about all of my life I’m deeply upset by what he’s done to the image of South Carolina around the nation and the world. I don’t intend to delve into the personal or political fallout of Sanford’s revelation yesterday but there could be some email security implications worth exploring.
We know that The State newspaper in Columbia has had email purportedly between Governor Sanford and this Argentinian woman since as early as December of last year. The paper says that it did not publish the story because there was no way to corroborate the authenticity of the messages. While there are many important specifics we don’t know, The State says it was sent the emails “from the governor’s personal e-mail account by an anonymous person.”
Given this revelation, its easy to see why The State held the story. Let’s take a look at a couple of email basics:
- An email is just like a letter in the sense that you can write whatever you want on the return address and there is no way to determine if that information has any relation to the real sender. (Yes, we do have some newer options to help like SPF and domain keys but they aren’t foolproof and you have to be in control of the receiving server to use these tools).
- Sending a regular email message is just like sending a postcard. If anyone at the post office (or in this case any person in control of any router at any ISP that the data stream is routed through) wants to flip it over and read the back, they can.
- If you have truly sensitive information, it should be encrypted using TLS or another email encryption technology.
- Even if you encrypt a message, if someone has username and password access to your email client they’re going to be able to read your mail.
Now, lets pick our story back up. If The State was sent these messages by an anonymous person, the authenticity of the messages would be no more reliable than the credibility of the person producing them as he or she could have easily forged the information and created them out of thin air. So, it seems reasonable for The State to have sat on the story with no other corroborating data.
But, how did they get Gov. Sanford’s email messages in the first place? By “personal email account” we’re going to have to assume this was not an email account under control of the SC State Government since all of those messages would be subject to archiving and state disclosure requirements as well as under the control of an IT administration department. We assume the Governor must have known this and was using some other email account.
Given this assumption we have to conclude that the ‘anonymous’ person was either 1) a rouge admin at an ISP (seems highly unlikely) or 2) someone with close personal knowledge of the situation that had access to Governor Sanford’s email. I’ll have to leave that with you to ponder until we know more about ‘anonymous’. In the mean time, here are a few email security tips to safeguard the content of your email:
- Always use TLS encryption on your email server. If you don’t host your own, be sure your provider uses TLS to transmit your messages across the Internet.
- If you connect to your email server using a web client, make sure you use a secure connection such as SSL (look for the ‘https’ in the address bar of your browser)
- If you connect with a client such as Outlook make sure you are using a secure connection as well.
And finally,
- Whatever you do, don’t use “password”, “pass” or your username as your password. Create a password that is a combination of numbers, letters and symbols.
