Gordon Brown’s hacked emails – the lessons to be learnt

According to a report in the Independent newspaper, these revelations follow police examination of around 20 computers seized from private investigators. It should not, of course, be a surprise. As long ago as the summer of last year Brown suggested that his computers had been targeted. “Amassed against these guiltless victims and against a succession of other victims of crime whose names I know about and have seen, and have yet to be made public,” he announced in parliament, “was the systematic use of base and unlawful methods - new crimes with new names: blagging, hacking, Trojans to break into computers and not just phones...”

What is emerging is not so much news that email hacking has happened, but that it was a matter of course in British journalism. Email hacking is easier and more prevalent than most people realize; and if journalism can cost-justify the illegality, then organized crime and industrial espionage will most certainly be involved. For the time being the police are declining to give details. "We are not prepared to give a running commentary on an ongoing investigation,” they told the Independent. 

“Gaining access to email accounts is one of the main goals for attackers, typically using techniques such as spear phishing combined with social engineering to compromise machines or accounts,” comments Paul Hennin, a director at Proofpoint (an email security company). “Email appearing to be from colleagues and business partners is trusted – this makes users vulnerable to targeted attacks. Firms need to protect employees from this network of trust by proactively stopping inbound phishing and malware attacks. This means using systems that deploy multiple layers of inspection and reputation analysis techniques.”

There are two other steps that users should consider. The first is obvious: use different passwords for different accounts. The internet is awash with lists of passwords stolen from hacked websites. Where a user has a single password and that password is stolen from an obscure account only ever used once, then all of that user’s more important and sensitive accounts, including email, can be accessed.

The second is encryption. “It is probably safe to assume the attackers got the emails in unencrypted form. If strong encryption had been used a brute force crack would probably still be in progress now,” explained Hennin. “Anyone in the public eye should be using automated encryption for their email to ensure their privacy.” That advice holds for any person or business that has anything to lose from the content of emails.

What’s Hot on Infosecurity Magazine?