ABU DHABI // Government officials must break their "dangerous" habit of discussing state affairs through web-based e-mail systems, security experts warn. Risk analysts are urging ministries and municipalities to ban workers from corresponding about business through free e-mail services, such as Hotmail or Gmail, as the practice makes them susceptible to attack.
"This is a big problem," said Fadi Aloul, a computer security analyst who lectures at the American University of Sharjah. "What needs to happen is companies and each governmental office should restrict [employees] from using free e-mail accounts for any business. Otherwise, they are actually allowing others to hack into their accounts and maybe steal business secrets." Staff at federal and local bodies - including the Ministry of Justice, the Ministry of Interior and some municipalities - commonly communicate with clients and journalists via web-based email. In some cases, the unofficial e-mail is the primary web contact printed on business cards.
But the vulnerability of popular webmail services was underscored in September, when a hacker invaded the Yahoo account of Sarah Palin, the US Republican vice-presidential candidate. The incident should have alarmed the UAE, according to Lance Spitzner, an American security expert who has consulted for Etisalat as well as the FBI. "What we tend to find a lot in the Middle East is a situation where they have the technology, but the policies aren't there to ensure people are using the domain name or that organisation's e-mail properly," said Mr Spitzner, who will lead security seminars this month in Dubai.
"The US has strict policies in a lot of organisations against mixing personal and work e-mail. I know several banks where if you do that, you get fired." As demonstrated in Mrs Palin's case, hackers can spy on anyone's private webmail by resetting the account holder's password. If the intruder can answer a few personal details about the victim - such as that person's birthplace or the names of his or her children - breaking into the account is simple, Mr Spitzner said, as those details are often used to answer security questions.
In April, German spies intercepted work e-mails between Amin Farhang, Afghanistan's trade minister, and a journalist. The agents were able to learn Mr Farhang's Yahoo details after discovering he was among several ministers in the Afghan Commerce department who corresponded over non-secure webmail, rather than their government addresses. "It was quite a scandal," said Alexander Kornbrust, the German chief executive of Red Data Security. "I'm quite sure that other agencies are monitoring these public accounts, so I would personally not trust them. Even if Gmail is more convenient, I think it's dangerous."
Mr Kornbrust, who has worked in Riyadh and Dubai, advised free webmail users to intentionally fill out false log-in details to throw off potential hackers. "E-mail is one of the most critical applications from a security perspective," he added. "It should be completely under control if you talk about critical things, and always internal, especially if you're discussing government-related stuff." Guy Bunker, a London-based cyber threat analyst who co-wrote the Data Leaks For Dummies instructional guide, estimated that one in 400 e-mails contains sensitive data.
"Once you get to government officials, they get hundreds of e-mails a day," he said. "That's one person each day who gets an e-mail that might contain sensitive information. Multiply that across a government and, by the law of averages, you've really got hundreds or thousands a day." Ensuring confidentiality is not just about protecting state secrets. In certain scenarios, Mr Bunker noted, competing firms might track e-mails from Abu Dhabi Municipality related to private contracts in an effort to outbid one another.
"You might not think there's sensitive information being exchanged, but knowing which contract is coming in would give a competitor an advantage," he said. "Municipal employees are assigned secure internal "adm.abudhabi.ae" email identities, a source said, but it is their decision whether they use them. Abu Dhabi Municipality refused to answer questions on the subject. The Municipality's IT service provider, Injazat, also declined to comment.
mkwong@thenational.ae