Email Security Tips for General Petraeus (even if a bit late)
Could General Petraeus Have Kept His Emails Secure?
The terms Email and Security generally do not go together. Email is inherently insecure, not because of the communications vehical itself, but in how it is used. The moment data leaves your possession, you have lost control. What the other party does with afterwards leaves you out of the loop with keeping it secure. Email security will be a problem in the foreseeable future. But there are some steps General Petraeus could have done to maybe have a more of a warm and fuzzy feeling about what he was sending.
1) Dont Email. That’s a good first step in securing Email. Even if you share an account with someone and keep drafts of the email in a folder rather than actually sending the email, it is still sitting on someone else’s server, beyond your control. The government is success in subpoenaing Email service providers for logs and old data. If you don’t really have to email your shady doings, that’s a good step.
2) Encrypt Email. Say you are forced to Email. Encryption has been around for a long time. PGP is a past master at email encryption. If only you and the other do not share your secret keys, no one is going to really get past PGP encryption.
3) Email Antivirus. It should go without saying these days that anti-malware and anti-virus should be checking all inbound and outbound emails. Say you were using PGP encryption but accepted an attachment that has a virus, your encryption would be useless.
4) Secure Passwords. So this is Internet Security 101. If you have a weak password on your encrypted email, then your encryption protect is again useless. People still use easy to guess passwords, things you can probably find on their Facebook page such as pet’s name, kid’s name, college etc. This is your first line of defense. The Huffington Post just had a great article on weak passwords “The Top 25 Worst Passwords Of 2011: See What To Avoid” I particularly like the “trustno1” as a password. Here are the top ones:
5) Encrypt Login. When you are accessing you emails, make sure its over an encrypted login. If you don’t see the “https” in the URL, you are not encrypted. So if someone was on the same network as you, they could potentially capture your password. It is a simple security measure but one most people do not really think about.
So there could have been several thing General Petraeus could have done to protect himself further, the best would probably have been no online communications for the shady activities.