TV Anchor Confesses To Snooping His Co-Anchor's 3 Email Accounts For 2 Years!

A few months ago I blogged about a co-anchor at a television station who was accused of getting into his co-anchor's email and passing information from the messages along to news outlets.

I was interested to see a CNN report today, "Fired anchor pleads guilty to e-mail snooping," that followed up on this story. Larry Mendte reportedly admitted to accessing Alycia Lane's emails, in her 3 home and work accounts, over 500 times over a 2-year period!

Okay, why was he able to so easily get into her email accounts...3 OF THEM!...over a period of 2 years?! Wasn't there any security applied to these email systems?

Some possibilities...

  • Lane may have used the same password for all three accounts, never changed her password, and it was one that Mendte was able to easily guess.
  • Lane may have left her email IDs and passwords written in a location that was easy for Mendte to find.
  • Mendte may have had some sort of admin rights to the email systems, or got the admin's password, so that he was able to view poorly configured email settings that may have shown Lane's password in clear text.
  • Mendte may have gotten onto Lane's logged-in computer while she was not around and surreptitiously set her email to forward a copy of all messages to his account.
  • Mendte may have been able to view Lane's email directly on the email server if the email server was not appropriately secured. However, it does not seem likely three different email servers (for three different email accounts) would all be poorly secured...possible, but not probable.


If he was able to get into all three of Lane's email accounts for two years, it is likely she never changed her password for any of her email accounts.

Whatever the reason, Mendte definitely was wrong to access Lane's emails!

However, it is important for everyone to take precautions to protect their email, and any other electronic information.

One way is through good password management.

  • If possible, do not write down your passwords! If you have a lot of passwords and you need to write them down to remember them, then never, never, never keep your list where anyone else can see it or get to it. Putting your list under your keyboard is *NOT* a good idea!
  • Change your password occasionally. Perhaps Mendte could have been shut out of Lane's emails if she had changed hers, if that was the way he was getting into them.
  • Change your password just as soon as you think someone else may have figured it out and may be using it.
  • Do not share your passwords with anyone! I know some folks need to share their home/personal email password with a family member, but you should never, ever, ever share your work email passwords with anyone else. If someone tells you they need your email password, you can tell them that no, they do not!
  • Choose a GOOD password. Do not pick something that is easy to guess, such as a name, a birthdate, and so on. Make it at least 8 alpha-numeric characters long if at all possible.
  • Do not continue to use default passwords. If your email account came with a password to use the first time you used the account, change it as soon as possible.
  • Make sure email account passwords are encrypted in storage so others cannot see them.
  • Make sure your print queues do not show the content of the email messages through queries that anyone on the network can use.
  • Do not send anything within a clear text email message that you would not want to see printed in your local newspaper or reported on your local TV station. Always assume that your work email account is being monitored. If you must send something sensitive within email messages, then encrypt it.
  • Lock your computer when you leave it unattended.
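
Several of the password checks above (length, guessable personal details, default passwords, stale passwords, and the same password on more than one account) can be run as a self-audit over your own account list. The sketch below is an added example, not part of the original post; the account names, sample passwords, the one-year age limit, and the reading of "alpha-numeric" as "mixes letters and digits" are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date

MIN_LENGTH = 8       # from the post: at least 8 characters
MAX_AGE_DAYS = 365   # assumption: the post only says "occasionally"

@dataclass
class Account:
    name: str
    password: str
    last_changed: date
    is_default: bool = False   # still the password the account was issued with

def audit(accounts, personal_terms, today):
    """Return {account name: [findings]} for the checks in the list above."""
    users = {}
    for a in accounts:
        users.setdefault(a.password, []).append(a.name)
    report = {}
    for a in accounts:
        found = []
        if len(a.password) < MIN_LENGTH:
            found.append("too short")
        if not (re.search(r"[A-Za-z]", a.password) and re.search(r"\d", a.password)):
            found.append("no letter/digit mix")
        if any(t.lower() in a.password.lower() for t in personal_terms):
            found.append("contains personal term")
        if a.is_default:
            found.append("default password")
        if (today - a.last_changed).days > MAX_AGE_DAYS:
            found.append("not changed in over a year")
        if len(users[a.password]) > 1:
            found.append("reused on another account")
        report[a.name] = found
    return report

# Constructed sample data: a fictional user with four accounts.
TODAY = date(2008, 8, 25)
PERSONAL_TERMS = ["pat", "1975"]   # name and birth year, easy for a co-worker to guess
SAMPLE = [
    Account("home_mail", "patsmith1975", date(2006, 6, 1)),
    Account("work_mail", "patsmith1975", date(2006, 6, 1)),
    Account("station_mail", "Welcome1", date(2008, 7, 1), is_default=True),
    Account("bank", "tq7Rm2vLx9pd", date(2008, 6, 1)),
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE, PERSONAL_TERMS, TODAY).items():
        print(f"{name}: {', '.join(found) or 'ok'}")
```

Run it only on a machine you trust and do not save the list to disk, since the audit needs the passwords themselves in order to spot reuse.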

Comments

Hi Rebecca.

Here are three more/free bonus password tips:

1) Use a trustworthy password vault program to create and remember complex passwords for webmail and websites. [I say "trustworthy" to hint that choosing a free or low-cost password vault program from an unknown vendor based in a crime-ridden part of the world may not be the smartest move you'll ever make! Cybercriminals would love you to disclose all your deepest darkest secrets to them ...].

2) If you use a password vault, make absolutely sure that the one password you still need to remember (the one that unlocks the vault) is as strong as possible - certainly long and ideally complex. The first letters from the words of a line in your favourite song or poem work quite well, better still if you swap some of the characters for lookalike numbers or punctuation. All your eggs are in the one basket so take the effort to pick a really strong yet memorable vault password.

3) Don't take your passwords to the grave, meaning either share your vault password with a trusted family member, in strict confidence, or write it into your will. That way, someone can still access and use your secrets after you enter the pearly gates, making it easier for them to administer your estate.

I'm writing security awareness materials on email security this month so your post was very opportune. Thanks for the ideas!

Kind regards,
Gary Hinson
NoticeBored.com

Gary, thanks for your suggestions!

I agree, those password vaults can be useful, if used appropriately. It does make me nervous, though, to see how haphazardly some folks use them.

Rebecca

Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.