FIVE and a half years ago there were none. Now there are more than 2,000 subscribers
to email in Cambodia, receiving and sending thousands of messages a day. It's used
for everything from business accounts to end-of-year reports to quick memos to love
letters - yet how secure is our email?
It's a question that was highlighted two months ago when a computer hacker managed
to break into hotmail.com, the free email service available over the internet, and
exposed the email accounts of all 40 million Hotmail users around the globe. With
email in Cambodia a fast-growing means of communication, some experts here say that
protecting our cyber-messages should be more of a concern for users, who may not
realize the potential for security breaches.
"Sending an email is like sending a postcard," said Mike Gaertner, an information
technology analyst currently working in Phnom Penh. "Anyone who has the know-how
can read it."
Bill Herod, advisor to Kids, a public internet service in Phnom Penh, agreed.
"Email is not secure. It's written in plain text, and [when it's sent out] anyone
in the world can get into that stream. It's a serious consideration if you're dealing
with lawyers, or have private business considerations [being carried out by email],"
he said.
But this doesn't necessarily mean we should be canceling our email accounts and running
back to snail mail. Experts agree that to try to intercept a specific message takes
a lot of time, know-how, and probably a bit of luck too.
Emails being sent out are delivered from one Internet Service Provider (ISP) to another,
for example from Bigpond in Phnom Penh to Demonnet in San Francisco. Because of the
sheer volume of email traffic flying through cyberspace, to be able to filter out
specific messages to intercept would take a huge amount of software and hardware,
as well as an enormous amount of time.
But David Lewis of Bigpond admitted that hackers were more likely to be able to intercept
messages while they waited at an ISP to be downloaded onto a customer's computer.
"The chances of having your messages read by someone else while they're waiting
at the ISP is entirely down to the security of the mail server," he explained.
He noted that Bigpond kept their mail server in a locked room, with access restricted
to only three people who know the password.
"You can't break in via the internet to Bigpond," he said. "You would
have to gain physical access to the room itself."
So Bigpond is foolproof?
"Well, no," he admitted. "Security holes are spotted and exploited
all the time. We're not complacent, but at the moment you can't break in. Of course,
tomorrow, we might hear of some new hole - the thing has to be actively managed."
One thing that can certainly improve your chances of keeping your email safe is to
encrypt your messages, a practice which is becoming more and more widely used in
Europe and the US, especially for businesses like banking, and which is used in Phnom
Penh by some embassies. Encryption services are available free over the internet,
or from companies set up specifically to provide encryption codes.
One such system is the humbly-titled PGP (Pretty Good Privacy), which requires both
sender and receiver to use the same encryption code. Anyone surveilling the email
or trying to intercept messages would be unable to read them unless they had a copy of
the encryption key.
Mike Gaertner is currently exploring the feasibility of setting up an encryption
service in Phnom Penh.
"I see it as a personal expression of freedom - the right to send a message
without anyone else reading it," he said.
An added bonus of an encryption service such as the one Mike proposes to set up in
Phnom Penh is the "certification of warranty" that it provides.
"When you sign up to use the encryption key, you have to be able to prove that
you are who you say you are," he said. New users show their passports, or other
reliable forms of ID, and are then signed up for the service. When someone receives
an email via this encryption service, they also receive an automatic guarantee that
the sender has been certified bona fide.
Knowing who you're really talking to through email is an important side to cyber-transactions
that people often overlook, according to Gaertner.
"In real life, everyone has a passport or an ID card, but in digital life, there
is no such thing. This is a way to try to organize it."
But there are loopholes in the service, as pointed out by Bill Herod.
"Encryption still has an element of trust built into it," he said. Potentially,
a new user could fake their ID to set up a bogus certification. "This is exactly
the kind of loophole that the bad guys would look for," he said.
Although the chances of having your email intercepted by a random hacker are small,
a more sinister possibility is that of email surveillance by employers, or even governmental
departments.
"In Vietnam, for instance, all email goes through the government server,"
says Gaertner, "so the government has the possibility to spy on people's private
messages. But as far as I know, the government here does not have the equipment to
spy on private email."
Herod was equally sure that the men at the top are not spying on us.
"I can say with certainty that no-one at the Ministry of Interior is monitoring
Bigpond or Camnet [Cambodia's two largest ISPs]."
Than Sina, Secretary of State at the Ministry of Interior, was less forthcoming in
his denials of surveillance.
"We're discussing the National Security Act at the moment," he said, "and
this may include laws on the email and internet.
"It's important to look at security issues without violating the rights of the
people. When you're talking about tapping phones and surveillance, you have to ask
at what level of security you're talking about," he said, but refused to be
drawn on the current level of surveillance that prevails in Cambodia.
One thing that is known for sure: if you are sending private emails from work, it's
completely possible that your employer is monitoring your movements. One prominent
western diplomat was recently left red-faced after his superiors discovered that
he was sending pornographic photographs by email - the embassy he worked for routinely
scanned employee emails for any large photo attachments.
Perhaps the most common concern of regular email users is the possibility of infecting
their computers with viruses that are passed on unwittingly through received messages.
Viruses, or more often, virus warnings, come spinning through the internet every
day, and most people with email access have at some time or another received anonymous
virus warnings through their mailbox. In fact, say the experts, most of these are
just rubbish - a 1990s version of the unwanted chain letter.
"A virus cannot get into your computer just through receiving an email,"
says Lewis. "The only way for it to happen is if you open up an attachment that
came with the email. For instance, I could write a program which would delete your
hard disk, and call it 'sex.exe'. If you were crazy enough to open it, the damage
would be done - but just looking at the email I sent you couldn't do anything."
A recent US Department of Energy statement noted that: "We are spending much
more time debunking hoaxes than handling real virus incidents". There are even
entire websites devoted to hoax viruses, including the top ten hoaxes of all time,
and stories of how unsuspecting email users were duped by fake virus warnings. (See
box).
Meanwhile, as the flow of email traffic to and from Cambodia grows, more and more
people are coming to rely on it as their primary, or even sole means of communication
with the outside world. This, says Herod, means that the need for security will grow.
Yet at Kids internet service, one regular customer was less than impressed by a friendly
security warning.
"I'm not worried at all, because I never write anything particularly private,"
he said. "I wouldn't care if the whole world saw my emails."
Useful web sites on email security
Ziplip.com - a free encryption service, plus information about email security.
www.at.pgp.net/pgpnet/pgp-faq/faq.html - frequently asked questions about PGP.
www.cert.org - summary of the most frequent internet security incidents.
www.av.ibm.com/Publish - an IBM site dedicated to information on protection from
viruses and virus hoaxes.
kumite.com/myths - excellent site detailing latest scares and hypes, plus top ten
hoaxes of all time.
Contact PhnomPenh Post for full article