Computer Security: Enter the Cloud, pay with your password

Let me tell you a story that recently happened to a colleague of mine. She was looking for a nice e-mail client for her brand new Android smartphone. She found several apps suiting her needs, installed all of them on her phone, configured them with her CERN password so that they could access her CERN e-mails and tested them thoroughly. In the end, she was happy with one and deleted the other apps.


But she wasn’t happy for long: over the following days, she realized that many new e-mails in her CERN mailbox were mysteriously marked as “read” despite her never having accessed them. A dedicated analysis of the CERN e-mail logs showed that one of the e-mail app providers was still downloading her e-mails, even though she had uninstalled the corresponding app from her smartphone. In fact, her CERN password had ended up in the Cloud, continuing to allow access to her inbox (similar to what Google does when you let Gmail pull your e-mails from your CERN mailbox). Neither that mail provider’s Terms of Usage nor its Privacy Policy listed this feature, nor were her e-mails destroyed once she purged the app… In the end, she had to change her CERN password to block access.
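The log analysis mentioned above is the kind of check a mail service operator can automate: look at successful IMAP logins per user and flag the ones that come from a client the user does not recognise as one of their own devices, optionally only after the date the app was removed. The script below is an added illustration, not CERN’s own tooling; the log line format, the client names and the addresses are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample IMAP authentication log (not real CERN logs).
# Each line records a successful login: timestamp, user, client identifier, source address.
SAMPLE_LOG = """\
2016-03-01T08:12:03Z imap-login user=alice client=AndroidMail/4.2 src=203.0.113.17
2016-03-01T08:15:44Z imap-login user=alice client=CloudFetcher/1.0 src=198.51.100.9
2016-03-01T09:02:10Z imap-login user=alice client=CloudFetcher/1.0 src=198.51.100.9
2016-03-01T09:30:00Z imap-login user=bob client=iOSMail/9.2 src=203.0.113.40
2016-03-02T07:58:21Z imap-login user=alice client=AndroidMail/4.2 src=203.0.113.17
2016-03-02T08:00:05Z imap-login user=alice client=CloudFetcher/1.0 src=198.51.100.12
"""

# Hypothetical line layout; adapt the pattern to the mail server's real log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) imap-login user=(?P<user>\S+) client=(?P<client>\S+) src=(?P<src>\S+)$"
)


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2016-03-01T08:12:03Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = parse_ts(entry["ts"])
        entries.append(entry)
    return entries


def unexpected_fetchers(entries, own_clients, since=None):
    """Logins by clients the user has not declared as their own device.

    own_clients: {user: set of client identifiers the user actually uses}
    since: optional ISO timestamp string; only logins at or after it are considered
    Returns {user: Counter mapping (client, src) -> number of logins}.
    """
    cutoff = parse_ts(since) if since else None
    findings = {}
    for e in entries:
        if cutoff is not None and e["ts"] < cutoff:
            continue
        if e["client"] in own_clients.get(e["user"], set()):
            continue  # a device the user recognises: nothing to report
        findings.setdefault(e["user"], Counter())[(e["client"], e["src"])] += 1
    return findings


if __name__ == "__main__":
    known = {"alice": {"AndroidMail/4.2"}, "bob": {"iOSMail/9.2"}}
    for user, hits in unexpected_fetchers(parse_log(SAMPLE_LOG), known).items():
        for (client, src), n in sorted(hits.items()):
            print(f"{user}: {n} login(s) by {client} from {src}")
```

In the sample, alice’s own Android client is ignored, while the cloud-hosted fetcher that keeps polling her mailbox from two different addresses is reported; passing `since="2016-03-02T00:00:00Z"` narrows the report to logins after the day the app was supposedly removed, which is exactly the question the story raises.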

So pay attention to where your CERN password ends up. Certain apps promise to “unite all your e-mails, contacts and calendars into one single application”. So long as your password remains on your smartphone, you still retain a bit of control (unless it is stolen or compromised). iOS’ and Android’s native e-mail clients work like this. But once your password is configured with your preferred Cloud provider (e.g. Gmail) or transmitted to a Cloud provider (e.g. mail.ru), you have to trust them to keep that password protected and secret, and not to misuse it… If you are dealing with sensitive issues at CERN, or regularly share sensitive data (like our colleagues in the FP and HR departments or DG and HSE units), that might be a bit too much trust, don’t you think?

Think twice. CERN's sensitive documents should never be made accessible to third parties unless there is a professional need. Losing sensitive data to third parties, whether intentionally or accidentally, is in violation of the CERN Data Protection Policy (draft) and is considered to be professional misconduct.

Please avoid forwarding your professional e-mails to external e-mail providers, as there are implications for CERN’s privileges and immunities as an intergovernmental organisation (see also our article on “Don’t let your mail leak”). The CERN e-mail system provides largely similar functionality. Also avoid sharing sensitive or restricted data on external storage systems like Pastebin, Dropbox or Google Drive. In most cases, CERN DFS web access (CERN Webdav), CERNbox, CERN’s OneDrive (you need to be registered with http://social.cern.ch), or CERN’s “Paste” are perfectly acceptable alternatives!


Share your ideas! Check out our website for further information, answers to your questions and help, or e-mail Computer.Security@cern.ch.

If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.



by Computer Security Team