This week's attack on Sarah Palin's e-mail account highlights how the same application could have very different threat models depending on the technology used. While this is a general issue for all Software-as-a-Service offerings versus traditional desktop packages, let's focus on just e-mail for now.

Let's first step into our adversary's shoes and try to think like an attacker. If your target is a webmail system, there are a variety of techniques you can use to compromise the account. You may attempt any of the following:
- Using a targeted phishing attack to grab the individual's username and password.
- Requesting a password reset on the account.
- Researching sophisticated web attacks, such as XSS/CSRF-style exploits, hoping to find one that works against your target's current webmail provider.
Attacking a desktop machine would require a somewhat different set of techniques, such as:
- Stealing their computer.
- Infecting their system with a piece of malware that provides access to their local hard drive.
At face value, desktop-based applications appear more secure, but our model discounts data loss from hard drive failures, bad backups, and all of the other ways that isolated pieces of hardware can fail. When you add in the convenience of accessible-from-anywhere, continuously backed-up, low-administration services, it is quite easy to see why many people prefer using webmail and equivalent systems.
You do need to appreciate, though, how the threat model changes when you choose one technology over the other.