Written on July 19, 2009

This week, one of my clients talked to me about a strange set of coincidences. When he was discussing a specific topic in email, the next day, the exact same topic/phrase came back to him in the form of spam email, and the next day, the same thing. In fact, he could see a common thread of activity: whenever he’d mention a few specific keywords, the next day he could count on some spam to be reflected back at him and dropped into his junk mail folder concerning the same topic.
And this is no coincidence. Email is inherently insecure. When it travels across the Internet to a destination server, it travels in plaintext: unencrypted and easily “sniffed” off the network as it passes by. It doesn’t help matters that this client’s mail server – about a year ago, prior to my involvement with the firm – was compromised and used as a mail relay: spammers figured out how to route bad mail through their server, and even though that capability has since been disabled, their server has been of interest to spammers ever since.
So what do you do? How can you make email more secure? Two ways:
1. Digital Encryption. Most mail clients, including Microsoft Outlook, allow for the installation of an encryption certificate. The cert is used to secure the contents of your mail as it moves across the Internet, as well as to verify your identity as “authentic”, so the reader can have confidence that you really sent the email. You can enable this feature in Outlook by going to Tools, Options, Security and enabling the encryption options; you’ll need a digital cert first, though, and there are a number of commercial providers out there. You can learn more about encrypting email in Outlook as well as how to obtain a digital cert for use with Outlook.
2. 3rd Party Applications. Voltage is one application that I’m familiar with, as well as PGP (Pretty Good Privacy). These programs are installed on a Windows workstation and work with the email client to secure email as it leaves the PC. There are also a number of open source solutions that you might be interested in, but their installations are technical and sometimes confusing to end-users.
There are also a couple of points worth making about web-based email systems. Sometimes, users get the wrong impression about the security of their email when using Yahoo!, Gmail, Microsoft’s HotMail, or any other web-based email solution. The creation and transmission of the email to the host is secured through SSL (that little lock icon in your browser that tells you the connection is safe), so mail sent through these services is secured while it’s being created and transmitted to the provider. It is not, however, secured as it leaves their mail server and travels to its destination. So, as it moves away from Gmail and on to a destination server, the mail is just as much at risk as any other.
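As an added illustration (not part of the original post), the following Python script reads the Received: headers that each mail server stamps on a message and reports, hop by hop, whether that hop used an encrypted transport; the sample message is constructed to show exactly the gap described above, a webmail submission followed by a TLS hop and then a plaintext final delivery.

```python
# Added example, not from the original post: audit the transport of a received
# email by reading its Received: headers. RFC 3848 "with" keywords ending in S
# (ESMTPS, ESMTPSA) mean STARTTLS was used; plain SMTP/ESMTP means plaintext.
import email
import re

# Constructed sample message. Servers prepend Received: lines, so the first
# header is the last hop (delivery into the recipient's server).
SAMPLE = """\
Received: from relay.sender.example (relay.sender.example [192.0.2.10])
 by mx.client.example with ESMTP id abc123; Sun, 19 Jul 2009 10:05:00 -0500
Received: from webmail.sender.example (webmail.sender.example [192.0.2.5])
 by relay.sender.example with ESMTPS id def456; Sun, 19 Jul 2009 10:04:58 -0500
Received: from [198.51.100.7] by webmail.sender.example with HTTP;
 Sun, 19 Jul 2009 10:04:55 -0500
From: alice@sender.example
To: bob@client.example
Subject: quarterly numbers
Content-Type: text/plain

Please see attached.
"""

TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
PLAIN_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "UTF8SMTP", "UTF8SMTPA"}

def transport_status(proto):
    """Classify a Received: 'with' keyword. A webmail (HTTP) submission is
    'unknown' because the header does not say whether HTTPS was used."""
    if proto in TLS_PROTOCOLS:
        return "tls"
    if proto in PLAIN_PROTOCOLS:
        return "plaintext"
    return "unknown"

def transit_hops(raw):
    """Return (from, by, protocol, status) per hop, first hop to last hop.
    Only the hop into a server you control is trustworthy; earlier Received:
    lines were written by other parties and can be forged."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(hdr.split())  # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\S+)", text)
        by = re.search(r"\bby\s+(\S+)", text)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((frm.group(1) if frm else "?",
                     by.group(1) if by else "?", name, transport_status(name)))
    return list(reversed(hops))

def plaintext_hops(raw):
    """Hops where the message body was visible on the wire."""
    return [h for h in transit_hops(raw) if h[3] == "plaintext"]
```

Run against a real message saved from your own mail server and the last hop is the one you can actually verify; in the sample it is the plaintext one.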
Another good rule of thumb is simply not to send confidential information in email. Make a phone call instead, send an encrypted attachment such as an encrypted *.pdf, or send a fax, which is inherently secure. Try not to share anything in email that you wouldn’t want the public to overhear. Avoid transferring passwords and account information in email. Always keep in mind that you’re “talking” in a public place, and it’s relatively easy for somebody to eavesdrop and pick up on your conversation.
Finally, if you want more information on encryption and the vulnerability of email, here’s a book that’s a must-read: PGP & GPG: Email for the Practical Paranoid. It’s more of a technical book, and I’d definitely recommend it for students and technicians who are interested in free, useful means of encrypting data and email on microcomputers. If you’re looking for an inexpensive way to learn more about a complex subject – along with some free, practical tools to apply – this is a great book for you.
So, best wishes, and watch your emails.
R