Email Security & Smart Strategies
It’s difficult to think of a more revolutionary application over the last few years than email. Inquiring minds want to know: is there anyone on the planet without an email address? Probably … but certainly not anyone I know. You know a technology has reached critical mass when your mother uses it! Yes, email’s convenience as a communication tool is virtually unrivaled. As wonderful as email is (we couldn’t live without it), there are some security concerns to mention. As we’ve done throughout the main book, we’ll first examine the concerns and then highlight some strategies to enhance email security (and in turn, your security).
Email Not So Private
Email is sent in what’s called clear text. Clear text is just what it sounds like – text without any encryption or security. Any receiver of the message – whether legitimately or not – will be able to read it. So, the main concern when dealing with clear text is the danger of electronic eavesdropping.
Email is about as private as sending a postcard through the mail. Think about it: when you send a postcard, how many people can read it before it reaches its destination? Several. Think of how many mail carriers touch that exposed piece of mail between the time of mailing and delivery. Similarly, when you send an email, that message passes through several mail servers, usually on a variety of networks, before it reaches its destination server. Once you send a message, you lose direct control over that information.
Now, of course, the sheer volume of email sent daily greatly reduces the chance of any unwanted attention placed on your message. Still, as a best practice, you never want to send any critical or financial information through email. At the end of this report, I’ll mention two great encryption options to use when you must send something private or confidential through email.
One last note about email privacy, especially in a corporate setting: always assume your email administrators can open your mailbox and read your mail without your knowledge. In addition, deleted email is rarely ever truly deleted and likely “lives” on a backup tape somewhere. In the digital world, things you thought were long gone can live on indefinitely. The idea here is not to turn everyone into ultra-paranoid conspiracy theorists (that’s the job of Information Security personnel ☺) – however, it is important to understand the privacy limitations of email.
Chain Letters, Junk Mail, and Other Nuisances
Now that we’ve looked at email privacy concerns, let’s look at other email threats ranging from benign to serious. First off, everyone might think of Spam – and Spam is such a large topic that it received its own special report! Another serious email threat is known as “Phishing,” which is the attempt to obtain personal and financial information through fraudulent email messages appearing to originate from trusted sources. Phishing is covered in depth in our Online Identity Theft chapter.
Let’s examine email chain letters. What’s the advice on email chain letters? Don’t do it! Why the hard stand? What’s wrong with chain letters? Well, let’s see, where do I start? A classic chain letter from a few years ago claimed that Microsoft was testing new email technology and wanted everyone to indiscriminately forward this email on (how many copies did you receive?). By way of incentive, the email promised a financial reward for participating. The email went on to assure everyone that Microsoft could trace through all email headers, diligently making sure every deserving person received their just financial reward. Of course this was a blatant hoax, as are many similar chain letters. Chain letters about Nigerian bank accounts and children requiring heart transplants, while interesting reading, have also been exposed as hoaxes.
This brings up another problem with chain letters, which we can properly term “junk email.” It’s notoriously unreliable. It’s just like that telephone game where everyone sits in a circle and some creative soul makes up a story and whispers it to the person next to them. By the time the story comes back around it’s completely distorted. The original story was about George W. Bush, and by the time it comes back around it’s about that purple Teletubby with the purse! Seriously. While email is great for one-on-one or limited group communication, it’s unreliable for relaying news events and other such stories. The temptation to “alter” details is just too great for many. What it comes down to is this:
Spammers have been known to instigate and participate in chain letters as a means of harvesting valid email addresses. Yes, in what can be known as “Email Karma” – if you send junk, you can expect to receive junk.
While detailing chain letters is beyond the scope of this report, there’s a great website devoted to the subject called Break the Chain. This site’s stated mission is to stop junk email and misinformation – worthwhile goals, methinks. They operate a working database of chain letters and other scams, which makes for some amusing reading. If you receive a chain letter that isn’t already in their database, you can submit it for inclusion.
We’ve all received an email addressed to many people. We know this because we can look at the “To:” field and see everyone’s email address right there next to ours. If we’re so bold, we can even add them to our address book – even if we don’t know them. I think you see where I’m going with this. Sending out emails this way is really broadcasting email addresses. A more discreet way to handle this is to address your message to your own email address and use the “BCC” field for everyone else. BCC stands for Blind Carbon Copy, and it hides your recipients’ addresses from each other. I don’t know about you, but I’ve received unwanted email and Spam as a result of senders not following this simple advice.
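To make the BCC mechanism concrete, here is an added Python example (not code from the report) that builds such a message: the full recipient list goes to the mail server in the delivery envelope, while the header block that the recipients actually receive carries only your own address. The addresses are constructed samples.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_bcc_message(sender, bcc_recipients, subject, body):
    """Address the mail to yourself and put the real recipients in Bcc.

    Returns (envelope_recipients, wire_bytes):
      envelope_recipients - every address the mail server must deliver to
                            (the SMTP RCPT TO list), Bcc recipients included;
      wire_bytes          - the message as recipients receive it, with the
                            Bcc header removed so nobody sees the full list.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                      # the only address anyone will see
    msg["Bcc"] = ", ".join(bcc_recipients)
    msg["Subject"] = subject
    msg.set_content(body)

    envelope_recipients = [sender] + list(bcc_recipients)
    # smtplib's send_message() strips Bcc for you; it is done by hand here so
    # the separation between envelope and headers is visible.
    del msg["Bcc"]
    return envelope_recipients, msg.as_bytes()


def visible_addresses(wire_bytes):
    """Addresses a recipient can read from the delivered headers."""
    delivered = message_from_bytes(wire_bytes, policy=policy.default)
    return [str(v) for h in ("To", "Cc", "Bcc") for v in delivered.get_all(h, [])]


# Constructed sample addresses (not from the original report).
SAMPLE_BCC = ["friend1@example.com", "friend2@example.net", "aunt@example.org"]

if __name__ == "__main__":
    env, wire = build_bcc_message("me@example.com", SAMPLE_BCC,
                                  "Reunion", "See you Saturday.")
    print("envelope recipients:", env)
    print("addresses visible to recipients:", visible_addresses(wire))
```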
Other Security Exposures
Aside from the lack of real privacy in email and receiving nuisance and scam email – two real threats exist:
• Email attachments containing malicious code.
• Auto-loading code in HTML email messages.
Let’s examine each in more detail.
Email Attachments Containing Malicious Code
Virus-infected email attachments just might be the quickest way to spread infection. As serious a threat as this is, viruses are certainly not the only things to be concerned about. Think Spyware, Trojans and Malware – all are known to spread through email. It bears repeating: be very cautious of attachments in email. Reject all attachments from unknown senders. Even when you know the sender but were not expecting an attachment, delete it. Remember, legitimate companies will not send updates and fixes through email – assume these are spoofed emails with dangerous content and delete them. If it turns out something was deleted in error, you can always have it resent – better this than unknowingly loading malicious software on your machine.
The current version of Outlook Express (referred to from here on as “OE”) automatically blocks file attachments it considers potentially harmful. While OE doesn’t allow you to select the exact attachment types for blocking, you can view the current blocked list at Microsoft’s support site.
Note, OE does not delete the attachment – it just prevents access from your inbox. What happens when you are expecting an attachment, and you know it’s safe? You can disable this feature in OE by doing the following.
In OE, select Tools > Options > Security.
Uncheck the box that says “Do not allow attachments to be saved or opened that could potentially be a virus.” Note: only do this if you have an up-to-date Anti Virus program running. Consider disabling this setting momentarily while you retrieve the needed attachment.
Security tab in Outlook Express.
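The kind of screening OE does can be shown in code. This added Python example (not from the report or from Microsoft) walks the attachments of a message and decides what to block: it checks the extension against a constructed sample of risky types, looks for the Windows executable signature regardless of the file name, and flags files whose declared type disagrees with their name.

```python
import mimetypes
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Sample of extensions mail clients commonly block; the real OE list is on
# Microsoft's support site. This set is constructed for the example.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".com"}


def screen_attachments(raw_message: bytes):
    """Return (filename, verdict) for every attachment in a raw message.

    'blocked'    - risky extension, or the bytes carry the Windows executable
                   signature 'MZ' whatever the name claims;
    'suspicious' - the declared MIME type disagrees with the file name;
    'ok'         - nothing flagged (not proof that the file is safe).
    Like OE, this only decides what to block; it removes nothing.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name.lower())[1]
        data = part.get_payload(decode=True) or b""
        guessed, _ = mimetypes.guess_type(name)
        if ext in RISKY_EXTENSIONS or data.startswith(b"MZ"):
            verdicts.append((name, "blocked"))
        elif guessed is not None and guessed != part.get_content_type():
            verdicts.append((name, "suspicious"))
        else:
            verdicts.append((name, "ok"))
    return verdicts


def sample_message() -> bytes:
    """Constructed mail with four attachments (not from the report)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Files"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    # Name says PDF, declared type says "unknown binary": worth a second look.
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    # A renamed executable: the name looks harmless, the bytes do not.
    msg.add_attachment(b"MZ\x90\x00 stub", maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(b"@echo off", maintype="application",
                       subtype="octet-stream", filename="update.bat")
    return msg.as_bytes()
```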
Auto-loading Code in HTML Email
In case you’re unfamiliar with HTML email, it’s email that looks like a web page – it can contain images, different fonts and colors, hyperlinks, etc. Most email programs allow you to send and receive email in HTML. With a few exceptions, the code creating HTML messages is the same as the code on websites. In the main book we mentioned how just visiting a site with malicious code could result in unwanted programs installing on your machine (especially if your computer is not up-to-date with security tools and system updates). Just as you should be cautious of suspicious websites, you should be careful of suspicious HTML email.
How can you protect your computer? The best thing for protection against such threats is disabling the Preview pane in Outlook and OE. The Preview pane is that handy portion of your email client that displays email messages without actually opening them. Be aware, viewing a message in the Preview pane is the same as opening it – all of the code in the message is loaded. With your Preview feature enabled – it’s all too easy to accidentally load a suspicious email message. To disable the Preview pane – do the following.
In OE: select View > Layout. Uncheck the “Show preview pane” box.
In Outlook the Preview pane can be toggled on/off. The option is found under the View menu.
If you use an email client other than these, the steps should be similar.
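To show what “all of the code in the message is loaded” means in practice, here is an added Python example (not from the report) that parses the HTML part of a constructed message and lists the remote resources a preview pane would fetch the moment the message is displayed, plus any embedded script. The sample URLs are constructed; an embedded (cid:) image is included to show it needs no network fetch.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser


class RemoteContentFinder(HTMLParser):
    """Collect everything the HTML part would load or run when rendered."""
    REMOTE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                    "link": "href", "object": "data", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.remote = []        # (tag, url) fetched automatically on display
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self.inline_scripts += 1
        url = attrs.get(self.REMOTE_ATTRS.get(tag, ""))
        # cid: and data: references are carried inside the mail; only
        # http(s) references make the client call out to a server.
        if url and url.lower().startswith(("http://", "https://")):
            self.remote.append((tag, url))


def auto_loaded_content(raw_message: bytes):
    """Return (remote_resources, inline_script_count) for a mail's HTML part."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return [], 0
    finder = RemoteContentFinder()
    finder.feed(html_part.get_content())
    return finder.remote, finder.inline_scripts


def sample_html_mail() -> bytes:
    """Constructed HTML mail: tracking pixel, remote frame, inline script."""
    msg = EmailMessage()
    msg["From"] = "newsletter@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Offer"
    msg.set_content("Plain-text version.")
    msg.add_alternative(
        '<html><body><p>Hello</p>'
        '<img src="cid:logo" alt="logo">'
        '<img src="http://track.example.com/open.gif?u=42" width="1" height="1">'
        '<iframe src="https://cdn.example.net/promo.html"></iframe>'
        '<script>document.title = "loaded";</script>'
        '</body></html>', subtype="html")
    return msg.as_bytes()
```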
Smart Strategy: Send Encrypted Attachments
When we talk about “security” on the Internet, we’re usually speaking of data encryption. Without encryption, it would be far too risky to do everyday things like shop and bank online. What is encryption? We’ve mentioned encryption elsewhere in our book without actually defining it. By way of defining it, we could say: “it’s a means of making data unreadable to everyone except the intended receiver.” To make it even simpler – while clear text is text without any encryption, encrypted data can be thought of as “garbled data.” As an example of encryption, let’s look at our encryption definition in clear text and what it might look like encrypted.
Clear text: It's a means of making data unreadable to everyone except the intended receiver.
Encrypted: TVYwQQAAABR0ZXN0NEBtaWNyb3ZhdWx0LmNvbQA AA
The ideal scenario is never sending anything remotely sensitive over email. However, the truth of the matter is that there are many situations that may require sending confidential information over email, such as applying for a job or sending a proposal or some other form of intellectual property to a client, to name just a few. Instead of potentially exposing critical information, you can securely send it as an encrypted attachment. I heard an interesting story on the radio telling how two guys made a hip-hop album. What made this story unusual is that one lives in North Carolina, while the other lives in the Netherlands. The two had never met face-to-face, but collaborated by working on portions of tracks and emailing music files to each other. Now this is an obvious case where encryption should be mandatory.
There are several software options for sending encrypted files – the ones I mention don’t require your recipients to load any special software. I think this is a better option, as most people don’t want to download a special program just to open your attachment.
Note: PGP is a popular email encryption program. I don’t mention it beyond this note because 1.) PGP requires both the sender and receiver to have it installed, and 2.) many find it difficult to setup and use.
Secure Email Attachment
If all of your correspondence is between fellow Windows users, Secure Email Attachment (SEA) from iOpus should do the job. Other than the fact that SEA is free, the best part is that your recipient doesn’t require special software to decrypt your attachment. SEA works by creating a self-expanding .Exe file (or a .Cab file, useful since many email systems automatically block .Exe files – actually it creates an .Exe file within a .Cab file). How easy is it to create an encrypted file? To encrypt a file, either open the program or right-click on your file and select “Create iOpus Secure Email Attachment (SEA).” That’s about it. As shown in the screenshot below, you just need to provide a “Save As” file name and a password to decrypt the file. Just so you’re aware, by default SEA wants to save your encrypted file in its own program folder (C:\Program Files\iOpusSEA); however, this can be changed at the time of creation by clicking “Browse” and selecting another location (your desktop, for example). Once your file is encrypted, it can be sent like any other email attachment.
Secure Email Attachment encryption screen.
On your receiver’s end, they only need to know the password you used to decrypt the file. Resist the urge to put the password in the email body – this would essentially defeat the purpose of encrypting in the first place. For security reasons, it’s best to relay this password over the phone or by some other means.
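To illustrate the clear text vs. encrypted distinction above and the rule that the password travels separately from the attachment, here is an added Python example (not SEA's or Encrypt's format, which the report does not describe) built only from standard-library primitives: PBKDF2 stretches the password into keys, an HMAC-SHA256 keystream scrambles the bytes, and a second HMAC makes a wrong password or a tampered file fail cleanly instead of producing garbage. In a product you would use a vetted library's AES-GCM; the iteration count is an assumed value.

```python
import hashlib
import hmac
import os
import struct

ITERATIONS = 100_000   # PBKDF2 work factor; assumed value for the example


def _keys(password: str, salt: bytes):
    """Derive one key for the keystream and a separate one for the tag."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a pseudo-random keystream."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", counter), "sha256").digest()
    return bytes(out[:length])


def seal(password: str, plaintext: bytes) -> bytes:
    """Password-protect data. Output layout: salt | nonce | ciphertext | tag.

    The password itself never appears in the output, which is why it must
    reach the receiver by another channel (the phone, as the report says).
    """
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def open_sealed(password: str, blob: bytes) -> bytes:
    """Recover the data, or raise ValueError on a wrong password or edit."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):   # checked before decrypting
        raise ValueError("wrong password or corrupted attachment")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))
```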
One minor annoyance I’ve noticed with SEA: file names are automatically converted into what’s called “8.3 format.” If you ever used MS-DOS or a Windows version prior to Windows 95, you’ll know what this means. If not, as an example, the file Bonus2_Email.doc will be converted to Bonus2~1.doc. Note: this does not change the contents of the file, only the file name.
Filetrust’s Encrypt
Encrypt is an elegant solution for sending encrypted attachments not only to fellow Windows users but also to people using other computer systems like Macintosh and Unix. Similar to SEA, Encrypt creates a standalone self-expanding file. The benefit is that your recipients will not require any special software to decrypt your attachment. All they will need is a web browser and the password used to encrypt the file.
Encrypt adds an “Encrypt for Email” option to your right-click menu for quickly selecting a file to encrypt. In addition to encrypting files, Encrypt provides an “Encrypt text message” feature for typing an encrypted message. Both files and text messages can be sent as encrypted email attachments.
If you recall, SEA’s encrypted files were sent as either an .exe or .cab file – both of these file types are only known to Windows systems. Encrypt does something different: it stores its data within an encrypted HTML file, making it accessible to just about every computer system. As you can see, this greatly extends Encrypt’s versatility.
As shown in the screenshot below, your recipient will open your attachment in their web browser and will be prompted for the password used at creation. I like the way Encrypt displays information about the creator of the file.
Encrypt's decryption screen (what your receiver will see).
Well, there you have it. I hope you picked up some smart strategies for increasing email security. Thanks for reading.