Email insecurity video

This article is a the first in a series aimed to people who are looking to understand the risks of using the internet as a primary communication channel, especially for sensitive subjects.

Let’s start with something that has become an indispensable tool for communication in our world and I’m referring to the email. Email can be considered one of the core tools for anybody that spends sometime in front of a computer either for work, entertainment or social communication. Unfortunately email by design is not a secure communication method and a lot of design flaws since its inception will be around for the foreseeable future. The two main design flaws are:
•    The way an email is being transmitted
•    The way an email is stored.

 

 

How does email work? Imagine a letter written in plain text that is sent across to a person across a room passing form one person to the next until it reaches its intended recipient.  Well back in our school days that just was enough, but think for a moment and the content of that message was readable by any number of people who was part of the human chain to make it reach its destination. Well that is how an email works in layman terms.

The idea is not to go into the inner workings on how it’s done, that takes much more space than one introductory article can cover, but the aim is to open your eyes to the number of threats and risks to your confidentiality by using your email service. Now let discuss the 2 main flaws.

The way email is being transmitted an email by design doesn’t have any security feature by default from your computer to your provider’s email server (Outlook, Gmail, Yahoo, etc). Not so long time ago (a couple of years back) all the transmission of email was being done using unsecure communications. Now the use of secure communications from your computer to the provider’s email server is common place but that only takes care of very small part of the path an email must travel in order to reach its destination, for the rest of its journey there is no guarantee that the communication from your mail provider infrastructure to the next hop to reach its destination will be secured.

Somebody could say: “I’m using a secure client” or “I access my email account in my browser, and I heard that https is secure isn’t it?” As mentioned, secure communication for email browser clients is a relative new feature offered by major email providers such as Yahoo, Gmail, etc.

But there is a new generation of interception tools that are now available to the public in the form of open source software (free) such as SSLstrip, SSLsplit, Mitmproxy; and commercial out of the box devices from companies as Blue Coat that allows the user to intercept secure communications as the ones offered by your email provider. Are you still confident that your email is not being read by other people?

You also must keep in mind that if your ISP could be breached due a vulnerability that is totally out of your control such as the one on September 2014 (shellshock) that allowed attackers to obtain the access credentials to millions of email accounts from yahoo and other email providers, you will now must see why the use of email is not exactly the ideal communication method especially if the information being transmitted is sensitive.

Now the second issue at hand the way our emails are being stored by our Email providers, well here is more bad news, in most case those emails are stored in plain text that means that anybody with access to the server can read your email, and that list can become rather long including Big Brother to the system administrator of the server to the hacker that has gained access to the server thru any number of flaws a computer system has these days. Even doe there are Email providers such as Google that utilizes encryption to protect your data, it only works under two scenarios, first if the email recipient is also another Gmail user, and second only for the copy stored within Google’s servers.

This brings an interesting question: Have you ever thought about how many copies exist around the internet of a single email? Well for starters there is one in the origin computer (if using an email client such as thunderbird), a second one in your provider’s server, another one in the recipient’s server, and finally another one in the recipient’s machine (if using a local email client). That is not taking into account any copy that could be stored in any of the many in between servers your email crossed to reach its destination and most likely not being stored in a secure manner (i.e. encrypted).

But not everything is lost there are a couple of things you can do to avoid the content of sensitive email being read by unwanted parties, and here is the use of encryption. Encryption is a method to convert human readable text in a message into something that to any unauthorized party attempting to read will look like garbage. There are two ways to access this type of defense mechanism; one is to use a service provider that insures the following:
•    The content of your email is stored encrypted
•    The messages can only be accessed at all times thru secure communication methods (i.e. https)
•    That the email provider doesn’t have access to the content being stored.

One such provider is Sendinc, (https://www.sendinc.com/) which offers for free their basic service.

The second option is that you take into your own hands the encryption of the content of your email messages before being transmitted; there are several open source and commercial options but the most well known is GPG (https://www.gnupg.org/). This route requires discipline and force the user to learn some new skills but is another excellent option for those who depend on the confidentiality of their information to stay safe.

Remember there is no magic solutions for security so in order for any of the options mentioned above to work they will need to be supplemented by other security technologies and knowledge on how to use them correctly, all this will be explored in future articles.

Nick

Nick Altamira is the pen name of a SANS certified incident and forensic security expert who has worked with Amerandus Research for many years to help educate and protect the security and privacy of communications among whistleblowers, plaintiffs, attorneys, investigators, and auditors.

More Posts

Posted in email, featured, recommendations.

One Comment

  1. If SendInc relies on SSL, how secure is it? We’ll be hearing a little more detail on SendInc and related email options.

Leave a Reply to Cisspo Cancel reply

Your email address will not be published. Required fields are marked *