email security - when can i consider my e‐mail to be secure? by ralph van der pauw
8/8/2019 Email Security - When can I consider my email to be secure? by Ralph van der Pauw
Haaga-Helia University of Applied Sciences
E-mail Security: When can I consider my e-mail to be secure?
Ralph van der Pauw a1000513
27/4/2010

What is e-mail?

E-mail is the abbreviation of Electronic mail, a now standardized word used to describe the protocol of exchanging and storing digital messages. Though there had already been some programs made for exchanging messages between directly connected computers, the first foundations for e-mail had been invented in the early 1970s by Ray Tomlinson. Shortly after the creation of the ARPANET (beginning of the internet) he created two programs called SNDMSG and READMAIL to either send or read mail. In 1971 he updated his SNDMSG application by adding a program that could copy files through a network connection, which completed the creation of the first functional e-mail client (Hardy, 1996). Tomlinson assigned every client an address based on the same structure we use nowadays. In his case it was username@usercomputer, with username being the client's name and usercomputer the computer where the client was located (Black, 2010). Over the years not much has changed other than that usercomputer changed into the name of the provider (domain name). Furthermore an extension is added behind the domain defining a country or sector. Still the foundation of Tomlinson's work exists in the communication that we find so common in our day-to-day life.

An e-mail is basically a text message containing a header and a body. The header is meant for metadata such as the sender, recipient, date and other information defining the content. The body contains the content written by the sender, which can either be plain text or HTML coded content. Most e-mail clients support HTML bodies in e-mail messages, but due to the existence of older e-mail clients, a link to a web page or a text version of the body is still sent along. E-mail used to be a text-only protocol, but with the development of MIME (Multipurpose Internet Mail Extensions) it is now possible to send rich multimedia content such as attachments along. MIME is a way to convert files into plain text, so they can be sent with the e-mail messages. Once the message arrives with the recipient, the text is converted back to the file it was before it had been sent (Tschabitscher, 2010).

Simple Mail Transfer Protocol

The protocol used to send an e-mail message is called SMTP, meaning Simple Mail Transfer Protocol. When the client sends an e-mail, it is sent by the e-mail client to the SMTP server, which is usually hosted by either your (online) mail or internet service provider. The worldwide standard for the SMTP port is port number 25, only being used to send e-mail. After the SMTP server has connected with your mail client a conversation is initiated containing both the address of the recipient and the address of the sender. The recipient address is broken down into the client name and the domain name. If the domain is the same as the domain used to send the mail, the SMTP server passes the message on to the POP/IMAP server. In case a different domain is used, the SMTP server connects to the DNS (Domain Name Server) and will ask for the unique internet web address (IP: Internet Protocol address) of the SMTP server for that domain. The SMTP server connects with the other SMTP server to transfer the message to its server. The message is then placed in the virtual mailbox of the recipient. In reality the delivery of the message between two SMTP servers takes a bit more time and steps, but this process will be explained when we cover the internet and packet sniffing (Brain, 2008).

Post Office Protocol & Internet Message Access Protocol

There are two different protocols for receiving e-mail messages. The oldest and simplest protocol is called POP or POP3 (Post Office Protocol). The transfer process is remarkably simple: when a person uses his or her e-mail client, the client logs in on the POP3 server using port 110 and then uses the LIST command to see if there are any messages that have to be retrieved. If there are new messages available the e-mail client retrieves the messages from the server using the RETR command, after which the virtual mailbox is empty again and all new messages are stored on the client's computer.

The IMAP (Internet Message Access Protocol) is a bit more advanced because it keeps your mail on the mail server and lets the client download copies of the new messages to cache them on the machine. When a new message is read the mail client sends (when connected to the internet) a command to the IMAP server so the message on the server can be marked as read too. This way you are able to keep your mail synchronized in more places (Brain, 2008).

Disadvantages of IMAP for companies might be that the size of the virtual mailbox can take up a lot of unnecessary space on the company's host server. Nowadays POP3 can also support the possibility to keep a copy of your messages on the server, but IMAP still covers a more advanced ground in the mail protocol, being able to change the status of the message on the server to, for example, read.

Why should e-mail be secure?

E-mail has become one of the biggest ways of communication. With 90% of the United States citizens online to read or send e-mail, it is considered the most popular form of communication in both corporate as well as personal communication. 57% of these citizens use e-mail on a day-to-day basis, for it has become part of their daily routine (Brownlow, 2009). Unfortunately that's one of the reasons it has become insecure. E-mail has become a part of our day-to-day routine, which for most people has made it a routine they no longer pay attention to.

The success factor of e-mail lies in the fact that it is simple, cheap, relatively fast and has become something universal everybody is able to use. The total number of e-mails sent in 2009 has been estimated around 90 trillion. This means 247 million e-mails per day are sent and received by an estimated 1.4 billion e-mail users around the world (Pingdom, 2010). We take this form of communication for granted and start using it for almost everything we would like to talk about. Little do we know how secure our communications really are.

While the number of e-mail clients is rapidly increasing, the number of hacking attempts on the internet has increased even more. Security company Symantec shows how the number of infected computers in 2009 has increased with 71% compared to the year before. Every second several hundreds of attempts are made to confiscate sensitive information or to infect a computer with malicious code. Every 4.5 seconds one of these attempts succeeds. These statistics show how a, to most people, seemingly innocent environment just isn't that innocent at all. Internet grows as a common necessity in everyone's life, but most users lose track of how it also grows to be a platform that can be abused in many different ways.

How the internet works

Asking a regular e-mail user how his or her e-mail will actually be delivered to the recipient and what it can be exposed to, will point out how unknown the e-mail traffic actually is. As explained before, the SMTP server will try to connect to the recipient's SMTP server, but the sending process of this e-mail is not done by directly transferring the message server to server. This is not how the internet works. Packets are sent in an assumed direction where they are being received by other servers who keep passing them on to the right direction, so-called routing. When a packet is received by one of these routers, the packet header is examined and the router searches its routing information table (RIT) for an address of a router closer to where the recipient's mail server is located (Wilson, 1997). More shocking is that when your e-mail is not encrypted, which it usually isn't, it is very easy for these servers to read the content of your e-mail if they would actually want to. The correct term for scanning these packets along the e-mail route is packet sniffing. If your e-mails are not being encrypted they are sent as clear text past several routers who then have the ability to intercept and read them.

Not just sending an e-mail can put you in a vulnerable spot. When you are logging in on your POP3 or IMAP4 server, the login information is initially sent as clear text. This means with packet sniffing methods your username and password can be read (Theall, 2004). Now consider the number of people that use the same password for their e-mail client as for access to their bank account; it could become a lucrative business. Nowadays most e-mail clients support encryption for these log-in connections but there are still quite a lot of mail servers that do not use any encryption at all, which leaves plain text login information unsecure.
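
The clear-text login described above, seen from the monitoring side. This is an added example, not part of the original paper: it walks reassembled POP3/IMAP sessions and reports those in which a login command was sent before a TLS upgrade was accepted by the server. The session records, addresses and field names are constructed sample data.

```python
"""Flag POP3/IMAP sessions in which login data crossed the network unencrypted."""
import re

# dst port -> (name, credential command, TLS upgrade command, server "go ahead")
PROTOCOLS = {
    110: ("POP3",
          re.compile(r"^(USER|PASS)\b", re.I),
          re.compile(r"^STLS\b", re.I),
          re.compile(r"^\+OK\b", re.I)),
    143: ("IMAP",
          re.compile(r"^\S+\s+(LOGIN|AUTHENTICATE\s+(?:PLAIN|LOGIN))\b", re.I),
          re.compile(r"^\S+\s+STARTTLS\b", re.I),
          re.compile(r"^\S+\s+OK\b", re.I)),
}


def audit_session(session):
    """Return a finding if a login command was readable on the wire, else None."""
    proto = PROTOCOLS.get(session["dst_port"])
    if proto is None:
        return None  # e.g. 995/993: TLS from the first byte, nothing readable
    name, cred_re, tls_re, ok_re = proto
    upgrade_pending = False
    for direction, text in session["lines"]:
        text = text.strip()
        if direction == "S":
            if upgrade_pending and ok_re.match(text):
                return None  # server accepted the upgrade; the rest is ciphertext
            upgrade_pending = False  # upgrade refused, session continues in clear
            continue
        if tls_re.match(text):
            upgrade_pending = True
            continue
        match = cred_re.match(text)
        if match:
            # Record only the command verb, never the credential itself.
            return {
                "client": session["src"],
                "server": session["dst"],
                "protocol": name,
                "command": " ".join(match.group(1).upper().split()),
            }
    return None


def audit(sessions):
    findings = []
    for session in sessions:
        finding = audit_session(session)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample sessions ("C" = client line, "S" = server line).
SAMPLE_SESSIONS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dst_port": 110, "lines": [
        ("S", "+OK POP3 server ready"),
        ("C", "USER alice"), ("S", "+OK"),
        ("C", "PASS example-password"), ("S", "+OK logged in")]},
    {"src": "192.0.2.11", "dst": "198.51.100.5", "dst_port": 110, "lines": [
        ("S", "+OK POP3 server ready"),
        ("C", "STLS"), ("S", "+OK Begin TLS negotiation")]},
    {"src": "192.0.2.12", "dst": "198.51.100.6", "dst_port": 143, "lines": [
        ("S", "* OK IMAP4rev1 ready"),
        ("C", "a1 STARTTLS"), ("S", "a1 BAD STARTTLS not available"),
        ("C", "a2 LOGIN bob example-password"), ("S", "a2 OK LOGIN completed")]},
    {"src": "192.0.2.13", "dst": "198.51.100.6", "dst_port": 993, "lines": []},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SESSIONS):
        print(finding)
```

The third sample session shows why the server's answer has to be checked: the client asked for encryption, was refused, and logged in over the unencrypted connection anyway.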

Common sense

In analyzing e-mail security and direct threats to the mailbox we find ourselves defining two different fields of prevention. There are on one side the technical aspects (like the encryption and sniffing, mentioned before) and then there is common sense. Common sense is an aspect that can't be prevented as easily as the technical aspects in e-mail security. Assuming most of the people do not know where their e-mail goes after pressing the sending button, they usually aren't that aware to protect their mailbox with some common sense.

There is a big necessity for securing both your mailbox and your internet traffic. As mentioned before it is the number one form of communication in both private and corporate sector. The amount of sensitive information that is being sent through e-mails is gigantic. Summed up from personal information like bank transactions and private matters to company secrets and classified documents. It is really not that hard to intercept and read these e-mails. Of course methods like packet sniffing and breaking into someone's mailbox are still illegal, but that does not keep certain people from trying it.

Which threats exist in e-mail?

With threats we are not focusing so much on the privacy issues of e-mail, but more on technical dangers of receiving e-mail. Most companies think they secure themselves with a firewall which would make unauthorized access to their intranet impossible. Unfortunately this is not entirely true, several attack methods exist that can bypass this firewall. Most importantly firewalls do not check the content of e-mail messages that are being sent and received by the persons who are authorized to use this intranet (GFI Software, 2009). In the last quarter of 2009, Symantec internet Security Company added 921,143 new malicious code signatures to their database (Pingdom, 2010). This is dangerous because the largest amount of the internet users still are ignorant about the internet's capabilities and rely too much on their own false assumptions. This will put them in an unsecure position surrounded by millions of pieces of malicious code.

Trojans

A big threat in receiving e-mails, especially with attachments, is a Trojan. Trojans, short for Trojan horses, are parts of code hidden in a useful little application that locates itself on your hard drive. They got their name from the horse of Troy in the legendary ancient story where Greek soldiers had hidden themselves inside a big wooden horse, allegedly built by Odysseus as a gift for the goddess Pallas Athena and left outside the gates of the city of Troy. Once the Greeks had left (so they made it look like) and the Trojans had broken down a section of the city wall to haul the giant horse into their city, the wooden horse opened up and the Greek soldiers conquered Troy.

Trojans do not automatically spread themselves; they are part of something and the user is the person that accepts and activates the malicious code without knowing it. They usually spread by e-mail and sometimes through p2p (person to person) networks (Petri, 2009).

What a Trojan actually does is open up your PC to other users through a backdoor in the code. A Trojan has access to copy, remove or change files on your hard drive and it can take control of your computer's hardware. Usually Trojans are used to add your computer as a so-called zombie to a botnet. A botnet is a large network of infected computers that can be used to create mass attacks on a different computer or a server. The attacks are called Distributed Denial Of Service (DDOS) attacks: all the zombie computers in the bot network are used to send requests to a single server with the intention to make it crash. Apart from DDOS attacks your computer can also be used as a spam bot to send large amounts of spam e-mails to different e-mail addresses. The spam bot crawls the world wide web for new e-mail addresses to sell these e-mail addresses to companies for spam purposes. Trojans can function for a long time on your computer without you even knowing it; this is what makes them so dangerous.

Viruses

CNN reported in January 2004 that the MyDoom virus cost companies about US$250 million in lost productivity and tech support expenses, while NetworkWorld (September 2003) cited studies that placed the cost of fighting Blaster, SoBig.F, Welchia and other e-mail viruses at US$3.5 billion for US companies alone (GFI Software, 2009).

Computer viruses are most likely the biggest threat in sending and receiving e-mails. They are besides that also the biggest cost expense. Once a computer has been infected by a virus it is usually

In 2000 the ILOVEYOU virus had infected millions of computers all over the world. It soon got the name ILOVEYOU virus although its architecture defined it as a worm. The worm was hidden in an attachment to an e-mail message with the subject ILOVEYOU. The attachment called LOVE-LETTER-FOR-YOU.TXT.vbs made people very curious and lured the user into clicking it and thereby activating the worm. After opening the attachment the worm sent a copy of itself to everyone in the address book and made some malicious changes to the computer system. Because of the enormous amount of e-mail messages being sent at the same time, a lot of POP servers crashed. The worm had a gigantic impact on the world causing an estimated 5.5 billion dollars of damage (Lemos, 2000).
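
The attachment name above ends in .vbs, with .TXT only as a decoy in front of it. The following added example (not part of the original paper) builds a MIME message the way the earlier MIME paragraph describes, parses it again, and flags attachments whose real extension is a script or program type hidden behind a document-looking one. The addresses, the placeholder payload and the two extension lists are assumptions made for the illustration.

```python
"""List the attachments of a MIME message and flag disguised script files."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, non-exhaustive lists chosen for this illustration.
EXECUTABLE_EXTS = {".vbs", ".js", ".wsf", ".hta", ".exe", ".scr", ".bat", ".cmd", ".pif"}
DOCUMENT_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".png", ".xls"}

# Constructed placeholder content; no script is involved.
PLACEHOLDER = b"constructed placeholder bytes, not a real script\n"


def build_sample(filename, payload=PLACEHOLDER):
    """Build a constructed message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("Constructed sample body.")
    # Binary content is carried as base64 text inside the message (MIME).
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def classify(filename):
    """Judge an attachment by its last extension, not by what precedes it."""
    name = filename.strip().rstrip(".").lower()
    stem, last = os.path.splitext(name)
    _, previous = os.path.splitext(stem)
    if last in EXECUTABLE_EXTS and previous in DOCUMENT_EXTS:
        return "double-extension"
    if last in EXECUTABLE_EXTS:
        return "executable"
    return "ok"


def scan(raw):
    """Parse raw message bytes and describe every attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""  # text back to the file
        report.append({
            "filename": name,
            "encoding": str(part["Content-Transfer-Encoding"]),
            "size": len(data),
            "verdict": classify(name),
        })
    return report


if __name__ == "__main__":
    for name in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "report.pdf"):
        print(scan(build_sample(name)))
```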

How can these threats be eliminated?

You can never entirely protect yourself from viruses, Trojans and worms. But you can do a really good job by relying on the right anti-virus software and handling suspicious e-mails accordingly.

Anti-virus software

The right anti-virus software will make sure the majority of these threats will be picked up by scanning the incoming mail and outgoing mail. The most popular anti-virus programs have a detection rate between 95%-99%, which proves they don't entirely protect you from all the existing threats (Mathews, 2009). Nonetheless they do a good job filtering out most of the malicious mails. Always make sure your anti-virus definitions are up to date. Most anti-virus software updates itself when the computer boots, but do make sure you have the latest updates installed on your computer.

When you use an e-mail client on your desktop, make sure your anti-virus program supports inbound as well as outbound e-mail scanning. The most popular software suites do so, but it's still important to make sure that when receiving your mail you know it has been filtered through. The importance of outbound e-mail scanning lies in the fact that you don't hurt your recipients by accidentally mailing them malicious attachments or links. As mentioned before, once a worm has been activated it can copy itself and send these copies to your address book. This is where outbound e-mail scanning comes in place. It picks up the connection made to the SMTP server and scans the e-mails for anything malicious before they are delivered at the SMTP server. If anything is found, the e-mails are blocked and you have prevented yourself from spreading the problem.

Depending on your mail provider, your e-mail might already be scanned for viruses on the server side. There are anti-virus applications which are able to run as a module on (for example) a Linux mail server and make it possible to scan all the SMTP traffic passing that server. Having an anti-virus scan on both server-side and client-side level provides a higher detection rate and therefore increases your protection level in e-mail communication (Kaspersky, 2010).

Think before you act

Although the anti-virus software will intercept the majority of these threats, there is still a very low percentage that can slip through your filter. The point is to be very cautious when you receive e-mail. Developers of malicious code do everything to make the e-mail look as safe and normal as possible. When you receive a new e-mail, there are several precautionary steps you can take to avoid malicious threats (Microsoft, 2010).

- Never trust the sender information. A user is able to spoof the sender address so that the e-mail looks harmless.
- Approach images in an e-mail with caution. Images can contain a harmless code that sends information back to the recipient. The process is triggered by clicking on the image and is often used to harvest e-mail addresses for spamming purposes.
- Approach links in an e-mail with caution. Don't click a link if you do not trust the location it will take you to. By moving the mouse over a link most e-mail clients show you where the link will take you.

Which vulnerabilities exist in e-mail?

Besides threats in e-mail traffic, there are several points of interest to secure your privacy when sending or accessing your e-mail. Because the majority of the people using e-mail rely on modern technology to secure them and their e-mail, they do not realize the user has an equal part in this security. Without the right precautions e-mail in general is quite unsecure.

Privacy

In general an e-mail message is not encrypted, which means your content is sent in plain text to the recipient. Passing several routers that can digitally eavesdrop on the passing e-mails, there are a lot of possibilities for reading your e-mail with the wrong intentions. Unfortunately this is not where it stops. Both ISPs and routers can store unprotected backups of your e-mails.

In effect, every e-mail leaves a digital paper trail in its wake that can be easily inspected months or years later (CPASecure, 2007).

We've discussed the basics of packet sniffing earlier but to understand the vulnerability we will look more closely into the process and accessibility. A packet sniffer (also known as a network analyzer or network monitor) is a program that is used to intercept traffic traveling between two networked computers or servers. The packet sniffer will intercept the packets including data to store it for later analysis. When you send an e-mail, it is broken down into segments all containing a header and footer with the destination address, sender and other information. When the packets arrive with the recipient, they are being reconstructed and the packet headers and footers are stripped away.

A simple example of a functioning packet sniffer is when you connect to a simple hub network with your device and set up the packet sniffer. In the network all the data is spread by a hub. Every computer receives packets that are not meant for it. A simple filter in the computer makes sure that these packets with different destination information are discarded. Usually a packet sniffer is only able to capture the packets intended for the device it is running from. But with a packet sniffer in promiscuous mode you are able to disable the filter and receive all packets traveling through the network. Traffic from computer A to computer B can be intercepted by computer C without A & B knowing it. It's very hard to detect this kind of packet sniffing because it creates no traffic by itself.

This example is based on a hub network which has the principle to send all the packets to all the connected devices. A more secure network would be a switch network because a switch actually sends the addressed packets to the right device, unlike a hub. Unfortunately this does not mean you are protected on a switched network. There are a few workarounds to trick the switch into sending you the packets. One method called ARP poisoning will try to pretend as being the destination device so it will receive the packets. Another way is to flood the switch with different MAC addresses (Media Access Control) so the switch will go in fail-open mode; this mode functions similar to the hub from the previous example. Both of the above-mentioned methods do create traffic where it is easier to detect the packet sniffing (Bradley, 2010; Kayne, 2010).
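
Because both switch workarounds generate traffic of their own, a monitor can look for exactly that traffic. The following is an added example, not part of the original paper: it reports IP addresses claimed by more than one MAC address in ARP replies, and switch ports on which an unusual number of new source MAC addresses appears within a short time. The observation tuples, the window and the threshold are assumptions; the sample data is constructed.

```python
"""Spot ARP poisoning and MAC flooding from the traffic they generate."""
from collections import defaultdict, deque


def arp_conflicts(arp_replies):
    """arp_replies: iterable of (timestamp, ip, mac) taken from ARP replies.

    Returns {ip: [macs]} for every IP claimed by more than one MAC. An address
    handed to a new device also shows up here, so a hit on a gateway or mail
    server address is the case to look at first.
    """
    claims = defaultdict(set)
    for _ts, ip, mac in arp_replies:
        claims[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def flooding_ports(frames, window=10.0, threshold=50):
    """frames: iterable of (timestamp, switch_port, source_mac).

    Returns the ports on which more than `threshold` previously unseen source
    MACs appeared within `window` seconds.
    """
    seen = defaultdict(set)      # port -> every MAC seen so far
    recent = defaultdict(deque)  # port -> times at which a new MAC appeared
    flagged = set()
    for ts, port, mac in sorted(frames):
        mac = mac.lower()
        if mac in seen[port]:
            continue
        seen[port].add(mac)
        times = recent[port]
        times.append(ts)
        while times and ts - times[0] > window:
            times.popleft()
        if len(times) > threshold:
            flagged.add(port)
    return sorted(flagged)


# Constructed sample observations (documentation addresses, made-up MACs).
SAMPLE_ARP = [
    (0.0, "192.0.2.1", "02:00:00:aa:00:01"),   # gateway, original MAC
    (1.0, "192.0.2.20", "02:00:00:aa:00:14"),
    (5.2, "192.0.2.1", "02:00:00:bb:00:99"),   # second device claims the gateway
    (5.9, "192.0.2.1", "02:00:00:BB:00:99"),
]
SAMPLE_FRAMES = [
    (0.5, 1, "02:00:00:aa:00:01"),
    (0.6, 1, "02:00:00:aa:00:14"),
    (0.6, 2, "02:00:00:aa:00:15"),
] + [
    # 200 different source MACs on port 3 within two seconds
    (6.0 + i * 0.01, 3, "02:00:00:cc:%02x:%02x" % (i >> 8, i & 0xFF))
    for i in range(200)
]

if __name__ == "__main__":
    print(arp_conflicts(SAMPLE_ARP))
    print(flooding_ports(SAMPLE_FRAMES))
```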

Besides packet sniffing it is important to know that an e-mail user himself is a big vulnerability too. In the next chapter we will sum up some precautions an e-mail user should take before he or she uses an e-mail client so it becomes clear that technical abuse is not the only vulnerability. Matters like haste, improper use and unawareness can be important risks in e-mail use.

Spam & Phishing

Both spam and phishing mail are unwanted mails that try to make a profit from you. Spam mails are unwanted mails by (usually) an unknown address that try to sell you products or services. Famous spam subject lines are: "You received a greeting card", "Masters degree with no efforts" and "Non-profit job from home". Phishing is in this case a more concealed method where people try to obtain sensitive information in a seemingly secure environment. The e-mail or website tries to masquerade itself as trustworthy to lure the user into filling in his or her personal information. Examples are e-mails from banks, auction sites or online payment companies. It is not hard for anyone to make a website look like it is trustworthy to fill in credit card details. It's important to always check the website address for a correct URL (without any spelling errors) (Windows Live, 2010).

Although spam seems harmless and people quickly identify it, it has still a few unknown downsides to it. When you open a spam e-mail, eight times out of ten it contains a tracking method that enables the sender to identify your e-mail address as active. Your e-mail address can then be sold to spam corporations, in which case you will start receiving even more spam (Information Age, 2006). The biggest downside in spam e-mail is the time-consuming effort to remove and report spam e-mail. It can be a tremendous cost expense for corporations. Google has launched a calculator to estimate the total loss caused by spam. For a company with 100 employees, who work 245 days a year with a salary of 65 euro an hour, spam can cost a corporation over 100.000 euro a year (Google, 2010).

How can these vulnerabilities be reduced?

Most vulnerabilities can be reduced to a minimum but can unfortunately not be eliminated. It is up to the user to determine if the risk level is low enough to use e-mail as a communication method. In lowering this risk level we will take two approaches, a technical and a human approach.

Encryption (SSL, TLS & PGP)

In the technical approach the focus lies on encryption. Encryption is an important part of e-mail security. In encrypting, the messages are cyphered into unreadable code so the packets are not readable for anyone who tries to intercept them. All e-mail traffic should be done through a secure connection. Not only sending and receiving e-mails but also the commands sent to the server, such as login information, should be secure. A secure connection can be established by either using the SSL or the TLS protocol. SSL (Secure Socket Layer) was initially created by Netscape to ensure the integrity of data transport. TLS (Transport Layer Security) is built as an improvement on SSL with stronger key encryption algorithms and the ability to work on different ports. Both TLS and SSL use the public-private key (Asymmetric key Cryptosystem) infrastructure. In this encryption method two unique encryption keys exist, a public and a private key. The public key is used to encrypt the data and the private key to decrypt. The private key remains private but the public key is sent to a recipient to encrypt its data with. This way only the owner of the private key can decrypt the message and see what data it contains (UITS, 2009; Technet, 2010).

Both your e-mail client and e-mail provider should be able to support an SSL or TLS connection in order to use this secure method of exchanging data. Now almost every e-mail client supports SSL and TLS, but unfortunately there are still some older e-mail providers who do not update their servers to adapt to this method of secure data exchange.

Another way to encrypt your e-mail is with the PGP (Pretty Good Privacy) infrastructure. PGP is, like SSL and TLS, also based on an Asymmetric Key Infrastructure but there is a difference. SSL and TLS are more based on the transport of data between clients and servers. PGP is meant for storing data, where it will encrypt the whole e-mail and send it to a recipient that can only decrypt it when he or she also uses PGP. While SSL and TLS are securing the protocol (such as POP, IMAP and SMTP), PGP encrypts a file (the whole e-mail message) and thereby secures the communication between two clients. Besides encryption of the e-mails, a recipient can also identify the sender of the e-mail through an authentication by the sender (RUN, 2010). As mentioned before, a downside is that both clients have to support PGP, which has not become a big standard with e-mail users (yet) (PGP, 2010).

Spam filters

Most e-mail providers and clients offer spam filter options. Even some anti-virus programs offer spam filters. A spam filter will intercept e-mails defined as spam based on the level of privacy that has been set in the filter. Spam filters usually work together with your contact history and a personal database to determine what e-mails are meant for the user and which are spam. E-mails defined as spam will be put in the spam directory and users can scan this directory for possible mistakes. If an e-mail slips through the filter the user has an option to mark it as spam; the sender details will then be taken into account and the e-mail will be dealt with appropriately.

Awareness

Awareness in using your e-mail account might be just as important as installing technical precautions. In corporations it is very important for the administrators to create this awareness among the employees. Important precautions for e-mail users are listed below.

- Keep the number of e-mail accounts to a minimum. It is wise to split personal and corporate e-mail over different accounts but to keep the number of accounts as low as possible. Besides a personal and corporate account it is recommended to create a separate account for less secure traffic, a so-called spam account. This account can be used for internet forms and unsecure communication (ITSecurity, 2008).
- A more secure way of communication is the telephone. If your message can be sent by a telephone call it is wise to choose this more secure and private option.
- Spam traffic is usually cumulative. This means once you start to receive a lot of spam, the amount will slowly increase. It is therefore smart to discard accounts which are receiving an immense amount of spam (ITSecurity, 2007).
- When accessing your e-mail on a public computer, never use an e-mail client but always use the web interface of your e-mail provider. When you are done with the session, close the browser, log out and delete the cache, cookies, history and passwords so there are no traces of your session left.
- Avoid using the reply-all or BCC option in sending e-mails. This way you show your own and others' e-mail addresses to a lot of users. Try using the CC option where other e-mail addresses are hidden to obtain privacy (ITSecurity, 2008).
- Never send sensitive company information with your (unsecure) personal account, always use your corporate account where your privacy can be protected by the company's IT department. If the information happens to be intercepted, you are less vulnerable in possible law conflicts (ITSecurity, 2007).
- Create regular backups of your e-mail account. Important e-mail might be stored in your mail directories, always make sure these e-mails are backed up on your computers. Also when accessing your e-mail on a mobile platform and using the POP protocol, make sure there is a copy of the e-mail on your server. A cell phone is easily lost and with that you would lose all your e-mails too.
- An often used technique to obtain your e-mail address is to send you newsletters with an unsubscribe option. When you have clicked this option you will be linked to a web page and your e-mail address will be stored. Don't unsubscribe from these e-mails unless you remember subscribing to them (ITSecurity, 2007).
- Phishing mails might slip through your spam filter depending on the level of thoroughness you set it to. Identify a phishing mail by looking for anything that implies the mail is not from who it pretends to be. In the mail you will probably be asked to fill in personal information. Most banks, web payments and auction sites use web forms for these matters so if you are asked to mail your account details you can assume it is fake. If they give you a link to go to, always hold your mouse cursor on the link to see where the address may lead you to. Check carefully for spelling errors in the link, which is a common trick to masquerade as a trustworthy identity (Microsoft, 2010).
- Realize where your e-mail goes to and how it travels there. It is important that an e-mail user knows how his e-mail works and what could happen. This might scare the user to avoid e-mail to a certain extent.

Sources

(Black, 2010) What is Email? By Ken Black. http://www.wisegeek.com/whatisemail.htm retrieved on 20-4-2010.
(Hardy, 1996) The Evolution of ARPANET email, by Ian R. Hardy. http://www.livinginternet.com/References/Ian%20Hardy%20Email%20Thesis.txt retrieved on 20-4-2010.
(Brain, 2008) How email works? By Marshall Brain and Tim Crosby. http://communication.howstuffworks.com/email.htm retrieved on 20-4-2010.
(Tschabitscher, 2010) How MIME works, by Heinz Tschabitscher. http://email.about.com/cs/standards/a/mime.htm retrieved on 20-4-2010.
(Hitwise, 2010) Top 20 Sites & Engines, by Hitwise Pty ltd. http://www.hitwise.com/us/datacenter/main/dashboard10133.html retrieved on 21-4-2010.
(Brownlow, 2009) Email and Webmail statistics, by Mark Brownlow. http://www.emailmarketingreports.com/metrics/emailstatistics.htm retrieved on 21-4-2010.
(iHotdesk, 2008) Email most popular form of communication, by iHotdesk. http://www.ihotdesk.com/article/18626486/Emailmostpopularformofcommunication retrieved on 21-4-2010.
(Pingdom, 2010) Internet 2009 in numbers, by Pingdom. http://royal.pingdom.com/2010/01/22/internet2009innumbers/ retrieved on 21-4-2010.
(Wilson, 1997) The Journey of packets, by Garret Wilson. http://www.garretwilson.com/essays/computers/routing.html retrieved on 21-4-2010.
(Theall, 2004) IMAP unencrypted cleartext logins, by George A. Theall. http://www.securityspace.com/smysecure/catid.html?id=15856 retrieved on 21-4-2010.
(Symantec, 2010) Internet Security Threat Report Volume XV: April 2009, by Symantec. http://eval.symantec.com/mktginfo/enterprise/white_papers/bwhitepaper_exec_summary_internet_security_threat_report_xiii_042008.enus.pdf retrieved on 21-4-2010.
(GFI Software, 2009) Protecting your network against email threats, by GFI Software. http://www.gfi.com/whitepapers/networkprotectionagainstemailthreats.pdf retrieved on 22-4-2010.
(Petri, 2009) What's a Trojan horse? By Daniel Petri. http://www.petri.co.il/whats_a_trojan_horse.htm retrieved on 22-04-2010.
(Notenboom, 2007) What's a botnet? Or Zombie? And how do I protect myself from whatever it is? By Leo Notenboom. http://askleo.com/whats_a_botnet_or_zombie_and_how_do_i_protect_myself_from_whatever_it_is.html retrieved on 22-4-2010.
(Spamlaws, 2009) Computer Virus: The Types of Viruses Out There, by Spamlaws. http://www.spamlaws.com/virustypes.html retrieved on 24-4-2010.
(Kamat, 2001) Viruses Types and Examples, by Mayur Kamat. http://www.boloji.com/computing/security/015.htm retrieved on 24-4-2010.
(Beal, 2009) The difference between a computer virus, worm and Trojan horse. By Vangie Beal. http://www.webopedia.com/didyouknow/internet/2004/virus.asp retrieved on 24-4-2010.
(Lemos, 2000) Inside the ILOVEYOU worm. By Robert Lemos. http://news.zdnet.com/21009595_22107344.html retrieved on 24-4-2010.
(Mathews, 2009) Six free anti-virus programs made for your Windows 7 system, by Lee Mathews. http://www.downloadsquad.com/2009/10/24/sixfreeantivirusprogramsmadeforyourwindows7system/ retrieved on 24-4-2010.
(Kaspersky, 2010) Kaspersky Anti-Virus for Linux Mail server, by Kaspersky. http://www.kaspersky.com/antivirus_linux_mail_server retrieved on 24-4-2010.
(Microsoft, 2010) How to handle suspicious mail, by Microsoft. http://www.microsoft.com/protect/fraud/spam/email.aspx retrieved on 24-4-2010.
(CPASecure, 2007) Problems.. by CPASecure. http://www.cpasecure.com/Problems.html retrieved on 25-4-2010.
(Bradley, 2010) Introduction to packet sniffing. By Tony Bradley. http://netsecurity.about.com/cs/hackertools/a/aa121403.htm retrieved on 25-4-2010.
(Kayne, 2010) What is a packet sniffer? By R. Kayne. http://www.wisegeek.com/whatisapacketsniffer.htm retrieved on 25-4-2010.
(Windows Live, 2010) What is phishing? By Windows Live. http://onecare.live.com/site/enUs/article/phishing_what.htm retrieved on 26-4-2010.
(Information Age, 2006) The hidden danger of spam, by Information Age. http://www.informationage.com/articles/295441/thehiddendangerofspam.thtml retrieved on 26-4-2010.
(Google, 2010) The Google ROI calculator, by Google. http://www.google.com/postini/roi_calculator.html retrieved on 26-4-2010.
(RUN, 2010) Email en PGP, by Radboud University Nijmegen. http://www.ru.nl/ictbeveiliging/cert_ru/algemene_informatie/email_en_pgp/ retrieved on 27-4-2010.
(UITS, 2009) What is the difference between SSL and TLS, by University Information Technologies Services. http://kb.iu.edu/data/anjv.html retrieved on 27-4-2010.
(PGP, 2010) PGP Desktop email, by PGP corporation. http://www.pgp.com/products/desktop_email/ retrieved on 27-4-2010.
(Technet, 2010) Technet Library What is TLS/SSL? By Technet Microsoft Corporation. http://technet.microsoft.com/enus/library/cc784450(WS.10).aspx retrieved on 27-4-2010.
(ITSecurity, 2008) Hacking Email: 99 Tips to Make you More Secure and Productive, by ITSecurity. http://www.itsecurity.com/features/99emailsecuritytips112006/ retrieved on 27-4-2010.
(ITSecurity, 2007) 25 Most common mistakes in email security, by ITsecurity. http://www.itsecurity.com/features/25commonemailsecuritymistakes022807/ retrieved on 27-4-2010.