Email Security
There are six significant risks to your security associated with anyone’s use of email:
- Opening files that contain viruses, usually these are attachments to emails sent to you.
- Getting what looks like an ‘Official’ email and clicking on a link and typing in your username and password into a bogus site. This is called ‘Phishing’.
- Having your email account stolen and losing your contacts, this allows the thief to send trusted emails to your friends and family.
- Having your email account stolen and losing the sensitive contents like passwords or really private information stolen (see Hillary Clinton’s Campaign)
- Being stupid. Don’t think that you can get 5 million dollars from an African potentate. Don’t taunt a spammer.
- Email is transmitted without encryption from your computer to your recipients computer and all hops in between. Don’t send passwords or sensitive documents via email.
The first two categories involve what you do when reading email, the second two involve securing your email account.
Email History
Before we look at these six areas in detail, it is useful to understand how email works and why. In the pre-internet days of the 1970’s to mid 1990’s, email existed but it was usually a separate system for each computer company that did not interact with the greater world. When I worked at Cray Research, the supercomputer company, in 1988, I had two concurrent email systems that I needed to pay attention to: One had sales people on an HP system, and the other had technical people on a Digitial Equipment system, these email systems did not interact.
With the development of the ARPAnet and other government sponsored systems came a more universal email system, one that we use today. It was based on a very simple concept that emails would be transferred via a specific known address on every computer that supported it. So if you new the address of the computer, you could just send mail to port 22 on that computer and viola! your mail was sent!
Today, this has some profound implications, when you author an email in say Lima Peru on your Macintosh and send it to your friend in Europe, your transmitting and unencrypted message that anyone who can intercept the message can read in the clear and it’s specifically kept unencrypted until it’s delivered in Europe. This SCREAMS to not use email to send passwords, or credit card numbers, etc.
Better looking emails came in the early 2000’s, with the ability of mail systems to support web viewable emails.
Email Overview
To send an email you just have to use the email protocol, the key take away here is NOTHING is verified. Everything in the email header, including the To: the From: can be fake. So emails from the Bank of America can look legitimate when sent from a Nigerian spammer.
Also, when you open and email, it is very easy to display a web link, it’s also very easy to have that web link go somewhere nefarious. So the link that is highlighted going to bankamerica.com could go to nefarious.com (hover over link in this sentence to see where it’s really going).
My father used to say “believe nothing of what you hear, and only half of what you see”. In this case bring skepticism to every email you read.
Email address harvesting
You might be wondering, how is it that I get so much spam mail? Companies sell their email lists is how you get commercial spam. Other ways your email address is harvested is by people scanning the web (including comment pages) for email addresses. In light of yahoo’s hack, equifax’s hack, home depot’s hack, and other major hacks, email addresses are easily available for spammers.
Email Attachment Viruses
Here is an example of an attachment virus:
This example is an attempt from someone claiming to be from the bank of america sending me an archive program file (.zip file) that contains a computer virus. If I clicked on this particular file and I had a window’s PC, my computer would now be infected.
In the past, Window’s PC’s were notoriously easy to install viruses. You took your bad code and placed it in a place where windows would run it. Done. Macintosh computers, since the emergence of Mac OS were harder to install viruses, often you needed the owner to say ‘Oh my computer wants to install software I didn’t buy and don’t know about! should I say yes?’ This was a hurdle for the virus makers. In the last few years, however, most software developers use a large percentage of open source code (the source is viewable to anyone), and more people are using Macintoshes so they have become a larger target and creative virus creators are in a war with software developers.
Recommendation (no really it’s a demand!): Install virus checker on every computer you have, and make sure it runs every day and make sure it updates itself with new virus definitions every day!
Email Phishing
The US State department hired a security company that emailed government employees with an email that looked official but asked them to login to a fake site. Over 50% of the recipients gave up their username and password to this company, which used it as a training exercise.
Some emails sent to you legitimately need you to click on them, like when you change a password and the website needs to verify it’s you, or using a password manager when someone shares a password. Most emails do not need you to click on their contents. You can just go to the website on your browser.
Recommendation: Unless you triggered an email, don’t click on email links for known websites.
Compromised email account
You have two significant risks associated with your email account getting hacked: Losing your contacts, and compromising the contents of your email. How does your email get hacked? Mainly, reuse of passwords or really bad password hygiene. In 2008 yahoo lost everyone’s passwords to a hack, all of us who reuse passwords should have had a wake up call. Is your gmail password the same as any other password? Yup you’re at risk.
Losing your contacts to a hacker
This can have terrible consequences to your friends. A friend who is a public official that we know, sent us a wedding vow renewal invitation for he and his wife, the hitch was we had to log into to our google account to accept it. Bing! a light went off my wife’s head and she thought, gee that’s weird, then realized the address wasn’t google. This public official had been hacked and his contact information was used to send a ‘trusted’ email to his contacts. Protecting your email account is critical to protecting your friends.
Losing critical information to a hacker
Has anyone sent you a password via email? How about your credit card information, is it in a email? do you keep every email you’ve ever received? Anything that you’d not be proud of in your email? Receipts? Even thought many of think our email content is unimportant, would a hacker find a gold mine?
Securing your email account
You should view your email account as probably the most secure account you need, even more important than a bank, or investment account, since it’s the key to changing your address or verifying your identity. If it’s lost, you might be in real danger and you might not even know it’s lost. A careful hacker can eliminate traces that the account has been hacked. Two things are critical: a very strong password and 2 factor (or multifactor) authentication.
2 factor authentication means that you need a username and password AND you need some other verification, often on a smartphone to verify that it’s really you.
Recommendation: Change your email password to a VERY secure password (see password managers), and move to an email system that uses 2 factor authentication and enable it.
Currently, 2 factor authentication is available for Apple Mail, Google’s gmail, Microsoft’s outlook. If you use any of these you should enable this feature. If you’re still using Yahoo, they’ve been repeatedly hacked and it looks like they are now owned by Verizon, so I say maybe it’s time to move to gmail.
Stupidity or Gullibility
“If it’s too good to be true…” You are not going to get rich emailing Nigerian spammers to receive your $5,000,000 from Idi Amin’s widow. Sorry. Just like Bill Gates isn’t going to donate a $1 for a random charity every time you click Like on Facebook. Why do people send you these? Because they work.
Don’t engage with spammers: it won’t end well. If someone is angry at you and they have some personal info like an email address, you can find yourself being hacked. A tech writer, Kevin Roose, a few years ago asked a few hackers to try to hack his accounts. He was not pleased with the ease that they found just about every piece of personal information about him. They did it two ways: a phishing email (which he was on the lookout for) and social engineering (a hacker claiming to be his wife in an emergency called customer service with a youtube video of a baby crying in the background, and the frantic customer service rep allowed an over the phone password change). Anonymity is a good thing, don’t mess it up.
Recommendation: Don’t piss off spammers
Transmitting sensitive documents on Email
Use creative ways to send sensitive documents. Use a password manager (lastpass.com, 1password, etc) to invite others to see and use your password, NEVER email a password. Recently when trying to book a hotel in Ecuador the only way to secure the reservation was to email a scan of our credit card information including the security code. The secure solution we came up with was to scan the document into our dropbox (dropbox.com) and send a link to the hotel with a 24 hour expiration of that link.
Good Email versus Bad email
As we discussed before, email information can be fake. So how do email systems figure out wants good (Ham) versus what’s bad (Spam)? Some do a really poor job of sorting out spam from ham. Google’s gmail is probably the best example of good spam identification, but it has both false positives (real mail going to the spam folder) and false negatives (spam to your inbox). I get about 15-20 spam emails a day and google catches most of them. If you hate getting spam in your inbox, then you probably should be on gmail, google has excellent knowledge of spam versus ham.
Recommendations: If spam email is an issue you probably are already on gmail, check the spam folder once a week to help ‘train’ gmail on what it got wrong (good emails characterized as spam).
Your probably sending out spam without knowing it
If you have an email address that’s been around for a while (in my case about 22 years), its already been harvested by spammers. They will probably use it for sending out spam and there isn’t anything you can do about it. I received this a few weeks ago from a mail server:
This mail is from me but, not really. All of the to and from information here is bad or untraceable. This is life.
Recommendations: Your email address might be used to send out spam but gmail will normally characterize it as spam so don’t worry, your not a bad person. 🙂
Summary
Your primary risk on email is losing your account to a hacker. Your Email is used by most websites as a verification of ownership, so:
- Use a STRONG Password, generally 16 characters that have no dictionary words.
- Use a mail system with 2 factor authentication, if you don’t have it, move to gmail
- use a good email system with strong junk mail filtering
Your secondary risk is losing secure passwords to phishing schemes. Distrust all emails. If you think you’ve been phished, change your password immediately.
This is the first in a series of blogs, the second blog entry is about passwords, the last blog entry is about securing your credit files.