Email insecurity


Email was invented 50 years ago at a time when security and privacy were not major concerns.  Times have changed.  Now every government, business, hacker and vandal wants to mess with your email.  Now email has plenty of security and privacy issues.

Here are my quick suggestions for safer email and then some detailed explanations.


Quick suggestions for safer email

  • DO NOT open attachments or click on links in emails that are suspicious.  Be careful.
  • Use good passwords.
  • Use two email accounts – one for important stuff and a second for less important stuff.
  • Protect your important email account with 2 factor authentication.
  • Don’t put anything in an email that you wouldn’t want the world to know.
  • If you must send sensitive documents, encrypt them.
  • Don’t respond to spam or trolls.


Getting hacked by email

Email is the most common way to get hacked.

The results of a phishing email hack can be as ugly as identity theft, monetary loss, data loss and reputation damage.

The phishing email message may look legitimate but contains a malicious attachment or link.  This is how the bad guys grab control of your computer.  They send you an official looking email that scares or intrigues you.  The email has an attachment that you open and run.  This installs a virus.  Or the email has a link.  You click the link, open a website and a virus gets installed.  Or the link takes you to a real looking website that asks you for login credentials or personal information.

The virus can do bad things – silently monitor your keystrokes for passwords which it sends back to the hacker, encrypt your files and demand a ransom, make your computer a botnet member, change your DNS so that you browse to counterfeit websites, monitor your computer use and so forth.

Email errors and privacy

You may think that you are in control of your email, but there are plenty of ways to lose it.  A wrong address, CC, BCC or Reply All can send email off to unexpected recipients.  Realize that email can be forwarded with a click.  Walk away from your device and someone can use your account, even change the password.  Hackers.  Drunk email.

Best not to put anything you wouldn’t want the world to see in an email.

Email is forever

Nothing is forever but web mail services and business email are being backed up.  Web mail services may be backed up indefinitely.  Businesses have the right to delete after a legal retention time.  You may think that you deleted an email but it exists on a backup somewhere.   Oddly the US government considers email older than 6 months fair game to read without a warrant.  Hackers, employees, system administrators and subpoenas can get access to email.

Governments and businesses are collecting and archiving all the information that they can get their hands on including email.

What you write goes into your permanent file.

Plain text

When email is sent between systems it is usually in plain text.  This means that anyone along the way can read, modify or make a copy of the email.  Some mail transfers are encrypted but don’t count on it.  Mail encryption software has been around a long time but never gained widespread acceptance due to its complicated nature.

When email is in plain text, privacy is gone.  Messages can be modified so authenticity is gone.  Realize that all mail messages are vacuumed up by government and business everywhere for analysis and storage, and plain text is that much easier to analyze for government and business reasons.
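To see which transfers of a message you received were encrypted, read the Received headers that each mail server adds. The sketch below is an added example, not part of the original post; the message, host names and addresses in it are constructed.

```python
import re
from email import message_from_string

# Constructed sample: three hops. Each server prepends its own Received
# header, so the oldest hop is the last one in the message.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.9])
 by store.recipient.example with ESMTPS id 3; Mon, 01 Jan 2024 10:00:03 +0000
Received: from out.sender.example (out.sender.example [203.0.113.5])
 by mx.recipient.example with ESMTP id 2; Mon, 01 Jan 2024 10:00:02 +0000
Received: from laptop.local ([192.0.2.44])
 by out.sender.example with ESMTPSA id 1; Mon, 01 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: quarterly numbers

body
"""

# "with" protocol keywords: the RFC 3848 names containing an S after
# ESMTP/LMTP mean the receiving server saw the transfer arrive over TLS.
TLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
NO_TLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}

def hop_report(raw):
    """Return (receiving_host, protocol, status) per hop, oldest hop first."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", flat)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", flat)
        name = proto.group(1).upper() if proto else None
        # Anything not recognised stays "unknown" rather than being guessed.
        status = "tls" if name in TLS else "plaintext" if name in NO_TLS else "unknown"
        hops.append((by.group(1).rstrip(";") if by else "?", name, status))
    return hops

def unprotected_hops(raw):
    """Hops where no TLS was recorded; one is enough to expose the message."""
    return [hop for hop in hop_report(raw) if hop[2] != "tls"]

if __name__ == "__main__":
    for hop in hop_report(SAMPLE):
        print(hop)
```

Only the headers added by your own provider are trustworthy; earlier ones are written by servers you do not control, and TLS on a hop protects the message in transit only, not while it sits on each server.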

Other email annoyances

Spam.  Spam.  Spam.  Spam.

Scams.  Scams have been around since day one; email is just a new high tech way to commit fraud.  Examples are emails that try to trick you into thinking that you owe the IRS and need to make a payment immediately or be arrested.  Offers of romance and pharmaceuticals.  The Nigerian Prince needs your help transferring millions of dollars and will pay for your help.

Spoofed email.  Email From fields can be made to say anything and appear to be from someone important.  The email header can show the true source of an email.
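Here is what reading the header for the true source can look like in practice, as an added example that is not part of the original post. It compares the visible From field with the envelope sender and with the SPF, DKIM and DMARC verdicts recorded by the receiving server; the message and all addresses are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From field claims a bank, but the envelope sender
# and the receiving server's authentication verdicts say otherwise.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=bank.example.com
Received: from mailer.example.net (mailer.example.net [203.0.113.7])
 by mx.example.org with ESMTP id abc123; Mon, 01 Jan 2024 10:00:00 +0000
From: "Your Bank" <security@bank.example.com>
To: you@example.org
Subject: Urgent: verify your account

Click the link.
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw):
    """List reasons the visible From field should not be taken at face value."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])
    # A mismatch is a hint, not proof: legitimate bulk mailers also cause it.
    if env_dom and env_dom != from_dom:
        findings.append(f"From domain {from_dom} differs from envelope sender {env_dom}")
    # Trust only the Authentication-Results header added by your own provider.
    results = " ".join(msg.get_all("Authentication-Results", []))
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", results)
        verdict = m.group(1).lower() if m else "missing"
        if verdict != "pass":
            findings.append(f"{check} verdict is {verdict}")
    return findings

if __name__ == "__main__":
    for line in spoof_indicators(SAMPLE):
        print(line)
```

Note that SPF passes in the sample: it only vouches for the envelope sender's domain, which is why the DMARC verdict on the visible From domain is the one to watch.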

Reply and Reply All gotchas.  Email clients default to Reply only to the sender.  If the message was sent to a group and people only Reply to the sender, the conversation gets fragmented real fast.

Email lacks cues for emotion so it is easy to write ambiguous email and misread the intention of email.  Is he angry?  Is she being funny?  For this reason be careful to write clearly and even add those dumb emoticons 🙂 to clarify.  DON’T SHOUT UNLESS YOU MEAN IT!

Email overload can cause one to miss important messages.

You can do everything right but the email provider fails

An email provider can get hacked and your account can be stolen.  Yahoo! email is an example of a service that got hacked.  A flaw in an email system can expose you to exploits.

An email provider can go out of business and lock you out of your email or make mistakes and lose your email.

Customer service may be difficult or impossible for web based services.

Recovering forgotten passwords can be difficult.  Recovering passwords for the deceased can be difficult.

Business email

Every business uses email.  They want their system private and secure so that their business secrets, transactions and client information are safe.  Most businesses take their email seriously and take steps to protect and secure their systems.

One step a business will take is to require that employees read and sign an agreement called an Acceptable Use Policy (AUP) that spells out what email may be used for, limiting personal use, requirements for sending sensitive information, password requirements, antivirus requirements, cautions about phishing and attachments and more.  You may have seen warnings and policies displayed when logging on to a business system.  You may have seen those disclaimers at the bottom of business emails stating that business correspondence is confidential and if you received it by mistake you must delete it.

Business email is highly vulnerable to phishing and malicious attachments.  This is a good way for hackers to gain a foothold on one computer then penetrate the whole system.

Compromised email systems can be a big embarrassment when emails are released – think Wikileaks, the hacks of Sony and the DNC.

The company owns the computer system and everything on it including email so they have the right to monitor and read everyone’s email.  This can be done in an automated fashion, looking for keywords.  Realize that the company sees everything in email.

Use discretion with personal use of company email.  Employees can be disciplined or fired for email errors, misuse or use contrary to company HR policies.  If you aren’t getting promotions, maybe it is because you called the boss a clown in email.

At work, use your smartphone for personal email.  If you wish to use a web mail service at work, at least check the site’s certificate in your browser for evidence of a proxy.


Where is your email stored?  Two ways to email

There are two popular ways to send, receive and store email.  One way is using an email client on your computer and the other is using a web based email service.

An email client such as Outlook stores your email in a big file on your computer.  It will receive emails from a server (POP3) or synchronize emails with a server (IMAP and MAPI).  One advantage is that you have all your email on your computer and don’t need an Internet connection to access it, like on the road.  But there are many disadvantages to storing your email this way.  The worst is that you can lose all your email if you move it from the server to your client (POP3 with delete) and then lose your client because your computer is stolen or lost or the hard drive fails.  People rarely back up to avoid this loss.  Another disadvantage is that your email is only accessible on the one device.  Outlook is good in a business environment with Exchange Server and nerds to maintain it all, but for the home and small business user I recommend a web based email service.

Web based email services include AOL Mail, Gmail, Outlook/Hotmail and Yahoo! Mail.  The advantages of web based mail are that you can access it from any Internet device via browser or app and the service backs up your email.  These services offer free accounts with plenty of storage and include other services like calendars and online office suites.  The disadvantage of web email services is that they use and sell your information to advertisers, business and anyone else.

There are other ways to use email.  One is to use a paid service that promises not to read or sell your email info.  Choose a service in a neutral country to avoid government interference.  You can use your own mail server.  You can encrypt everything.

Email at untrusted locations

Using email at untrusted locations such as public libraries or a friend’s computer carries the risk of keystroke loggers.

Using email with untrusted WiFi is best done with a VPN.

Look for the https:// in the address bar to know that you are using an encrypted connection to the website.

