Protect Your Email Communications

PROTECT YOUR EMAIL COMMUNICATIONS (From the NSA, FBI, Hackers & Foreigners)
White Paper, Exclusive Series 2 of 3
Email Malcolm at: SpeakUp@MalcolmOutLoud.com
© 2013 Malcolm Out Loud, LLC
Situation

All email communication is vulnerable to snooping by official and unofficial entities. What are the options available to protect and secure email communications? There are many alternatives from simple to complex, each providing a varying degree of privacy.

Executive Summary & Background

Billions of email messages flow through thousands of Internet computer servers daily and most are in "plain text", meaning they can be easily read by anyone who intercepts them. The process of sending a simple email involves sending multiple messages over the internet to complete the mail delivery.
In this graphic we see that a simple message from Alice to Bob involves multiple communications links across the Internet, each one of which may be intercepted using readily available software and hacking techniques. Alice creates her message on her computer, tablet or smart phone and sends it to her email provider (smtp.a.org). The ISP stores the message while it contacts the Name Server to convert "b.org" to the IP address of pop3.b.org. With the IP address, the message is forwarded to that email server, then into the email box for Bob at pop3.b.org. When Bob next checks his email box he downloads the email message from Alice, completing the transaction.

Problem

In reality, nearly all emails travel a more circuitous route through the Internet, passing through multiple servers and communications links. At each of these servers copies of the emails are saved, at least temporarily. And, if they are in plain text, they can be easily read. Also, they are stored on multiple servers, sometimes for years, to prevent loss and for later investigation, review and customer retrieval at email providers such as AOL, Gmail and Yahoo. Under various US and foreign laws the service providers are required to provide access to the communications links and messages stored on their mail servers. Hackers and rogue employees also access these messages to steal information or cause harm to account owners.

Don't forget that computers, tablets and smart phones store your email messages until you delete them. Sometimes for years! If your device is lost or stolen, all of these messages are immediately compromised if they are still in plain text.

Solution

Providing absolute privacy is very difficult or maybe impossible given the capabilities of organizations such as the NSA. However, there are several simple steps that can be taken to make interception more difficult for the casual hackers and snoops.
Here are suggestions for increasing the privacy of emails.

1. Use strong email passwords and change them often.

The first and most important step for email privacy is to use a strong password and change it often. Yes, remembering passwords and remembering to change them is difficult for most people. And we have so many passwords to remember today for bank accounts, email accounts, credit card accounts, etc. A simple and effective solution is to use a Password Manager. You create one secure master password that you can easily remember and it securely stores all of the rest of your passwords for you. There are several free ones available such as KeePass (www.keepass.com), Roboform (www.roboform.com) and Dashlane (www.dashlane.com). They also store other login information, simplifying your account access. Most work across multiple platforms (computers, smartphones, tablets, etc.) so a single master password accesses all of your passwords and login information. Some of the Password Managers even help you create secure passwords of random characters, numbers and special characters. If you use Norton Antivirus, they provide a free, feature-rich program, Norton Identity Safe, that securely stores your login information and shares it securely over the internet with multiple devices.

A word of caution. Recently it has been reported that the US Government is demanding that major internet companies turn over their users' stored passwords. This represents an escalation in surveillance techniques that has not been previously reported. If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log into an account, peruse confidential correspondence and even impersonate the account holder. Whether the NSA or FBI has the legal authority to demand an internet company divulge a hashed password, salt and algorithm remains murky. The Justice Department has argued in court proceedings before that it has broad legal authority to obtain passwords. So far, the results of two court cases
have been mixed. Both of these cases deal with criminal proceedings where the password holder is the target of a criminal investigation. They don't address a hashed password that is stored on the servers of a company which is an innocent third party.

If you are concerned about this loss of privacy for your communications, then consider encrypting your messages when they are created and stored on your computer, and send them as encrypted attachments to emails. While this does not prevent the government or snoops from accessing your account, it does protect the privacy of your communications. For details on using encryption, see paragraph 3 below.

2. Use SSL (Secure Socket Layer) and TLS (Transport Layer Security) to encrypt the communications link between your computer or smart phone and your email server.

To secure the connection between your email provider and your computer or other device, you need to set up Secure Socket Layer (SSL) and Transport Layer Security (TLS) encryption, the same protection scheme that you depend on when checking your bank account or making online purchases. This is especially important if you regularly check your email or browse the web over open WiFi systems. Keep in mind that if your email provider is required to give access to government snoops, or the system has been compromised by hackers, your emails on their server are plain text! However, securing this link is critical if you are using WiFi, especially in a public location. And, it also protects your privacy while web browsing.

If you check your email with a Web browser (whether on a desktop, a laptop, a smartphone, or a tablet), take a moment to ensure that SSL/TLS encryption is active. If it is, the website address (URL) will begin with https instead of http; depending on your browser, you should see some additional indication, such as a notification next to the address bar or a small yellow padlock icon on the status bar at the bottom of the browser window.

Figure: Encrypted connection to Gmail using Internet Explorer 9. Note the 'https' in the address bar.
If you don't see an 'https' address and other indicators after logging into your Web-based email program, type an s at the end of the 'http' and press Enter. If your email provider supports SSL/TLS, that instruction will usually prompt it to encrypt your current connection. Then browse your account settings to see whether you can activate encryption by default for future logins, and whether you can create or modify bookmarks or shortcuts to your email site using the 'https' address. If you can't force the encryption, check with your provider as they may not support SSL/TLS.

If you use a desktop client program like Microsoft Outlook to check your email, or if you use an email app on your smartphone or tablet, you should still try to use SSL/TLS encryption, but in such situations encryption is harder to verify or to set up. To do it, open your email program or app and navigate to the settings menu; there, your account will likely be labeled as a POP/SMTP, IMAP/SMTP, HTTP or Exchange account. Look for an option to activate encryption; it's usually in the advanced settings near where you can specify the port numbers for incoming and outgoing connections.
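As an added example, not taken from the white paper, the following Python audit applies the advice above to a client's account settings: it flags plain-text ports, optional STARTTLS that a network attacker could strip, and disabled certificate checking, and shows how to open the session with a context that verifies the server. The settings vocabulary and the function names are the example's own assumptions.

```python
"""Audit a mail client's account settings for the transport-encryption
pitfalls the paper warns about, then connect only over verified TLS.

Added example: the settings vocabulary and function names are assumptions,
not taken from any particular mail client or from the paper."""
import imaplib
import poplib
import smtplib
import ssl

# Implicit-TLS ports: the session is encrypted from the first byte.
IMPLICIT_TLS_PORTS = {"pop3": 995, "imap": 993, "smtp": 465}


def hardened_context() -> ssl.SSLContext:
    """Require a valid certificate for the named host and at least TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_hardened(ctx: ssl.SSLContext) -> bool:
    """True when the context rejects forged certificates and weak protocol versions."""
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def audit_account(protocol: str, port: int, encryption: str, verify_cert: bool) -> list:
    """Return findings for one account; an empty list means the link is protected.

    encryption: "none", "ssl" (implicit TLS), "starttls-required" or
    "starttls-if-available" (opportunistic upgrade)."""
    findings = []
    if encryption == "none":
        findings.append(f"{protocol}/{port}: password and mail travel in plain text")
    elif encryption == "starttls-if-available":
        # Opportunistic STARTTLS falls back to plain text whenever the
        # upgrade is blocked or stripped somewhere on the network path.
        findings.append(f"{protocol}/{port}: STARTTLS is optional, downgrade to plain text possible")
    elif encryption == "ssl" and port != IMPLICIT_TLS_PORTS[protocol]:
        findings.append(f"{protocol}/{port}: implicit TLS belongs on port {IMPLICIT_TLS_PORTS[protocol]}")
    if encryption != "none" and not verify_cert:
        findings.append(f"{protocol}/{port}: certificate checking disabled, any interceptor is trusted")
    return findings


def connect_implicit_tls(protocol: str, host: str, ctx=None):
    """Open a POP3, IMAP or SMTP session on its implicit-TLS port with verification."""
    ctx = ctx or hardened_context()
    port = IMPLICIT_TLS_PORTS[protocol]
    if protocol == "pop3":
        return poplib.POP3_SSL(host, port, context=ctx)
    if protocol == "imap":
        return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    if protocol == "smtp":
        return smtplib.SMTP_SSL(host, port, context=ctx)
    raise ValueError(f"unknown protocol {protocol!r}")
```

A clean audit only means the link to your own provider is protected; the message is still stored in plain text on the server, which is what section 3 addresses.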
Figure: You can enable encrypted connections in Outlook's advanced settings. It also requires the use of new ports such as 995 for POP3 and 465 for SMTP.

If you use a Microsoft Exchange email account for work, for example, you'll find a designated area for security settings where you can clearly see whether encryption/security is enabled for the incoming and outgoing connections and for your Microsoft Exchange account. If it isn't enabled, check with your email provider to see whether the provider supports encryption, and consider switching to a service that allows SSL/TLS encryption.

3. Use Encrypted Email Service

Using SSL/TLS encrypts the messages on the communications links from your computer to the email server. But the message remains in plain text on your computer/smart phone and on the email servers. Also, from your email server to the recipient, the messages are again in plain text and readily available to snoops and hackers.

For important messages containing information you do not want to share, use file encryption. Simple and free programs like TrueCrypt (www.truecrypt.com) let you easily encrypt documents and files for transmission. Once the documents are encrypted, they can be sent as attachments to normal email messages. In this case, the files are fully encrypted from end to end, meaning that at no time are they readable as plain text until the recipient decrypts them using TrueCrypt software and the same encryption key as the one used to encrypt the message originally. Of course, you must pre-share the key in a secure fashion to allow decryption. However, the metadata is still plain text and may be intercepted, analyzed and stored by snoops and hackers. Also, it is generally believed that when snoops detect an encrypted file they routinely put it aside for future analysis and potentially cracking the encryption to read the message, in the belief that it most likely includes valuable information.

TrueCrypt is a very powerful and versatile encryption system with many additional uses. We will cover more of these capabilities in the next White Paper on Web Browsing.

Some other email encryption products automatically encrypt your email messages for you and manage the process inside email clients such as Microsoft Outlook as well as through webmail. Two of these are Sendinc (www.sendinc.com) and FlexCrypt (www.flexcrypt.com). Both of these offer free and paid services with an annual fee per subscriber. One of the advantages of these products is that the recipient is not required to have the software loaded on his device. To decrypt messages it is only necessary to enter the pre-shared key. And, you can respond to an encrypted message without having the software loaded on your computer. Unfortunately, at this time both of these products only work on Windows desktop systems.
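To make the metadata caveat concrete, here is an added example (not from the paper or from TrueCrypt) that uses Python's standard email library to build two messages, one carrying the report in the body and one carrying it as an encrypted attachment, and lists what any server that stores or forwards them can read without a key. The addresses, subject and date are constructed, and the attachment bytes are a constructed stand-in for a TrueCrypt container, not real ciphertext.

```python
"""Show what an intermediary still reads when the content travels as an
encrypted attachment. Added example; the addresses, subject, date and
'container' bytes are constructed sample data."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Optional

# Constructed stand-in for an encrypted TrueCrypt container (not real ciphertext).
FAKE_CONTAINER = bytes(range(256)) * 4


def build_message(body: str, attachment: Optional[bytes] = None) -> bytes:
    """Build the RFC 5322 message exactly as a sending client would hand it to SMTP."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "alice@a.org"                     # constructed addresses
    msg["To"] = "bob@b.org"
    msg["Subject"] = "Q3 acquisition plan"          # constructed subject
    msg["Date"] = "Mon, 01 Jul 2013 09:00:00 +0000"
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="plan.tc")
    return bytes(msg)


def relay_view(raw: bytes) -> dict:
    """Everything a relay or mailbox server can read from the stored message
    with no key at all: headers, attachment names and sizes, readable body text."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return {
        "headers": {k: str(msg[k]) for k in ("From", "To", "Subject", "Date")},
        "attachments": [(p.get_filename(), len(p.get_payload(decode=True)))
                        for p in msg.iter_attachments()],
        "body_text": body.get_content().strip() if body is not None else "",
    }


def compare() -> tuple:
    """Plain-text message vs. the same content sent as an encrypted attachment."""
    plain = relay_view(build_message("Offer $40M for Acme by Friday."))
    sealed = relay_view(build_message("See attached.", FAKE_CONTAINER))
    return plain, sealed
```

The sender, recipient, date, subject and attachment filename are identical in both views, so when the content is sensitive, keep the subject line and filename uninformative as well.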
Other products such as SilentCircle (www.SilentCircle.com) offer a suite of products for securing all communications, including email. It establishes a completely private communications network between clients and is not intended for general communications to Internet subscribers. For $10 per month, personal users get a comprehensive package of services. All communications from users are encrypted peer-to-peer and SilentCircle does not have access to the plain text of communications. Their servers are outside the US, which provides some protection against legal snooping, but some limited metadata is available.

For commercial customers there are many more solutions for managed secure email and other communications services available at prices from low to very high. Banks, financial institutions and medical facilities are required to have and use these systems.

4. Hiding information in plain sight: Steganography

Sometimes, when you really want to make sure people aren't able to read your email or data, encrypting it may not be enough. While people won't have immediate access to encrypted files, they may eventually find a brute-force way to decrypt it, or they may force you to share the password and encryption algorithm. For cases like those, you'll want not only to encrypt the data but to hide it.

Steganography, or hiding messages in plain sight, is another choice for securely sending messages and files. And they can be sent by open email systems. In modern practice, steganography means taking a media file such as an MP3 or a JPEG image and burying data in it. The file still works as usual, and if you don't specifically look for the hidden data, you'll have no idea the encrypted information is even there. One good tool for this is OpenPuff, a powerful open-source steganography application that supports a wide variety of "carrier" formats for hiding data in, including MP3, JPG, and more.
OpenPuff's interface looks simple at first, but it does take some getting used to. For example, you could hide an important text message in an image file, and then post that file publicly online. Another party could then download the file and, using OpenPuff and a password you both shared in advance, process the file and extract whatever information you've buried in it.

By default, OpenPuff asks you to protect your information with three different passwords, although it does let you dial that down to just a single password. It even supports plausibly deniable encryption, and this is where things get really paranoid: even if someone somehow realizes your seemingly innocent image or music file contains a hidden message, OpenPuff lets you hide a decoy along with the real message. Simply provide a different password, and the other person will extract the decoy out of the image, thinking they've won; but actually, your real secret will still be hidden in the file.
Figure: OpenPuff lets you select the level of encryption and suggests that you use three passwords.

Steganography usually works well for hiding short text messages or other condensed information; obviously, you can't hide an entire video file within another video file using steganography, there's just no room for all of those extra bytes. Still, if you need to hide a large amount of information, OpenPuff lets you chain multiple carrier files together into one large message. To extract the information, the recipient (or yourself) needs to have all of the carrier files, and feed them into OpenPuff in exactly the right sequence, along with the correct password or passwords. Not for the faint of heart.

Summary

For those needing the ultimate in email privacy, a combination of techniques is required. And, there is no 100% certainty that any of them, or all of them combined, cannot now or in the future be compromised by governments or determined hackers. The techniques discussed in this White Paper provide starting points but are not intended as a full analysis of everything available today in this marketplace. There are many more products and techniques available that are not covered here in the interest of time. Some may be exactly the solution you prefer. With the current interest in communications privacy, many new products are being released to the private market. Systems and products that previously were only available to governments or large corporations are now being released in versions intended for small companies and individuals. Stay tuned, these are exciting times!
About The Author

Robert D. (Bob) Francis
Technology Expert
Managing Partner, Milford Communications Partners

After an extensive career in telecommunications and data communications companies, Francis founded Milford Communications in 1993 to promote the development of high technology companies and projects. Francis directed a high technology practice in Washington DC with a focus on Satellite, Internet, Multimedia and Wireless technologies.
www.milfordcommunications.com

Malcolm Out Loud
Chairman, The Out Loud Network
TV and Radio Host

The brand of Malcolm Out Loud is delivered around the world and across multiple platforms. We live in a world that is communications rich and fast changing... which creates a thirst for knowledge and an appetite for truth! Malcolm is a great alternative to the talking heads that influence the headlines with their agenda-driven analysis. Malcolm is first and foremost an Innovator and a Visionary who inspires and encourages people around the world to tap into their greatest strength: themselves!
www.MalcolmOutLoud.TV
www.BrinkThinking.com
