Short answer: No. Slightly longer answer: Maybe, but not without additional protection.
E-mail is one of the oldest and most widely used services on Internet. It was developed during an era when we were comfortably unaware of viruses, worms, spam, e-crime and the NSA. And that is clearly visible in the architecture and blatant lack of security features. Without going deep into technical details, one can conclude that the security of plain e-mail is next to non-existing. The mail standards do by themselves not provide any kind of encryption or verification of the communicating parties’ identity. All this can be done with additional protection arrangements. But are you doing it and do you know how to?
Here’s some points to keep in mind.
Finally. Sit down and think about what kind of mail secrecy you need. Imagine that all messages you have sent and received were made public. What harm would that cause? Would it be embarrassing to you or your friends? Would it hurt your career or employer? Would it mean legal problems for you or your associates? (No, you do not need to be criminal for this to happen. Signing a NDA may be enough.) Would it damage the security of your country? Would it risk the life of you or others? And harder to estimate, can any of this stuff cause you harm if it’s stored ten or twenty years and then released in a world that is quite different from today?
At this point you can go back to the list above and decide if you need to do something to improve your mail security.
You have all heard the classic mantra of computer security: use common sense, patch your system and install antivirus. That is still excellent advice, but the world is changing. We used to repeat that mantra over and over to the end users. Now we are entering a new era where we have to stress the importance of updates to manufacturers. We did recently write about how Chrysler reacted fairly quickly to stop Jeeps from being controlled remotely. They made a new firmware version for the vehicles, but didn’t have a good channel to distribute the update. Stagefright on Android demonstrates a similar problem, but potentially far more widespread. Let’s first take a look at Stagefright. What is it really? Stagefright is the name of a module deep inside the Android system. This module is responsible for interpreting video files and playing them on the device. The Stagefright bug is a vulnerability that allows and attacker to take over the system with specially crafted video content. Stagefright is used to automatically create previews of content received through many channels. This is what makes the Stagefright bug really bad. Anyone who can send you a message containing video can potentially break into your Android device without any actions from you. You can use common sense and not open fishy mail attachments, but that doesn’t work here. Stagefright takes a look at inbound content automatically in many cases so common sense won't help. Even worse. There’s not much we can do about it, except wait for a patch from the operator or phone vendor. And many users will be waiting in vain. This is because of how the Android system is developed and licensed. Google is maintaining the core Linux-based system and releasing it under an open license. Phone vendors are using Android, but often not as it comes straight from Google. They try to differentiate and modifies Android to their liking. Google reacted quickly and made a fix for the Stagefright bug. This fix will be distributed to their own Nexus-smartphones soon. But it may not be that simple for the other vendors. They need to verify that the patch is compatible with their customizations, and releasing it to their customers may be a lengthy process. If they even want to patch handsets. Some vendors seems to see products in the cheap smartphone segment as disposable goods. They are not supposed to be long-lived and post-sale maintenance is just a cost. Providing updates and patches would just postpone replacement of the phone, and that’s not in the vendor’s interest. This attitude explains why several Android vendors have very poor processes and systems for sending out updates. Many phones will never be patched. Let’s put this into perspective. Android is the most widespread operating system on this planet. 48 % of the devices shipped in 2014 were Androids (Gartner). And that includes both phones, tablets, laptops and desktop computers. There’s over 1 billion active Android devices (Google’s device activation data). Most of them are vulnerable to Stagefright and many of them will never receive a patch. This is big! Let’s however keep in mind that there is no widespread malware utilizing this vulnerability at the time of writing. But all the ingredients needed to make a massive and harmful worm outbreak are there. Also remember that the bug has existed in Android for over five years, but not been publically known until now. It is perfectly possible that intelligence agencies are utilizing it silently for their own purposes. But can we do anything to protect us? That’s the hard question. This is not intended to be a comprehensive guide, but it is however possible to give some simple advice. You can stop worrying if you have a really old device with an Android version lower than 2.2. It’s not vulnerable. Google Nexus devices will be patched soon. A patch has also been released for devices with the CyanogenMod system. The privacy-optimized BlackPhone is naturally a fast-mover in cases like this. Other devices? It’s probably best to just google for “Stagefright” and the model or vendor name of your device. Look for two things. Information about if and when your device will receive an update and for instructions about how to tweak settings to mitigate the threat. Here’s an example. Safe surfing, Micke Image by Rob Bulmahn under CC BY 2.0
This is the fourth in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. It was only just past 1 pm, but Magda was already exhausted. She had recently fired her assistant, so she was now having to personally handle all of the work at her law office. With the aching pain in her head and monstrous hunger mounting in her stomach, Magda thought it was time for a break. She sat at her desk with a salad she had bought earlier that morning and decided she’d watch a short online video her friends had recently told her about. She typed the title in the browser and clicked on a link that took her to the site. A message popped up that the recording couldn’t be played because of a missing plugin. Magda didn’t have much of an idea what the “plugin” was, which wasn’t surprising considering that her computer knowledge was basic at best – she knew enough to use one at work, but that was pretty much all. It was the recently sacked assistant, supported by an outsourced IT firm, who took care of all things related to computers and software. A post-it stuck to Magda’s desk had been unsuccessfully begging her to install an antivirus program. “What was this about?”, Magda tried to remember. At moments like this, she regretted letting the girl go. After some time, she recalled that her assistant had mentioned something about a monthly subscription plan for some antivirus software to protect the computers, tablets and mobile phones. This solution, flexible and affordable for small businesses like Magda’s firm, had also been also recommended by the outsourced IT provider. Despite a nagging feeling that something wasn’t right, she clicked “install”. After a few seconds, the video actually played. Magda was very proud of herself: she had made the plugin thing work! A few days later, she logged into her internet banking system to pay her firm’s bills. As she looked at the balance of the account, she couldn’t believe her eyes. The money was gone! The transaction history showed transfers to accounts that were completely unknown to her. She couldn’t understand how somebody was able to break in and steal her money. The bank login page was encrypted, and besides that, she was the only person who knew the login credentials... At the bank she learnt that they had recorded a user login and transfer orders. Everything had been according to protocol, so the bank had no reason to be suspicious. The bank’s security manager suggested to Magda that she may have been the victim of a hacker’s attack. The IT firm confirmed this suspicion after inspecting Magda’s computer. Experts discovered that the plugin Magda had downloaded to watch the video online was actually malware that stole the login credentials of email accounts, social networking sites and online banking services. Magda immediately changed her passwords and decided to secure them better. She finally had good antivirus software installed, which is now protecting all of the data stored on her computer. She recalled that her bank had long been advising to do that, but she had disregarded their advice. If only she hadn’t... Her omission cost her a lot of money. She was happy, though, that money was all she lost. She didn’t even want to imagine what might have happened if any of her case or clients information had been compromised. That would have been the end of her legal career. "This is why you should always use different browsers for different sorts of tasks," F-Secure Security Advisor Sean Sullivan explains. "Any browser you use for sensitive financial transactions should be used just for that, especially at work." To get an inside look at business security, be sure to follow our Business Insider blog.
In response to news that the secret records of more than 22 million Americans have been breached, possibly by attackers from China, you may have heard the loaded term being used to describe the unprecedented attack. "Why are we ignoring a cyber Pearl Harbor?" a conservative columnist asked. F-Secure Security Advisor Sean Sullivan joined other experts in explaining that while the Office of Personnel Management hack was a very big deal, it's hyperbole to call it an act of war. Sean argues that the term cyber war should be limited to cyber weapons that cause actual physical damage. It would have to break the so-called "kinetic barrier". There is no international treaty that defines online rules of engagement but he points to NATO's Tallinn Manual on the International Law Applicable to Cyber Warfare, which attempts to apply existing laws to cyber warfare. Cyber attacks present an even more vexing challenge in attributing the author of an attack than stateless terrorism. But regardless the author, any cyber attacks on a hospital, for instance, would be illegal under existing law. Sullivan sees the OPM hack as more likely to be part of another governmental activity that predates the internet: espionage. "Espionage can be a part of warfare, if you think they’re gathering that information for military defense purposes," he said. "Or it can be counterintelligence." He suggests the OPM hack data could be used to find which Americans are, for instance, not working on diplomatic mission and thus might be intelligence. He notes that former NSA contractor Edward Snowden briefly worked at a U.S. embassy. The lack of a background check in that instance could suggest that he was working as a spy under a false identity. There’s a difference between war and warfare, Sean notes. "It could be China is interested in defensive capabilities," he said. "It’s an aspect of warfare. It’s not war." If it were to transgress to the level of war, the results would be severe. "We can assume that China is a rational actor," Sean said. "It wants world power without wrecking the world economy. Military posturing is more likely." He suggests that the U.S. should be much more concerned about the protection of all of its digital data. “I guarantee you that the IRS’ records are just as vulnerable," he said, suggesting that the one thing that may be keeping taxpayers' records safe is the government's tendency to rely upon dated technology like magnetic tape. And at least some powerful U.S. officials agree that more must be done to secure America's private information. But don't expect them to be satisfied with the same sort of restricted networks the private sector relies upon. A bipartisan coalition of senators are backing new legislation that would give the Homeland Security secretary the authority "to detect intrusions on .gov domains and take steps similar to what the National Security Agency can do with the Pentagon," according to Roll Call. Ah, so more powers for the NSA. Isn't that always the endgame these days when the language of war being tossed around? [Image by U.S. Naval War College | Flickr]