Image from EFF

Is e-mail OK for secret stuff?

Image by EFF

Image by EFF

Short answer: No. Slightly longer answer: Maybe, but not without additional protection.

E-mail is one of the oldest and most widely used services on Internet. It was developed during an era when we were comfortably unaware of viruses, worms, spam, e-crime and the NSA. And that is clearly visible in the architecture and blatant lack of security features. Without going deep into technical details, one can conclude that the security of plain e-mail is next to non-existing. The mail standards do by themselves not provide any kind of encryption or verification of the communicating parties’ identity. All this can be done with additional protection arrangements. But are you doing it and do you know how to?

Here’s some points to keep in mind.

  • Hackers or intelligence agencies may tap into the traffic between you and the mail server. This is very serious as it could reveal even your user ID and password, enabling others to log in to the server and read your stored mails. The threat can be mitigated by ensuring that the network traffic is encrypted. Most mail client programs offer an option to use SSL- or TLS-encryption for sent and received mail. See the documentation for your mail program or service provider. If you use webmail in your browser, you should make sure the connection is encrypted. See this article for more details. If it turns out that you can’t use encryption with your current service provider, then start looking for another one promptly.
  • Your mails are stored at the mail server. There are three main points that affect how secure they are there. Your own password and how secret you keep it, the service provider’s security policies and the legislation in the country where the service provider operates. Most ordinary service providers offer decent protection against hackers and other low-resource parties, but less protection against authorities in their home country.
  • Learn how to recognize phishing attacks as that is one of the most common reasons for mail accounts to be compromised.
  • There are some mail service providers that focus purely on secrecy and use some kind of encryption to keep messages secret. Hushmail (Canada) and Mega’s (New Zealand) planned service are good examples. Lavabit and Silent Mail used to provide this kind of service too, but they have been closed down under pressure from officials. This recent development shows that services run in the US can’t be safe. US authorities can walk in at any time and request your data or force them to implement backdoors, no matter what security measures the service provider is implementing. And it’s foolish to believe that this is used only against terrorists. It’s enough that a friend of a friend of a friend is targeted for some reason or that there is some business interest that competes with American interests.
  • The safest way to deal with most of the threats is to use end-to-end encryption. For this you need some additional software like Pretty Good Privacy, aka. PGP. It’s a bit of a hassle as both parties need to have compatible encryption programs and exchange encryption keys. But when it’s done you have protection for both stored messages and messages in transit. PGP also provides strong authentication of the message sender in addition to secrecy. This is the way to go if you deal with hot stuff frequently.
  • An easier way to transfer secret stuff is to attach encrypted files. You can for example use WinZip or 7-Zip to create encrypted packages. Select the AES encryption algorithm (if you have a choice) and make sure you use a hard to guess password that is long enough and contains upper and lowercase letters, numbers and special characters. Needless to say, do not send the password to the other party by mail. Agreeing on the password is often the weakest link and you should pay attention to it. Even phone and SMS may be unsafe if an intelligence agency is interested in you.
  • Remember that traffic metadata may reveal a lot even if you have encrypted the content. That is info about who you have communicated with and at what time. The only protection against this is really to use anonymous mail accounts that can’t be linked to you. This article touches on the topic.
  • Remember that there always are at least two parties in communication. And no chain is stronger than its weakest link. It doesn’t matter how well you secure your mail if you send a message to someone with sloppy security.
  • Mails are typically stored in plaintext on your own computer if you use a mail client program. Webmail may also leave mail messages in the browser cache. This means that you need to care about the computer’s security if you deal with sensitive information. Laptops and mobile devices are especially easy to lose or steal, which can lead to data leaks. Data can also leak through malware that has infected your computer.
  • If you work for a company and use mail services provided by them, then the company should have implemented suitable protection. Most large companies run their own internal mail services and route traffic between sites over encrypted connections. You do not have to care yourself in this case, but it may be a good idea to check it. Just ask the IT guy at the coffee table if NSA can read your mails and see how he reacts.

Finally. Sit down and think about what kind of mail secrecy you need. Imagine that all messages you have sent and received were made public. What harm would that cause? Would it be embarrassing to you or your friends? Would it hurt your career or employer? Would it mean legal problems for you or your associates? (No, you do not need to be criminal for this to happen. Signing a NDA may be enough.) Would it damage the security of your country?  Would it risk the life of you or others? And harder to estimate, can any of this stuff cause you harm if it’s stored ten or twenty years and then released in a world that is quite different from today?

At this point you can go back to the list above and decide if you need to do something to improve your mail security.

Safe surfing,
Micke

More posts from this topic

wifi_exp_cropped

The Dangers of Public WiFi – And Crazy Things People Do To Use It

Would you give up your firstborn child or favorite pet to use free WiFi? Of course not. Sounds crazy, right? But in an independent investigation conducted on behalf of F-Secure, several people agreed to do just that – just to be able to instantly, freely connect to the Internet while on the go. For the experiment, we asked Finn Steglich of the German penetration testing company, SySS, to build a WiFi hotspot, take it out on the streets of London, and set it up and wait for folks to connect. The purpose? To find out how readily people would connect to an unknown WiFi hotspot. (You can view our complete report, see the video and listen to the podcast below.) Thing is, public hotspots are insecure. Public WiFi simply wasn’t built with 21st century security demands in mind. When you use public WiFi without any added security measures, you leak data about yourself from your device. We know it, but we wanted to find out in general how well people out on the street know, whether or not they take precautions, and what kind of data they would actually leak. We also enlisted the help of freelance journalist Peter Warren of the UK’s Cyber Security Research Institute, who came along to document it all. Accompanying the two was Sean Sullivan, F-Secure’s Security Advisor. [protected-iframe id="4904e81e9615a16d107096f242273fee-10874323-40632396" info="//www.youtube-nocookie.com/embed/OXzDyL3gaZo" width="640" height="360" frameborder="0" allowfullscreen=""] Leaking personal information What we found was that people readily and happily connected, unaware their Internet activity was being spied on by the team. In just a half-hour period, 250 devices connected to the hotspot. Most of these were probably automatic connections, without their owner even realizing it. 33 people actively sent Internet traffic, doing web searches, sending email, etc. The team collected 32 MB of traffic – which was promptly destroyed in the interest of consumer privacy. The researchers were a bit surprised when they found that they could actually read the text of emails sent over a POP3 network, along with the addresses of the sender and recipient, and even the password of the sender. Encryption, anyone? If you aren’t already using it, you should be! The Herod clause For part of the experiment, the guys enabled a terms and conditions (T&C) page that people needed to agree to before being able to use the hotspot. One of the terms stipulated that the user must give up their firstborn child or most beloved pet in exchange for WiFi use. In the short time the T&C page was active, six people agreed to the outlandish clause. Of course, this simply illustrates the lack of attention people pay to such pages. Terms and conditions are usually longer than most people want to take time to read, and often they’re difficult to understand. We, of course, won’t enforce the clause and make people follow through with surrendering their loved ones – but this should give us all pause: What are we really signing up for when we check the “agree” box at the end of a long list of T&C’s we don’t read? There's a need for more clarity and transparency about what's actually being collected or required of the user. The problem So what’s really the issue here? What’s going to happen to your data, anyway? The problem is there are plenty of criminals who love to get their hands on WiFi traffic to collect usernames, passwords, etc. It’s easy and cheap enough for them to set up their own hotspot somewhere (the whole hotspot setup only cost SySS about 200 euros), give it a credible-looking name, and just let the data flow in. And even if a hotspot is provided by a legitimate business or organization, criminals can still use “sniffing” tools to spy on others’ Internet traffic. So be warned: Public WiFi is NOT secure or safe. But we’re not saying don’t use it, we’re saying don’t use it without proper security. A good VPN will provide encryption so even if someone tries, they can’t tap into your data. The Solution F-Secure Freedome is our super cool, super simple wi-fi security product, or VPN. Freedome creates a secure, encrypted connection from your device and protects you from snoops and spies, wherever you go and whatever WiFi you use. (Bonus: It also includes tracking protection from Internet marketers, browsing protection to block malicious sites and apps, and lets you choose your own virtual location so you can view your favorite web content even when you’re abroad.) Still don’t believe that public WiFi poses risks? Take a closer look next time you’re faced with a terms and conditions page for public WiFi hotspot. “A good number of open wi-fi providers take the time to tell you in their T&C that there are inherent risks with wireless communications and suggest using a VPN,” Sullivan says. “So if you don't take it from me, take it from them.”   Check out the full report here (PDF): Tainted Love - How Wi-Fi Betrays Us   Listen to the podcast, featuring interviews with Victor Hayes, the "Father of WiFi," our Sean Sullivan and others: [audio mp3="http://fsecureconsumer.files.wordpress.com/2014/09/wifi_experiment_podcast.mp3"][/audio]   Disclaimer: During the course of this experiment, no user was compromised at any point nor user data exposed in a way that it could have been subject to misuse. We have not logged any user information, and during the experiment a lawyer supervised all our activities to avoid breaching any laws.   Video by Magneto Films    

Sep 29, 2014
bash

Shellshock only concerns server admins – WRONG

Yet another high-profile vulnerability in the headlines, Shellshock. This one could be a big issue. The crap could really hit the fan big time if someone creates a worm that infects servers, and that is possible. But the situation seems to be brighter for us ordinary users. The affected component is the Unix/Linux command shell Bash, which is only used by nerdy admins. It is present in Macs as well, but they seem to be unaffected. Linux-based Android does not use Bash and Windows is a totally different world. So we ordinary users can relax and forget about this one. We are not affected. Right? WRONG! Where is your cloud content stored? What kind of software is used to protect your login and password, credit card number, your mail correspondence, your social media updates and all other personal info you store in web-based systems? Exactly. A significant part of that may be on systems that are vulnerable to Shellshock, and that makes you vulnerable. The best protection against vulnerabilities on your own devices is to make sure the automatic update services are enabled and working. That is like outsourcing the worries to professionals, they will create and distribute fixes when vulnerabilities are found. But what about the servers? You have no way to affect how they are managed, and you don’t even know if the services you use are affected. Is there anything you can do? Yes, but only indirectly. This issue is an excellent reminder of some very basic security principles. We have repeated them over and over, but they deserve to be repeated once again now. You can’t control how your web service providers manage their servers, but you can choose which providers you trust. Prefer services that are managed professionally. Remember that you always can, and should, demand more from services you pay for. Never reuse your password on different services. This will not prevent intrusions, but it will limit the damage when someone breaks into the system. You may still be hurt by a Shellshock-based intrusion even if you do this, but the risk should be small and the damage limited. Anyway, you know you have done your part, and its bad luck if an incident hurts you despite that. Safe surfing, Micke   PS. The best way to evaluate a service provider’s security practices is to see how they deal with security incidents. It tells a lot about their attitude, which is crucial in all security work. An incident is bad, but a swift, accurate and open response is very good.   Addition on September 30th. Contrary to what's stated above, Mac computers seem to be affected and Apple has released a patch. It's of course important to keep your device patched, but this does not really affect the main point of this article. Your cloud content is valuable and part of that may be on vulnerable servers.  

Sep 26, 2014
BY Micke
Screen Shot 2014-09-20 at 9.12.30 AM

GameOver ZeuS: The Kind of Game You Don’t Want On Your Computer

Unlike Team Fortress 2 or Doom, two of the most popular PC games of all time, GameOver ZeuS is not a game you can buy online or would willingly download on to your computer. What is GameOver ZeuS? While we’ve talked about banking Trojans before, none have been as detrimental to users as the GameOver ZeuS or GOZ Trojan, which initially began infecting users in 2012. Gameover ZeuS is designed to capture banking credentials from infected computers, and make wire transfers to criminal accounts overseas. It was allegedly authored by Russian hacker Evgeniy Bogachev, who then implanted it on computers all around the world; building a network of infected machines - or bots - that his crime syndicate could control from anywhere. It’s predominately spread through spam e-mail or phishing messages. So far, it’s been estimated to scam people out of hundreds of millions of dollars and it’s only getting worse. It doesn’t stop there; Gameover ZeuS can also be modified by hackers to load different kinds of Trojans on to it. One such Trojan is a ransomware called CryptoLocker, which is a devastating malware that locks a user’s most precious files by encrypting all the files until he or she pays the hacker a ransom. In June 2014, the FBI, Europol, and the UK’s National Crime Agency announced they had been working closely with various security firms and academic researchers around the world and took action under a program dubbed “Operation Trovar.” This initiative temporarily disrupted the system that was spreading the Trojan and infecting computers, allowing a temporary pause in additional computers from being infected. However, computers that were already infected remained at risk, as they were still compromised. What’s next? The disruption of the GameOver ZeuS botnet was a great success in many ways, but it’s not over. Our security advisor, Sean Sullivan, worries that this temporary disruption was actually more dangerous than completely taking it down. “Without arresting Bogachev, Gameover ZeuS is still a huge threat and likely to evolve to become more dangerous. The hackers can just as easily program a future version of the Trojan to initiate a “self-destruct” order (like destroy every file on a computer) if the ransom isn’t paid, or if authorities try to intervene.” What can we do to protect our digital freedom? Beware of malicious spam and phishing attempts — don’t open any attachments within emails unless you are specifically expecting something. Check email attachments carefully, and make sure you don’t open any files that automatically launch, which frequently end in .exe Have an Internet security solution in place and keep it up to date Keep your Windows operating system and your Internet browser plugins updated Back up all of your personal files regularly Also, check your machines to be sure you do not carry the Gameover ZeuS Trojan. For more information on how this powerful Trojan works and how it is spread, check out this this video. [protected-iframe id="888198d18fd45eae52e6400a39fb4437-10874323-9129869" info="//www.youtube-nocookie.com/v/JhiPDbTIsqw?hl=en_US&version=3&rel=0" width="640" height="360"] Have more questions? Ask us here on the blog.  

Sep 20, 2014