Image from EFF

Is e-mail OK for secret stuff?

Short answer: No. Slightly longer answer: Maybe, but not without additional protection.

E-mail is one of the oldest and most widely used services on the Internet. It was developed during an era when we were comfortably unaware of viruses, worms, spam, e-crime and the NSA, and that is clearly visible in its architecture and blatant lack of security features. Without going deep into technical details, one can conclude that the security of plain e-mail is next to non-existent. The mail standards do not by themselves provide any kind of encryption or verification of the communicating parties’ identity. All this can be done with additional protection arrangements. But are you doing it and do you know how to?

Here are some points to keep in mind.

  • Hackers or intelligence agencies may tap into the traffic between you and the mail server. This is very serious as it could reveal even your user ID and password, enabling others to log in to the server and read your stored mails. The threat can be mitigated by ensuring that the network traffic is encrypted. Most mail client programs offer an option to use SSL or TLS encryption for sent and received mail. See the documentation for your mail program or service provider. If you use webmail in your browser, you should make sure the connection is encrypted. See this article for more details. If it turns out that you can’t use encryption with your current service provider, then start looking for another one promptly.
  • Your mails are stored at the mail server. There are three main points that affect how secure they are there: your own password and how secret you keep it, the service provider’s security policies, and the legislation in the country where the service provider operates. Most ordinary service providers offer decent protection against hackers and other low-resource parties, but less protection against authorities in their home country.
  • Learn how to recognize phishing attacks, as they are one of the most common reasons for mail accounts to be compromised.
  • There are some mail service providers that focus purely on secrecy and use some kind of encryption to keep messages secret. Hushmail (Canada) and Mega’s (New Zealand) planned service are good examples. Lavabit and Silent Mail used to provide this kind of service too, but they have been closed down under pressure from officials. This recent development shows that services run in the US can’t be safe. US authorities can walk in at any time and request your data or force them to implement backdoors, no matter what security measures the service provider is implementing. And it’s foolish to believe that this is used only against terrorists. It’s enough that a friend of a friend of a friend is targeted for some reason or that there is some business interest that competes with American interests.
  • The safest way to deal with most of the threats is to use end-to-end encryption. For this you need some additional software like Pretty Good Privacy, a.k.a. PGP. It’s a bit of a hassle as both parties need to have compatible encryption programs and exchange encryption keys. But when it’s done you have protection for both stored messages and messages in transit. PGP also provides strong authentication of the message sender in addition to secrecy. This is the way to go if you deal with hot stuff frequently.
  • An easier way to transfer secret stuff is to attach encrypted files. You can for example use WinZip or 7-Zip to create encrypted packages. Select the AES encryption algorithm (if you have a choice) and make sure you use a hard-to-guess password that is long enough and contains upper and lowercase letters, numbers and special characters. Needless to say, do not send the password to the other party by mail. Agreeing on the password is often the weakest link and you should pay attention to it. Even phone and SMS may be unsafe if an intelligence agency is interested in you.
  • Remember that traffic metadata may reveal a lot even if you have encrypted the content. That is info about who you have communicated with and at what time. The only protection against this is really to use anonymous mail accounts that can’t be linked to you. This article touches on the topic.
  • Remember that there are always at least two parties in communication. And no chain is stronger than its weakest link. It doesn’t matter how well you secure your mail if you send a message to someone with sloppy security.
  • Mails are typically stored in plaintext on your own computer if you use a mail client program. Webmail may also leave mail messages in the browser cache. This means that you need to care about the computer’s security if you deal with sensitive information. Laptops and mobile devices are especially easy to lose or steal, which can lead to data leaks. Data can also leak through malware that has infected your computer.
  • If you work for a company and use mail services provided by them, then the company should have implemented suitable protection. Most large companies run their own internal mail services and route traffic between sites over encrypted connections. You do not have to care yourself in this case, but it may be a good idea to check it. Just ask the IT guy at the coffee table if the NSA can read your mails and see how he reacts.
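
The points above about encrypted transport and traffic metadata can both be read off a message's headers. The following Python code is an added example, not part of the original post: it parses a constructed PGP/MIME message and reports what stays readable although the body is encrypted, namely who, when, the subject line, and whether each relay hop reported TLS. All addresses, hosts and ids are made up, and the `exposure_report` name is hypothetical.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: a PGP/MIME message (RFC 3156) as a mail server stores it.
# Addresses, hosts, ids and the ciphertext placeholder are made up.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTPS id abc123; Mon, 02 Sep 2013 10:15:02 +0000
Received: from laptop.example.net (unknown [198.51.100.7])
\tby mx.example.net with ESMTP id def456; Mon, 02 Sep 2013 10:15:00 +0000
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: contract draft
Date: Mon, 02 Sep 2013 10:14:58 +0000
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

def exposure_report(raw):
    """Return what remains readable to anyone handling the message."""
    msg = message_from_string(raw)
    encrypted = (msg.get_content_type() == "multipart/encrypted"
                 and msg.get_param("protocol") == "application/pgp-encrypted")
    hops = []
    for received in msg.get_all("Received", []):
        m = re.search(r"\bwith\s+(\S+)", received)
        proto = m.group(1).upper() if m else "UNKNOWN"
        # RFC 3848: ESMTPS/ESMTPSA mean the receiving server reported TLS.
        hops.append((proto, proto in {"ESMTPS", "ESMTPSA"}))
    parties = getaddresses(msg.get_all("From", []) + msg.get_all("To", []))
    return {"body_encrypted": encrypted,
            "who": [addr for _, addr in parties],
            "when": parsedate_to_datetime(msg["Date"]).isoformat(),
            "subject": msg["Subject"],
            "hops": hops}

print(exposure_report(SAMPLE))
```

The TLS flag is only what each receiving server wrote into its own Received line, so treat it as a hint rather than proof that a hop was encrypted.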

Finally, sit down and think about what kind of mail secrecy you need. Imagine that all messages you have sent and received were made public. What harm would that cause? Would it be embarrassing to you or your friends? Would it hurt your career or employer? Would it mean legal problems for you or your associates? (No, you do not need to be criminal for this to happen. Signing an NDA may be enough.) Would it damage the security of your country? Would it risk the life of you or others? And harder to estimate, can any of this stuff cause you harm if it’s stored ten or twenty years and then released in a world that is quite different from today?

At this point you can go back to the list above and decide if you need to do something to improve your mail security.

Safe surfing,
Micke

More posts from this topic

I really miss Benjamin Franklin!

January 7th was a sad day. The Charlie Hebdo shooting in Paris was both an attack on free speech and fuel for more aggression against Muslims. And controversially also fuel for even more attacks against free speech.

The western society’s relation to free speech is very complicated nowadays. Officially it is still valued as a fundamental right. But it is also seen as a threat, even if politicians are very keen to masquerade free speech reductions as necessary security improvements. British PM Cameron’s recent debacle is an excellent example. In his opinion, there must not be any form of communication that the authorities can’t listen in to, which would mean restrictions on encryption. Non-digital metaphors are usually a good way to explain things like this. This is as smart as banning helmets because they make it harder to recognize criminals riding motorcycles.

French president Francois Hollande wanted to join the party and proposed a law making internet providers responsible for users' content in their services. The idea was to make companies like Facebook and Twitter monitor all communication and call Paris as soon as someone talks terrorism. This goes even further than Cameron as it actually would force companies to do the police’s work. But should the phone company also be held responsible if it turns out that a terrorist has been allowed to place calls? And maybe even send mail delivered by the postal service? Hollande did of course not include those as they would help people understand how crazy the idea is. Anything can be misused for criminal purposes. But trying to make providers of things responsible is just madness and hurts the whole society and economy.

The important point here is naturally that freedom of speech is a much broader concept than what Charlie Hebdo utilizes. The caricatures express our freedom to communicate publicly without censorship. But there is also another dimension of free speech. Everybody has the right to choose whom they communicate with and whom a message is intended for. This is not just about secrecy and privacy, it is really about being free to exchange opinions without worrying about them being used against you later by some third party. This dimension of free speech would of course not exist in Cameron’s ideal society.

So no Cameron and Hollande, you are definitively not Charlie! It’s sad that the great “Je Suis Charlie” movement has become a symbol for both freedom of speech and hypocrisy. Didn’t you really see anything wrong in first marching in support of Charlie Hebdo in Paris, and then immediately attacking freedom of speech yourself? It takes courage to be a leader and balance between security and freedom.

Today we really need leaders like Benjamin Franklin, who had guts and said things like “Freedom of speech is a principal pillar of a free government; when this support is taken away, the constitution of a free society is dissolved, and tyranny is erected on its ruins.” and “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”

Safe surfing,
Micke

Image by Markus Winkler @ Flickr under CC BY-SA 2.0 via Wikimedia Commons
Benjamin Franklin quotes from wikiquote.org

Jan 29, 2015

It’s Data Privacy Day, and Companies Know More About You Than Ever

Nowadays companies know more about you than ever. But do you know what they’re doing with all your data?

Today's Data Privacy Day, and at F-Secure we usually talk a lot about defending your personal data from online criminals: the likes of hackers, scammers and WiFi snoops. But today we'd like to talk a little about how your privacy can be invaded completely legally, by private businesses who collect your data, and how you can protect yourself.

We give companies unprecedented access to our personal info and shopping habits. We give knowingly, such as when we fill out a website form. We also give in ways we may not be aware of, in the case of online advertisers who track our clicks around the web and gain insight into our interests and preferences. These advertisers are building up detailed, extensive profiles about us so they can target us with online ads we'll be more likely to click on. The apps we install garner even more of our information. Not to mention what we give to social networks and our email providers. The result: a mass of digital data is spread around about each of us that's super difficult to control.

An Adroit Digital study found that 58% of respondents aren't comfortable with the amount of information they have to give to get special offers or services from retailers, and 82% are uncomfortable with the amount of information online advertisers have about them. And according to a survey by SAS, more than 69% of respondents agree that recent news events have increased their concerns about their data in the hands of businesses. News events like all-too-common data breaches, no doubt. But there's also a skepticism of what businesses and organizations may do with the data they are entrusted with. Last week, for example, Americans were shocked to learn that their government’s healthcare website had been quietly funneling consumers’ personal details along to advertising and analytics companies.

At F-Secure, we've always been extremely conscious about the responsibility we have to respect the privacy of our customers' data and content. We recently put our core privacy principles into a structured form and shared them with the world, and Micke delved into them in a recent 3-part series. We also are passionate about helping you protect your own privacy, which is why we've created privacy-centered products like Freedome, which keeps online advertisers out of your business by blocking tracking. At the very least, we hope to inspire you to be, if not already, a little more aware of your data trail. So in celebration of Data Privacy Day, here are a few tips for helping you keep from spreading your data too far:

6 Tips for Defending Your Personal Data

  • Check before committing. If your relationship with a business means you’ll be giving up a lot of data to them, check for a privacy policy or principles that outline how they use customer data.
  • Choose privacy. Turn on Private or Incognito mode in your web browser so that websites can’t use cookies to identify you.
  • Check your settings. Use this handy list to check your privacy settings on all the most popular sites, from ecommerce to social media and more. Provided by the folks behind Data Privacy Day.
  • Search carefree. Use F-Secure Search, our free search engine that makes sure your search history is not stored anywhere or linked to you.
  • Get informed. Use F-Secure App Permissions, our free app that lets you know what information you’re giving up to the apps you’ve installed on your phone.
  • Keep advertisers at arm's length. Use F-Secure Freedome, our privacy app that blocks third-party online advertisers from following you around the Web. Freedome is available for a free 14-day trial here.

Happy Data Privacy Day!

Image courtesy Philippe Teuwen, flickr.com

Jan 28, 2015

The big things at CES? Drones, privacy and The Internet of Things

F-Secure is back from CES -- where the tech world comes together in Las Vegas to preview some of the latest innovations -- some of which might change our lives in the coming years, others never to be seen or heard again. Inside the over 200,000 square meter exhibit space, drones flew, and made a fashion statement; hearing aids got smartphone apps; and 3-D printers printed chocolate.

We made a stir of our own with Freedome. Our David Perry reminded the industry professionals that the mobile devices nearly all of them were carrying can do more than connect us. "I want you to stop and think about this," he told RCR Wireless News as he held his smartphone up on the event floor. "This has two cameras on it. It has two microphones. It has GPS. It has my email. It has near-field detectors that can tell not only where I am but who I'm sitting close to. This is a tremendous amount of data. Every place I browse on the internet. What apps I'm running. What credit cards I have. And this phone doesn't take any steps to hide my privacy."

In this post-Snowden world, professionals are suddenly aware of how much their "meta-data" can reveal about them. Privacy also played a big role in the discussion of one of the hottest topics of 2015 -- the Internet of Things (IoT). The world where nearly everything that can be plugged in -- from washing machines to light bulbs to toasters -- will be connected to the internet is coming faster than most predicted. Samsung promised every device they make will connect to the net by the end of the decade. If you think your smartphone holds a lot of private data, how about your smarthome?

"If people are worried about Facebook and Google storing your data today, wait until you see what is coming with #IoT in next 2-5 years," our Ed Montgomery tweeted during the event's keynote speeches, which included a talk from US Federal Trade Commission Chairwoman Edith Ramirez that tackled privacy issues on the IoT.

Newly detected attacks on home routers suggest that the data being collected in our connected appliances could end up as vulnerable to snoops and hackers as our PCs. Some fear that these privacy risks may prevent people from adopting technologies that could eventually save us time, effort and energy.

At F-Secure we recognize the promise that IoT and smart homes hold and we’re excited about the coming years. But we also understand the potential threats, risks, and dangers. We feel that our job is to enable our customers to fully enjoy the benefits of IoT and that is why we’re working on new innovations that will help customers to adopt IoT and smart home solutions in a safe and controlled way. It will be an exciting journey and we invite you to learn more about our future IoT solutions in the coming months.

We at F-Secure’s IoT team would like to hear from you! Are you ready to jump on the IoT? What would your dream connected home look like? Or have you perhaps already set up your smart home? What are you worried about? How could your smart home turn into a nightmare? Read the rules and post your thoughts below for your chance to win one of our favorite things -- an iPad Air 2 16 GB Wi-Fi.

[Image by One Tech News | via Flickr]

Jan 21, 2015