Sunday, May 1, 2011

Is Our E-mail Safe?

Over the past few years it has become evident that we are taking our online safety into our own hands. Some users are undereducated in protecting themselves and their precious data. Some users rely on Internet security software, anti-virus software, anti-spam software, and pop-up blockers to protect them. Some users take for granted what it is they actually need to protect.

I am not a security expert and any information provided here should be viewed as an opinion or observation and is not intended to provide answers or solutions. It is only to remind all of us that we must act more responsible when on-line and take everything we see and hear on-line with skepticism.

This post was inspired by the recent mass e-mail breach reported by Epsilon back on March 31, 2011. This sort of thing happens quite frequently but normally goes without a major fanfare because the information that was leaked or the clients that were involved are not in the masses. In this case, the story picked up national attention because of the clients involved and the amount of data that was retrieved. I will not go into details of the story as you can find all the true and false information on-line. The point is that even when you fully trust someone with a secret, there is always the possibility that the trust will be violated. In many cases, not deliberately, but we are all human and can be misguided or tricked into doing or saying something that we did not intend.

With this most recent episode, supposedly only e-mail addresses and names slipped out. What this means to many of us is that we will start getting more junk e-mail. Hurray! Just what I was needing! This is why I keep multiple e-mail accounts. One is truly personal and if anyone gives it out without my permission I will need to reevaluate my relationship with said person. Another e-mail address is semi-personal. It is the one I give to banks, companies, or legitimate online forums as my e-mail address. I do not like to get junk e-mail in my semi-personal e-mail box, but if I do it is not the end of the world. I then have a third e-mail account that I will give out when I do not really want to hear from the person who is requesting it. I do not check this e-mail account unless I have specifically asked someone or something to e-mail me at that address. This is the e-mail address I will use when I must provide an e-mail address to get something I need.

I can live with the junk e-mail that will most likely result from these recent e-mail address leaks. The real danger of this type of leak is posers or phishing attempts. These are the type of things that even educated Internet users can fall victim to.

What happens is that an e-mail that looks very official comes from a company that you do business with. The e-mail will lead you to believe that something may be wrong with your account or even lead you to believe nothing is wrong with your account. They may simply say, "We are writing to inform you of a recent security breach at one of the advertisers we do business with. Although none of your account information was stored by the third-party and we have no reason to believe your account is at risk, we have taken steps to improve security of our web site. At this time, we ask that you follow the below link to update your security settings. As a reminder, we will never ask you to provide personal or security information via e-mail." Although this e-mail may be legitimate, there is no way to know by simply looking at the e-mail, the sender's address, or the e-mail's headers.

The design of the Internet and the protocols used by e-mail was not intended to be safe and secure. It is similar to the United States Postal Service. A letter is written, placed into an envelope and addressed to a recipient. In addition, a return address may or may not be written on the envelope. Postage is applied to the envelope and it is turned over to a mail carrier. Although the United States Postal Service works very hard to protect these letters from being received or breached by unintended parties while they are carried from the sender to the recipient, there is no way to know that the sender is really who they say they are. Sure, you may be able to identify which postal facility the letter originated from by using the post mark, but this too is meaningless as a means to identify the sender.

What this means is that you should never trust anything received via e-mail. Regardless if you know the sender or not. Many of us hear that we should not trust e-mails from senders that we do not recognize, but really, we shouldn't trust e-mails from anyone! Especially the people we know! We should really be asking, "Is that link Mom sent me actually going to infect me with a virus?" "Did Mom really send me this e-mail or has her computer been infected by a worm that has accessed her address book and e-mail account?"

If you receive an e-mail that asks you to do something pertaining to one of your accounts, the best thing to do is to ignore it or contact the sender using information outside of the e-mail. For example, if this is for a credit card account, call the credit card company using the phone number listed on the back of your card or on an old statement. Or go to their website using the web address printed on the back of the credit card or on an old statement.

The harm in a link

The link displayed in the e-mail says one thing but can actually be taking you to a different site or performing an unintended action.

For example, the link appears to be a valid address to your bank or an online store but could actually be taking you to a completely different site which is not affiliated with your bank or the online store you are doing business with. The "different" site's address will look very similar to the legal site address but its not. This is because some letters and numbers can easily be switched around and the human brain fixes it without you even realizing it. This is how many optical illusions work. Once you go to the fake web site, it looks just like the real thing. You are then tricked into providing your account information such as user name, password, account number, or other information that can be used to access personal information. This is what we have come to know as the Phishing scam.

Additionally, the process of clicking on the link can result in you confirming you are real and potentially result in additional junk e-mail or spam. This is because the link may seem harmless but actually contains a URL parameter that identifies your e-mail address which then tells the sender that your e-mail address is valid and active. This is how the unsubscribe link in many junk e-mails work. Which then results in continued junk e-mails plus a whole lot more. By clicking a link in an e-mail, you are indicating that the e-mail address it was sent to is valid and in use. Therefore, making your e-mail address more valuable to those who are selling it to advertisers, spammers, and other scam artists.

How many words is a picture really worth?

Images displayed in HTML e-mail can actually be reporting receipt of the e-mail. This is similar to clicking on a link in an e-mail. Just by downloading the image, you may actually be sending information to someone on the Internet letting them know that your e-mail address is active and that you received and opened the message. This makes your e-mail address more valuable to advertisers, spammers, and scam artists. Many e-mail applications disable the ability to display HTML images sent in an e-mail and require you to confirm the download of such images before they are downloaded.

This does not mean you can not send images in an e-mail. When you send images in an e-mail, you are normally attaching a physical file to the e-mail. What this pertains to is an image link that is placed in the e-mail body of a message. As a link, the real image isn't downloaded until the e-mail is viewed in an HTML viewer. At that point, your e-mail application goes out onto the Internet and grabs the image from some remote location. It is possible that the link included information that identifies your e-mail address and therefore tells someone out there that your e-mail address is active and more valuable.

The old fashioned attachment

The attachment, although seemingly harmless, is not what it has been advertised as. That e-mail you get from your bank that says "Your latest statement, with personal identifiable information removed, is attached." and indicates that it is a PDF could actually be named "Statement.PDF.exe" and by opening it, you are actually infecting yourself with a virus or malicious software. This can also be true for those cute photos that your sister sends around. They may appear to be JPEG or JPG images and actually display an image when you open them, but in reality, they are executable files that are infesting your computer with a virus or malicious code.

Over time, users have become educated on file types and extensions. They know not to open e-mails with a .EXE or .CMD or .BAT extension. But this isn't good enough. First off, there are many other file formats that can contain malicious code. Additionally, file extensions can be hidden by naming technique or by the e-mail client application itself. It could simply be chopping off the stuff after the last dot because it thinks it knows what the file type is and displays an icon in the attachment list as an indicator to the user. Later versions of WIndows and Outlook have made this a thing of the past, but keep in mind that people are always trying to find new exploits.

Are you really you?

The sender of the e-mail can be faked. Each e-mail contains detailed message headers that show where it originated and what servers it touched along the way but this information is not validated and can be added or faked by the original sender or by anyone who intercepted the e-mail along its route to your e-mail box.

A legitimate request for information

From time to time we receive e-mails from our bank or other companies we do business with, that remind us that they will never ask us for personal or account information. That is a great reminder but what about e-mails we get from other people? Like our family members? Should they be asking us for personal information? The answer is no! We should never ask anyone for personal or confidential information over e-mail. Even more importantly, we should never send personal or confidential information via e-mail or provide it using a method the e-mail indicates unless it is being done through a mutually trusted method.

Case and point: I could be at the video store renting a movie. I decide to use my debit card to pay for it. Meanwhile, someone near the back of the store takes a high-resolution photo of me swiping my card at the register. Later, they can review the photo and establish my card number, my full name, and who I bank with. Now that they have this information they can do a bit more research using online tools to track down my spouse's name and both our e-mail addresses. A few months later, I may receive an e-mail from my wife that simply says "I meant to ask you last night but I forgot! What is our user name and password for our First Bank of Scams account? I need to confirm a transaction!" Well, there is probably a pretty good chance that I will easily realize that she is setting right next to me and ask her why she is e-mailing me, but what if she wasn't. What if I am away on business and talked to her on the phone last night. I might immediately think that it is a legitimate request. The thing to remember is that it is never a legitimate request. If she wants to ask me for that information via e-mail, I have no problems with it. But I should never provide the information requested by replying to the e-mail or providing it through a means she requested that I am not familiar with, such as sending it as a text message to a mobile number that is similar to hers but not the same. I should call her at a number I am familiar with or tell her to call me. Even if I am comfortable providing her the information over e-mail, I should do so by sending a new message to her e-mail address and not via the reply method.

Stop using e-mail?

I am not saying that we should not use e-mail but when we do, we must understand the risks involved and anything that seems suspicious or tells you that you need to take immediate action may actually not be from who it appears. In situations where we are being asked to do something out of the ordinary or provide sensitive or confidential information, we should use a means unrelated to e-mail to validate the request and the sender.

Over the years, attempts have been made to make e-mail more secure. One method is e-mail signing. The concept of a signature is a means to identify the person who the signature belongs to. The idea is not that the signature says Larry O'Leary but it is the way the signature visually looks and how it is physically made up. The idea is that people who know you or do business with you will recognize your signature and be able to spot a fake signature easily. Unfortunately, this too has proven to be something that most of us can not do as we are not trained in hand writing analysis or forgery detection. With e-mail, the same problem exists. Just because I sign my e-mail by typing Larry O'Leary at the bottom doesn't mean that someone else can't do the same. Because of this, we need a way to digitally sign our e-mails and the stuff we send to each other. One such signing technology is Pretty Good Privacy (PGP). The idea is that a sender uses a private key to sign or even encrypt something they are sending. The recipient has the sender's public key so they can verify the item came from the identified sender and validate that the sender's key is valid and really belongs to the sender. This type of digital signing and encryption is great and can make e-mail a safer means to communicate. The frustrating thing is that it is not in wide adoption. My bank still sends me plain-text and HTML e-mail without any digital signature or means of validating that it really came from them. Furthermore, it still doesn't make the content of the e-mail safe. I must still rely on my own common sense and paranoid tenancy to keep myself safe. Just because I know for certain that the e-mail came from Mom doesn't mean the link she sent me is safe.

Modern e-mail client applications such as Microsoft Outlook, Evolution, and Thunderbird do a great job with their default configuration making your use of e-mail a little safer. They block the loading of images unless you say otherwise. They also make opening attachments a bit more difficult so that you don't accidentally install a nasty virus. They do a fairly good job at detecting spam or phishing attempts and try to keep you from falling a victim. But with all these security practices being implemented all we can do is complain that it is too hard to use them. We end up disabling those annoying "Are you sure you want to do this?" pop-ups because we feel that our actions are considerate and safe. But later we can easily become victim to trickery by being caught off guard. Maybe we are having a bad week or preoccupied with something else going on in our busy life. Or maybe we just ran out of coffee and are having a hard time waking up. It only takes one wrong click of the mouse to land us in "Oops! I didn't mean to do that!"

We also have web mail clients such as Yahoo! Mail, Gmail, and Hotmail. Web mail clients offer us another level of security. In most cases, if we accidentally open an attachment, it has been scanned by an anti-virus scanner and the web mail provider is hopefully keeping their anti-virus software up-to-date. We also benefit from the web mail provider keeping their web mail application up-to-date and helping us protect ourselves. However, this in itself may lead to irresponsible behavior on our part.

The take away is that even with all the steps that others have taken to protect us, we are still responsible for our own actions and any of us can fall victim to an array of unacceptable social behavior and engineering with or without our realization. Just remember, e-mail is much like the telephone. The information you receive from the other end may or may not be true and you may or may not know who is on the other end.

1 comment:

mystikmoon13 said...

Is this safe to post on? 8) Good article!