You might occasionally think about email security. You might try to use strong passwords and be careful with attachments. However, there may be a lot more that you haven’t thought about when it comes to email security and protecting your messages.
Why worry about protecting your email if you’re not sending sensitive information? You might be more at risk depending on the nature of the work you do or the type of information you send. Even if you’re in the habit of not sending sensitive information, you might receive it. You might not realize the importance of information you have. And it’s not always about the content of your messages. Your email traffic may be more valuable than the content, and this might lead to other, bigger exposures. Examples of this are the recent Twitter.com hacks/compromises, including one instance where an attacker was able to gain significant leverage over Twitter by starting with a single email account. Read more about Hacker Croll and the Twitter attack on Techcrunch.
Ok, so maybe you’re not a billion dollar enterprise, but you do probably bank online. And check your credit cards. And maybe shop at Amazon.com or iTunes. And it’s not hard to steal your information via WiFi when you’re sipping your half-half mocha-frappa-double extra whipped chocopresso at ThatCoffeePlace. I bet you’re using the same password for your email account that you use for your iTunes account…
What to Protect
There’s more than just the content of your messages to consider. Think of it as layers. At each layer there is something to protect:
- Your authentication (username and password)
- The email traffic
- The mailstore (local copy of mail, cache, etc.)
- The content
For simplicity’s sake, let’s assume the following covers Mac and PC systems using tools like Outlook, Entourage, Exchange, Firefox, and Gmail.
Your Email Authentication
Let’s say that you’re a business user on a Mac or PC trying to get mail from your company’s Exchange server. To start with, have a good password. If your company has a public web interface available via something like Outlook Web Access (OWA) and it isn’t configured to lock out after so many failed attempts, an attacker can brute force that all they want until they’re blacklisted. And don’t let your Outlook client remember the password for you. If your laptop was running when it was stolen, and the thief has access to the desktop, opening the mail client gives direct access to email and whatever else Outlook has access to. Under the security settings in Outlook select “Always prompt for logon credentials.” For Entourage users on the Mac, you may want to have Entourage place your password in your MacOS Keychain (provided you have a strong keychain password.) For a POP or IMAP client, again, use strong passwords and see the traffic comments below.
Your Email Traffic
Exchange users, while you’re in the security settings, check “Encrypt data between Outlook and Exchange…” as well. If you’re concerned about the security of your email traffic between your email client and your Exchange server, check with your Mail Administrator for more information. What about POP, SMTP, and IMAP email? Normal POP, SMTP, and IMAP sessions are insecure by default, meaning that if you open your email client and check for mail from your ISP using the standard mail network setup, your username and password are being sent in clear text, along with your email. This might not be as big a concern at home, but if you’re on a laptop using public wifi somewhere, it’s very easy for someone to grab your email username and password.
It’s possible to use secure connection settings with your email client, however your ISP must provide the ability, and your email client must be capable. In Thunderbird for example, when setting up a POP account, POP traffic would normally talk on port 110. Changing the connection security to TLS/SSL will force the POP traffic over SSL, and probably change to port 995. The same is true for an IMAP connection. Changing its connection security to TLS/SSL will accomplish the same and will use port 993 rather than port 143. Don’t forget to check the settings for your outgoing mail server (SMTP) as well. Default SMTP traffic talks unprotected on port 25. Changing the connection security for SMTP will encrypt email traffic when you are sending mail, and will talk on a secure port other than port 25.
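One way to check the settings described above on your own machine, as an added example that is not part of the original article: Thunderbird records each account's connection security in its profile's prefs.js (socketType for incoming servers, try_ssl for SMTP; 0 is no encryption, 2 is STARTTLS, 3 is SSL/TLS), and this script lists the accounts that do not enforce encryption. The sample preferences and hostnames are constructed.

```python
import re

# Constructed sample of a Thunderbird prefs.js (hostnames are placeholders).
SAMPLE_PREFS = '''
user_pref("mail.server.server1.type", "pop3");
user_pref("mail.server.server1.hostname", "pop.isp.example");
user_pref("mail.server.server1.port", 110);
user_pref("mail.server.server1.socketType", 0);
user_pref("mail.server.server2.type", "imap");
user_pref("mail.server.server2.hostname", "imap.isp.example");
user_pref("mail.server.server2.port", 993);
user_pref("mail.server.server2.socketType", 3);
user_pref("mail.server.server3.type", "none");
user_pref("mail.server.server3.hostname", "Local Folders");
user_pref("mail.smtpserver.smtp1.hostname", "smtp.isp.example");
user_pref("mail.smtpserver.smtp1.port", 25);
user_pref("mail.smtpserver.smtp1.try_ssl", 0);
'''

# Thunderbird's connection-security codes, stored as "socketType" for
# incoming servers and "try_ssl" for outgoing (SMTP) servers.
MODES = {0: "cleartext", 1: "STARTTLS if available", 2: "STARTTLS", 3: "SSL/TLS"}
PREF_RE = re.compile(
    r'user_pref\("mail\.(server|smtpserver)\.(\w+)\.(\w+)",\s*("?)(.*?)\4\);')

def audit_prefs(text):
    """Return (account, protocol, host, port, security) for each mail server."""
    accounts = {}
    for kind, key, name, _quote, value in PREF_RE.findall(text):
        accounts.setdefault((kind, key), {})[name] = value
    report = []
    for (kind, key), prefs in sorted(accounts.items()):
        if kind == "server":
            proto = prefs.get("type", "?")
            if proto not in ("pop3", "imap"):
                continue  # "none" is Local Folders; feeds and news are skipped too
            mode = int(prefs.get("socketType", 0))  # assumption: unset means 0
        else:
            proto, mode = "smtp", int(prefs.get("try_ssl", 0))
        report.append((key, proto, prefs.get("hostname", "?"),
                       prefs.get("port", "default"), MODES.get(mode, "unknown")))
    return report

def unprotected(report):
    """Accounts whose login and mail can cross the network unencrypted."""
    return [row for row in report if row[4] not in ("STARTTLS", "SSL/TLS")]

if __name__ == "__main__":
    for row in unprotected(audit_prefs(SAMPLE_PREFS)):
        print("encryption not enforced:", row)
```

To audit a real profile, pass the contents of its prefs.js to `audit_prefs` instead of the sample.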
If you’re not able to do the above, an alternative is to use SSH port forwards to tunnel your mail traffic if your ISP allows SSH traffic to their mail server. This will send your email traffic through an encrypted tunnel protecting it from prying eyes.
The mailstore is the local copy of your mail. If you’re using cached mode in Outlook, there is a local copy of your mail in an .OST file (Windows). If you have personal or local mail in Outlook, that’s kept in a .PST file (Windows). PST files can essentially be opened by anyone. They can be password-protected; however, prior to 2003, the passwords could be stripped simply by downloading a utility from Microsoft. The utility’s purpose was to do exactly that: strip passwords off of .pst files when people forgot or lost passwords. Even with improved and more current protection on these files, once an attacker gets a copy of those files, there is nothing preventing them from performing brute-force attempts on their copy until they get in and get all your downloaded email.
Similar to the .pst and .ost files under Windows, the Mac Entourage 2008 client stores email in a file at “/Users/Your_ID/Documents/Microsoft User Data/Office 2008 Identities/Your_Profile” and the Mail app stores its mail in “/Users/Your_ID/Library/Mail/.” Other email clients such as Thunderbird will put their mail and profiles in the directories you specify during the setup.
So how do you protect the mailstore? You can place your .ost and .pst files in an encrypted drive. Using a free utility like TrueCrypt you can create an encrypted drive or volume, put the files in that location, and then configure Outlook to use the files in that location. For example, you could create a TrueCrypt volume called “EncryptedMailstore”, and with Outlook shut off, move the files to your new drive, modify the email settings via the control panel, and have Outlook look there for the offline folder and personal files. Additionally, you can password-protect your .pst files (the protection is limited, but with newer versions of Outlook it is better to do it than not). The drawback to the encrypted drive is that you need to mount the drive before you launch Outlook, as well as give it the same drive letter each time.
You can do exactly the same thing with Thunderbird mail. Entourage and Mail however pose a problem. Both applications seem to be fixed with the locations in which they store their data. I have yet to find any way to direct or modify where they store their mail. If you move the files that Entourage creates to another location, it just creates new blank ones the next time Entourage is started. And as far as I can tell, there’s nothing preventing Entourage files from being opened on another system. True, you could use the Mac OS to encrypt the drive or user directory, but I don’t think that would protect the files once the Mac was running and/or files were unencrypted and in use.
I thought you could be sneaky by using a combination of symbolic links and encrypted volumes. I tested by creating a TrueCrypt volume, moved my Entourage files to the new volume, and then via the Terminal created a symbolic link with the same exact name in the correct place and pointed it at the files on the encrypted volume. It worked. And then it didn’t. For some reason, when I initially started Entourage up, it worked and used my protected files. Once I restarted Entourage however, it seemed to realize what I was doing and started making blank default files in the old location again.
The Email Content
It is possible (and free) to encrypt the content of the email message itself. Frankly though, unless you are dealing with some type of extreme that would require only the recipient to ever be able to read the message, most of us would probably not have a need to encrypt email messages. To be sure, emailing sensitive information such as passwords, financial information, or valuable intellectual property would benefit from encryption. Depending on where in the world you live, if you are politically active, what you say in email could result in real danger if the wrong people read your messages.
There are many solutions for email encryption. There are some simple solutions for small businesses and individuals that are adequate. Examples include Unified Threat Manager (UTM) solutions such as the Astaro Gateway and their Virtual Machine option (free to home users) or GNU Privacy Guard (GPG), which is a free replacement for PGP. GPG runs under Mac, Windows, and Linux, and can be used with Outlook, Firefox, and other email clients. Users install GPG on their computer, generate a public and private key for their given email account, and then distribute and share their public keys so that others can use the key to send them an encrypted message that only they can decrypt. You can start learning more about Public Key Infrastructure (PKI) at Wikipedia. Differences between GPG and other commercial solutions include no third-party verification and no central authoritative repository for keys; however, the quality of encryption is just as good as any other.
Protect Your Identity
How does the recipient know that it’s really you that sent them an email? We assume that when we get a message from someone, especially someone we know, that it was really them that sent the message. Malware or a virus could be capable of collecting data from a user’s address book and sending messages to the addresses it finds. In some circumstances it might again be critical to verify the authenticity of the sender. Products such as Digital IDs from Verisign provide a means to digitally sign a message, providing verification that the message was sent from your account, with your permission, and has not been altered since being sent (provided of course the sender is being responsible about protecting their digital ID and authentication, and is using strong credentials.) And GPG keys can also be used to sign as well as encrypt.
What about Gmail?
If you’re using an email client to get your email from Gmail via POP or IMAP, that traffic is subject to the same concerns any other mail connection would be. If you use the browser to get your mail, traffic is secured the same way any other secure website would be via SSL (https in the URL.) However Gmail did not always default to https. Some web-based email doesn’t offer any encrypted connections. It was possible to force Gmail to use SSL by changing the address manually from http to https. According to a post by Google dated January 12th 2010, Gmail is now defaulting to https. This was posted shortly after notification of their being attacked, and some speculate this change was made to protect Gmail users from having their mail intercepted and read.
Before authenticating to web-based email, make sure that the page is secure (https); otherwise the username and password you enter will be in clear text over the network. If there’s no SSL once you’ve logged in, mail that you send and read could be captured as well if your network traffic is capable of being intercepted.