EMAIL SECURITY
Did you know that when you send email messages, they do not go directly to the recipients' mailboxes? Did you know that your Internet Service Provider (ISP) stores copies of all your email messages on its mail servers before it tries to deliver them? Do you know that someday all the information kept on those servers could easily be used against you? Email Security is a system-tray local SMTP server program for Windows that lets you send email messages directly from your PC to recipient mailboxes, ensuring your email security and privacy by bypassing your ISP's mail servers, where your information can be stored and viewed. Did you also know that when you send an email message to a list of email addresses, the recipients can see each other's addresses in the message header? Do you think that is secure? When sending, Email Security always breaks a message addressed to a group of people into individual messages to protect your privacy and that of your recipients. Email Security also does not leave any traces on your PC: it takes your email messages from your email client and delivers them to the recipient mailboxes at the same time, without creating any temporary files on your PC. Email Security supports all email programs, such as Outlook Express, Outlook, Eudora, etc. The email program you already use for sending and receiving messages can be connected to Email Security very easily, just by using localhost instead of your current SMTP host. Having done so, you can send messages in the usual manner.
Protect your computer and restrict access to the Internet with Security Administrator. This password-protected security utility lets you impose a variety of access restrictions to protect your privacy and stop others from tampering with your PC. You can deny access to each individual component of several Control Panel applets, including Display, Network, Passwords, Printers, System and Internet Options. You can disable your boot keys, context menus, DOS windows, Registry editing, and Internet and network access. Hide your desktop icons; local, network and USB drives; Start menu items; or even the entire taskbar. You can also apply password protection to Windows, restrict users to running specific applications only, control Internet usage, and view statistics of computer use by your kids or employees. Security restrictions can be applied universally or to specific computer users. You'll find the program interface very easy to navigate. Excellent online help is available.
When a mailbox is retrieved using the standard POP3 protocol, the username and password are sent in the clear over the Internet. This means that anyone with the ability to "listen in" on your mail client's login session with your mail server can easily retrieve your username and password, as well as read your email. In addition, once they have your password, they could read your email without your knowledge or permission, or they could even send spam from your account, possibly getting you into serious trouble, since spamming is a crime in most Western countries these days.
The best way to ensure that no one can get your password (at least not without going to a huge amount of trouble) is to retrieve your email over a Secure Sockets Layer (SSL) connection. This means that all data exchanged between your mail client and the server is encrypted on a connection secured by a digital security certificate, making it [pretty close to] impossible for anyone with malicious intentions to steal your email and/or password.
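As an added illustration of the two paragraphs above (not code from the original page): a Python snippet that pulls the USER/PASS pair out of a constructed transcript of a plain POP3 login, showing how little an eavesdropper needs, and the TLS settings a POP3-over-SSL client should use so the server is verified before the password is sent. The transcript, the account name and the host name passed to connect_pop3_ssl are all assumptions.

```python
import poplib
import ssl

# Constructed sample of a plain POP3 login as it would look to anyone
# sniffing the connection on port 110 (not a real capture; password made up).
CAPTURED_POP3_SESSION = """\
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS hunter2
S: +OK Logged in.
C: STAT
S: +OK 3 4120
"""


def cleartext_credentials(session_text):
    """Return (username, password) if a POP3 transcript exposes them.

    Plain POP3 authenticates with USER and PASS commands, so the credentials
    appear verbatim on the wire; this is exactly what the text above warns about.
    """
    user = password = None
    for line in session_text.splitlines():
        if not line.startswith("C: "):          # only client-to-server lines
            continue
        cmd, _, arg = line[3:].partition(" ")
        if cmd.upper() == "USER":
            user = arg
        elif cmd.upper() == "PASS":
            password = arg
    return user, password


def pop3_ssl_context():
    """TLS settings a POP3-over-SSL client should use: verify the server's
    certificate against the system trust store and check the host name,
    so a spoofed server cannot collect the password instead."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def connect_pop3_ssl(host, port=995):
    """Open a POP3 session on the SSL port (995) with the verified context.
    USER/PASS are only sent after TLS is up, so they never cross the wire
    in the clear. The host name is the caller's; this needs network access."""
    return poplib.POP3_SSL(host, port, context=pop3_ssl_context())
```

Run cleartext_credentials over a real transcript of your own client's port-110 session to confirm whether it still logs in without SSL; if it does, switch it to port 995 as in connect_pop3_ssl.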
5 Steps to Make Your Email Secure
One: Use a secure email client
Your email client is the piece of software you use to compose, send and receive your messages. This obviously includes products like Outlook Express, The Bat! and Thunderbird. Strictly speaking, if you use Web mail such as Hotmail, Gmail or Yahoo Mail, then your browser (Internet Explorer, Firefox, Netscape, etc.) becomes your email client - but for our purposes here we will treat Web mail as something separate. If you use an email client, the first rule for secure email is to use a secure email client.
So how do you choose a secure email client? One possible crude method would be to search the Carnegie Mellon University CERT database for known past vulnerabilities. Such a search (at the time of writing) shows Outlook Express has had 940 vulnerability entries, Mac's Tiger Mail has 124 entries, Thunderbird has 83 entries, and RITlabs' The Bat! has 2 entries. Try it with any other email client you may be considering.
But, of course, it's not that simple. Outlook Express is by far the most popular client, and therefore by far the most probed and analyzed - which goes a long way to explaining the large number of known vulnerabilities. And you can be pretty certain that Microsoft will work very hard to correct any problems it learns about. Tiger Mail is relatively new (you might consider 124 entries in a relatively short period of time to be quite high). And bear in mind that many analysts believe that the hacker community is now beginning to train its eye on the increasingly popular Macintosh.
Thunderbird is free open source software (OSS). It is growing in popularity, and will start to attract the attention of hackers. If you believe in the OSS model for security (i.e., the best software brains in the world strive to be the first to find and fix any problem), then this is a good option.
But on the measurement we're using, The Bat! is by far the most secure email client of the four. And it is certainly true that RITlabs sells The Bat! as a secure email client. Against this we must accept that a relatively unknown product will not attract the attention of the underworld - so all it says is that only 2 vulnerabilities have been reported so far, not that only 2 vulnerabilities exist.
There is another thing to consider. We define ourselves by our messaging - it is a very personal thing. It is really quite important that we use an email client that we are comfortable with and that suits us. We just need to take security into account when we choose what's right for us. So the best route is probably to consider security, choose the client that suits you, and then keep it fully patched.
Two: Always use text
Jim Clausing, Technical Consultant, Network Security at AT&T, writing for SANS, puts this just right: "Read email in plain text (as God intended)". Anything capable of doing something without your say-so is potentially harmful. And HTML contains some things that can do just that - like going to a website you don't know about and fetching what you think is just a picture to display in the email. Most email clients can protect against most of these problems - but it's much safer simply not to render HTML at all. Of course, the corollary is that you should only send messages as text as well.
There is usually an option in the software to switch to text. In Outlook Express it's Tools>Options>Read; check the box 'Read all messages in plain text'. Then go to the 'Send' tab and select the 'Plain text' radio button under Mail Sending Format. You should also make sure that 'Reply to messages using the format in which they were sent' is unchecked.
In Thunderbird, use View>Message Body As... and then select the Plain Text option in order to read your incoming mail as text only. For outgoing messages, click Tools>Account Settings and then select the Composition and Addressing option. From here, make sure that 'Compose messages in HTML format' is unchecked.
This, of course, is only half the problem. What about attachments? Certain file types can carry macros, and the macros can carry exploits. So be very careful.
Here are a few basic rules:
- Never accept attachments unless you are expecting them
- Never open an attachment unless you are really confident that it is safe. Some safe attachments could include .txt, .pdf, .gif. Some potentially unsafe attachments could include .doc, .xls...
- Never, ever, ever open an attached .exe unless you are really, really, really confident of what it is.
And of course you should return the compliment. Send attachments wherever possible as .txt files or PDFs.
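An added example (not from the original article) that applies step Two and the attachment rules above in code, using Python's standard email module: it builds a constructed sample message, reads only the text/plain part, lists the remote URLs the HTML alternative would fetch if rendered (the "just a picture" case), and grades attachments by extension. The safe and unsafe extension sets are an assumption taken from the page's own examples, not a complete list.

```python
import email
import re
from email import policy
from email.message import EmailMessage

SAFE_EXTENSIONS = {".txt", ".pdf", ".gif"}     # the page's "safe" examples
UNSAFE_EXTENSIONS = {".doc", ".xls", ".exe"}   # macro-capable or executable


def build_sample_message():
    """Constructed sample: text and HTML alternatives plus an .exe attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        "<p>Please see the attached invoice.</p>"
        '<img src="http://tracker.example.net/pixel.gif?id=123" width="1" height="1">',
        subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


def plain_text_body(raw):
    """Read the message as text: return only the text/plain part, never HTML."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part else ""


def remote_references(raw):
    """URLs an HTML part would fetch when rendered (e.g. a 1x1 tracking image)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            urls += re.findall(r'src=["\'](https?://[^"\']+)', part.get_content())
    return urls


def classify_attachments(raw):
    """Map each attachment file name to safe / unsafe / unknown by extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        verdicts[name] = ("safe" if ext in SAFE_EXTENSIONS
                          else "unsafe" if ext in UNSAFE_EXTENSIONS else "unknown")
    return verdicts
```

Anything graded "unknown" deserves the same suspicion as "unsafe" until you know what it is; the extension check is a first filter, not a verdict on the file's contents.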
Three: Use free Web mail accounts for subscriptions and postings
We all love subscribing to relevant free newsletters that will be delivered by email to our desktop. In fact free newsletters are probably second only in volume to spam. And phishing. And scams.
So where do those bothersome people get our email addresses? Well, there are many methods - some of which we can do something about. One of their methods is to let robots loose on websites. These robots trawl through all the pages copying down any email address they come across (this is called harvesting). So the first thing is never to put your email address on your own website in anything like a machine readable format (and frankly JOHN AT SMITH DOT COM is probably machine readable).
You may, however, find that your email address has been harvested from a different website - perhaps a none-too-savvy website that takes postings and includes the poster's email address. Or perhaps a hacker has got into a newsletter publisher's database and stolen all the subscriber addresses. This (semi-) solution works in both cases - never use your own main email address. Guard it like your most embarrassing moment ever, and only give it to people you really trust. For everyone and everything else, use a web mail account. Firstly, companies like Hotmail, Google and Yahoo are really good at screening out spam; and secondly, if and when spam does start getting through, just dump that address and get another one. You will need to re-subscribe to the newsletters, but it will be a good opportunity to abandon all of those you don't want or don't trust. Out of common courtesy, if there is a mechanism for formally closing the old web mail account, please do so.
Four: Use additional multi-layered defenses
It isn't enough to stop bad things getting on to your system via your email - you have to prevent any unknown hidden infection you may already have getting out through your email and infecting someone else. It's not just good manners - it could save your job or your bank balance or both. Many lawyers expect that sooner or later the victim of loss by infection will seek redress from the source of that infection; even if the source was totally unaware of what happened. Better make sure you're not that source; so you have to avoid sending out infections just as much as you must avoid receiving them.
Email isn't the only way you can catch a Trojan horse - it could be just by visiting the wrong website, using P2P injudiciously, or a colleague or relative downloading or installing something not quite kosher... In fact, it's probably best to assume that sooner or later you will get infected by spyware or similar. So you don't just need an anti-virus system capable of inspecting your incoming email; you need one that will inspect your outgoing mail as well. To be especially safe, you also need anti-spyware/adware software to scan your system for Trojans that have got through, and a firewall that will stop unauthorized applications trying to connect to the Internet.
Five: Encrypt sensitive emails
You can make Outlook Express (and any other email client that supports S/MIME) provide encryption if you obtain or already have a digital ID (digital certificate). To be frank, for most users of personal email, the process of getting a digital certificate is either too expensive or too onerous to bother with. So it comes down to the usual cost/benefit trade-off: if the value of the information you wish to secure is high, then you need to obtain a digital certificate; if it is not that high, then seek an alternative method of encryption.
And there are plenty of alternative methods. If you work for a large company, you may already have a company PKI (Public Key Infrastructure) system established. If you have, you can consider all mail sent using it to be as secure as it gets. But this is not really an option for small companies, and certainly not for the majority of individuals. If you have an IT specialist in-house, or if you're computer savvy yourself, you could consider installing a free version of PGP - and again, your email will be as secure as it gets. But it's still frankly onerous for a user generation brought up on 'plug it in and get on with it'.
Perhaps the easiest option is to use a third-party secure email provider. This will usually mean your mails go through the third party's servers, but usually in a secure fashion. It can be as simple as using the SSL encryption already in your favorite browser to upload an encrypted email, from where only the stated recipient can download it, again through his or her browser. Or it could be an altogether more sophisticated approach such as that adopted by Hushmail (which even has a free option). Whatever method you choose, if the communication is either sensitive or valuable, it should be encrypted.