How To Secure Your E-Mail – Part I

So just how safe is this?

Everyone loves the convenience of e-mail. In minutes you can instantly send pictures of your kids, travel itineraries, love notes, or any other form of written or visual (picture or video) communication to far away relatives. It’s practically instant gratification, with communicators sending notes back and forth on a whim.

Degree of Difficulty: 3(Power User) for installation, 2(Normal User) for subsequent usage

Note: All tips published will have a difficulty rating of 1 (Grandma could do it), 2 (Normal User), 3 (Power User), and 4 (Geeks only).

But what lots of people fail to realize is that e-mail is inherently a highly insecure method of communication. For instance, did you know that:

  • By default, your message is broadcast across the internet in clear text, meaning it is not scrambled or encrypted in any way.
  • During its voyage, it may spend time on computers that are a) not owned or in any way related to the sender or recipient, and b) quite possibly not running the latest and most secure version of software, and are vulnerable to being hacked.
  • In the case of (a) above, as well as on your ISP’s mail server, your e-mail can be read at any time by someone who has administrative (think super duper all-powerful) rights on that server. Imagine some poor, lonely, nerdy guy sitting at a computer terminal, busily reading your passionate love letter to your husband or wife. OK, that’s a bit of an extreme case, but you get the point.
  • E-mail is inherently “spoofable”. That is, it is extremely easy to fake the sending address of an e-mail, making a spammer’s message asking for personal information appear as though it came from your good friend or spouse.

So what are we to do? Abandon all use of the medium, and resort to folded notes, sealed with wax and delivered by pigeons?

Well, no, that’s not really necessary, but we do need to take steps to ensure that either we a) accept the insecure nature of e-mail, and make sure we don’t talk about anything we wouldn’t want our neighbors knowing over it, or b) take steps to make our e-mail readable only to those the message is meant for.

The Lock-Box Methaphor of Key-Based Encryption

We all know that to “encrypt” something means to somehow scramble its contents to the point where without knowledge of how to decode the message, it appears as nothing more than garbage.

One of the more common encryption methods is known as “Public Key Encryption”.  Here’s how it works.

Imagine for a moment that you are in possesion of the following items:

  1. An unlimited number of boxes with nearly impenetrable locking mechanisms.  These boxes can hold letters, pictures, video tape, etc, and can be sent through the mail.
  2. An unlimited number of keys that can lock these boxes; however once closed and locked, this key cannot be used to open the box and view what is inside.
  3. A single, master key, which can be used to open any of the boxes.

Let’s say you have a significant other who lives across town (or across the country, for that matter), and they have something private they want to send you: their bank account number, a steamy love letter, perhaps some rather, err, “personal” pictures? Use your imagination.

Now if you’re friend were to simply send these through the mail, your friendly-yet-nosy postal service worker could easily open the package and view its contents.  So, being a saavy and security conscious person, you instead give your SO a bunch of these boxes, as well as one of your “lock-only” keys.  Now, they simply need to put the incriminating item in one of your boxes, lock it up, and send it on its merry way.  You can both be confident that only the two of you will know what contents lie within.

As an added bonus, imagine that your friend has sealed the box with one of those old-fashioned wax stamps, using their finger as the source of the impression (ouch! that’s hot).  Now imagine that you have some fool-proof way to verify that the seal was in fact made by your friend, and not some impostor.  This is called “cryptographic signing” and is yet another benefit to using public key encryption.  But we’ll get into more detail in later parts.

Do I have your attention?

For now, all you need to know is that by the end of the series, you’ll be able to securely send and receive e-mail with your friends and family, without spending so much as a penny.  You can do this on just about any computer, with any e-mail client from AOL to GMail (though as we’ll see, some are easier than others).  For the difficulty of this task, I will give a hybrid 3 (Power User) / 2 (Normal User) rating, as the installation process is a bit tricky.  If you’re not comfortable with the instructions I give, you may want to have someone computer friendly and trustworth carry them out for you (note: do not let some anonymous Geek Squad employee do this for you, as you will essentially give them the keys to your e-mail).

Tune in next week for Part II of our series, when we’ll be talking about the first steps in installing the software necessary to undertake our operation.

Why you should care about computer security

Here are some sobering quotes to consider:

  • “As the global financial crisis continues, we expect criminals to take advantage of the panic and fear among consumers worldwide and increase their targeted phishing attacks in the coming months.”
  • “Phishing attacks spiked significantly following the announcements of various bank failures in late September. While there was no strong trend towards using any one specific bank or failure, overall increases in phishing activity in the days following each major announcement were recorded.”
  • “Acquisition of innocent machines via email and Web-based infections continued in Q3 at about the same pace measured in Q2, with over 5,000 new zombies created every hour.” Note: a “zombie” is a computer which has been infected by viruses or other bad programs, which allows hackers to remotely manipulate or control the machine and use it for their own purposes. A Very Bad Thing to say the least.
  • Source: http://www.securecomputing.com/pdf/SCC-InternetThrtRprt-Oct08.pdf

There is an enormous amount of malicious content out on the web, just waiting to be installed on an unaware user’s computer. In the best case scenario, you may only see some annoying pop up ads for sites touting items such as Viagra knock-offs or pornography. In many cases, however, the result may be far less obvious, but far more nefarious.

I do not pretend to be any kind of true expert in the world of computer security. What I am is someone who is highly security conscious (some would say bordering on paranoia), who would like to help those who are less technically savvy to reduce their risk of being a victim of cyber-crime.  With computers  becoming more and more a part of our daily lives, keeping your computer safe is every bit as important as locking your doors at night.

This post is the first in a new weekly series I’ll call “Information Security Made Easy”. Every Tuesday or thereabouts, I’ll be posting tips or short how-to articles containing steps that normal users can take to better defend themselves against this new breed of crime. Every post will have a difficulty rating, ranging from “Grandma” to “Geek”, indicating how hard the recommended action is. In many cases, the tips I’ll be writing about may make your ability to freely browse the internet a little more difficult; if that’s the case, I’ll tell you so, frankly and clearly. Only you can decide if the trade-off is worthwhile.

If anyone has tips they think are worthwhile, please feel free to e-mail me at josh at awanderingmind dot com.  On that note, here’s your first tip: use a dedicated e-mail address whenever signing up for a website or entering your information.  That should help prevent your normal address from being bombarded with spam.