Email Security
Everyone uses e-mail. It is the second most used application on the internet next to your web browser. But what you might not realize is that a significant portion of network attacks and compromises originate through e-mail.
How E-mail Works?
E-mail accounts are available through many different sources. You may get one through school, through your work or through your ISP. When you get an e-mail account, you will be given a two part e-mail address, in this form: username@domain.name. The first part, username identifies you on your network, differentiating you from all the other users on the network. The second part, domain.name is used to identify your specific network.
POP and SMTP
Your incoming e-mails are going to be on a computer called a POP server.
Your outgoing e-mails will be sent to a computer called a SMTP server.
Web Mail
A second option for e-mail is to use a web based e-mail account. This will allow you to use a web browser to check your e-mail. Since the e-mail for these accounts is normally stored on the web e-mail server – not on your local computer – it is very convenient to use these services from multiple computers. It is possible that your ISP will allow you to access your e-mail through both POP and the web.
Safe E-mail Usage : 1
Receiving
Everyone uses e-mail, and to the surprise of many people, your e-mail can be used against you. E-mail should be treated as a post card, in that anyone who looks can read the contents. You should never put anything in an ordinary e-mail that you don’t want to be read. - Attachment Security(Most Important )
Another real concern related to received e-mail security is attachments. Attackers can send you malware, viruses, Trojan horses and all sorts of nasty programs. The best defense against e-mail borne malware is to not open anything from anyone you don’t know. Never open a file with the extension .exe or .scr, as these are extensions that will launch an executable file that may infect your computer with a virus. For good measure, any files you receive should be saved to your hard drive and scanned with an antivirus program. Beware of files that look like a well known file type, such as a zip file. Sometimes attackers can disguise a file by changing the icon or hiding the file extension so you don’t know it is an executable.
- Spam, Phishing and Fraud
Everybody likes to get e-mail. A long time ago, in a galaxy far far away it used to be you only got mail from people you knew, and it was about things you cared about. Now you get email from people you never heard of asking you to buy software, drugs, and real estate, not to mention help them get 24 million dollars out of Nigeria. This type of unsolicited advertising is called spam. It comes as a surprise to many people that e-mail they receive can provide a lot of information to a sender, such as when the mail was opened and how many times it was read, if it was forwarded, etc.
- HTML E-Mail
One of the security concerns with HTML based e-mail is the use of web bugs. Web bugs are hidden images in your e-mail that link to the senders’ web server, and can provide them with notification that you have received or opened the mail.
Safe E-mail Usage:2
Sending
Sending mail is a little more care free. There are some things you can do to make sure your conversation is secure though. The first is to ensure your connection is secure (see section 9.4 Connection Security for more information).
Digital Certificates
A digital certificate is unique to an individual, kind of like a drivers license or passport, and is composed of 2 parts. These parts are a public and private key. The certificate is unique to one person, and typically certificates are issued by a trusted Certificate Authority, or CA.
Digital Signatures
A digital signature is generated by your e-mail software and your private key to assure the authenticity of your e-mail. The purpose of the signature is twofold. The first is to certify it came from you. This is called non-repudiation. The second is to ensure the contents have not been altered. This is called data integrity.
Encryption
As an additional layer of security, you can encrypt your e-mail. Encryption will turn your e-mail text into a garbled mess of numbers and letters that can only be read by its intended recipient. Your deepest secrets and your worst poetry will be hidden from all but the most trusted eyes.
Encryption is fairly complicated, so I’ll try to explain it in a low tech way: Jason wants to send an encrypted message. So the first thing Jason does is go to a Certificate Authority and get a Digital Certificate. This Certificate has two parts, a Public Key and a Private Key. If Jason wants to receive and send encrypted messages with his friend Ali, they must first exchange Public keys. If you retrieve a public key from a Certificate Authority that you have chosen to trust, the key can be verified back to that certifying authority automatically. That means your e-mail program will verify that the certificate is valid, and has not been revoked. If the certificate did not come from an authority you trust, or is a PGP key, then you need to verify the key fingerprint. Typically this is done separately, by either a face to face exchange of the key or fingerprint data.
Decryption
So Ali has received an encrypted message from Jason. This typically is indicated by a lock Icon on the message in her in box. The process of decryption is handled by the e-mail software, but what goes on behind the scenes is something.
Last but not least is connection security. For web mail, ensure you are using an SSL connection to your ISPs e-mail. A small lock icon will appear in the bar at the bottom of your browser. If you are using POP and an e-mail client, ensure that you have configured your email client to use SSL with POP on port 995 and SMTP on port 465. This encrypts your mail from you to your server, as well as protecting your POP / SMTP username and password. Your ISP should have a how-to on their web site to configure this. If they don’t offer a secure POP / SMTP connection, change ISPs!
0 comments:
Post a Comment