Email advice for the rest of us

Coming up on the second anniversary of Security For All (no, this is not THAT entry – it’s coming) I realize that I’ve been remiss about the “For All” part of Security For All. Lately it’s been all about copyright enforcement shenanigans, e-discovery technicalities, Fourth Amendment, privacy issues and Captain X-Ploit parables and nary a peep about how a real person (read non-ultra-geek) can save what’s left of their privacy and avoid being abused on the Internet. I was particularly struck while reading this article entitled 10 things non-technical users don’t understand about your software (no, this isn’t about THAT article either – although it is quite good in a software engineering kind of way) wherein the author, Andy Brice, makes these points.

Techies are happy to play with software to see what it does. They aren’t usually too worried about trying things because they can rely on some combination to undo, version control and backups to reverse most changes and they can usually judge when a change won’t be reversible. Non-technical users aren’t so confident and won’t try things in the same way. In fact some of them seem to think that a wrong move could cause the computer to burst into flames.

Unskilled users often don’t realize how unskilled they are.

That is a nasty but common combination. The implications include users who are afraid of trying things out, because they might “break something” and when they need help don’t have the skill or experience to ask or even know what to ask. Recently I installed a new iMac for my mom. I made sure that she had all of the necessary security software installed and configured including a password safe, made sure that her iSight camera was working so that she could video chat and even transferred all of her photos, addresses and music. In other words she was ready to roll. Or so I assumed. The next day she called me in a panic because her “screen went blank” and the iMac appeared to be dead. After a great deal of troubleshooting over the phone I determined the root of the problem: the iMac was powered off and she didn’t know where to find the power button. So that great work configuring and securing her new computer was useless when she doesn’t know how to turn it on. All of the preceding is an epiphany and mea culpa. I’m returning to the roots of this blog (for this entry at least) with some email advice for everybody.

I’ve written about sending safe email before, but I recently came across this pair of articles by Chad Perrin in TechRepublic. This first, entitled Basic e-mail security tips and the follow-on Five tips for avoiding self-inflicted email security breaches. I’ve condensed these into a single list with my commentary, but you should definitely check out Chad’s full articles.

1. Never allow an e-mail client to fully render HTML or XHTML e-mails without careful thought. At the absolute most, if you have a mail client such as Microsoft Outlook or Mozilla Thunderbird that can render HTML e-mails, you should configure it to render only simplified HTML rather than rich HTML — or “Original HTML” as some clients label the option.

Chad goes so far as to suggest that you use an email client that doesn’t render HTML at all. I wouldn’t go that far but I would agree that you shouldn’t automatically allow HTML. This is the default setting for most email clients. So let’s step back a second and explain some things. First off “HTML and XHTML” are computer “languages” that allow you to see nice page layouts, pictures, sounds and movies in your email. It’s the same stuff you see when you surf the web. A web page is usually HTML that is rendered (“translated”) by your web browser into all of those previously mentioned cool things. So since HTML can automatically download and display stuff like pictures, movies and music from the web, it can also download bad stuff like links to phishing sites or malware that looks like a picture or movie but is really something bad. So if this is the same thing that your web browser displays all the time, then why is it a problem with email? Unlike your web browser which doesn’t copy anything to your computer unless you allow it to, your email program makes a copy on your computer before it even tries to display it. So the bad stuff is already there just waiting to be activated. So be very careful before you “download pictures” in an email (your email program should ask first) and don’t select “always download pictures”. Even when they’re from Dear Old Aunt Alice. Especially if they’re from Dear Old Aunt Alice.

2. If the privacy of your data is important to you, use a local POP3 or IMAP client to retrieve e-mail. This means avoiding the use of Web-based e-mail services such as Gmail, Hotmail, and Yahoo! Mail for e-mail you wish to keep private for any reason.

What he’s getting at here is that you should not use the “webmail” application with these services. That is don’t check your email from a web browser. All of the services mentioned are also POP3 or IMAP servers that your email program can get email from. Unfortunately this can be pretty tricky to set up and you will probably need to get some help to do it right. The main thing to realize is this: those “free” web-based email services aren’t free (sorry but Grandma was right – there is no free lunch). They make money from their advertisers and YOU are the product they offer to those advertisers. So all of those companies would prefer that you leak as much private information to them as possible. It makes you a more valuable product.

3. It’s always a good idea to ensure that your e-mail authentication process is encrypted, even if the e-mail itself is not. The reason for this is simple: You do not want some malicious security cracker “listening in” on your authentication session with the mail server. If someone does this, that person can then send e-mails as you, receive your e-mail, and generally cause all kinds of problems for you (including spammers).

This is very important. It sounds technical – and it is  – but it’s not that hard to find out if your email program is set up right to do this. Just go to the “accounts” set up screen and make sure that the settings include something called “SSL” or “TLS”. If instead it says “cleartext authentication” or “password sent clear” that is bad. Most Internet Service Providers (ISPs)  have been doing “secure authentication” by default for years. They only support the older (bad) stuff for really old computers, but if you have been with your ISP for a long time then you might never have changed your original settings. Definitely check this out. Also be aware that the web-based email services mentioned earlier all have this feature as well, but it is not on by default. They would like everyone to be able to access their service even from broken old web browsers or old smart phones that don’t communicate the right way. That’s not for you. In Gmail (the one I use and know the most about) under the general settings there is a choice to “always use https” which is a fancy way of saying “use a secure connection”.

4. If, for some reason, you absolutely positively must access an e-mail account that does not authorize over an encrypted connection, never access that account from a public or otherwise unsecured network. Ever. Under any circumstances.

This is spot on. It may be convenient to check your email using a web browser on your laptop, iPad or Droid from Starbucks, but be aware that it’s also very convenient for the bad guys to see everything you do – from afar. I’ve written before about using public WiFi safely. The main point being – don’t be an idiot. There’s a reason public WiFi is called that.

5. Turn off automated addressing features: As communication software accumulates more and more automated convenience features, we’ll see more and more cases of accidentally selecting the wrong recipients. A prime example is Microsoft Outlook’s “dreaded auto-fill feature,” where it is all too easy to accidentally select a recipient adjacent to your intended recipient in the drop-down list.

Yes indeed. Your email software contains all sorts of convenient features with which you can easily shoot your foot off. Or at least seriously embarrass yourself. Just make sure that your outgoing message is really going to it’s intended recipients – and ONLY the intended recipients – before you hit SEND.

6. Use BCC when sending to multiple recipients: It’s a bad idea, from a security perspective, to share email addresses with people who have no need for them. It is also rude to share someone’s email address with strangers without permission. Every time you send out an email to multiple recipients with all the recipients’ names in the To: or CC: fields, you’re sharing all those email addresses with all the recipients.

I can’t count the number of times I have gotten email from a well-meaning friend or acquaintance that has added me to a mailing list where every email address on the list is visible to every recipient. In some cases I might even know many of the people on the list, but that doesn’t mean that they want an unsavory character like myself knowing their email address. In case you are interested – or are one of the egregious offenders I mentioned – I use special email rules for all emails I receive where I’m part of a mailing list. Special in the sense that the message goes straight to the trash and black-lists the sender’s address if there are multiple visible recipients. So long and don’t bother to keep in touch.

7. Save emails only in a safe place: No amount of encryption for sent emails will protect your privacy effectively if, after receiving and decrypting an email, you then store it in plain text on a machine to which other people have access. Sarah Palin found out the hard way that Webmail providers don’t do as good a job of ensuring stored email privacy as we might like.

Boy Howdy! I’ve also written about that very incident, in this entry about Sarah Palin and the great Yahoo! angst.The point here is one of the fundamental principles of security – be it information security or physical security – If you don’t control the location of the thing you want to protect, you can’t protect the thing. Whether it’s a classic car, the formula for Coca Cola or a email message. Last time I checked, you don’t have any control over Gmail, Yahoo! or Microsoft mail servers. You do, on the other hand, control your own computer. Learn from Sarah’s email mistakes.

8. Use private accounts for private emails: Any email you share with the world is likely to get targeted by spammers — both for purposes of sending mail to it and spoofing that email address in the From: field of the email headers. The more spammers and phishers spoof your email address that way, the more likely your email address is to end up on spam blocker blacklists.

If you are someone who insists on sending to mailing lists (we call that spam in the infosec biz) at least do it from some throwaway public email address you don’t care about – just like the real spammers. Because I guarantee that it won’t be long before real spammers are using that address anyway and then you won’t be able to send an email to anyone from that address. And for you Canadian readers, it’s probably best to avoid this behavior entirely as the Canadian government takes a rather dim view of spammers – intentional or otherwise.

9. Double-check the recipient, every time — especially on mailing lists: Accidentally replying directly to someone who sent an email to a mailing list, when you meant to reply to the list, isn’t a huge security issue. It can be kind of inconvenient, though, especially when you might never notice your email didn’t actually get to the mailing list.

This is a corollary to #5. So let’s just keep this real simple – avoid mailing lists. Sure they are convenient for sending out invitations to your soirée but seriously, how many times do you invite the exact same group of people to your soirées? And by the way, that mailing list you keep for sending out those funny jokes and videos – you know the one – where do you think those all end up? See #6 if you are really interested. Otherwise ignorance is bliss. And a complete waste of bandwidth.

Sarah Palin and the great Yahoo! angst

I’ve really been trying to stay out of this one. I really have. Mostly because everyone, and I do mean everyone, has this story covered. While mainstream media, in stories like this, were concentrating on where to place blame, whether nasty sites like wikileaks are legal (while dutifully linking the prurient details) and whether Ms. Palin was a victim or villian (how about just clueless), the Security Bloggers Network, yea the entire blogoshere, has been alight with posts about what we can learn from this incident and how to make sure this doesn’t happen to you. Kindred spirit Alan Shimel even weighs in with words of advice and consolation for Ms. Palin.

So what’s the most important takeaway from this ugly, yet amusing, incident? That Yahoo!’s email security policies suck? I’m guessing that Alan would answer that with a resounding “yes!“ (albeit more emphatically and certainly more colorfully). Or is it that all web-based email services’ security sucks? Or maybe that there is a vast left-wing conspiracy to discredit our lovely GOP VP wannabee? (Oh! – I like that one).

Not to minimize or criticize the excellent analysis and advice proffered by fellow security bloggers, I think the most important takeaway was this:

Security is about managing risk. First you identify the assets that are exposed, then determine the threats that those assets will be exposed to, and finally determine how best to to manage that risk. This was yet another, albeit high profile, case of poorly managed risk.

Does Yahoo!’s mail security, particularly their password reset mechanism, introduce threats? Of course. Same with Google Mail or Hotmail. Can these threats be mitigated? Of course. Is it safe for me to use webmail? Ah, now we get to the question, however obliquely, that we should have asked first. So lets start at the beginning shall we?

1. What is the benefit received from a web-based email/calendar/contacts system?
2. What are the information assets that would be exposed?
3. What are the threats to those assets?
4. How can those threats be mitigated?
5. Given the value of the exposed assets, can the threats be mitigated sufficiently such that the risk can be accepted?
6. Do the benefits outweigh the cost in money and risk?

So if I’m me (which I was last time I checked) I would get a great deal of benefit from an online system like Yahoo! (disclaimer: I don’t actually use Yahoo!, I use something else), since I like to be connected everywhere and I make a point of keeping my work and personal stuff well separated.

In my case, the information assets that are exposed by my webmail are intentionally minimal. No important numbers or addresses and minimal Personally Identifiable Information.

The major threat to my assets is exposure due to data breach, with the most likely vector being a compromised password.

I’ve already written a blog entry about password security and I also use some of the stuff outlined here.

The value of my exposed information assets is pathetically low – my family weekend plans or my personal address list are, sadly, valuable only to me. So any common sense mitigation I can put in place will definitely make the effort required to compromise my data a very poor investment indeed.

Therefore, the convenience of having my todo list available on my iPhone far outweighs the risk of that data being exposed.

But then I’m not the Governor of Alaska and a vice presidential candidate. Ms. Palin should have gotten to #2 and started hearing all kinds of alarms going off. Barring that (hey, she only recently became a celebrity – er… high profile person) the answer to #5 is “no!” (actually “HELL, NO!“). Particularly since the data identified in #2 was not hers to risk – some of it belonged to the people of the sovereign state of Alaska. I can safely say that were I to expose my employer’s data via a personal online account, no matter what precautions I took and regardless if it were actually compromised, I would be fired. Immediately. Walked right out the door. And rightly so.

I’m pretty sure I wouldn’t get promoted to Vice President.