Pages

Categories

Search

 

Confidential Blog Post On Email Security

by
December 15, 2016
CTOvision
No Comment

Junaid Islam

I’m often puzzled when I get emails with the words “confidential” or “private” in the subject line as if cyber attackers will be careful not read them. 

Obviously the title is a joke.  Unfortunately the national security issues relating to sensitive content is no laughing matter.  Currently we’re witnessing a rash of public and private email theft.  The big news isn’t that emails are being stolen but that people thought that it was secure in the first place.

Older tech workers, like myself, who remember Internet Relay Chat, X.25 and public bulletin boards know that email is built on store and forward modules that relay messages around the globe.  There are modules to get the sender’s message to the relay network.  Next there are other modules to route messages to either internal or Internet relays based on destination.  There are different modules read messages on mobile phones.  And still others for web access. And yet more for data archiving processes.  

Cyber attackers can either proxy a specific store and forward module or simply listen in to the traffic between modules to get a copies of messages.  Cyber attackers can also directly access email storage servers to download the entire archive. There’s also combination attacks where they steal the identity database and use that information to access the individual accounts of people they don’t like.  And finally cyber attackers can just phish the actual user to reset their password.

On a practical level, the question is what to do.  Here’s a list starting from a simple suggestion (that requires no money) to a comprehensive solution (which requires some thought):

1 Never send sensitive data in email Whether using a private email server or public service think hard before sending something of value.  Remember that email is a shared Internet-based service. Also given the economics of email services (which are free), there’s no incentive for anyone to fix the problem. You get what you pay for. 

2 Secure your email system At the bare minimum implement 2 factor authentication and encryption on your email archive.  While this won’t stop cyber attackers from reading individual messages as they transit the Internet or phishing individual users at least you won’t go thru the embarrassment of all your messages being made public at once. 

3 If you must share sensitive data, build an overlay network Set up your own private content distribution service. This seems complex but public cloud hosted services and software based security solutions have made this easier. The best part is many of these new solutions utilize email to inform users they have new content.

If you’ve read this far you’re probably wondering if the RNC emails were also stolen?  Almost certainly.  What about the Trump organization?  Yes.  The question is ask when will the cyber attackers share them?  I don’t know but I hope they don’t have any confidential or private information in them.