Email is an old technology – I sent my first email almost exactly 25 years ago – and we are all quite used to it. Over the years we have all developed habits, and not all of those habits are safe in terms of IT security.
Whilst most of what follows is advice that has been passed out many times over the years, it is advisable to review our ingrained habits to see if there is anything we should be doing better.
Every so often whilst writing this, I have been tempted to add “I’ve a story to tell about that”. But I’ve a story to tell about just about every piece of advice contained within this blog entry.
Email Is Not Private!
We normally think of email as the electronic equivalent of a letter, where we seal a message inside an envelope so that those carrying it along the way cannot see the contents. In fact email is far more like a postcard where anyone can read the contents just by flipping over the card.
When email is sent, it hops from server to server along the path to the final destination and can be intercepted and read at each hop. Whilst those with sufficient rights on our servers have been educated (and frankly didn’t really need telling) that casual email snooping is not permitted, there is no guarantee that snooping cannot be carried out at other places.
No Sensitive Personal Information
Because of the risk of accidental data leakage through the use of email, no sensitive personal information may be sent via unencrypted email. And if you are using encryption, you should seek advice on whether the encryption you use is appropriate.
Be Careful What You Quote
It is common for people to send emails where they add their own comments to the top of an existing email. Whilst this is quick and easy, it also means that emails can get longer and longer with information contained within them that may not be intended for the current set of recipients.
It is strongly suggested that you check the complete email before sending it to ensure that the contents are appropriate for the people you are sending to. Not only can this prevent leaking information to people who should not have that information, it can also prevent you from embarrassment!
Don’t Write Anything A Random Stranger Shouldn’t See
It is all too easy to end up making a simple typo in an email address, and sending an email off to where you do not expect. And of course it almost always happens to the one email you really do not want it to happen to.
So it is worth avoiding putting anything in an email that you would not want a random stranger to see.
Use End To End Encryption Where Possible
Unfortunately, most solutions for end-to-end encryption of email are rather tricky to use, so it is not something we can expect everyone to use. And of course you need to persuade people you email to use encryption too!
But the only solution for email security that ticks all of the boxes is end-to-end encryption using something like PGP. Watch this space! Blog articles on how to use PGP may well appear, although it will remain something for those comfortable with very technical configuration.
Email Identity Is Insecure
Internet email is based around standards that date back to the 1970s. As such there is very little to ensure that rogue people cannot send emails out with all sorts of interesting trickery in place.
As detailed previously, it is perfectly possible to send emails out with headers that indicate that the email came from someone other than yourself. Or indeed someone else can send out emails that appear to come from yourself.
The only effective technical solution is to use digital signing of emails – this is unfortunately as technically challenging as encryption is, as digital signatures are effectively encryption too.
The non-technical solution is to be aware that forged emails can be sent in your name, and you can receive them too. If you are in any doubt about the authenticity of an email, you should contact the sender “out of band” (i.e. not using email) to check.
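To illustrate why the sender shown in an email cannot be taken at face value, here is an added example (not from the original post) that flags messages whose From domain disagrees with other sender-related headers. The sample message is constructed, and the check assumes the receiving server has recorded the envelope sender in a Return-Path header. A mismatch is only a hint to verify out of band, since mailing lists and bulk-mail services produce it legitimately.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From line is just text chosen by whoever sent it.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: "Finance Director" <director@example.org>
Reply-To: director@example-payments.test
To: staff@example.org
Subject: Urgent invoice

Please pay the attached invoice today.
"""


def domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()


def sender_mismatches(raw):
    """List headers whose domain differs from the domain in From."""
    msg = message_from_string(raw)
    from_domain = domain(msg["From"])
    findings = []
    for name in ("Return-Path", "Reply-To"):
        other = domain(msg[name])          # '' when the header is absent
        if other and other != from_domain:
            findings.append(
                f"{name} domain {other} differs from From domain {from_domain}"
            )
    return findings


if __name__ == "__main__":
    for finding in sender_mismatches(SAMPLE):
        print("check out of band:", finding)
```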
There are many possible irritations with email, but the one that is almost certainly at the top of everyone’s list is spam – technically unsolicited bulk email. These need not be commercial – they can be on any subject at all.
As spam has come up on this blog a number of times before, there is no need to go into great detail here.
Attachments, Viruses and Other Malware
As soon as email started to be used, someone made the observation that email by itself was all very well, but the ability to send documents (of any kind) alongside the email would be useful. And so the email attachment was born.
Whilst the phrase “email attachment” sort of implies that any attached documents are treated as separate objects, at the very lowest level of email they are not really separate at all. What happens is that your document is encoded in plain text (and so grows by about 30%) and appended to the end of your email.
It becomes one giant email. And email systems are not necessarily very efficient when dealing with very large emails. For one thing it is easy to have a size explosion – sending a 20Mbyte file attachment to 1,000 users becomes 25Gbytes. Not something that is pushed out very quickly, and whilst it is being pushed out, all the other email could well be delayed.
So almost every mail server implements a size limit. These vary according to the whims of whatever organisation configured the mail server – we have a carefully considered limit of 25Mbytes. But you can always run into this limit.
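The attachment encoding and the size explosion described above can be measured directly. This added example (not part of the original post) builds a message with Python's standard email library, using a constructed 1 MiB binary file and constructed addresses, then shows that the result is one plain-text message, how much it grew, and what a send to 1,000 users adds up to.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_message(payload: bytes) -> bytes:
    """Return the on-the-wire form of an email carrying `payload` as an attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"        # constructed addresses
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Report attached"
    msg.set_content("Please see the attached file.")
    # Binary attachments are base64-encoded: every 3 bytes become 4 text
    # characters, wrapped into short lines inside the same message.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg.as_bytes()


def growth_ratio(payload: bytes) -> float:
    """Size of the whole email relative to the original file."""
    return len(build_message(payload)) / len(payload)


def extract_attachment(raw: bytes) -> bytes:
    """Decode the attachment back out of the single text message."""
    parsed = message_from_bytes(raw, policy=policy.default)
    return next(parsed.iter_attachments()).get_content()


def fan_out_bytes(file_bytes: int, recipients: int, ratio: float) -> int:
    """Total volume the mail server must push out for one send."""
    return int(file_bytes * ratio * recipients)


if __name__ == "__main__":
    sample = bytes(range(256)) * 4096          # constructed 1 MiB binary file
    raw = build_message(sample)
    ratio = growth_ratio(sample)
    print("message is plain ASCII text:", raw.isascii())
    print(f"growth: {(ratio - 1) * 100:.0f}%")
    print("attachment recovered intact:", extract_attachment(raw) == sample)
    print("20 Mbyte file to 1,000 users:",
          fan_out_bytes(20_000_000, 1000, ratio), "bytes")
```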
Of course attachments are not only used for legitimate documents but for malicious software too.
Viruses and Other Malware
Malware can be distributed through all sorts of methods – originally floppy discs, network shares, USB memory sticks, and of course email. Although email clients that would automatically “display” the contents of an attachment (and thus run attached software) have hopefully been consigned to history, malware is still distributed via email.
This relies on persuading the recipient to open any attachment on the email. Whilst some people will open any attachment at all, more cautious people need to be tricked into opening an attachment. After all, we have been saying “be careful of attachments” for a while now.
So the senders of malware rely on all sorts of tricks to persuade us to open their malware and get it to run. Some of the tricks used to make us open attachments containing malware can include :-
- Making the attachment sound irresistible – such as offers of naked pictures of celebrities.
- Forging the email so it appears to come from someone with credibility.
- Crafting the email so that it sounds important to deal with – a tax issue, a lottery win, a notification of copyright infringement, etc.
Although we should all be running anti-virus protection of some kind, it is still worth avoiding the nasty attachments. Simply avoid opening attachments where the email is a bit suspicious.
Again, if you have any doubts about the origin of the email, simply contact the sender “out of band” (using phone, or something other than email) to verify whether the email is legitimate.