Tips for Securing Your E-mail
Understanding and Illustrating E-mail Security Concerns
Eric Geier
As much as we use e-mail to conduct business today, most small businesses routinely send sensitive messages — messages that often contain social security numbers, business deal discussions, corporate secrets or account updates and notices — without regard for security. Why? Mainly it's because they don't know better or they don't know how to address the issue.
In this tutorial, we'll look at securing the connection between e-mail servers and e-mail software (e.g., Microsoft Outlook or Thunderbird) and protecting the content and attachments of the messages we send and receive.
Understanding the E-mail Security Concerns
When you use e-mail software such as Microsoft Outlook or Thunderbird without proper protection, the account credentials that log you into the incoming and outgoing e-mail servers are sent in clear-text from your computer, over the local network and Internet, to your servers.
Any e-mail messages you send or receive are in clear-text as well. This means if you are surfing the net on an unsecured or unencrypted network, such as using a Wi-Fi hotspot or public Internet port, anyone with the right tools can capture the network packets and read your account credentials and messages.
To better understand what an eavesdropper can see on an unprotected network, we sent an e-mail (see Figure 1) and captured its raw data packets as it was being received from the recipient's e-mail server.
We opened Outlook and hit the Send/Receive button, which logged on to our e-mail (POP3) server, downloaded the e-mail awaiting pickup and displayed it in our inbox. As Figure 2 shows, the server login credentials are visible in the captured data. Figure 3 shows the body of the message we downloaded to Outlook, as reassembled by the raw data-capturing tool.
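As an added illustration (not part of the original article or its figures), the Python code below audits the client side of a reassembled POP3 session and reports which credentials were readable on the wire, masking the password itself. The session lines, account name and password are constructed samples, and the AUTH PLAIN case goes beyond the USER/PASS login the article captured.

```python
import base64


def mask(secret):
    """Report that a secret was readable without reproducing it."""
    return f"<{len(secret)} chars readable>"


def audit_pop3_stream(client_lines):
    """Audit the client commands reassembled from a captured POP3 session.

    Every line passed in was readable on the wire, so any credential found
    here was exposed. If STLS was requested and credentials still appear,
    the TLS upgrade did not take effect.
    """
    exposed, stls_requested = [], False
    for line in client_lines:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "STLS":
            stls_requested = True
        elif verb == "USER":
            exposed.append(("username", arg))
        elif verb == "PASS":
            exposed.append(("password", mask(arg)))
        elif verb == "AUTH" and arg.upper().startswith("PLAIN "):
            # Base64 is an encoding, not encryption: authzid\0user\0password.
            blob = base64.b64decode(arg.split(" ", 1)[1])
            _authzid, user, password = blob.decode().split("\x00")
            exposed.append(("username", user))
            exposed.append(("password", mask(password)))
    return {"stls_requested": stls_requested, "exposed": exposed}


# Constructed samples (hypothetical account and password).
PLAIN_SESSION = ["USER alice@example.com", "PASS correct-horse",
                 "STAT", "RETR 1", "QUIT"]
AUTH_PLAIN_SESSION = [
    "CAPA",
    "AUTH PLAIN " + base64.b64encode(
        b"\x00alice@example.com\x00correct-horse").decode(),
    "QUIT",
]
# After a successful STLS only TLS records follow, so nothing else is readable.
TLS_SESSION = ["CAPA", "STLS"]

if __name__ == "__main__":
    for name, session in [("plain", PLAIN_SESSION),
                          ("auth-plain", AUTH_PLAIN_SESSION),
                          ("stls", TLS_SESSION)]:
        print(name, audit_pop3_stream(session))
```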
If you are using a Web-based-only e-mail service, such as Gmail, Yahoo Mail, or AOL Mail, you also have a client-server security concern. As we'll discuss later, if you don't follow one important guideline when using Web-based e-mail services, your messages and login info can also be compromised when traveling to and from your computer and their Web/e-mail servers.
Moreover, if you use an e-mail application in conjunction with your Web-based e-mail service, you must make sure to secure both the Web access and the client application access.
You also need to be concerned about compromising the security of the e-mail messages you send, and any attachments they may be carrying, after they leave your e-mail server. This concern applies whether you use a computer-based e-mail application or Web-based e-mail.
Even when you use encrypted connections to your e-mail servers, messages you send can still be in clear-text when they reside on your e-mail server and when they leave your server. For example, on their way to the recipient's server, your messages may pass through other servers on the World Wide Web, and those servers might be unsecured and monitored by hackers.
Additionally, the recipient may not use encrypted connections to his or her servers. Therefore, Joe Hacker could intercept the message you sent containing your sensitive information when the recipient downloads your message from his or her incoming e-mail server.
Now that we know the two main e-mail security concerns, we can address them: encrypting the information is the solution. Even though Joe Hacker can pull network traffic from a wired network and intercept packets from Wi-Fi connections, everything is safe if the account credentials and e-mail messages are encrypted — Joe will see only a bunch of gibberish.