Who can read your email? by Mark Brooks
Internet Security Threats: Who can read your email?
===================================================
Nov 23, 2003
Before being able to choose a secure Internet communication system, you need to
understand the threats to your security.
Since the beginning of the Internet there has been a naive assumption on the
part of most email users that the only people who are reading their email are
the people they are sending it to. After all, with billions of emails and
gigabytes of data moving over the Internet every day, who would be able to find
their single email in such a flood of data?
Wake up and smell the coffee! Our entire economy is now information based, and
the majority of that mission-critical information is now flowing through the
Internet in some form, from emails and email attachments to corporate FTP
transmissions and instant messages.
Human beings, especially those strange creatures with a criminal mind, look for
every possible advantage in a dog-eat-dog world, even if that advantage
includes prying into other people's mail or even assuming your identity. The
privacy of your Internet communications has now become the front line in a
struggle for the soul of the Internet.
The New Generation Packet Sniffers:
===================================
At the beginning of 2001, most computer security professionals started becoming
aware of an alarming new threat to Internet security: the proliferation of
cheap, easy-to-use packet sniffer software. Anyone with this new software, a
high school education, and network access can easily eavesdrop on email
messages and FTP transmissions. Software packages such as Caspa 3.0 or
PassDetect - Ace Password Sniffer automate the task of eavesdropping to the
point where, if you send an email message over the Internet with the phrase
"Credit Card", it's almost a certainty that someone, somewhere will capture it,
attachments and all.
(Caspa 3.0 - from ColaSoft Corporation, located in Chengdu, China,
http://www.colasoft.com; PassDetect - a product whose advertised purpose
is to sniff passwords sent in email, over HTTP, or over FTP, from EffeTech
Corporation, http://www.effetech.com)
A good example of this new class of software is called MSN Sniffer, also from
EffeTech, and it highlights the "party line" openness of today's LAN and
Internet environments. MSN Sniffer lets you listen in on other people's
conversations, just like picking up another phone on an old telephone party
line.
On their web site, Effetech advertises MSN Sniffer as:
"a handy network utility to capture MSN chat on a network. It records MSN
conversations automatically. All intercepted messages can be saved as HTML
files for later processing and analyzing. It is very easy to make it to work.
Just run the MSN Sniffer on any computer on your network, and start to capture.
It will record any conversation from any PC on the network."
Just as the Internet has been flooded by a deluge of spam messages after the
introduction of cheap, easy-to-use spam generation software, the same effect is
now taking place with sniffer software. The major difference is that, unlike
spam, Internet eavesdropping is totally invisible, and ten times as deadly. How
much of the identity theft being reported today is a direct result of Internet
eavesdropping? It's hard to tell, but with the ever-growing dependency of
individuals and corporations on Internet communications, opportunities to
"capture" your sensitive data abound.
Most FTP transmissions are unencrypted!
=======================================
As of November 2003, the majority of corporate FTP transmissions are still
unencrypted (unencrypted is geek speak for "in the clear") and almost all
email communications take place "in the clear". Many email and FTP
transmissions travel over 30 or more "hops" to make their way from the sender
to the receiver. Each one of these hops is a separate network, often owned by a
different Internet Service Provider (ISP).
Any Idiot in the Middle
=======================
Even a well-run corporation must still primarily rely on trusting its
employees, contractors and suppliers to respect the privacy of the data flowing
over its networks. With the new sniffer technology, all it takes is one "idiot
in the middle", and your security is compromised. It could be the admin
assistant sitting in the cubicle next to you, or a network assistant working
for one of the many ISPs your data will travel over, but somewhere, someone is
listening. Maybe all he is looking for is his next stock trading idea, or maybe
he wants to take over your eBay account so he can sell a nonexistent laptop to
some unsuspecting "sucker" using your good name. It's all happening right now,
at some of the most respected companies in the world.
Access to your network doesn't have to come from a malicious or curious
employee. Many Internet worms, Trojans and viruses are designed to open up
security holes on a PC so that other software can be installed. Once a hacker
has access to one computer in your network, or one computer on your ISP's
network, he can then use a sniffer to analyze all the traffic on the network.
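An added example, not part of the original article: a small audit that takes FTP, SMTP or POP3 session transcripts and reports which sensitive commands crossed the wire before the server accepted a TLS upgrade, which is the "in the clear" exposure described above. The transcripts, host names and the `audit_session` helper are constructed for illustration; the upgrade commands and reply codes are the standard ones (AUTH TLS/234, STARTTLS/220, STLS/+OK).

```python
# Added example. Transcripts are constructed sample data, not real captures.
# Per protocol: client upgrade command, server reply prefix confirming it,
# and client commands that expose credentials or mail if sent before it.
RULES = {
    "ftp":  ("AUTH TLS", "234", ("USER", "PASS")),
    "smtp": ("STARTTLS", "220", ("AUTH", "MAIL FROM", "DATA")),
    "pop3": ("STLS",     "+OK", ("USER", "PASS", "APOP")),
}

def audit_session(protocol, transcript):
    """Return sensitive client verbs sent before TLS was negotiated."""
    upgrade_cmd, ok_prefix, sensitive = RULES[protocol]
    exposed, pending_upgrade = [], False
    for direction, line in transcript:      # direction: 'C' client, 'S' server
        upper = line.strip().upper()
        if direction == "C":
            pending_upgrade = upper.startswith(upgrade_cmd)
            if not pending_upgrade:
                # Record the verb only, never its argument (the secret).
                exposed += [v for v in sensitive if upper.startswith(v)][:1]
        elif pending_upgrade:
            if upper.startswith(ok_prefix):
                return exposed      # server accepted: the rest is inside TLS
            pending_upgrade = False  # upgrade refused: session stays cleartext
    return exposed

PLAIN_FTP = [
    ("S", "220 ftp.example.test ready"),
    ("C", "USER alice"),
    ("S", "331 Password required"),
    ("C", "PASS constructed-placeholder"),
]
FTP_WITH_TLS = [
    ("S", "220 ftp.example.test ready"),
    ("C", "AUTH TLS"),
    ("S", "234 Proceed with negotiation"),
]
SMTP_TLS_REFUSED = [
    ("C", "EHLO client.example.test"),
    ("C", "STARTTLS"),
    ("S", "454 TLS not available"),
    ("C", "MAIL FROM:<alice@example.test>"),
    ("C", "DATA"),
]

if __name__ == "__main__":
    for proto, t in [("ftp", PLAIN_FTP), ("ftp", FTP_WITH_TLS), ("smtp", SMTP_TLS_REFUSED)]:
        print(proto, audit_session(proto, t) or "nothing sent in the clear")
```

The third transcript shows the case that is easy to miss: the client asked for TLS, the server refused, and the client carried on in cleartext anyway.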
So I'll password-protect my files, right?
=========================================
You're getting warmer, but this still isn't going to do the trick. It's a good
way to stop packet sniffers from searching for key words in a file, but
unfortunately it is not as secure as you might think. If you ever forget a Zip,
Word or Excel password, don't worry: just download the password tool from Last
Bit Software (www.PasswordTools.com). It works very well. There are many other
packages out on the Internet, but Last Bit's tool is the most robust and easy
to use, if a bit slower than some others.
So what can I do about it?
==========================
OK, so now that you understand the threat, what can you do about it?
. Stop using the Internet? - More than a few professionals are returning to
phone calls and faxes for all their important communications.
. Complain to your IT department? - If you have an IT department in your
company this is a good place to start. But did the spam mail stop when you
complained about it to your LAN administrator? Unfortunately he is almost as
helpless as you are.
. Encrypt your communications with PKI, etc. - For email this is a bit drastic,
and can be very expensive, especially since you will need to install a key on
each PC and coordinate this with the receivers of your email messages, your IT
organization, etc.
. Use FileCourier - This is by far the easiest and most cost effective way to
protect your email attachments, or replace FTP transmissions. It takes out the
"idiot in the middle" with a very clever solution.
The FileCourier approach to Security
====================================
I believe that FileCourier is the easiest out-of-the-box secure communication
system available.
FileCourier approaches Internet data transfer security in a unique way. Until
FileCourier was first released in December of 2002, all secure email and file
transmission systems relied on encrypting the data during the tried and true
method of "upload, store, and forward". When you send an email, it and any
documents attached to it are first transmitted to one or more intermediate
servers. These mail servers store the documents and then attempt to forward
them to the receiver's email server. Securing the transmission of the email
either requires the servers to use extra encryption software, or forces the
individual senders and receivers to install encryption software and the
associated keys, or both. Not only is this a costly and time-consuming exercise,
but it also often fails to protect the data over the complete path of the
transmission. What do you do if the receiver is in another company and doesn't
have any encryption software installed? What if his company is using a
different encryption standard?
Ignoring the complexity of existing secure email and FTP systems, their biggest
failing continues to be the "idiot in the middle". From a nosey email or FTP
server administrator, to a hungry co-worker, to an incompetent who lets a
hacker have free rein of their server, if your sensitive documents are stored
on a server maintained by someone else then that person, or his company, can
view your documents.
The FileCourier approach is creative, yet simple. FileCourier utilizes existing
email and instant messaging systems in the same way you use an envelope to send
a letter thru the US postal service: as a wrapper for the real content. We
assume that EVERYONE can read what is in the email, so we don't send your
documents in the email at all. In fact your documents never leave your PC until
the receiver of the email requests them.
How it works
============
FileCourier lets you ticket the file you want to email, and then, instead of
sending the file in the email, sends a "FileTicket". The file is only
transmitted to the receiver of the email when he opens the FileTicket and is
"authenticated". After the receiver is authenticated the file is transmitted
through an SSL (secure socket layer) tunnel directly from the sender's PC to
the receiver's PC through our secure relay servers. SSL is the same security
used by banks and is impossible for packet sniffers to penetrate. With
FileCourier each packet is encrypted using a 1024-bit key and is delivered to
your receiver through his browser.
FileCourier lets your communications go undetected by any sniffer, and removes
the "idiot in the middle" threat by never storing the data on an intermediate
server. Moreover, FileCourier is the easiest way to secure your sensitive data
transmission in both an Internet and corporate LAN environment.
Take Action Now!
================
Internet communications security is one of the most important privacy issues we
face today. It might feel a bit paranoid for a law-abiding citizen to encrypt
his email communications and computer document transmissions, but would you
send a customer's contract thru normal mail without an envelope? How would you
feel if your employer sent your next pay stub to you on the back of a postcard?
Use FileCourier, just like you would use an envelope for regular mail. Download
the no-obligation free trial today at www.filecourier.com and send 50MB of
data securely for free!
About the Author
Mark Brooks is a software architect, internet entrepreneur and founder of CanDo
Networks Corporation. CanDo Networks Corporation makes easy-to-use software for
communicating large amounts of data securely and privately over the Internet.
Its flagship product, FileCourier (www.filecourier.com), is used by thousands
of legal, medical, and computer professionals to securely deliver files over
the internet, to anyone, anywhere.