| Guide Series | Buy This Issue Table of Contents For This Issue  E-mail
This To A Friend |
|
| |
| E-Mail & More | |
| July 2000• Vol.8 Issue 7 Page(s) 54-55 in print issue | |
Security Risks The Dangers Of Sending & Receiving E-mail |
| Jump to first occurrence of:
[MAIL]
[SECURITY]
[RISKS]
Even before the World Wide Web, there was e-mail. People have been exchanging electronic messages for personal and business reasons for a long time, and for nearly as long, bored or malicious hackers have been intercepting and reading them. This has never been acceptable, but as more and more businesses and individuals come to rely on e-mail as a major form of communication, the need to address e-mail security issues has become more urgent. Right now, the threats are many. When you receive a message, can you be sure of who sent it or that it doesn’t carry a nasty payload? Can you be sure the mail you send isn’t read en route or that the copies on your computer, the receiver’s computer, the sending or receiving servers, and the ISP (Internet service provider) backup files are all safe? OK, put down the paper, pen, and stamps. Even though there are many potential risks associated with e-mail, recognizing them and learning how to lessen the risks really does make it a much more secure medium.  Danger, Danger.
Attachments to e-mail, those cute little paper-clip additions that come with ordinary messages, are still the biggest risk you can face. If they come from people you don’t know—particularly if they have an .EXE (executable files), .COM (command files), or .BAT (batch files) file extension—toss them out and don’t open them. You just never know what they’re going to contain, and the options include some doozies. Trinoo. This little wonder is especially a threat to DSL (Digital Subscriber Line) and cable users. Hackers send Trinoo, which is a tool/application not a virus, to your computer as an e-mail attachment and then use it and many other computers to mount DoS (denial of service) attacks, which flood servers with messages until they crash. Many antivirus software packages are presently set up to scan for Trinoo and many other attachment interlopers, such as . . . Back Orifice. Once this Trojan horse (malicious programs disguised as something harmless or beneficial for the computer user) moves from the attachment to your system, you’re essentially at the mercy of the hacker. Using Back Orifice, hackers can control your entire system, including copying and deleting files, damaging data, and disrupting systems. Viruses. New viruses are popping up almost daily, and some are real nasty. The CIH virus, for example, can reformat your hard drive. It renders a computer useless when a user activates it because it overwrites the hard drive’s mapping system. It can also overwrite the computer’s BIOS (Basic Input/Output System, software that controls the PC’s startup process), rendering the computer inoperable until the user reprograms or replaces the motherboard. Are you sick of manually mailing viruses to your friends? Meet Melissa. Melissa made headlines last year for its ability to copy and mail itself to the first 50 people in your Outlook address book, making it appear as though you sent it. By the end of 1999, a virus with new capabilities reared its head. Fashioned after an infamous “Seinfeld” episode where Jerry and friends visit a bubbleboy, this virus is more annoying than malicious. It changes the computer’s registered user name to Bubbleboy and the organization to Vandelay Industries (another Seinfeldism), while displaying a message that says, “The Bubbleboy incident, pictures and sounds.” The real scary aspect of Bubbleboy came with its execution: You don’t have to open an attachment to activate it. Just by opening an Outlook e-mail (or even using the Preview function in Outlook Express), a Visual Basic script runs Bubbleboy and e-mails itself to everyone in your address book. Other viruses, such as the Wscript.kak, don’t even require you to open an e-mail. After receiving a message with the worm, it reboots Windows and then runs in the background, attaching itself to every e-mail you send. Even though these are more annoying than destructive so far, people worry that “Son of Bubbleboy,” something really malicious and self-launching, looms on the horizon. One of the best ways to guard against such things is to have the Windows Scripting Host option turned off or to set any browser security options on high. Browser Mail.
So-called Web-based e-mail has become quite popular over the past couple of years, and in addition to offering universal access to your e-mail account, it’s also had its share of problems. In 1999, Microsoft’s Hotmail (http://www.hotmail.com/) alone had two serious problems (also known as security holes) in which users’ e-mail passwords were at risk and users’ entire systems were at risk from malicious JavaScripts. And hackers aren’t the only ones targeting these systems. In December 1999, a coalition of consumer and privacy groups, including Junkbusters (http://www.junkbusters.com/) and the Privacy Rights Clearinghouse (http://www.privacyrights.org/), petitioned the FTC (Federal Trade Commission) to close a security hole with cookies (information from a Web site sent to a browser and stored on a user’s hard drive so the Web site can retrieve it later). In this case, users who read e-mail with Web browsers were inadvertently allowing snippets of code, or cookies, into their systems. This makes it possible for businesses to track browsing habits for specific e-mail addresses. If you really can’t do without your Web-based e-mail but want to make it safer, you can take a few steps. Switch to a service such as HushMail (http://www.hushmail.com/), which offers free e-mail with strong encryption technology built into it. Make sure you also clear your memory and disk caches after reading your mail; the very technology that makes the browser Back button such a convenience will also make it easy for future users to get at your e-mail. Make sure you turn your browser off and on and zap the e-mail cookie to clear any passwords that linger. Finally, always politely decline if your system offers to save passwords for you. Passwords are worthless if someone can access your computer, and sites proudly come up with the keys every time the hacker finds a door. Other Security
Threats. There are any number of ways your information, and your system, could be at jeopardy simply through your e-mail gateway. Passwords. Anybody with the initiative and a little (often very little) work can find numerous password cracking applications online. Most use a dictionary of common words to compare your password to. A simple e-mail password may be easy for you to remember, but it also makes for very easy cracking. Spoofing. The e-mail seemed to come from someone legitimate . . . then it turned your hard drive into a toxic-waste dump. Faking identities in e-mail is often as simple as filling in fields in the preferences dialog box. Spamming. This is when your mail gets flooded, or bombed, with thousands of messages. There isn’t much you can do about this but try and report the offender to his or her ISP. See “The Spammer Slammer” sidebar in the “Protect Your E-mail Address” article in this issue for information on how to report spammers. (NOTE: See the “Spamitize Your Inbox” article for more information on spam in general.) Subscription lists. Early this year, TWA (Trans World Airlines) accidentally sent out chunks of its “Dot Com Deals” e-mail newsletter subscription list to subscribers. These lists are worth gold to e-mail spammers (of the “You Too Can Make $30,000 A Week!” variety), and even if the lists claim they will never share information with others, mistakes do happen. Beef Up Security.
So, what can you do to cut down on some of these risks and gain greater control over your e-mail? Look into some of the new “life cycle” management software or get encrypted. Software. Several new software packages are set for release this year that give you much greater control over the “life cycle” of your e-mail. Packages such as Authentica’s MailVault (http://www.authentica.com/), QVtech’s Interosa (http://www.qvtech.com/), and Disappearing Email by Disappearing (http://www.disappearing.com/) all let you set an expiration date for e-mail so it’s only around for as long as you say (as opposed to “forever”). Other features in some of these packages include the ability to decide whether to let recipient’s print or copy the message, who can read it, and even the ability to recall e-mail after you send it. Think of it as e-mail management, after the fact. Encryption. As mentioned earlier, copies of a given e-mail message can reside in several locations, and often hackers can just snatch them up en route. By encrypting (encoding) your e-mail, you make it nearly impossible for even the most determined hacker to read your message. Several free encryption solutions exist, including PGP (Pretty Good Privacy; http://www.pgp.com/), InvisiMail (http://%20www.invisimail.com/), and ZixMail (http://www.zixmail.com/). These programs all use strong encryption, and even though they can be somewhat of a nuisance compared to regular e-mail (both parties usually have to have a copy of the software, or the receiver needs to download your key from your Web site), they are effective at keeping both casual snoopers and serious hackers alike from reading your messages.  by Rich Gray
|
Copyright & Legal Information Privacy Policy