e-mail security


probes
23rd Mar 2012, 08:49
We had a heated discussion the other day, with some from the 'suspecting' spectrum and some outright 'paranoid'. And I realised I don't actually know. I've heard gmail is quite complicated to hack into - but it's just hearsay. Googled, but not a specialist enough to be enlightened.
So, if I'm just an average user, don't know the software tricks, how sure can I be that my e-mails are not monitored (not that I think any of them has anything to hide, just for information). Are there any that are more difficult to get into when you know the address, provided you don't just make an intelligent guess of the password?

Tableview
23rd Mar 2012, 09:20
My bank have been telling me for ages never to send bank account numbers etc. by email, and even in communications to them to refer to my accounts as 1234 XXXX, for example. And yet they send out cheque books, statements, and remittance advices by normal mail, which I would imagine is less secure than email. Like many things in the modern world, this makes no sense to me.

mixture
23rd Mar 2012, 09:26
how sure can I be that my e-mails are not monitored

You have a gmail account and you ask that question ?

:D

Milo Minderbinder
23rd Mar 2012, 09:33
how sure can I be that my e-mails are not monitored

In short, you can't. E-mail is inherently unsafe. It was never designed to be secure, as when it was coded the modern scale of use had never been envisioned.

You've got several areas of concern
1) Security of your account.
This is only as good as the password you use, its potential for guessability, and how you store it. No birthdays / dogs' names / kids' names or similar. No writing passwords on scraps of paper. Make sure the password reset questions cannot be guessed - an idea is to make sure the answers don't relate to the question, e.g. question "mother's maiden name", answer "your last car's registration number".
Also - and this is important - don't use the e-mail password for all your other websites (eg eBay, PayPal, Tesco....); each needs to be distinct.
You also have to realise that workers in ISPs / call centres etc are often seriously underpaid and could well be subject to bribery
2) Security of the network
E-mail is sent in clear, unencrypted, through a relay of mail servers. At any one of those servers it can be read by anyone with access in real time. If you make a habit of using wifi access in hotels etc., then it's easy to hack you. All I'd need to do would be to turn my Android phone into a mobile hotspot which appeared to be the hotel's network, then all your messages would pass through my phone and be readable (using the correct software). The same can be done with mobile broadband: the 3G transmission signal can be intercepted in much the same way, and the phone spoofed into switching off encryption of the data stream.
The only solution is to encrypt all your e-mails end-to-end using PGP or similar. However only a couple of weeks ago a flaw was discovered in the way in which some systems generate public keys, so even that may have problems
3) security of your PC
How sure are you that your computer is not vulnerable? It's a relatively trivial task to send someone a mail containing a keylogger or trojan or worse, or to fool them into visiting a compromised website. Most people have inadequate security software, leaving their systems easily vulnerable.
4) personal security
how trusting are you? Do you let other people know your password? Son/daughter/mother/computer repair man.....? You have to keep that password safe
Just remember that the person most likely to spy on you is a jealous friend or close relative. I've been asked several times to put keyloggers on women's machines by husbands. Never the other way around..... I've always refused

So, to reprise, you need
A highly secure password, which can't be guessed or found easily. Preferably at least 16 characters
Password reset questions which cannot be guessed
Encryption of the mails
Computer security which works
A tight lip


And even then you are at the risk of some zero-day flaw being found in your e-mail providers servers
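Point 2 above (mail passing in clear through a chain of relays) can be checked on any message you receive: every server that handles it prepends a Received: header, so reading those headers from the bottom up lists the hops, and the "with" keyword records whether that particular transfer used TLS. The script below is an added illustration, not code from anyone in this thread; the message is constructed for the example, and the protocol keywords it treats as TLS are the ones registered in RFC 3848 (ESMTPS, ESMTPSA and the UTF8 variants). Note that hop-to-hop TLS only protects the wire between two servers; each server still holds the message in the clear, which is Milo's point.

```python
import re
from email import message_from_string

# Constructed sample message (not taken from the original thread).
# Each relay prepends its own Received: header, so the top one is the last hop.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.20])
    by mail.recipient.example (Postfix) with ESMTP id 1B2C3D
    for <alice@recipient.example>; Fri, 23 Mar 2012 08:49:12 +0000
Received: from relay.hotel-wifi.example (unknown [203.0.113.7])
    by mx.example.net with ESMTPS id 9F8E7D
    (version=TLSv1 cipher=AES128-SHA)
    for <alice@recipient.example>; Fri, 23 Mar 2012 08:49:10 +0000
Received: from [192.0.2.55] (laptop.local [192.0.2.55])
    by relay.hotel-wifi.example with SMTP id 0A1B2C;
    Fri, 23 Mar 2012 08:49:01 +0000
From: bob@sender.example
To: alice@recipient.example
Subject: test

body
"""

# "from <host> ... by <host> ... with <protocol>" is the shape every Received: clause takes.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>[A-Z0-9]+)",
    re.DOTALL,
)

# Protocol keywords that mean the transfer itself ran over TLS (IANA registry, RFC 3848).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def parse_hops(raw_message):
    """Return the relay hops oldest-first as (from_host, by_host, protocol, used_tls)."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        flat = " ".join(header.split())  # unfold the continuation lines
        match = HOP_RE.search(flat)
        if not match:
            continue
        proto = match.group("with").upper()
        hops.append((match.group("from"), match.group("by"), proto, proto in TLS_KEYWORDS))
    hops.reverse()  # headers are newest-first; report the path in the order it was travelled
    return hops


def cleartext_hops(raw_message):
    """The hops whose transfer was not TLS-protected at all."""
    return [hop for hop in parse_hops(raw_message) if not hop[3]]


if __name__ == "__main__":
    for from_host, by_host, proto, used_tls in parse_hops(SAMPLE_MESSAGE):
        print(f"{from_host} -> {by_host}: {proto} ({'TLS' if used_tls else 'cleartext'})")
```

On the constructed message the first hop (laptop to the hotel's relay) and the last hop (to the recipient's server) are plain SMTP, so two of the three transfers could be read on the wire, and all three servers saw the full text regardless.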

TWT
23rd Mar 2012, 10:14
Emails on my Hotmail account aren't encrypted before transmission, but I do connect to their server over a 128 bit SSL connection, so very difficult to intercept and read while in transit to/from the Hotmail server. Not perfect, but better than nothing.

Milo Minderbinder
23rd Mar 2012, 10:17
Presumably you're using webmail to access the servers? Not sure, but I don't think there is a way of encrypting that with Hotmail. You'd have to use their pop/imap servers instead and a local mail client
Of course for you the main vulnerability is when stuff is on the way to / from your account and your correspondents: you've no control over their mail systems

mixture
23rd Mar 2012, 11:15
The only solution is to encrypt all your e-mails end-to-end using PGP or similar. However only a couple of weeks ago a flaw was discovered in the way in which some systems generate public keys, so even that may have problems

Even encryption is vulnerable if you are just storing your private key on your computer.

Gertrude the Wombat
23rd Mar 2012, 11:40
E-mail is inherently unsafe
Correct.

To be treated like a postcard.

The postman probably won't read your postcards and repeat the interesting bits to your neighbours, but he could, and you choose what to write accordingly.

When running a political campaign we don't put anything on email that would cost us if the enemy got to read it - sensitive stuff is word of mouth.

riverrock83
23rd Mar 2012, 11:48
The other thing to mention is that it is incredibly easy to spoof who an email is being sent by. Most non web based emails go through what's called an SMTP server. These don't check usernames or passwords - they just forward on emails. You can call yourself anything and no checks are made. Hence why you shouldn't click on a link in an email, then type in your password - in almost all cases you don't have any way of knowing if the email was sent by who it says it was sent by (so the link could be to a website collecting passwords...).
There are ways to create emails which will allow the sender to be confirmed (again using encryption such as PGP) but these are rarely used.

Milo Minderbinder
23rd Mar 2012, 12:00
Most non web based emails go through what's called an SMTP server. These don't check usernames or passwords

Happily this isn't as much of a problem as it used to be. Open SMTP relays are gradually being closed down as ISPs try to deal with the spam flooding through their systems. However some do still allow this - Talktalk and Orange did until recently. Not sure if they still do.

mixture
23rd Mar 2012, 12:49
Most non web based emails go through what's called an SMTP server

All emails go through what's called an SMTP server.
However webmail is more difficult to spoof than non-webmail.

:cool:

Open SMTP relays are gradually being closed down

Some ISPs run open relays with ACLs in place to prevent off-net usage. Pure open relays are the bad ones.

Let's face it, you can spoof any sort of SMTP server if you can relay through it, whether because it's open or you've got credentials. That's why SPF etc. is out there.
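As an added example (not code from any poster here) of what riverrock83 and mixture are describing, this is the receiving-side check that SPF adds: the recipient's mail server looks up the envelope sender's domain, reads its published policy, and asks whether the IP address that connected to it is one the domain owner has authorised. The DNS answers below are constructed for the example and stand in for real lookups; the evaluator handles the common ip4, a, include and all mechanisms with their qualifiers and returns the SPF result names from RFC 7208, but deliberately does not implement mx, ptr, exists or macros.

```python
import ipaddress

# Constructed, offline stand-in for DNS. These are NOT real records for these names.
TXT_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 a:mail.sender.example include:_spf.bulk.example -all",
    "_spf.bulk.example": "v=spf1 ip4:198.51.100.10 ~all",
}
A_RECORDS = {
    "mail.sender.example": ["203.0.113.25"],
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Evaluate the SPF policy of `domain` (the envelope MAIL FROM domain)
    against `client_ip`, the address that connected to the receiving server."""
    if depth > 10:                 # RFC 7208 caps DNS-based mechanisms; stops runaway includes
        return "permerror"
    record = TXT_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"              # domain publishes no policy: the spoof goes unchecked
    ip = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            # an IPv6 client never falls inside an IPv4 network; `in` returns False
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host = arg or domain
            matched = any(ip == ipaddress.ip_address(a) for a in A_RECORDS.get(host, []))
        elif name == "include":
            # include matches only if the referenced policy itself yields "pass"
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        else:
            return "permerror"     # mechanism not supported by this simplified evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"               # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.77", "203.0.113.25", "198.51.100.10", "198.51.100.99"):
        print(ip, "->", check_spf("sender.example", ip))
```

The last sample address is the instructive one: it is not in the domain's own ranges, the included bulk-mailer policy only soft-fails it, so the trailing -all produces "fail" and the receiver can reject or quarantine. SPF on its own says nothing about the From: header a user actually sees; that is what DKIM and DMARC were added for later.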

Saab Dastard
23rd Mar 2012, 13:15
All emails go through whats called an SMTP server.

What about X.400?

Not much used in comparison to SMTP, but it does have features that SMTP doesn't that make it ideal for secure, robust messaging and communications (which is why it is still used in defence systems, for example).

SD

Milo Minderbinder
23rd Mar 2012, 13:24
I've never even come across it
Do any ISPs offer it and is it compatible with POP/IMAP/SMTP systems?

bnt
23rd Mar 2012, 15:26
Google have a 2-factor authentication (http://support.google.com/a/bin/answer.py?hl=en&hlrm=en&answer=175197) option, that works on the principle of "something you have + something you know". You (should) know your password, so the 2nd factor is something you "have": there are various options, including a smartphone app or a text message.

racedo
23rd Mar 2012, 16:11
I work on the assumption that email and mobile phone calls are insecure and if someone really wants to dig in they will.

mixture
23rd Mar 2012, 16:52
What about X.400?

Only goes so far..... eventually you hit an SMTP bridgehead, gateway or data diode unless you're satisfied talking to yourself.

Also, the GSi is fundamentally SMTP based, by choice. So X.400 may be seeing its days slowly numbered through technology normalisation.

Vizsla
23rd Mar 2012, 16:55
How do you think GCHQ get their info?

Saab Dastard
23rd Mar 2012, 17:01
Do any ISPs offer it and is it compatible with POP/IMAP/SMTP systems?

Most publicly accessible X.400 implementations are for EDI now rather than email. It isn't compatible with SMTP. Where it is used, organisations build their own Message Store and MTA infrastructure, using private or public networks and have specific client software.

SD

probes
23rd Mar 2012, 17:03
Jeezz, guys, did I HAVE to ask for this? :{
And what's the joke about gmail? I have it but use it for blogs log-in (study and homework assignments that are not public, no really confidential things) only - it does trace for keywords, but...
And tonight's nightmare will be dedicated to Milo for sure! :E

But, seriously, thanks. To paraphrase Clarkson: "How naive can one be?" I've never thought of jealous neighbours, but the possibility is there, I guess.

P.S and I'm not naive enough to use unsecured wifis or click on links to get fortunes, that little I know.

mixture
23rd Mar 2012, 17:04
How do you think GCHQ get their info

If I knew, I'd have to kill you.

What's your address again ? :cool:

Don't worry, only joking, I don't officially know, but I can take a fairly good guess.

To quote Donald R.


There are known knowns; there are things we know we know.
We also know there are known unknowns; that is to say we know there are some things we do not know.
But there are also unknown unknowns – there are things we do not know we don't know.

i.e.
It's likely not as neat and tidy as you may think, hence the previous government's introduction (or rather attempted introduction) of all sorts of legislation and schemes to give them insight into areas that they are a bit grey on at the moment (you know, the "Interception Modernisation Programme", now snappily known as the "Communications Capabilities Development Programme" and all that jazz).

EDI

Aaah.... Saab.... the great oracle of the slowly dying protocols.

Who else have you got up on your ward Saab ? Is Mr Banyan VINES still alive ? :cool:

And what's the joke about gmail?

It's public knowledge that Google trawl their gmail databases for the purposes of delivering targeted advertising to you based upon the content of the emails you send and receive.

Depending on how you feel about such matters, you may or may not choose to expand the potential purposes of the trawling exercises. I'll leave that one for you to decide. :cool:

probes
23rd Mar 2012, 21:05
Google trawl their gmail databases for the purposes of delivering targeted advertising
but I thought it's trawling for key-words, not content? Targeted advertising is easy to notice even when you do not use it very much.
Actually it would be interesting what kind of advertising certain key-words would prompt... well, not politically correct to type any, just a hypothetical suggestion. Would I get politically incorrect advertising?

Milo Minderbinder
23rd Mar 2012, 21:42
It's not just based on your e-mail contents. They also profile your online Google Documents, and your browsing habits (assuming you are logged into Google at the time).

I make a habit of using several browsers at one time - Chrome for Google Apps and other webmail, Firefox and / or IE for everything else. But I don't log into anything on Firefox or IE. Browsing is kept separate from online apps and webmail.

probes
23rd Mar 2012, 22:18
Hm. Google Chrome is logged in my gmail then - as I organise the blogs there. Seems to be fastest, too (and I AM picky, sorry, due to working a lot). IE for business mail (looks most 'normal' there, log in/out every time) and somehow I don't like Firefox. Does that sound normal? (and I browse different things from wind farms to... well, personality traits, depending on the current translation/editing).

Milo Minderbinder
23rd Mar 2012, 22:48
Seems good.
The benefit of using Firefox for browsing is that you can lock it down really tight using NoScript, Adblock Plus, Ghostery and a few other toys which together make it much more resistant to attack.

probes
24th Mar 2012, 06:55
Thanks a lot, Milo (alas - no nightmare to dedicate as Milo's Special :p). I'll grab the local IT guy and ask about the things to go with Firefox.

Milo Minderbinder
24th Mar 2012, 10:13
To harden Firefox you need the following

from https://addons.mozilla.org/en-US/firefox/extensions/privacy-security/
NoScript
AdBlock Plus
AdBlock Plus Popup Blocker
Ghostery
Better Privacy
Browser Protect (though there is a better version, free, at BrowserProtect.org (http://www.browserprotect.org/))
Some people also like to install WOT/World of Trust, though personally I've never bothered

from https://www.eff.org/https-everywhere
HTTPS Everywhere

if the paranoias really kick in, then these two programs are useful
Spybot S&D (http://www.browserprotect.org/)
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html)

these last two are complementary - not alternatives - and both require manual updating a couple of times a week

In the tools > options>privacy settings for Firefox, set it to "do not track" and "never remember history"

Finally, in Windows Control Panel set Java to not keep temporary internet files.

Of course the assumption is that you have a working and up-to-date antivirus program on the machine

With that lot, Firefox should be as close to bullet-proof as it's possible for a browser to be. The only "extra" I can think of would be to disable Javascript in Adobe Reader.

Comments anyone?

mixture
25th Mar 2012, 10:41
Comments anyone?

Yeah....

To harden Firefox you need the following......

Common sense.
Decent anti-virus.
Not running as Admin user.
:cool:

That's it.

I've never really seen the point of installing half a ton of pointless add-on shareware / freeware programs to your machine. It ends up being almost as bad as the malware you're trying to avoid (eating up resources etc.). Plus no average Joe is ever going to keep all that software up to date like they should !

KISS as they say..... Keep It Simple Silly. :p

Milo Minderbinder
25th Mar 2012, 11:00
Of the items listed the only ones that need manual updating are Spybot and Spyware Blaster, and those two are probably not essential given the nature of the other plugins. They're effectively block lists, and given the behavioural scan techniques of the other products they are probably superfluous.
However the other products are needed.
"Common sense. Decent anti-virus" Doesn't wash nowadays, especially in the day of the supercookie.
A large number of "safe" web pages are compromised nowadays, and a lot of A/V programs don't block web attacks. They should, but they don't.
As for slowing the system down - it does, but insignificantly.
The final point is that most current computer users either don't have the knowledge, or else are too thick, to browse safely. You HAVE to load the machine up to protect users from their own idiocy.

mixture
25th Mar 2012, 12:43
"Common sense. Decent anti-virus" Doesn't wash nowadays

Seems to work fine for me. I also don't see IT departments rolling out NoScript, AdBlock Plus, AdBlock Plus Popup Blocker, Ghostery, Better Privacy, Browser Protect, WOT/World of Trust, HTTPS Everywhere, Spybot S&D, Spyware Blaster to their hundreds or thousands of endpoints, do you?

And anyway, if you want to install all that, you might as well just install one commercial "endpoint protection suite" type programme.... at least then you'll only have one thing to troubleshoot and one reasonably optimised thing running in the background.

Trying to troubleshoot which one of twelve plug-ins is causing your system problems must be terribly frustrating and time consuming.

Oh, well, each to their own I guess. :cool:

Saab Dastard
25th Mar 2012, 13:43
Mixture,

Perhaps you are overlooking the fact that the vast majority of corporates access the internet via a proxy such as websense that takes on most of that functionality - unlike home users, who have to provide it themselves.

Also, it is not by any means unknown for IT departments to deploy a few browser plug-ins for specific reasons - e.g. ad blocking. It's not a big deal to add these via a software / application deployment tool to a standard build / image.

SD

mixture
25th Mar 2012, 13:48
Saab,

Perhaps although not necessarily, especially in places which are increasingly adopting the BYOD (bring your own device) model.

My point about 12 things to troubleshoot vs 1 still stands, particularly for your average Joe with two left hands when it comes to IT.

Milo Minderbinder
25th Mar 2012, 14:06
There's a heck of a difference between someone working in a corporate environment, and the average home user. And those "average joes with two left hands" are the problem.
They have not got a clue what "safe browsing" means. You have to lock their machines down to protect them from themselves. Of those plugins, the only ones that require manual updates are Spybot and Spyware Blaster. The only one which requires user input is NoScript - something easily learnt by most.
The rest are invisible to the user.
I judge how successful things are by how often I get called back to sanitise machines I've previously worked on. The fact is, what I do works: I never need to reprise the protection on machines I've worked on.

TZ350
25th Mar 2012, 14:29
[quote]Milo Minderbinder
There's a heck of a difference between someone working in a corporate environment, and the average home user. And those "average joes with two left hands" are the problem.
They have not got a clue what "safe browsing" means. You have to lock their machines down to protect them from themselves. Of those plugins, the only ones that require manual updates are Spybot and Spyware Blaster. The only one which requires user input is NoScript - something easily learnt by most.
The rest are invisible to the user.
I judge how successful things are by how often I get called back to sanitise machines I've previously worked on. The fact is, what I do works: I never need to reprise the protection on machines I've worked on.[/quote]

Thank you for your post ! :ok: :ok:

That answers much of the confusion created within us "two left hands" when the IT professionals disagree over various recommendations and we (OK, I :O) are reduced to doing nothing :\, through fear, ignorance and lack of understanding.

Cameronian
26th Mar 2012, 11:53
Milo Minderbinder, your recommendation of BetterPrivacy a little earlier reminds me that Firefox no longer allows it or, for that matter, ExpatShield either. Has the poacher turned gamekeeper? They certainly seem steps worthy of a little suspicion....

Groundbased
26th Mar 2012, 12:46
I assume that everything in an email message is readable by someone else.

We use a secure FTP set up to transfer anything sensitive. Simply add the info to a file, say Word, Excel, whatever, it doesn't matter.

The transfer is 256 bit encrypted, the data on the server is 256 bit encrypted and the download to the recipient is also 256 bit encrypted. They need to use an agreed password before they can get the download.

No software for the recipient to download, and they can actually send files back to us using the same secure mechanism.

Even better we don't end up with our people using Exchange as a filing system, using system resources and saving cash.

le Pingouin
26th Mar 2012, 13:33
Not sure who told you BetterPrivacy is no longer working, but I have it running on FF 11.

Cameronian
26th Mar 2012, 17:56
le Pingouin, I wonder if you've got the same information as I do. As soon as I updated Firefox to FF11 I got a box telling me that the two addons were incompatible with FF11 and had been disabled. I took the opportunity offered to get FF to look for a compatible version (something which has absolutely never worked, not even once, before) to be told that there was no compatible version of either. I fired up the new FF and checked "Addons" to find them both disabled with no box available to click to attempt to enable them. I presume that they are therefore duly disabled.

I only use the expat thingy to get access to some BBC stuff so haven't had cause to try it in the few hours since all this happened.

So far as BetterPrivacy is concerned, I can find neither hide nor hair of it. It's much more important than the other one so I'd love to hear how it appears on your machine....

Sorry probes if you're upset that I appear to have hijacked your very interesting thread but Milo Minderbinder brought it up in his excellent reply to you so I thought it was pertinent.

Well, here I am fifteen minutes later. All of the above is absolutely true and I have just reconfirmed it. Then I went to the BetterPrivacy website, saw that it (version 1.68) is still recommended by Mozilla for FF, so downloaded it afresh and it seems to be there.

ExpatShield is still shown as disabled and incompatible yet I've just tried it and it's working too. There are things in heaven and earth which pass all understanding!

Thank you for putting me up to it le Pingouin!

Mike-Bracknell
26th Mar 2012, 19:56
If you want to harden email, the first thing you should be doing is not viewing it in a browser.

hellsbrink
27th Mar 2012, 06:28
And yet they send out cheque books, statements, and remittance advices by normal mail which I would imagine less secure than email.

How would you send a cheque book by email?

probes
27th Mar 2012, 06:40
to get access to some BBC stuff
the ones (videos & programs) not available outside UK? Is that possible?

Milo Minderbinder
27th Mar 2012, 07:23
probes, see Expat Shield (http://expatshield.com/)

It's free, but be warned: it's advertising sponsored. It works, though; there are several similar programs for which you have to pay.

probes
28th Mar 2012, 07:30
Thanks a lot! :)

Milo Minderbinder
1st Apr 2012, 16:14
Back to the original question: I just came across this list of supposed encrypted e-mail services
Hacker 10 - Security Tips | Email encryption (http://www.hacker10.com/email-encryption/)

I've no personal experience with any, so no recommendations