e-mail security
Thread Starter | Join Date: Apr 2010 | Posts: 95
We had a heated discussion the other day, with some from the 'suspecting' spectre and some outright 'paranoid'. And I realised I don't actually know. I've heard gmail is quite complicated to hack into - but it's just hearsay. Giggled, but not a specialist enough to be enlightened.
So, if I'm just an average user, don't know the software tricks, how sure can I be that my e-mails are not monitored (not that I think any of them has anything to hide, just for information). Are there any that are more difficult to get into when you know the address, provided you don't just make an intelligent guess of the password?
Join Date: Feb 2012 | Location: Cape Town / UK / Europe | Posts: 728
My bank have been telling me for ages never to send bank account numbers etc by email and even in communications to them to refer to my accounts as 1234 XXXX for example. And yet they send out cheque books, statements, and remittance advices by normal mail which I would imagine less secure than email. Like many things in the modern world, this makes no sense to me.
Join Date: Jan 2012 | Location: . | Posts: 2,173
"how sure can I be that my e-mails are not monitored"
You've got several areas of concern:
1) Security of your account.
This is only as good as the password you use, its potential for guessability, and how you store it. No birthdays / dogs' names / kids' names or similar. No writing passwords on scraps of paper. Make sure the password reset questions cannot be guessed - an idea is to make sure the answers don't relate to the question, e.g. question "mother's maiden name", answer "your last car's registration number".
Also - and this is important - don't use the e-mail password for all your other websites (e.g. eBay, PayPal, Tesco...); each needs to be distinct.
You also have to realise that workers in ISPs / call centres etc. are often seriously underpaid and could well be subject to bribery.
2) Security of the network
E-mail is sent in clear, unencrypted, through a relay of mail servers. At any one of those servers it can be read by anyone with access in real time. If you make a habit of using wifi access in hotels etc., then it's easy to hack you. All I'd need to do would be to turn my Android phone into a mobile hotspot which appeared to be the hotel's network, then all your messages would pass through my phone and be readable (using the correct software). The same can be done with mobile broadband: the G3 transmission signal can be intercepted in much the same way, and the phone spoofed into switching off encryption of the data stream.
The only solution is to encrypt all your e-mails end-to-end using PGP or similar. However, only a couple of weeks ago a flaw was discovered in the way in which some systems generate public keys, so even that may have problems.
3) Security of your PC
How sure are you that your computer is not vulnerable? It's a relatively trivial task to send someone a mail containing a keylogger or trojan or worse, or to fool them into visiting a compromised website. Most people have inadequate security software, leaving their systems easily vulnerable.
4) Personal security
How trusting are you? Do you let other people know your password? Son/daughter/mother/computer repair man.....? You have to keep that password safe.
Just remember that the person most likely to spy on you is a jealous friend or close relative. I've been asked several times to put keyloggers on women's machines by husbands. Never the other way around..... I've always refused
So, to reprise, you need:
A highly secure password, which can't be guessed or found easily. Preferably at least 16 characters.
Password reset questions which cannot be guessed.
Encryption of the mails.
Computer security which works.
A tight lip.
And even then you are at the risk of some zero-day flaw being found in your e-mail provider's servers.
Last edited by Milo Minderbinder; 23rd Mar 2012 at 10:13.
Emails on my Hotmail account aren't encrypted before transmission, but I do connect to their server over a 128-bit SSL connection, so very difficult to intercept and read while in transit to/from the Hotmail server. Not perfect, but better than nothing.
Join Date: Jan 2012 | Location: . | Posts: 2,173
Presumably you're using webmail to access the servers? Not sure, but I don't think there is a way of encrypting that with Hotmail. You'd have to use their POP/IMAP servers instead and a local mail client.
Of course for you the main vulnerability is when stuff is on the way to / from your account and your correspondents: you've no control over their mail systems
Join Date: Aug 2002 | Location: Earth | Posts: 3,663
The only solution is to encrypt all your e-mails end-to-end using PGP or similar. However only a couple of weeks ago a flaw was discovered in the way in which some systems generate public keys, so even that may have problems
Join Date: Nov 2000 | Location: Cambridge, England, EU | Posts: 3,443
E-mail is inherently unsafe
To be treated like a postcard.
The postman probably won't read your postcards and repeat the interesting bits to your neighbours, but he could, and you choose what to write accordingly.
When running a political campaign we don't put anything on email that would cost us if the enemy got to read it - sensitive stuff is word of mouth.
Join Date: May 2011 | Location: Glasgow | Age: 40 | Posts: 642
The other thing to mention is that it is incredibly easy to spoof who an email is being sent by. Most non-web-based emails go through what's called an SMTP server. These don't check usernames or passwords - they just forward on emails. You can call yourself anything and no checks are made. Hence why you shouldn't click on a link in an email, then type in your password - in almost all cases you don't have any way of knowing if the email was sent by who it says it was sent by (so the link could be to a website collecting passwords...).
There are ways to create emails which will allow the sender to be confirmed (again using encryption such as PGP), but these are rarely used.
Join Date: Jan 2012 | Location: . | Posts: 2,173
"Most non-web-based emails go through what's called an SMTP server. These don't check usernames or passwords"
Join Date: Aug 2002 | Location: Earth | Posts: 3,663
"Most non-web-based emails go through what's called an SMTP server"
However webmail is more difficult to spoof than non-webmail.
Open SMTP relays are gradually being closed down.
Let's face it, you can spoof any sort of SMTP server if you can relay through it, whether because it's open or you've got credentials. That's why SPF etc. is out there.
Spoon PPRuNerist & Mad Inistrator
All emails go through what's called an SMTP server.
Not much used in comparison to SMTP, but it does have features that SMTP doesn't that makes it ideal for secure, robust messaging and communications (which is why it is still used in defence systems, for example).
SD
Google have a 2-factor authentication option, that works on the principle of "something you have + something you know". You (should) know your password, so the 2nd factor is something you "have": there are various options, including a smartphone app or a text message.
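How the smartphone-app second factor works, as an added example rather than Google's own code: authenticator apps implement the time-based one-time password algorithm of RFC 6238, which derives a short code from a shared secret and the current 30-second slot, so the code proves possession of the device holding the secret. The secret below is the RFC's published test key (in the base32 form setup keys are shared in), not a real account secret, and the server-side verifier with a one-slot drift window is an assumed design, not a description of Google's implementation.

```python
"""TOTP second factor (added example; secret is the RFC 6238 test key)."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret, ASCII "12345678901234567890", in the
# base32 form that authenticator apps accept when an account is enrolled.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32):
    """Turn a setup key (base32, case-insensitive, spaces allowed) into bytes."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore any stripped padding
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for an 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """Time-based OTP (RFC 6238): the HOTP of the current time slot."""
    now = int(time.time() if at is None else at)
    return hotp(secret, now // step, digits)


def verify_totp(secret, submitted, at=None, step=30, digits=6, window=1):
    """Server-side check (assumed design): accept the current slot plus
    `window` slots either side to tolerate clock drift, comparing in
    constant time so the check leaks nothing about the expected code."""
    now = int(time.time() if at is None else at)
    slot = now // step
    for drift in range(-window, window + 1):
        expected = hotp(secret, slot + drift, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    key = decode_secret(TEST_SECRET_B32)
    print("current code:", totp(key))
```

Because the code depends on the secret and the clock only, a stolen password alone does not produce a valid code; it does, however, mean the device's clock must be roughly right, which is what the drift window in the verifier is for.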
Join Date: Aug 2002 | Location: Earth | Posts: 3,663
What about X.400?
Also, the GSi is fundamentally SMTP based, by choice. So X.400 may be seeing its days slowly numbered through technology normalisation.
Spoon PPRuNerist & Mad Inistrator
Do any ISPs offer it and is it compatible with POP/IMAP/SMTP systems?
SD
Thread Starter | Join Date: Apr 2010 | Posts: 95
Jeezz, guys, did I HAVE to ask for this?
And what's the joke about gmail? I have it but use it for blogs log-in (study and homework assignments that are not public, no really confidential things) only - it does trace for keywords, but...
And tonight's nightmare will be dedicated to Milo for sure!
But, seriously, thanks. To paraphrase Clarkson: "How naive can one be?" I've never thought of jealous neighbours, but the possibility is there, I guess.
P.S. and I'm not naive enough to use unsecured wifis or click on links to get fortunes, that little I know.
Join Date: Aug 2002 | Location: Earth | Posts: 3,663
How do you think GCHQ get their info?
What's your address again?
Don't worry, only joking, I don't officially know, but I can take a fairly good guess.
To quote Donald R.
There are known knowns; there are things we know we know.
We also know there are known unknowns; that is to say we know there are some things we do not know.
But there are also unknown unknowns – there are things we do not know we don't know.
It's likely not as neat and tidy as you may think, hence the previous government's introduction (or rather attempted introduction) of all sorts of legislation and schemes to give them insight into areas that they are a bit grey on at the moment (you know, the "Interception Modernisation Programme", now snappily known as the "Communications Capabilities Development Programme" and all that jazz).
EDI
Who else have you got up on your ward, Saab? Is Mr Banyan VINES still alive?
And what's the joke about gmail?
Depending on how you feel about such matters, you may or may not choose to expand the potential purposes of the trawling exercises. I'll leave that one for you to decide.