Computer/Internet Issues & Troubleshooting Anyone with questions about the terribly complex world of computers or the internet should try here. NOT FOR REPORTING ISSUES WITH PPRuNe FORUMS! Please use the subforum "PPRuNe Problems or Queries."

e-mail security

Old 23rd Mar 2012, 08:49
  #1 (permalink)  
Thread Starter
 
Join Date: Apr 2010
Posts: 95
Likes: 0
Received 0 Likes on 0 Posts
e-mail security

We had a heated discussion the other day, with some from the 'suspecting' spectre and some outright 'paranoid'. And I realised I don't actually know. I've heard gmail is quite complicated to hack into - but it's just hearsay. Giggled, but not a specialist enough to be enlightened.
So, if I'm just an average user, don't know the software tricks, how sure can I be that my e-mails are not monitored (not that I think any of them has anything to hide, just for information). Are there any that are more difficult to get into when you know the address, provided you don't just make an intelligent guess of the password?
probes is offline  
Old 23rd Mar 2012, 09:20
  #2 (permalink)  
 
Join Date: Feb 2012
Location: Cape Town / UK / Europe
Posts: 728
Likes: 0
Received 0 Likes on 0 Posts
My bank have been telling me for ages never to send bank account numbers etc by email and even in communications to them to refer to my accounts as 1234 XXXX for example. And yet they send out cheque books, statements, and remittance advices by normal mail which I would imagine less secure than email. Like many things in the modern world, this makes no sense to me.
Tableview is offline  
Old 23rd Mar 2012, 09:26
  #3 (permalink)  
 
Join Date: Aug 2002
Location: Earth
Posts: 3,663
Likes: 0
Received 0 Likes on 0 Posts
Quote: "how sure can I be that my e-mails are not monitored"
You have a gmail account and you ask that question?

mixture is offline  
Old 23rd Mar 2012, 09:33
  #4 (permalink)  
 
Join Date: Jan 2012
Location: .
Posts: 2,173
Likes: 0
Received 0 Likes on 0 Posts
Quote: "how sure can I be that my e-mails are not monitored"
In short, you can't. E-mail is inherently unsafe. It was never designed to be secure, as when it was coded, the modern scale of use had never been envisioned.

You've got several areas of concern:
1) Security of your account
This is only as good as the password you use, its potential for guessability, and how you store it. No birthdays / dogs' names / kids' names or similar. No writing passwords on scraps of paper. Make sure the password reset questions cannot be guessed - an idea is to make sure the answers don't relate to the question, e.g. question "mother's maiden name", answer "your last car's registration number".
Also - and this is important - don't use the e-mail password for all your other websites (e.g. eBay, PayPal, Tesco...); each needs to be distinct.
You also have to realise that workers in ISPs / call centres etc. are often seriously underpaid and could well be subject to bribery.
2) Security of the network
E-mail is sent in clear, unencrypted, through a relay of mail servers. At any one of those servers it can be read by anyone with access in real time. If you make a habit of using wifi access in hotels etc., then it's easy to hack you. All I'd need to do would be to turn my Android phone into a mobile hotspot which appeared to be the hotel's network, then all your messages would pass through my phone and be readable (using the correct software). The same can be done with mobile broadband: the G3 transmission signal can be intercepted in much the same way, and the phone spoofed into switching off encryption of the data stream.
The only solution is to encrypt all your e-mails end-to-end using PGP or similar. However, only a couple of weeks ago a flaw was discovered in the way in which some systems generate public keys, so even that may have problems.
3) Security of your PC
How sure are you that your computer is not vulnerable? It's a relatively trivial task to send someone a mail containing a keylogger or trojan or worse, or to fool them into visiting a compromised website. Most people have inadequate security software, leaving their systems easily vulnerable.
4) Personal security
How trusting are you? Do you let other people know your password? Son/daughter/mother/computer repair man...? You have to keep that password safe.
Just remember that the person most likely to spy on you is a jealous friend or close relative. I've been asked several times to put keyloggers on women's machines by husbands. Never the other way around... I've always refused.

So, to reprise, you need
A highly secure password, which can't be guessed or found easily. Preferably at least 16 characters
Password reset questions which cannot be guessed
Encryption of the mails
Computer security which works
A tight lip


And even then you are at the risk of some zero-day flaw being found in your e-mail provider's servers.

Last edited by Milo Minderbinder; 23rd Mar 2012 at 10:13.
Milo Minderbinder is offline  
Old 23rd Mar 2012, 10:14
  #5 (permalink)  
TWT
 
Join Date: Apr 2008
Location: troposphere
Posts: 831
Received 34 Likes on 19 Posts
Emails on my Hotmail account aren't encrypted before transmission but I do connect to their server over a 128-bit SSL connection, so very difficult to intercept and read while in transit to/from the Hotmail server. Not perfect but better than nothing.
TWT is online now  
Old 23rd Mar 2012, 10:17
  #6 (permalink)  
 
Join Date: Jan 2012
Location: .
Posts: 2,173
Likes: 0
Received 0 Likes on 0 Posts
Presumably you're using webmail to access the servers? Not sure, but I don't think there is a way of encrypting that with Hotmail. You'd have to use their pop/imap servers instead and a local mail client
Of course for you the main vulnerability is when stuff is on the way to / from your account and your correspondents: you've no control over their mail systems
Milo Minderbinder is offline  
Old 23rd Mar 2012, 11:15
  #7 (permalink)  
 
Join Date: Aug 2002
Location: Earth
Posts: 3,663
Likes: 0
Received 0 Likes on 0 Posts
Quote: "The only solution is to encrypt all your e-mails end-to-end using PGP or similar. However only a couple of weeks ago a flaw was discovered in the way in which some systems generate public keys, so even that may have problems"
Even encryption is vulnerable if you are just storing your private key on your computer.
mixture is offline  
Old 23rd Mar 2012, 11:40
  #8 (permalink)  
 
Join Date: Nov 2000
Location: Cambridge, England, EU
Posts: 3,443
Likes: 0
Received 1 Like on 1 Post
Quote: "E-mail is inherently unsafe"
Correct.

To be treated like a postcard.

The postman probably won't read your postcards and repeat the interesting bits to your neighbours, but he could, and you choose what to write accordingly.

When running a political campaign we don't put anything on email that would cost us if the enemy got to read it - sensitive stuff is word of mouth.
Gertrude the Wombat is offline  
Old 23rd Mar 2012, 11:48
  #9 (permalink)  
 
Join Date: May 2011
Location: Glasgow
Age: 40
Posts: 642
Likes: 0
Received 0 Likes on 0 Posts
The other thing to mention is that it is incredibly easy to spoof who an email is being sent by. Most non-web-based emails go through what's called an SMTP server. These don't check usernames or passwords - they just forward on emails. You can call yourself anything and no checks are made. Hence why you shouldn't click on a link in an email, then type in your password - in almost all cases you don't have any way of knowing if the email was sent by who it says it was sent by (so the link could be to a website collecting passwords...).
There are ways to create emails which will allow the sender to be confirmed (again using encryption such as PGP) but these are rarely used.
riverrock83 is offline  
Old 23rd Mar 2012, 12:00
  #10 (permalink)  
 
Join Date: Jan 2012
Location: .
Posts: 2,173
Likes: 0
Received 0 Likes on 0 Posts
Quote: "Most non web based emails go through whats called an SMTP server. These don't check usernames or passwords"
Happily this isn't as much of a problem as it used to be. Open SMTP relays are gradually being closed down as ISPs try to deal with the spam flooding through their systems. However some do still allow this - TalkTalk and Orange did until recently. Not sure if they still do.
Milo Minderbinder is offline  
Old 23rd Mar 2012, 12:49
  #11 (permalink)  
 
Join Date: Aug 2002
Location: Earth
Posts: 3,663
Likes: 0
Received 0 Likes on 0 Posts
Quote: "Most non web based emails go through whats called an SMTP server"
All emails go through what's called an SMTP server.
However webmail is more difficult to spoof than non-webmail.

Quote: "Open SMTP relays are gradually being closed down"
Some ISPs run open relays with ACLs in place to prevent off-net usage. Pure open relays are the bad ones.

Let's face it, you can spoof any sort of SMTP server if you can relay through it, whether because it's open or you've got credentials. That's why SPF etc. is out there.
mixture is offline  
Old 23rd Mar 2012, 13:15
  #12 (permalink)  
Spoon PPRuNerist & Mad Inistrator
 
Join Date: Sep 2003
Location: Twickenham, home of rugby
Posts: 7,393
Received 250 Likes on 167 Posts
Quote: "All emails go through whats called an SMTP server."
What about X.400?

Not much used in comparison to SMTP, but it does have features that SMTP doesn't that make it ideal for secure, robust messaging and communications (which is why it is still used in defence systems, for example).

SD
Saab Dastard is offline  
Old 23rd Mar 2012, 13:24
  #13 (permalink)  
 
Join Date: Jan 2012
Location: .
Posts: 2,173
Likes: 0
Received 0 Likes on 0 Posts
I've never even come across it
Do any ISPs offer it and is it compatible with POP/IMAP/SMTP systems?
Milo Minderbinder is offline  
Old 23rd Mar 2012, 15:26
  #14 (permalink)  
bnt
 
Join Date: Feb 2007
Location: Dublin, Ireland. (No, I just live here.)
Posts: 733
Received 6 Likes on 5 Posts
Google have a 2-factor authentication option, that works on the principle of "something you have + something you know". You (should) know your password, so the 2nd factor is something you "have": there are various options, including a smartphone app or a text message.
bnt is offline  
Old 23rd Mar 2012, 16:11
  #15 (permalink)  
 
Join Date: Nov 2008
Location: Exit stage right.
Posts: 290
Likes: 0
Received 2 Likes on 2 Posts
I work on the assumption that email and mobile phone calls are unsecure and if someone really wants to dig in they will.
racedo is offline  
Old 23rd Mar 2012, 16:52
  #16 (permalink)  
 
Join Date: Aug 2002
Location: Earth
Posts: 3,663
Likes: 0
Received 0 Likes on 0 Posts
Quote: "What about X.400?"
Only goes so far..... eventually you hit an SMTP bridgehead, gateway or data diode unless you're satisfied talking to yourself.

Also, the GSi is fundamentally SMTP based, by choice. So X.400 may be seeing its days slowly numbered through technology normalisation.
mixture is offline  
Old 23rd Mar 2012, 16:55
  #17 (permalink)  
 
Join Date: Jan 2003
Location: 35,000ft
Posts: 197
Likes: 0
Received 0 Likes on 0 Posts
How do you think GCHQ get their info?
Vizsla is offline  
Old 23rd Mar 2012, 17:01
  #18 (permalink)  
Spoon PPRuNerist & Mad Inistrator
 
Join Date: Sep 2003
Location: Twickenham, home of rugby
Posts: 7,393
Received 250 Likes on 167 Posts
Quote: "Do any ISPs offer it and is it compatible with POP/IMAP/SMTP systems?"
Most publicly accessible X.400 implementations are for EDI now rather than email. It isn't compatible with SMTP. Where it is used, organisations build their own Message Store and MTA infrastructure, using private or public networks and have specific client software.

SD
Saab Dastard is offline  
Old 23rd Mar 2012, 17:03
  #19 (permalink)  
Thread Starter
 
Join Date: Apr 2010
Posts: 95
Likes: 0
Received 0 Likes on 0 Posts
Jeezz, guys, did I HAVE to ask for this?
And what's the joke about gmail? I have it but use it for blogs log-in (study and homework assignments that are not public, no really confidential things) only - it does trace for keywords, but...
And tonight's nightmare will be dedicated to Milo for sure!

But, seriously, thanks. To paraphrase Clarkson: "How naive can one be?" I've never thought of jealous neighbours, but the possibility is there, I guess.

P.S. And I'm not naive enough to use unsecured wifis or click on links to get fortunes, that little I know.
probes is offline  
Old 23rd Mar 2012, 17:04
  #20 (permalink)  
 
Join Date: Aug 2002
Location: Earth
Posts: 3,663
Likes: 0
Received 0 Likes on 0 Posts
Quote: "How do you think GCHQ get their info"
If I knew, I'd have to kill you.

What's your address again?

Don't worry, only joking, I don't officially know, but I can take a fairly good guess.

To quote Donald R.

There are known knowns; there are things we know we know.
We also know there are known unknowns; that is to say we know there are some things we do not know.
But there are also unknown unknowns – there are things we do not know we don't know.
i.e.
It's likely not as neat and tidy as you may think, hence the previous government's introduction (or rather attempted introduction) of all sorts of legislation and schemes to give them insight into areas that they are a bit grey on at the moment (you know, the "Interception Modernisation Programme", now snappily known as the "Communications Capabilities Development Programme" and all that jazz).

Quote: "EDI"
Aaah.... Saab.... the great oracle of the slowly dying protocols.

Who else have you got up on your ward, Saab? Is Mr Banyan VINES still alive?

Quote: "And what's the joke about gmail?"
It's public knowledge that Google trawl their gmail databases for the purposes of delivering targeted advertising to you based upon the content of the emails you send and receive.

Depending on how you feel about such matters, you may or may not choose to expand the potential purposes of the trawling exercises. I'll leave that one for you to decide.
mixture is offline  

