PROTECT YOUR EMAIL COMMUNICATIONS
(From the NSA, FBI, Hackers & Foreigners)
Email Malcolm at: SpeakUp@MalcolmOutLoud.com © 2013 Malcolm Out Loud, LLC
White Paper
Protect Your Email Communications
Exclusive Series 2 of 3
Situation
All email communication is vulnerable to snooping by official and unofficial entities. What are the options available to protect and secure email communications? There are many alternatives, from simple to complex, each providing a varying degree of privacy.
Executive Summary & Background
Billions of email messages flow through thousands of Internet computer servers daily, and most are in "plain text", meaning they can be easily read by anyone who intercepts them. The process of sending a simple email involves sending multiple messages over the internet to complete the mail delivery.
In this graphic we see that a simple message from Alice to Bob involves multiple communications links across the Internet, each one of which may be intercepted using readily available software and hacking techniques. Alice creates her message on her computer, tablet or smart phone and sends it to her email provider (smtp.a.org). The ISP stores the message while it contacts the Name Server to convert "b.org" to the IP address of pop3.b.org. With the IP address, the message is forwarded to that email server and then into the email box for Bob at pop3.b.org. When Bob next checks his email box he downloads the email message from Alice, completing the transaction.
Problem
In reality, nearly all emails travel a more circuitous route through the Internet, passing through multiple servers and communications links. At each of these servers copies of the emails are saved, at least temporarily. And if they are in plain text they can be easily read. Also, they are stored on multiple servers, sometimes for years, to prevent loss and for later investigation, review and customer retrieval at email providers such as AOL, Gmail and Yahoo. Under various US and foreign laws the service providers are required to provide access to the communications links and messages stored on their mail servers. Hackers and rogue employees also access these messages to steal information or cause harm to account owners.
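Every relay that held a copy of a message records itself in a Received: header, so the circuitous route described above can be read straight off the message. The following is an added example, not part of the white paper, that lists those hops from a constructed raw message (fictional hosts and addresses) and flags the hops whose transport offered no encryption:

```python
# Added example (not from the white paper): walk the Received: headers of a
# raw message to list the relays it passed through. Every hop listed here held
# a copy of the message, which is the paper's point about plain-text mail.
# The message below is constructed for this example; hosts and addresses are fictional.
import email
import re
from email import policy

# Constructed sample: a message that crossed three relays on its way to bob@b.org.
# Each relay prepends its own Received: header, so the newest hop is on top.
RAW_MESSAGE = b"""\
Received: from mx2.b.org (mx2.b.org [198.51.100.20])
\tby pop3.b.org with ESMTP id 3; Tue, 5 Mar 2013 10:02:11 -0500
Received: from smtp.a.org (smtp.a.org [203.0.113.10])
\tby mx2.b.org with ESMTPS id 2; Tue, 5 Mar 2013 10:02:09 -0500
Received: from alice-laptop (dhcp-17.a.org [192.0.2.17])
\tby smtp.a.org with ESMTP id 1; Tue, 5 Mar 2013 10:02:03 -0500
From: alice@a.org
To: bob@b.org
Subject: Lunch plans

Noon at the usual place?
"""

# "from X ... by Y ... with PROTOCOL" is the shape RFC 5321 gives a Received: clause.
HOP_RE = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>\S+)", re.S)

# RFC 3848 "with" keywords that mean the hop ran over TLS (STARTTLS); plain ESMTP/SMTP did not.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA"}


def received_hops(raw):
    """Return (from, by, with) triples in transmission order, sender first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    # Headers are newest-first, so reverse them to follow the message's path.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(value))
        if m:
            hops.append((m["src"], m["dst"], m["proto"]))
    return hops


def unencrypted_hops(raw):
    """Hops whose transport carried the message in the clear."""
    return [h for h in received_hops(raw) if h[2].upper() not in TLS_PROTOCOLS]


if __name__ == "__main__":
    for src, dst, proto in received_hops(RAW_MESSAGE):
        print(f"{src:14} -> {dst:14} ({proto})")
    print("cleartext hops:", [h[1] for h in unencrypted_hops(RAW_MESSAGE)])
```

Run against a real message (`email.message_from_bytes(open(path, "rb").read())`) the same two functions show how many servers kept a copy on the way in, which is the practical measure of how exposed a plain-text message was.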
Don’t forget that computers, tablets and smart phones store your email
messages until you delete them. Sometimes for years! If your device is lost
or stolen, all of these messages are immediately compromised if they are
still in plain text.
Solution
Providing absolute privacy is very difficult or maybe impossible given the capabilities of organizations such as the NSA. However, there are several simple steps that can be taken to make interception more difficult for the casual hackers and snoops.
Here are suggestions for increasing the privacy of emails.
1. Use strong email passwords and change them often.
The first and most important step for email privacy is to use a strong password and change it often. Yes, remembering passwords and remembering to change them is difficult for most people. And we have so many passwords to remember today for bank accounts, email accounts, credit card accounts, etc.
A simple and effective solution is to use a Password Manager. You create one secure master password that you can easily remember, and it securely stores all of the rest of your passwords for you. There are several free ones available, such as KeePass (www.keepass.com), Roboform (www.roboform.com) and Dashlane (www.dashlane.com). They also store other login information, simplifying your account access. Most work across multiple platforms (computers, smartphones, tablets, etc.), so a single master password accesses all of your passwords and login information. Some of the Password Managers even help you create secure passwords of random characters, numbers and special characters.
If you use Norton Antivirus, they provide a free, feature-rich program, Norton Identity Safe, that securely stores your login information and shares it securely over the internet with multiple devices.
A word of caution. Recently it has been reported that the US Government is demanding that major internet companies turn over their users' stored passwords. This represents an escalation in surveillance techniques that has not been previously reported. If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log into an account, peruse confidential correspondence and even impersonate the account holder.
Whether the NSA or FBI has the legal authority to demand that an internet company divulge a hashed password, salt and algorithm remains murky. The Justice Department has argued in court proceedings before that it has broad legal authority to obtain passwords. So far, the results of two court cases have been mixed. Both of these cases deal with criminal proceedings in which the password holder is the target of a criminal investigation. They don't address a hashed password that is stored on the servers of a company that is an innocent third party.
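What a provider holds when it "stores your password" is the "hashed password, salt and algorithm" of the paragraph above, and whether that record is useful to whoever obtains it depends on how guessable the password is. The block below is an added example, not part of the white paper: it generates the kind of random password the paper says password managers create, stores a password the way a careful provider does (PBKDF2-HMAC-SHA256 with a random salt, an assumption about the algorithm rather than a claim about any particular provider), and shows why a record with a weak password is exposed while one with a random password is not. All values are constructed.

```python
# Added example (not from the white paper): a salted password record and a
# random-password generator. The algorithm choice (PBKDF2-HMAC-SHA256) is an
# assumption for illustration, not a description of any real provider.
import hashlib
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ITERATIONS = 600_000  # PBKDF2 work factor: makes every offline guess expensive


def generate_password(length=20):
    """Uniformly random password, the style a password manager generates for you."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Size of the guessing space in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)


def make_record(password):
    """What the provider stores: algorithm, parameters, salt and derived hash. Never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"algorithm": "pbkdf2_sha256", "iterations": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(record, attempt):
    """Login check: recompute with the stored salt, compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def weak_password_check(record, known_bad):
    """Defender's audit: does the stored record match any password on a known-bad list?
    Anyone holding the record, salt and algorithm can run the same loop offline, which
    is why the hash protects a random 20-character password but not '123456'."""
    for candidate in known_bad:
        if verify(record, candidate):
            return candidate
    return None


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw}  (~{entropy_bits(len(pw)):.0f} bits)")
    rec = make_record("password")
    print("stored record:", rec)
    print("matches known-bad list:", weak_password_check(rec, ["123456", "password", "letmein"]))
```

The record contains no recoverable password, but a 600,000-iteration hash only buys time: it slows each guess, and against a short or common password there are few guesses to make. The 20-character random password sits at roughly 131 bits, far beyond any guessing budget, which is the concrete reason the paper's first recommendation matters.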
If you are concerned about this loss of privacy for your communications then consider encrypting your messages when they are created and stored on your computer, and send them as encrypted attachments to emails. While this does not prevent the government or snoops from accessing your account, it does protect the privacy of your communications. For details on using encryption, see paragraph 3 below.
2. Use SSL (Secure Socket Layer) and TLS (Transport Layer Security) to encrypt the communications link between your computer or smart phone and your email server.
To secure the connection between your email provider and your computer or other device, you need to set up Secure Socket Layer (SSL) and Transport Layer Security (TLS) encryption, the same protection scheme that you depend on when checking your bank account or making online purchases. This is especially important if you regularly check your email or browse the web over open WiFi systems. Keep in mind that if your email provider is required to give access to government snoops, or the system has been compromised by hackers, your emails on their server are still plain text! However, securing this link is critical if you are using WiFi, especially in a public location. And it also protects your privacy while web browsing.
If you check your email with a Web browser (whether on a desktop, a laptop, a smartphone, or a tablet), take a moment to ensure that SSL/TLS encryption is active. If it is, the website address (URL) will begin with https instead of http; depending on your browser, you should see some additional indication, such as a notification next to the address bar or a small yellow padlock icon on the status bar at the bottom of the browser window.
Encrypted connection to Gmail using Internet Explorer 9. Note the 'https' in the address bar.
If you don't see an 'https' address and other indicators after logging into your Web-based email program, type an s at the end of the 'http' and press Enter. If your email provider supports SSL/TLS, that instruction will usually prompt it to encrypt your current connection. Then browse your account settings to see whether you can activate encryption by default for future logins, and whether you can create or modify bookmarks or shortcuts to your email site using the 'https' address. If you can't force the encryption, check with your provider, as they may not support SSL/TLS.
If you use a desktop client program like Microsoft Outlook to check your email, or if you use an email app on your smartphone or tablet, you should still try to use SSL/TLS encryption, but in such situations encryption is harder to verify or to set up. To do it, open your email program or app and navigate to the settings menu; there, your account will likely be labeled as a POP/SMTP, IMAP/SMTP, HTTP or Exchange account. Look for an option to activate encryption; it's usually in the advanced settings near where you can specify the port numbers for incoming and outgoing connections.
You can enable encrypted connections in Outlook's advanced settings. It also requires the use of new ports such as 995 for POP3 and 465 for SMTP.
If you use a Microsoft Exchange email account for work, for example, you'll find a designated area for security settings where you can clearly see whether encryption/security is enabled for the incoming and outgoing connections and for your Microsoft Exchange account. If it isn't enabled, check with your email provider to see whether the provider supports encryption, and consider switching to a service that allows SSL/TLS encryption.
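The checks this section asks the reader to make by hand (is the webmail address https, and do the client's port and encryption settings match the ports 995 and 465 named above) can be written down as code. The block below is an added example, not part of the white paper or of any mail client: it checks a webmail URL, applies the "add an s" fix, validates a client account's port/encryption combination, and shows what a properly verified TLS connection to a mail server looks like from Python. Host names are placeholders; the connection function needs network access and is not exercised offline.

```python
# Added example (not from the white paper): webmail and mail-client TLS checks.
# Host names are placeholders; open_mailbox() needs a real server to run.
import imaplib
import poplib
import smtplib
import ssl
from urllib.parse import urlsplit, urlunsplit

# Implicit-TLS ports: the paper names 995 (POP3) and 465 (SMTP); 993 is IMAP's.
TLS_PORTS = {"pop3": 995, "imap": 993, "smtp": 465}
# Cleartext ports; 587 (submission) is also cleartext unless STARTTLS upgrades it.
PLAIN_PORTS = {"pop3": 110, "imap": 143, "smtp": 25}


def is_encrypted_webmail(url):
    """The visual check from the paper: does the address start with https?"""
    return urlsplit(url).scheme.lower() == "https"


def force_https(url):
    """The paper's manual fix ('type an s at the end of http') as a function."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "http":
        parts = parts._replace(scheme="https")
    return urlunsplit(parts)


def check_client_settings(protocol, port, encryption):
    """Return problems with a mail-client account configuration, empty if it is sound.
    encryption is the option clients expose: 'none', 'ssl' (TLS on connect) or 'starttls'."""
    problems = []
    if encryption == "none":
        problems.append(f"{protocol} on port {port} without encryption: "
                        "password and mail are readable on the wire")
    elif encryption == "ssl" and port != TLS_PORTS[protocol]:
        problems.append(f"{protocol} with TLS on connect normally uses port "
                        f"{TLS_PORTS[protocol]}, not {port}")
    elif encryption == "starttls" and port == TLS_PORTS[protocol]:
        problems.append(f"port {port} expects TLS from the first byte; STARTTLS belongs "
                        f"on port {PLAIN_PORTS[protocol]} or 587")
    return problems


def tls_context():
    """Verify the server certificate against the system trust store and refuse old TLS."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_mailbox(protocol, host):
    """Open a certificate-verified TLS connection on the implicit-TLS port."""
    ctx = tls_context()
    if protocol == "imap":
        return imaplib.IMAP4_SSL(host, TLS_PORTS["imap"], ssl_context=ctx)
    if protocol == "pop3":
        return poplib.POP3_SSL(host, TLS_PORTS["pop3"], context=ctx)
    return smtplib.SMTP_SSL(host, TLS_PORTS["smtp"], context=ctx)


if __name__ == "__main__":
    print(force_https("http://mail.example.com/inbox"))
    for cfg in [("pop3", 995, "ssl"), ("pop3", 110, "none"), ("smtp", 465, "starttls")]:
        print(cfg, check_client_settings(*cfg) or "ok")
```

A mismatch between port and encryption option is the usual reason an "encrypted" account setting silently fails: a client told to use STARTTLS on 465 never completes the handshake, and one set to "none" on 110 works perfectly while sending the password in the clear.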
3. Use Encrypted Email Service
Using SSL/TLS encrypts the messages on the communications links from your computer to the email server. But the message remains in plain text on your computer/smart phone and on the email servers. Also, from your email server to the recipient the messages are again in plain text and readily available to snoops and hackers.
For important messages containing information you do not want to share, use file encryption. Simple and free programs like TrueCrypt (www.truecrypt.com) let you easily encrypt documents and files for transmission. Once the documents are encrypted, they can be sent as attachments to normal email messages. In this case, the files are fully encrypted from end to end, meaning that at no time are they readable as plain text until the recipient decrypts them using TrueCrypt software and the same encryption key as the one used to encrypt the message originally. Of course, you must pre-share the key in a secure fashion to allow decryption. However, the metadata is still plain text and may be intercepted, analyzed and stored by snoops and hackers. Also, it is generally believed that when snoops detect an encrypted file they routinely put it aside for future analysis and potentially cracking the encryption to read the message, in the belief that it most likely includes valuable information.
TrueCrypt is a very powerful and versatile encryption system with many additional uses. We will cover more of these capabilities in the next White Paper on Web Browsing.
Some other email encryption products automatically encrypt your email
messages for you and manage the process automatically inside email clients
such as Microsoft Outlook as well as through webmail. Two of these are
Sendinc (www.sendinc.com) and FlexCrypt (www.flexcrypt.com). Both of
these offer free and paid services with an annual fee per subscriber.
One of the advantages of these products is that the recipient is not required to have the software loaded on his device. To decrypt messages it is only necessary to enter the pre-shared key. And you can respond to an encrypted message without having the software loaded on your computer. Unfortunately, at this time both of these products only work on Windows desktop systems.
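Both the TrueCrypt attachment approach and the Sendinc/FlexCrypt products above rest on the same model: the content is encrypted with a key the two parties pre-shared, the ciphertext rides inside an ordinary email, and the headers stay readable. The block below is an added example, not part of the white paper and not the file format of TrueCrypt, Sendinc or FlexCrypt: it derives keys from a pre-shared passphrase, encrypts a file, attaches it to a message, and shows what a relay still sees. The cipher is built from the Python standard library only (an HMAC-SHA256 keystream in counter mode plus an HMAC-SHA256 tag, encrypt-then-MAC) so it runs anywhere; a production system would use a reviewed AEAD such as AES-GCM instead. Addresses, subject and file contents are constructed.

```python
# Added example (not from the white paper, and not TrueCrypt's, Sendinc's or
# FlexCrypt's format): pre-shared-key file encryption attached to a normal email.
# Cipher: encrypt-then-MAC from hashlib/hmac only; use a reviewed AEAD in real systems.
import hashlib
import hmac
import secrets
from email.message import EmailMessage


def derive_keys(passphrase, salt):
    """PBKDF2 gives 64 bytes: first half encrypts, second half authenticates."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]


def keystream_xor(key, nonce, data):
    """XOR data with HMAC-SHA256(key, nonce || block offset), 32 bytes per block."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def encrypt(passphrase, plaintext):
    """Self-contained blob: salt | nonce | ciphertext | tag."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt(passphrase, blob):
    """Check the tag before touching the ciphertext; wrong key or tampering both fail here."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or tampered attachment")
    return keystream_xor(enc_key, nonce, ct)


def build_message(sender, recipient, subject, filename, passphrase, contents):
    """An ordinary email whose only secret-bearing part is the encrypted attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content("Encrypted attachment; decrypt with the key we agreed on.")
    msg.add_attachment(encrypt(passphrase, contents), maintype="application",
                       subtype="octet-stream", filename=filename + ".enc")
    return msg


def readable_metadata(msg):
    """What every relay and snoop still sees without the key."""
    return {h: msg[h] for h in ("From", "To", "Subject")}


def attachment_bytes(msg):
    """The ciphertext as it travels, base64-decoded."""
    for part in msg.iter_attachments():
        return part.get_payload(decode=True)
    return None


if __name__ == "__main__":
    m = build_message("alice@a.org", "bob@b.org", "Q3 terms", "terms.txt",
                      "pre-shared passphrase", b"Q3 acquisition terms: do not forward.")
    print(readable_metadata(m))
    print(decrypt("pre-shared passphrase", attachment_bytes(m)))
```

The blob carries its own salt and nonce, so nothing but the passphrase has to be pre-shared, and the tag check means a snoop who alters the attachment produces an error rather than corrupted plaintext. The `readable_metadata` call is the paper's caveat made concrete: sender, recipient and subject are as exposed as they were before, so a subject line should say no more than the body would if it were plain text.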
Other products such as SilentCircle (www.SilentCircle.com) offer a suite of products for securing all communications, including email. It establishes a completely private communications network between clients and is not intended for general communications to Internet subscribers. For $10 per month, personal users get a comprehensive package of services. All communications from users are encrypted peer-to-peer, and SilentCircle does not have access to the plain text of communications. Their servers are outside the US, which provides some protection against legal snooping, but some limited metadata is available.
For commercial customers there are many more solutions for managed secure email and other communications services available at prices from low to very high. Banks, financial institutions and medical facilities are required to have and use these systems.
4. Hiding information in plain sight--Steganography
Sometimes, when you really want to make sure people aren’t able to read
your email or data, encrypting it may not be enough. While people won’t
have immediate access to encrypted files, they may eventually find a brute
force way to decrypt it, or they may force you to share the password and
encryption algorithm. For cases like those, you’ll not only want to encrypt,
but hide the data.
Steganography, or hiding messages in plain sight, is another choice for securely sending messages and files. And they can be sent by open email systems. In modern practice, steganography means taking a media file such as an MP3 or a jpeg image and burying data in it. The file still works as usual, and if you don't specifically look for the hidden data, you'll have no idea the encrypted information is even there. One good tool for this is OpenPuff, a powerful open-source steganography application that supports a wide variety of "carrier" formats for hiding data in, including MP3, JPG, and more.
OpenPuff's interface looks simple at first, but it does take some getting used to.
For example, you could hide an important text message in an image file, and
then post that file publicly online. Another party could then download the file
and—using OpenPuff and a password you both shared in advance—process
the file and extract whatever information you've buried in it.
By default, OpenPuff asks you to protect your information with three different passwords, although it does let you dial that down to just a single password. It even supports plausibly deniable encryption, and this is where things get really paranoid: Even if someone somehow realizes your seemingly innocent image or music file contains a hidden message, OpenPuff lets you hide a decoy along with the real message. Simply provide a different password, and the other person will extract the decoy out of the image, thinking they've won, but actually your real secret will still be hidden in the file.
OpenPuff lets you select the level of encryption and suggests that you use three passwords.
Steganography usually works well for hiding short text messages or other condensed information; obviously, you can't hide an entire video file within another video file using steganography, there's just no room for all of those extra bytes. Still, if you need to hide a large amount of information, OpenPuff lets you chain multiple carrier files together into one large message. To extract the information, the recipient (or yourself) needs to have all of the carrier files, and feed them into OpenPuff in exactly the right sequence, along with the correct password or passwords. Not for the faint of heart.
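The capacity limit just described ("no room for all of those extra bytes") follows directly from how media steganography works: the hidden data is spread over the lowest-order bits of the carrier's samples, so a carrier can hold only a small fraction of its own size. The block below is an added example, not part of the white paper and not OpenPuff's algorithm: the simplest form of the technique, one payload bit per pixel value, with the capacity check enforced and a measure of how little the carrier changes. The carrier is a constructed buffer of grayscale pixel values; a real image would need its pixels decoded and re-encoded losslessly (PNG or BMP, never JPEG's lossy path) around these functions.

```python
# Added example (not from the white paper, not OpenPuff's method): least-
# significant-bit embedding in a constructed pixel buffer, with the capacity
# limit the text describes enforced.
import random

HEADER_BITS = 32  # 4-byte length prefix so the extractor knows where the payload ends


def capacity_bytes(carrier):
    """One hidden bit per carrier byte, minus the length header: a 64x64 image holds ~500 bytes."""
    return max(0, (len(carrier) - HEADER_BITS) // 8)


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(carrier, payload):
    """Write the length-prefixed payload into the lowest bit of successive carrier bytes."""
    if len(payload) > capacity_bytes(carrier):
        raise ValueError(f"payload of {len(payload)} bytes exceeds capacity of "
                         f"{capacity_bytes(carrier)} bytes")
    out = bytearray(carrier)
    framed = len(payload).to_bytes(4, "big") + payload
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit  # pixel value moves by at most 1
    return bytes(out)


def extract(carrier):
    """Read the length header, then that many bytes, from the low bits."""
    def read_bytes(start_bit, count):
        value = bytearray()
        for b in range(count):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (carrier[start_bit + b * 8 + k] & 1)
            value.append(byte)
        return bytes(value)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if length > capacity_bytes(carrier):
        raise ValueError("no valid payload header in carrier")
    return read_bytes(HEADER_BITS, length)


def max_pixel_change(original, stego):
    """Largest per-pixel difference; LSB embedding never exceeds 1, which is why it is invisible."""
    return max(abs(a - b) for a, b in zip(original, stego))


# Constructed carrier: 64x64 grayscale pixels with pseudo-random values (fixed seed for reproducibility).
_rng = random.Random(2013)
CARRIER = bytes(_rng.randrange(256) for _ in range(64 * 64))


if __name__ == "__main__":
    stego = embed(CARRIER, b"Meet at the bridge at noon.")
    print("capacity:", capacity_bytes(CARRIER), "bytes")
    print("max pixel change:", max_pixel_change(CARRIER, stego))
    print("extracted:", extract(stego))
```

Two things the code makes visible that the prose only asserts: a 4096-pixel carrier holds 508 bytes, so large payloads really do need several carriers chained together; and the embedded bits are not encrypted, so anyone who suspects LSB hiding can run `extract` without a password. That is why the paper's approach encrypts before hiding, and why OpenPuff asks for passwords at all.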
Summary
For those needing the ultimate in email privacy, a combination of techniques is required. And there is no 100% certainty that any of them, or all of them combined, cannot now or in the future be compromised by governments or determined hackers. The techniques discussed in this White Paper provide starting points but are not intended as a full analysis of everything available today in this marketplace. There are many more products and techniques available that are not covered here in the interest of time. Some may be exactly the solution you prefer.
With the current interest in communications privacy, many new products are
being released to the private market. Systems and products that previously
were only available to governments or large corporations are now releasing
versions intended for small companies and individuals. Stay tuned, these are
exciting times!
About The Author
Robert D. (Bob) Francis
Technology Expert
Managing Partner
Milford Communications Partners
After an extensive career in telecommunications and data communications companies, Francis founded Milford Communications in 1993 to promote the development of high technology companies and projects. Francis directed a high technology practice in Washington DC with a focus on Satellite, Internet, Multimedia and Wireless technologies.
www.milfordcommunications.com
Malcolm Out Loud
Chairman, The Out Loud Network
TV and Radio Host
The brand of Malcolm Out Loud is delivered around the world and across
multiple platforms. We live in a world that is communications rich and fast
changing... which creates a thirst for knowledge and an appetite for truth!
Malcolm is a great alternative to the talking heads that influence the headlines with their agenda driven analysis. Malcolm is first and foremost an Innovator and a Visionary who inspires and encourages people around the world to tap into their greatest strength; themselves!
www.MalcolmOutLoud.TV
www.BrinkThinking.com