Email: The Security Industry’s Single Biggest Failure
I still remember so clearly the frustration I felt back in the 90’s when starting in the security industry and trying to sell my services. It was so difficult trying to emphasize just how much at risk potential clients were and then get them to pay me to fix their stuff. Too often I came off like the paranoid conspiracy theorist–their sky wasn’t falling and they saw no wolf.
I remember one particular conference call at the peak of my frustration where a network administrator confidently bragged to me and the managers on the call just how secure their network really was. What the managers didn’t know at the time was that as we were all talking, the network administrator was scrambling to lock things down as I was furiously trying to break in. Being that I was pretty good at that stuff at the time, I was able to quickly drop a little program called cdtray.exe onto a number computers, including the admin’s own PC, and used the at command to schedule all of their CD trays to open in one minute. I started asking the admin some questions and could hardly contain my amusement sixty seconds later as he suddenly seemed distracted. Then I went in for the kill: “are you convinced now you need more security?” I asked.
I didn’t get that job.
Nor did I get any work from Bank of America when I notified them of a glaring security flaw that exposed their global.asa file which contained their database username and password. That was over a decade ago but I still remember the password: superchicken.
Many hackers around that time weren’t malicious or set out for destruction, but were more of the mindset of whistle blowers. It was easy to get so caught up in frustration that we took extreme steps such as actually breaking in to systems before they hired us as clients just to get our point across. I have since learned to have a bit more tact with my approach, but the frustration is still there and has evolved from web server security to email security.
The Email Security Problem
It amazes me how complacent we (yes, including myself) have all become with email security. It is one of the oldest and most fundamental of Internet technologies yet it is also one of the least secure. It’s funny how we freak out about passwords stored plaintext, yet we all communicate sensitive information every day using a fragile, unreliable, and insecure technology that really hasn’t changed much since the seventies.
I almost feel dumb having to list these long-time flaws yet again, but here are some of the major shortcomings with email communication as commonly implemented:
- Much of it travels from server to server using unencrypted protocols allowing for interception
- The email itself can be read and intercepted by any server involved in the transport across the Internet
- There is no way to know if someone has read or intercepted the email during transport
- The email is stored unencrypted, sometimes permanently, on the receiving server and often the sending server
- We store the email unencrypted, sometimes permanently, in our own inbox
- When we send an email we can never be certain that it will go to the intended recipient and that only that recipient can, will, or has read the message
- There is no way the recipient can be certain that we were the actual sender nor is there a way to prove we did or didn’t send an email
- There is no assurance that the message you sent has not been altered
- It is difficult to send a truly anonymous and untraceable email
- It is difficult to conceal who you communicate with on a daily basis
Of course technology exists to address every single one of these problems, and many of us use those, but as a whole these flaws still exist. And none of this is new, we have been complaining about and pointing out these flaws for decades. What is critical here is that we have become so complacent with email security while at the same time working on the baseless assumption that email is somehow secure.
Just look at some of the ways we have built upon that assumption of security:
- So many authentication practices entirely depend on email as a key component for identifying an individual, such as password resets or to remove certain account restrictions as Matt Honan discovered the hard way.
- We often use email to initiate sensitive financial, business, or extramarital transactions.
- Many mail systems rely on mechanisms rely on technologies that are not globally or are poorly implemented as mathematician Zach Harris pointed out to Google last year.
- We often communicate and store extremely sensitive information which can be very damaging as demonstrated by the painful experiences of Stratfor and HBGary Federal.
- As unreliable as it is, courts allow submitting email as legal evidence in many situations.
The fact is that if someone owns our email account, they own us. To make things worse, so many of us hand the keys to our lives over to the custody of third parties such as Google, Microsoft, and Yahoo! It is good to see companies such as Google adding two-factor authentication to Gmail and making SSL protocols more the standard, but we all know that they can read our email–or turn it over to law enforcement–anytime they want.
My frustration surfaces as I write posts like this because I realize not only how much we have failed, but how difficult it will be to get major email providers to give us the tools we need to make global email security a reality. The technologies to accomplish this have been around for years. While there are some limitations, none of these are insurmountable–as humans we are extremely proficient at solving problems.
For some reason, whistle blowing-style hacks and scare tactics haven’t phased us much when it comes to email security. If we knew that every postal letter we sent went through an NSA facility where they opened, photocopied, and stored every postal letter we sent, we’d freak out. But that happens every day with email, yet we happily continue to exchange highly sensitive and personal information in those emails.
While it is easy for people like me to complain about the problem and then say that someone else has to go fix it, in this case it is clear that global email security will only come about once Gmail, Hotmail, and Yahoo! mail all make strong and seamless encryption a reality. Once the day comes that even Google can’t read our email, we will have succeeded. Will we see it in 2013? Definitely not. How about in the next ten or even twenty years? That too remains to be seen.