Scroogled,Outlooked or Yahooed, your email is not secured!

       You heard it loud and clear from Microsoft’s  “scroogled” campaign against Google's policy on email privacy. But I don’t think any of you would have bought into it, since we all know there is no such thing as privacy or security when it comes to emails. Any one remembers Petraeus affair? I guess, the convenience of email makes everyone forget and sacrifice their security concerns, how else can we explain that people don’t think twice before exchanging confidential information like their tax returns, mortgage papers and pay stub. If you assume, hackers are only interested in celebrities email, you are wrong. You just don’t hear about common Joe’s email hacks in newspapers! Given the importance of emails today, it is a gold mine to hack anyone’s email and snooping on documents being exchanged. Access to email is the most critical tool needed to reset passwords on pretty much anything; bank accounts, mortgage account, eBay, Amazon, iTunes, you name it.So I don't think anyone needs to be convinced that securing your email is an utmost important task.

       Email being such an important tool, why is it so hard to make it secured and protected? No one wants others to read their emails, celebrity or not. But the problem is, if your email service provider is in the business of reading your mails to sell advertisements, sell your data to vendors and feeding the government surveillance system, why would they make it easier to keep your data away from their reach! So there is no easy button out there. But we can’t give up and go back to Pigeon Post, well even then you would have to encrypt your messages!

General tips to keep your email account safe.

•  Always use a complex and long passwords for your email accounts and make sure you don’t store them on your PC.

·    Make sure your alternate email id, which is used for password reset is also secured with strong passwords
·    Use email service with minimum two factor authentication. I know gmail supports two factor authentications, but most other providers don’t. Never understood, why it takes so long for yahoo and Microsoft to implement it.
·    Make sure you are using HTTPS to access your mails when using browser

Content Encryption

       None of the above is going to make your email content safe, it only protects your email account and assures your message safety when it’s in transit. But it is not going to stop Google or Yahoo snooping on your email. Let’s see what we can do about.

1) Simple encryption

Encrypt your content and attachment using 7-zip with a strong password. 7-zip being a commonly used free application, it should not be hard to use it on the receiving side. Make sure you don’t store the password in your computer or don’t sent the password by email.

There are handfuls of other good tools that you can explore like Encrypt Files, which will encrypt the whole folder, dsCrypt allows you to drag and drop files to be encrypted are come of them. Whatever tool you use, make sure it is available on all platform and devices, including the mobile.

2) Use Pretty Good Privacy (PGP) certificates

This is basically certificate based content encryption, very similar to SSL site certificates. You generate two certs public one and a private one; give out the public cert to anyone who wants email to you so that he/she can encrypt the content with it. Once you receive, only you would be able to decrypt with your private key.

       OpenPGP is a free open source tool that lets you do it, for more information on how to use PGP encryption, there is a good article on Life Hacker.

Secured Email Providers

       There are lots of new players in this space now, offering you a secured service, some of them are free and others may charge a few dollars a month;HushMail, 4SecureMail and Swiss Mail are some of them.Typically the email recipient will be taken to a website to answer the secret questions and the content is decrypted upon successful answers.

       If you need security and privacy on your emails, you would have to sacrifice the convenience for sure. I am not sure whether you would be able to convince everyone communicating with you to follow the process. But my advice is, if you ever have to email anything sensitive, tax doc, medical records or SSN, never send them in plain text.

Whose war is this?

"If history repeats itself, and the unexpected always happens, how incapable must Man be of learning from experience" -George Bernard Shaw

I salute The New York Times for coming out and reporting on it's system being hacked, reported on Jan 30th, 2013. Following the suit, we hear the same from other major media companies WSJ and Washington Post. It makes you to wonder how many more companies are affected, but not disclosing! And how many more are affected but not aware of this APT running on their network!

NYT is not new to being hacked, it has seen it's share in the past, but unlike many companies, NYT management seems to be committed in securing their infrastructure,data and is well aware of Internet security pitfalls. It even conducts “Hackathon” events every year with a bug bounty program, it is working with major companies in security industry. Regarding this particular incident, NYT management took the time and risk to analyze the hackers activity, instead of shutting down the system in panic. Kudos to the management for all that. But I believe the issue is much bigger than what it appears to be. Let's take a look at some of the facts about this cyber terrorist activity.

• NYT isn’t new to being hacked, as it was hacked few times in the past along with other media companies (May 2009, Sept 2009, April 2010).
• In April, 2010, NYT journalist Andrew Jacobs claimed that his Yahoo email account was hacked while he was in Beijing, forwarding all of his correspondence to a third party. (http://nakedsecurity.sophos.com/2013/01/31/history-hack-attacks-against-media/)
• NYT expected retaliation from China after publishing the report on Wen Jiabao
• AT&T notified NYT on unusual traffic on day one after the report was published
• NYT uses Symantec AntiVirus, possibly using other desktop protection software
• 53 of their user computers were compromised
• 45 different malware were installed and only one was detected by an up-to-date AV software
• The hackers used University infrastructure to hide their tracks
• NYT didn’t notice it for three months!
• Symantec says AV alone is not enough to protect your PCs
• WSJ & Washington Post confirmed similar attacks on their systems too
• Based on the attack signature, NYT claims that govt of China was behind the attack
• Red China calling it a baseless allegation

Though NYT was expecting the retaliation, it wasn't able to detect or stop it for a while. Assuming it's allegation is true that it was govt of China, orchestrating these attacks, would it be possible for any one company to stop these attacks! I don't think so, when many of our corporations are being attacked by foreign states and individuals, what's the role of our government in all this? Is it not government's interest to protect it's business? What would have been the govt reaction if it were a real intrusion on it's borders? Is it really hesitating to get involved? Many are the unanswered questions.

It doesn't give any assurance when I look at the outdated federal guidelines on Internet Security, one has to wonder how much Washington wants to be involved in this war? Could it be hesitating because of it's past history, regarding Stuxnet and Iran? Or is it simply a matter of time before Washington catches up? Only time can tell.