flickerSTICKS™ - http://www.flickersticks.org
The ULTIMATE in easy-to-use USB computer security.
Protect your job, your family, your business, your identity and your freedom with realtime USB encryption, anonymous USB web surfing, secure USB email, and portable USB virus/malware scanning, without leaving digital footprints.
January 2, 2008
Standard email communications can be intercepted, read, changed and forged. Email messages can be archived forever, retrieved at any time without notice, entered into the public domain or used against the sender or receiver should the political or legal weather change. Some communications are quite simply meant to be private and confidential. Standard SMTP servers and PHP form mail scripts simply do not provide any means of security or privacy. Unsecured email is much like a postcard being sent through the mail system. At any point of transport or delivery, the message can be read without the sender or recipient ever being aware.
How is one to know if their communications have been intercepted, spied upon, read, archived, forwarded, printed, altered or changed in any way? How is one to be certain that the email received is truly authentic? Email spoofing is a sad reality of modern communications in which ill-intentioned or ill-advised individuals wish to “dupe” unwitting recipients into some form of action.
Email spoofing is the forging of the email header in such a way that the message appears to have come from someone other than the actual sender. Email spoofing is often used by spammers and is illegal in most countries.
There are many ways to spoof email headers. The easiest method is to use an SMTP email program such as Outlook Express and simply provide a fake email address when setting up the primary email account.
SMTP (Simple Mail Transfer Protocol) servers are most often not configured to use authentication or security schemes. As such, SMTP servers can be easily manipulated for the purpose of sending illegitimate mail. However, such emails cannot be considered “spoofed” since they originate from a legitimate sender. For email to be considered “spoofed,” the email address reported in the “from” field has to be different than that of the real sender.
There are many websites and software applications that allow individuals to send spoofed email. Examples include:
Atomic Mail Sender: http://www.amailsender.com/
LiteMail: http://www.sprika.com/
Mail Sender Express Pro: http://www.brothersoft.com/e-mail/e-mail_sender/mail_sender_express_professional_41941.html
http://www.nodemise.com/spoof.php
http://www.crazybone.com/spoofmail.html (a joke site that can be exploited with injection)
There are also a great many form-mail scripts available both commercially and for free. Such scripts can be manipulated by spammers to spoof email addresses. An example is the Level 10 Design Form Mail script (L10FmX.php), which, when not configured correctly or when used directly by spammers, can “spoof submissions to send e-mail through the script” (http://www.leveltendesign.com/L10Apps/Fm/help_installation.php).
Additionally, through email header injection, spammers can succeed in sending spoofed emails. This is accomplished by exploiting the PHP mail() function (http://www.phpsecure.info/v2/article/MailHeadersInject.php):
<?php mail($recipient,$subject,$message,$headers); ?>
to produce:
To: $recipient
Subject: $subject
$headers

$message
Example:
<?php mail("recipient@victim.xxx","Hello","Hi,\nYour site is great.\nBye","From: sender@anonymous.xxx"); ?>
to produce:
To: recipient@victim.xxx
Subject: Hello
From: sender@anonymous.xxx

Hi,
Your site is great.
Bye
A clever spammer would be able to cheat a simple php form such as the one below with email header injection.
<?php
$to = "webmaster@website.com";
if (!isset($_POST["send"])) {
    // no post data -> display form
?>
<form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
To: webmaster@website.com
From: <input type="text" name="sender">
Subject: <input type="text" name="subject">
Message:
<textarea name="message" rows="10" cols="60"></textarea>
<input type="submit" name="send" value="Send">
</form>
<?php
} else {
    // found post data .. deal with it
    $from = $_POST['sender'];
    // send mail: $from and the subject reach the mail headers unfiltered,
    // which is what leaves this form open to header injection
    if (mail($to, $_POST['subject'], $_POST['message'], "From: $from\n")) {
        // display confirmation message if mail sent successfully
        echo "Your mail was indeed sent to $to.\n";
    } else {
        // sending failed, display error message
        echo "Doh! Your mail could not be sent.\n";
    }
}
?>
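A hardened counterpart to the form handler above, as an added example that is not part of the original article. It rejects line breaks in the fields that end up in mail headers and validates the sender address; the function names and sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the article): validate header-bound fields
// before they reach mail(). Function names and samples are constructed.

function has_header_break(string $value): bool {
    // CR, LF or NUL would let a value end its header line and start another.
    return preg_match('/[\r\n\0]/', $value) === 1;
}

function build_mail(array $post): array {
    foreach (['sender', 'subject', 'message'] as $field) {
        if (!is_string($post[$field] ?? null)) {
            throw new InvalidArgumentException("$field missing or not a string");
        }
    }
    $sender  = $post['sender'];
    $subject = $post['subject'];
    if (has_header_break($sender) || has_header_break($subject)) {
        throw new InvalidArgumentException('line break in a header field');
    }
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('sender is not a valid address');
    }
    // The body may span lines; normalise its line endings to CRLF.
    $message = preg_replace('/\r\n|\r|\n/', "\r\n", $post['message']);
    return ["From: $sender\r\n", $subject, $message];
}

// Constructed inputs: a normal submission and one carrying an extra header line.
$samples = [
    'clean'    => ['sender' => 'visitor@example.com', 'subject' => 'Hello',
                   'message' => "Hi,\nYour site is great.\nBye"],
    'injected' => ['sender' => "visitor@example.com\r\nX-Injected: yes",
                   'subject' => 'Hello', 'message' => 'Hi'],
];
foreach ($samples as $label => $post) {
    try {
        [$headers, $subject, $message] = build_mail($post);
        // A real handler would now call mail($to, $subject, $message, $headers).
        echo "$label: accepted, headers = " . json_encode($headers) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
```

Rejecting the submission outright, rather than stripping the line breaks and sending anyway, keeps malformed input out of the mail queue and gives the site owner a clear event to log.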
The header of an email message contains very specific information about the source and path of the email message. Often, this information can be used to determine if an email message has been spoofed. Again, if the email header has not been forged, the message is not considered “spoofed.”
Spoofed email messages will sometimes contain noticeable and obvious errors. The most common error is a discontinuity between the “friendly” and “email” names in the “from” field. For example, an email which displays a friendly name of “Albert Einstein” and an email name of “mikesmith@someemailserver.net” is likely to be spoofed.
The “received” fields display the relay path of the sent email from its origin to destination. This information can contain IP addresses, the sender's email program, domain names and geographic information. Each of these items can be a clue to a possible forgery. For example, should the received field indicate the mailing program as Atomic Mail Sender (a known mass mailing application with spoofing capabilities), it can be assumed the message has been spoofed. Or, should the sender be known to live in Ontario, but the originating IP address is geographically located in Romania, it's likely the email has been forged.
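The two header checks described above, as an added example that is not part of the original article. The message is constructed (documentation IP ranges, the article's own “Albert Einstein” From line), and the function names and the word-matching heuristic are assumptions made for illustration.

```php
<?php
// Added example (not from the article). The message below is constructed.
$raw = "Received: from mx.example.net (mx.example.net [192.0.2.10])\r\n"
     . "\tby mail.example.org with ESMTP; Wed, 2 Jan 2008 10:00:05 -0500\r\n"
     . "Received: from [198.51.100.7] (unknown [198.51.100.7])\r\n"
     . "\tby mx.example.net with SMTP; Wed, 2 Jan 2008 10:00:01 -0500\r\n"
     . "From: \"Albert Einstein\" <mikesmith@someemailserver.net>\r\n"
     . "Subject: Hello\r\n\r\nbody text";

function parse_headers(string $raw): array {
    $block = preg_split('/\r?\n\r?\n/', $raw, 2)[0];      // headers end at the first blank line
    $block = preg_replace('/\r?\n[ \t]+/', ' ', $block);  // unfold continuation lines
    $headers = [];
    foreach (preg_split('/\r?\n/', $block) as $line) {
        if (preg_match('/^([^:\s]+):\s*(.*)$/', $line, $m)) {
            $headers[strtolower($m[1])][] = $m[2];
        }
    }
    return $headers;
}

// Heuristic: flag a From line whose friendly name shares no word
// (three letters or more) with the mailbox name.
function from_name_mismatch(string $from): bool {
    if (!preg_match('/^"?([^"<]*?)"?\s*<([^<>@\s]+)@[^<>\s]+>$/', trim($from), $m)) {
        return false;                                     // no friendly name to compare
    }
    $words = preg_split('/[^a-z0-9]+/', strtolower($m[1]), -1, PREG_SPLIT_NO_EMPTY);
    $words = array_filter($words, fn($w) => strlen($w) >= 3);
    foreach ($words as $w) {
        if (strpos(strtolower($m[2]), $w) !== false) {
            return false;
        }
    }
    return count($words) > 0;
}

// Each relay prepends its Received line, so the last one is closest to the origin.
function relay_path(array $headers): array {
    return array_map(function ($line) {
        preg_match('/^from\s+(\S+)/i', $line, $host);
        preg_match('/\[(\d{1,3}(?:\.\d{1,3}){3})\]/', $line, $ip);
        return ($host[1] ?? '?') . ' ' . ($ip[1] ?? '?');
    }, array_reverse($headers['received'] ?? []));
}

$h = parse_headers($raw);
echo 'From mismatch: ' . var_export(from_name_mismatch($h['from'][0] ?? ''), true) . "\n";
echo 'Relay path (origin first): ' . implode(' -> ', relay_path($h)) . "\n";
```

Only the Received lines added by servers the recipient trusts are reliable; anything below them was supplied by the sending side and can itself be forged.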
There are a great many other clues that can indicate an email forgery. The content of the email itself can be a good indicator. Most banks do not communicate with their customers through email, especially to indicate security issues requiring the customer to provide confidential information to maintain their banking services. Regardless of the header information of the email, this would be an example of an obvious forgery.
The best detector for spoofed or forged email is diligence. Be aware of the latest scams and tricks. Question unsolicited correspondence. Verify “official” looking emails by navigating through Google (not the email links provided in the message) to the purported official site to check for security notices and warnings.
Secure e-mail is that mail which has been encrypted and digitally signed to ensure that only the intended recipient is capable of reading it. Furthermore, secure email is that mail which cannot be altered or modified without the recipient or sender being aware of such modifications. Because of the way secure emails are created and distributed, that is, through the use of private keys and publicly shared keys, secure email is virtually immune to spam, spoofing or phishing.
Regular email is much like a postcard in the snail-mail world. Anyone who handles the postcard at any point during the transport and delivery of the postcard is able and capable of reading the postcard. Thus, the postcard can not be considered as a safe means of communicating confidential or important information. Perhaps an even more accurate analogy would be that of a sealed letter. At any point during the transport and delivery of the letter to the intended recipient, the letter can be unsealed, read, copied, altered and or modified, resealed and delivered to the recipient without either the sender or recipient ever being aware.
In the snail-mail world, secure mail would be those messages which have been written in secret code and then placed into an envelope and sealed with stamped wax. Should the message be read at any point, the wax seal will be obviously broken. Additionally, the message is written using a secret code and even if intercepted is unlikely to be understood.
Secure e-mail uses digital certificates, also known as digital IDs, along with two basic cryptographic techniques. The techniques used are a digital signature and content encryption.
With digital certificates and a personal key, digitally signed emails can be sent. In order to send digitally signed emails, the email client must first be set up to permit the use of digital signatures. The biggest advantage of a digitally signed email is that it is protected against modifications while en route and is uniquely allocated to the sender and receiver.
Before a secure email is sent, it must first be encrypted. To encrypt an email and use digital signatures, the sender must first have the recipient’s digital certificate (public key). The email is signed with the sender’s private key and encrypted with the recipient’s public key to ensure that only the sender and the intended recipient will be able to open the mail.
To receive the recipient’s digital key, the sender merely needs to request that the recipient send a digitally signed email first. The sender then signs the email message with their private key and encrypts it with the recipient’s public key.
A private key is used for decryption and is stored by the owner securely and secretly on their computer. A public key is used for encryption and is given to anyone who would like to send or receive a secure email message. Both keys together form a pair of signature keys for encrypting and decrypting the email message.
When the recipient receives the encrypted message, it must be deciphered. The message can only be decrypted with the private key that matches the public key used to encrypt it.
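The sign-then-encrypt and decrypt-then-verify flow described above, as an added example that is not part of the original article. It uses PHP's OpenSSL functions with throwaway RSA key pairs instead of S/MIME certificates, and all variable names are illustrative.

```php
<?php
// Added example (not from the article): key pairs are generated on the fly.
$opts = ['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048];
$senderKey    = openssl_pkey_new($opts);
$recipientKey = openssl_pkey_new($opts);
$intruderKey  = openssl_pkey_new($opts);
if (!$senderKey || !$recipientKey || !$intruderKey) {
    exit('key generation failed: ' . openssl_error_string() . "\n");
}
// The public halves are what the two parties exchange (inside certificates).
$senderPub    = openssl_pkey_get_details($senderKey)['key'];
$recipientPub = openssl_pkey_get_details($recipientKey)['key'];

$message = "Hi,\nYour site is great.\nBye";

// Sender: sign with own private key, then encrypt to the recipient's public key.
// openssl_seal encrypts the text with a random AES key and wraps that key with RSA.
openssl_sign($message, $signature, $senderKey, OPENSSL_ALGO_SHA256);
openssl_seal($message, $sealed, $wrappedKeys, [$recipientPub], 'aes-256-cbc', $iv);

// Recipient: decrypt with own private key, then verify with the sender's public key.
openssl_open($sealed, $opened, $wrappedKeys[0], $recipientKey, 'aes-256-cbc', $iv);
$valid = openssl_verify($opened, $signature, $senderPub, OPENSSL_ALGO_SHA256) === 1;
echo 'decrypted matches original: ' . var_export($opened === $message, true) . "\n";
echo 'signature valid:            ' . var_export($valid, true) . "\n";

// A message altered after signing no longer verifies.
$tampered = str_replace('great', 'awful', $opened);
$valid = openssl_verify($tampered, $signature, $senderPub, OPENSSL_ALGO_SHA256) === 1;
echo 'tampered copy verifies:     ' . var_export($valid, true) . "\n";

// A private key that does not match the recipient's public key cannot read it.
$other = null;
$ok = openssl_open($sealed, $other, $wrappedKeys[0], $intruderKey, 'aes-256-cbc', $iv);
echo 'intruder can read:          ' . var_export($ok && $other === $message, true) . "\n";
```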
There are many solutions available to individuals desiring secure email. Both VeriSign and Thawte offer digital certificates (keys) that can be used with Outlook and Thunderbird along with S/MIME and encryption.
Alternatively, web based secure email solutions exist including Hushmail (www.hushmail.com), Crypto Heaven (www.cryptoheaven.com), Bitnet’s Managed Secure E-Mail (www.bitnets.com), 4 Secure Mail’s secure webmail and secure POP mail (www.4securemail.com), S-Mail (www.s-mail.com), CryptoMail (www.cryptomail.com), and ZipLip (www.ziplip.com) to name a few.
The cost of the different solutions available varies from service to service and the level of service required. Hushmail is free for individual desktop users and ranges up to $2.50/month USD for a premium web based account. Cryptoheaven costs from $2.42/month for a personal account to $7.98/month for a business account. Managed Secure E-Mail, a service which redirects personal email through the managed servers and cleans messages of spam, malware and viruses, costs $39.00/month CDN. 4 Secure Mail charges $1.39/month/user for a family membership, $3.39/month for a single user account, and $0.42/month/user for a business account.
One can only speculate as to why secure email hasn’t become the method of internet mail communication. Complacency may also be an issue. Users simply fail to see any issues with their current insecure email setups. If users are not aware of any problems, then for them, problems do not exist. Additionally, some users do not care if their emails are opened by third parties and often feel they have nothing to fear because they have nothing to hide.
The process of applying for and collecting a digital certificate can be difficult. For many users, the difficulties are overwhelming and hardly worth the effort. Worse yet, some users may have forgotten, lost or are unaware of their certificates.
The process of exchanging certificates is not conducive to encouraging a positive experience amongst novice users. Having to contact recipients, request keys, install/verify keys, encrypt messages, decrypt messages, can slow down already impatient users.
Anyone can produce a public key with a target recipient’s name and give it to the sender with the hope of “tricking” the sender into releasing confidential and important information.
Because of this, it is important that public keys are given to the sender personally (i.e. via a trusted network and directly from the owner of the key), or through an authorized and trusted certificate authority.
Privacy of communication is explicitly protected by the Universal Declaration of Human Rights – Article 12:
Article 12.
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
and by the International Covenant on Civil and Political Rights – Article 17:
Article 17
1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
2. Everyone has the right to the protection of the law against such interference or attacks.
Many countries vigorously advocate and promote the use of secure email. In the United States, the healthcare industry is required by law to use secure email when communicating via the internet. Banks and government institutions, while not required by law, use secure email for most communications.
Email, like any other online communication, can be archived and stored anywhere in the world and may never be deleted or destroyed. Unprotected communications run the risk of being released into the public or eventually becoming public domain. Imagine your most personal communications being shared with the world.
But, controversy surrounds the concept of encryption, anonymous mail and secure mail. By simply encrypting an email, which is sent across international borders, both the sender and receiver may be guilty of a criminal act within their particular jurisdiction. Sending an encrypted email message from the United States to an official enemy country such as North Korea or Cuba can land the sender in jail. (see: Bureau of Export Administration; 15 CFR Parts 734, 740 et al, Revisions to Encryption Items; Interim Final Rule). Perhaps even crossing the border with an encrypted file on your laptop could be cause for issue.
Obviously a balance must be struck for protecting the rights of individuals and the rights of the community. Freedom of speech is an important aspect of an open democratic society, however that same freedom can be used against society to cause harm. Criminals can make use of secure email systems to circumvent the efforts of law enforcement. Disgruntled employees can make use of secure email systems to rob companies of intellectual properties.
Everyone has the right to privacy whether they choose to exercise it or not. Governments worldwide are not permitted to interfere with an individual’s right to privacy, yet they do. It is up to individuals to educate and protect themselves. Secure email utilizing a system of encryption keys is just one way that individuals can guarantee a certain degree of privacy when communicating online.
Technology changes quickly though. What is secure today may be publicly accessible tomorrow. Email messages can be archived and stored indefinitely. Jeopardizing messages can rear their ugly heads at a future date highly inconvenient for the sender or recipient.
Governments tend to remove liberties from the community rather than grant them, and all in the name of protecting the community from evildoers. Big business has massive financial clout and can easily influence lawmakers and politicians. The climate is uncertain.
Services like SafeMessage.com represent email of the future where not only are messages encrypted with a system of key pairs, but the messages self destruct after a pre-determined period of time, automatically erase their own tracks as they’re handed from server to server, and the sender can control the viewing, printing, forwarding and saving options.
This article was produced by flickerSTICKS™
© Copyright 2008 flickerWORKS™ Inc. | All Rights Reserved
You may copy and redistribute this article providing you do not change its content and you leave all links referring to http://www.flickersticks.org intact.