Who can read your email?

Internet Security Threats: Who can read your email?
===================================================
Nov 23, 2003

Before being able to choose a secure Internet communication system, you
need to understand the threats to your security.

Since the beginning of the Internet there has been a naive assumption on
the part of most email users that the only people who are reading their
email are the people they are sending it to. After all, with billions
of emails and gigabytes of data moving over the Internet every day, who
would be able to find their single email in such a flood of data?

Wake-up and smell the coffee! Our entire economy is now information
based, and the majority of that mission critical information is now
flowing through the Internet in some form, from emails and email
attachments, to corporate FTP transmissions and instant messages.

Human beings, especially those strange creatures with a criminal mind,
look for every possible advantage in a dog eat dog world, even if that
advantage includes prying into other peoples' mail or even assuming your
identity. The privacy of your Internet communications has now become
the front line in a struggle for the soul of the Internet.

The New Generation Packet Sniffers:
===================================

At the beginning of 2001, most computer security professionals began to
become aware of an alarming new threat to Internet security, the
proliferation of cheap, easy to use packet sniffer software. Anyone
with this new software, a high school education, and network access can
easily eavesdrop on email messages and FTP transmissions.
Software packages such as Caspa 3.0 or PassDetect - Ace Password
Sniffer automate the task of eavesdropping to the point were if you send
an email messages over the Internet with the phrase "Credit Card", it's
almost a certainty that someone, somewhere will capture it, attachments
and all.

(Caspa 3.0 - from ColaSoft Corporation, located in Chengdu, China
http://www.colasoft.com,PassDetect - a product whose advertised purpose
is to sniff passwords sent in email, over HTTP, or over FTP from
EffeTech Corporation, http://www.effetech.com )

A good example of this new class of software is called MSN Sniffer,
also from Effetech, and it highlights the "party line" openness of
today's LAN and Internet environments. Just like old telephone party
lines, MSN sniffer lets you listen-in on other people's conversations,
just like picking up another phone on a party line.

On their web site, Effetech advertises MSN Sniffer as:

"a handy network utility to capture MSN chat on a network. It records
MSN conversations automatically. All intercepted messages can be saved
as HTML files for later processing and analyzing. It is very easy to
make it to work. Just run the MSN Sniffer on any computer on your
network, and start to capture. It will record any conversation from any
PC on the network."

Just as the Internet has been flooded by a deluge of spam messages after
the introduction of cheap, easy-to-use spam generation software, the
same effect is now taking place with sniffer software. The major
difference is that, unlike spam, Internet eavesdropping is totally
invisible, and ten times as deadly. How much of the identity theft
being reported today is a direct result of Internet eavesdropping? Its
hard to tell, but with the every growing dependency by individuals and
corporations on Internet communications, opportunities to "capture" your
sensitive data abound.

Most FTP transmission are unencrypted!
=====================================

As of November 2003, the majority of corporate FTP transmissions are
still unencrypted (unencrypted is geek speak for "in the clear" ) and
almost all email communications take place "in the clear". Many email
and FTP transmissions travel over 30 or more "hops" to make its way from
the sender and receiver. Each one of these hops is a separate network,
often owned by a different Internet Service Provider (ISP).
Any Idiot in the Middle
Even a well run corporation must still primarily rely on trusting its
employees, contractors and suppliers to respect the privacy of the data
flowing over its networks. With the new sniffer technology, all it
takes is one "idiot in the middle", and your security is compromised.
It could be the admin assistant sitting in the cubical next to you, or a
network assistant working for one of the many ISPs your data will travel
over, but somewhere, someone is listening. Maybe all he is looking for
is his next stock trading idea, or maybe he wants to take over your eBay
account so he can sell a nonexistent laptop to some unsuspecting
"sucker" using your good name. its all happening right now, at some of
the most respected companies in the world.
Access to your network doesn't have to come from a malicious or curious
employee-many Internet worms, Trojans and viruses are designed to open
up security holes on a PC so that other software can be installed. Once
a hacker has access to one computer in your network, or one computer on
your ISP's network, he can then use a sniffer to analyze all the traffic
on the network.

So I'll password-protect my files, right? :
=========================================

You're getting warmer, but this still isn't going to do the trick. It's
a good way to stop packet sniffers from searching for key words in a
file, but unfortunately it is not as secure as you might think.
If you ever forget a Zip, Word or Excel password, don't worry, just
download the password tool from Last Bit Software www.PasswordTools.com,
it works very well. There are many other packages out on the Internet
but Last Bit's tool is the most robust and easy to use, if a bit slower
that some others.

So what can I do about it?
==========================

OK, so now that you understand the threat, what can you do about it?

. Stop using the Internet? - More than a few professionals are returning
to phone calls and faxes for all their important communications.

. Complain to your IT department? - If you have an IT department in
your company this is a good place to start. But did the spam mail stop
when you complained about it to your LAN administrator? Unfortunately
he is almost as helpless as you are.

. Encrypt your communications with PKI, etc. - For email this is a bit
drastic, and can be very expensive, especially since you will need to
install a key on each PC and coordinate this with the receivers of your
email messages, your IT organization, etc.

. Use FileCourier - This is by far the easiest and most cost effective
way to protect your email attachments, or replace FTP transmissions. It
takes out the "idiot in the middle" with a very clever solution.

The FileCourier approach to Security
====================================

I believe that FileCourier is the easiest out-of-the box secure
communication system available.

FileCourier approaches Internet data transfer security in a unique way.
Until FileCourier was first released in December of 2002, all secure
email and file transmission systems relied on encrypting the data during
the tried and true method of "upload, store, and forward". When you
send an email, it and any documents attached to it are first transmitted
to one or more intermediate servers. These mail server store the
documents and then attempt to forward it to the receivers email server.
To secure the transmission of the email requires either the servers to
use extra encryption software technology, or forces the individual
sender and receivers to install encryption software and their associated
keys, or both. Not only is this a costly and time consuming exercise
but it also often fails to protect the data over the complete path of
the transmission. What do you do if the receiver is in another company
and doesn't have any encryption software installed? What if his company
is using a difference encryption standard? Ignoring the complexity of
existing secure email and FTP systems their biggest failings continue to
be the "idiot in the middle". From a nosey email or FTP server
administrator, to a hungry co-worker, to an incompetent who lets a
hacker have free reign of their server, if your sensitive documents are
stored on a server maintained by someone else then that person, or his
company, can view your documents.
The FileCourier approach is creative, yet simple. FileCourier utilizes
existing email and instant messaging systems in the same way you use an
envelope to send a letter thru the US postal service, as a wrapper for
the real content. We assume that EVERYONE can read what is in the
email, so we don't send your documents in the email at all. In fact
your documents never leave your PC, until the receiver of the email
requests it.
How it works
FileCourier lets you ticket the file you want to email, and then instead
of sending the file in the email, sends a "FileTicket" instead. The
file is only transmitted to the receiver of the email when he opens the
FileTicket and is "authenticated". After the receiver is authenticated
the file is transmitted through an SSL (secure socket layer) tunnel
directly from the sender's PC to the receiver's PC through our secure
relay servers. SSL is the same security used by banks and is impossible
for packet sniffers to penetrate. With FileCourier each packet is
encrypted using a 1024 bit key and is delivered to your receiver through
his browser. FileCourier lets your communications go un-detected by any
sniffer, and removes the "idiot in the middle" threat by never storing
the data on an intermediate server. More over, FileCourier is the
easiest way to secure your sensitive data transmission in both an
Internet and corporate LAN environment.

Take Action Now!
================

Internet communications security is one of the most important privacy
issues we face today. It might feel a bit paranoid for a law-abiding
citizen to encrypt his email communications and computer document
transmissions, but would you send a customers contract thru normal mail
without an envelope? How would you feel if your employer sent your next
pay stub to you on the back of a postcard? Use FileCourier, just like
you would use a envelope for regular mail. Download the no obligation
free trial today at www.filecourier.com. and send 50MB of data securely
for free!

ABOUT THE AUTHOR
Mark Brooks is a software architect, internet entrepreneur and founder of CanDo Networks Corporation. CanDo Networks Corporation makes easy-to-use software for communicating large amounts of data securely and privately over the Internet. Its flagship product, Filecourier (www.filecourier.com ), is used by thousands of legal, medical, and computer professionals to securely deliver files over the internet, to anyone, anywhere.