A couple of Sundays ago I was up getting the griddle ready for some pancakes when an old buddy called.
“Hey Dave, I’m looking to sell my Giants season tickets to a guy back east. What’s a secure way to send him account information via email?”
Jack and I worked together years ago at a software company in Palo Alto. He knew regular email wasn’t considered safe – but wasn’t sure why.
Generally the text you send in an email is about as safe as “snail mailing” a postcard.
Is the data on a postcard really worth worrying about? Probably not. There are SO many pieces of mail – WHO would want to read it?? And if you send just one or two a year, no one. Those 2 postcards probably say something like “the weather is here, wish you were beautiful!” ;) ...thanks Buffett!
But if you sent a LOT of postcards, describing your daily life, your kids’ lives, the bills you’re paying... Hmmm – that could be interesting to many of the mail handlers.
So, as with other types of attacks, we have to look at how frequently it could occur, how likely it is, and whether the technology is available. (Have you ever heard of a product called ECHELON? It’s our government’s massive collection and correlation of ALL email, telephone and IM traffic. Hmmm, is that George Orwell laughing...?)
With email, many people read/write in excess of 10 or 20 a day. It’s normally under the radar of your firewall and virus checker – and it’s up to you what’s in it. Email does not travel directly from your computer to your friend’s computer, nor does it travel encrypted. Nor is it stored encrypted at many of the most popular internet providers. (Sorry, Yahoo!)
General rules of security still apply here – don’t give out your full name, don’t send your social security number, don’t inquire about billing issues. These are all vital pieces of your Non-Public Information (NPI), which should be protected by you and any institution you’re working with.
Beyond divulging NPI, the other risk here is social engineering. Did you know that the infamous hacker Kevin Mitnick was known for using social engineering to gain access to private data? By reading all of someone’s email for the past month, I could get a pretty good idea of who you are, where you live and perhaps enough information to convince a doorman, a security guard or an online help person that I should be allowed access to your account.
Scary stuff – but it doesn’t need to be. Knowledge is your best weapon!
Securing your outbound email is a critical piece of your security portfolio.
There are dozens of solutions for the corporate user to send secure email – the easiest to implement and to use works much like a safety deposit box. You have a “key”, and so does your recipient. Here’s a website that offers this service for free – http://www.hush.com/. No installs on your PC are necessary, just a little thought to come up with a good password for your access AND a shared question the recipient would know the answer to.
Another option comes with some firewalls. With the ZoneAlarm product, and probably others, there is an area where you can tell it what type of NPI to scan your outbound emails for, and to XXXX out those areas. This helps with keeping your SSN private, but it still leaves the rest of your text in the clear.
I’ve seen several options for kids – this one at Kidsafe mail sounds pretty good so far. For the amount of email my kids have now, I’m not sure I need it. Currently they have ‘regular’ accounts, and their mom and I monitor the traffic in/out via our internet provider.
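To make the outbound-scan idea concrete, here is a small Python sketch added as an illustration; it is not ZoneAlarm’s code, and the function names and sample message are made up. It X’s out anything shaped like a plausible SSN and shows that the name and address around it still go out in the clear.

```python
import re

# Candidate SSN: 3-2-4 digits with a consistent '-' or ' ' separator, or none.
# The lookarounds stop matches inside longer digit runs (phone or order numbers).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")


def plausible_ssn(area, group, serial):
    """Structural SSN rules: no area 000, 666 or 9xx; no group 00; no serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def mask_outbound(body):
    """Return (masked_body, hits) with every plausible SSN replaced by X's."""
    hits = 0

    def repl(match):
        nonlocal hits
        area, sep, group, serial = match.groups()
        if not plausible_ssn(area, group, serial):
            return match.group(0)  # leave look-alikes untouched
        hits += 1
        return sep.join(["XXX", "XX", "XXXX"])

    return SSN_RE.sub(repl, body), hits


# Constructed sample message, not real data.
SAMPLE = (
    "Hi Sam, the account is under Jack Smith, 12 Elm St.\n"
    "My SSN is 123-45-6789 if the ticket office asks.\n"
    "Order reference: 000-12-3456\n"
)

if __name__ == "__main__":
    masked, hits = mask_outbound(SAMPLE)
    print(f"masked {hits} value(s)")
    print(masked)
```

A filter like this only catches values in the format it knows about; an SSN typed as “one two three...” or split across two messages goes through untouched.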
1 comment:
Securing email can be complex depending on how secure you feel you need to be. The topic is discussed in-depth at www.novo-ordo.com. They also have a list of free and fee service providers that can help. And they have their own service named Sub Rosa.
It is important to remember that keeping your PC secure is at least as important as keeping your email secure.