In today's uncertain times, how to secure mail servers and small-scale business interests online?

Sudhir Panda • 10 May 2017
1 comment
0 likes

One of the first things you do in the morning is check your email. And, if you’re like me, you also wonder who else has read your email. That’s not a paranoid concern. If you use a web-based email service such as Gmail or Outlook 365, the answer is kind of obvious and frightening. Add to it, now even corporatist governments are spying citizens and small businesses en masse on behalf of the allied big cronies drumming development and economies of scale, big data marketing, social profiling & securing us from terrorists their own bhakts create 24/7 with apathy and loot of the weaker sections.

Even if you delete an email the moment you read it on your computer or mobile phone, that doesn’t necessarily erase the content. There’s still a copy of it somewhere. Web mail is cloud-based, so in order to be able to access it from any device anywhere, at any time, there have to be redundant copies. If you use Gmail, for example, a copy of every email sent and received through your Gmail account is retained on various servers worldwide at Google. This is also true if you use email systems provided by Yahoo, Apple, Rediff, Jio, Comcast, Microsoft, Whatsapp, Facebook, or even your workplace. Any emails you send can also be inspected, at any time, by the hosting company. Allegedly this is to filter out viruses, malware, ransomware and some bla bla wares, but the reality is that third parties can and do access our emails for other, more sinister self-serving reasons: bigdata, mining, competitor spying, cross-selling and similar.

While most of us may tolerate having our emails scanned for malware, and perhaps some of us tolerate scanning for advertising purposes, the idea of third parties reading our correspondence and acting on specific contents found within specific emails is downright disturbing. The least you can do is make it much harder for them to do so.

Setup your Own Mail Cloud / Encryption and physically verify before securing:

Most web-based email services use encryption when the email is in transit, just like someone can break into a postal van or bribe the delivery man. However, when some services transmit mail between Mail Transfer Agents (MTAs), they may not be using encryption, thus your message is in the open. To become invisible you will need to encrypt your messages, just like we can disguise the postal van and the postman.

So how would encrypting the contents of your email work? The most popular method of email encryption is PGP, which stands for “Pretty Good Privacy.” It is not free. But its creator, Phil Zimmermann, also authored an open-source version, OpenPGP, which is free. And a third option, GPG (GNU Privacy Guard), created by Werner Koch, is also free. No matter which version of PGP you use, the basic functions are the same.

When Mr Snowden first decided to disclose the sensitive data he’d copied from the NSA, he needed the assistance of like-minded people scattered around the world. Privacy advocate and filmmaker Laura Poitras had recently finished a documentary about the lives of whistle-blowers. Snowden wanted to establish an encrypted exchange with Poitras, except only a few people knew her public key.

Snowden reached out to Micah Lee of the Electronic Frontier Foundation. Lee’s public key was available online and, according to the account published on the Intercept, he had Poitras’s public key. Lee checked to see if Poitras would permit him to share it. She would.

Given the importance of the secrets they were about to share, Snowden and Poitras could not use their regular e‑mail addresses. Why not? Their personal email accounts contained unique associations - such as specific interests, lists of contacts - that could identify each of them. Instead Snowden and Poitras decided to create new email addresses.

How would they know each other’s new email addresses? In other words, if both parties were totally anonymous, how would they know who was who and whom they could trust? How could Snowden, for example, rule out the possibility that the NSA or someone else wasn’t posing as Poitras’s new email account? Public keys are long, so you can’t just pick up a secure phone and read out the characters to the other person. You need a secure email exchange.

By enlisting Lee once again, both Snowden and Poitras could anchor their trust in someone when setting up their new and anonymous email accounts. Poitras first shared her new public key with Lee. Lee did not use the actual key but instead a 40-character abbreviation (or a fingerprint) of Poitras’s public key. This he posted to a public site, Twitter.

Sometimes in order to become invisible you have to use the visible.

Now Snowden could anonymously view Lee’s tweet and compare the shortened key to the message he received. If the two didn’t match, Snowden would know not to trust the email. The message might have been compromised. Or he might be talking instead to the NSA. In this case, the two matched.

Snowden finally sent Poitras an encrypted e‑mail identifying himself only as “Citizenfour.” This signature became the title of her Academy Award–winning documentary about his privacy rights campaign. That might seem like the end - now they could communicate securely via encrypted e‑mail - but it wasn’t. It was just the beginning.

How to Anonymize Everything You Do Online
The keys are (more or less) under your control, and so, as you might guess, their management is very important. If you generate an encryption key, you—and no one else - will have the key stored on your device. If you let a company perform the encryption, say, in the cloud, then that company might also keep the key after he or she shares it with you and may also be compelled by court order to share the key with law enforcement or a government agency, with or without a warrant.

When you encrypt a message—an e‑mail, text, or phone call - use end‑to‑end encryption. That means your message stays unreadable until it reaches its intended recipient. With end‑to‑end encryption, only you and your recipient have the keys to decode the message. Not the telecommunications carrier, website owner, or app developer - the parties that law enforcement or government will ask to turn over information about you. Do a Google search for “end‑to‑end encryption voice call.” If the app or service doesn’t use end-to-end encryption, then choose another.

If all this sounds complicated, that’s because it is. But there are PGP plug-ins for the Chrome and Firefox Internet browsers that make encryption easier. One is Mailvelope, which neatly handles the public and private encryption keys of PGP. Simply type in a passphrase, which will be used to generate the public and private keys. Then whenever you write a web-based email, select a recipient, and if the recipient has a public key available, you will then have the option to send that person an encrypted message.

Beyond Encryption: Metadata

Even if you encrypt your e‑mail messages with PGP, a small but information-rich part of your message is still readable by just about anyone. In defending itself from the Snowden revelations, the US government stated repeatedly that it doesn’t capture the actual contents of our emails, which in this case would be unreadable with PGP encryption. Instead, the government said it collects only the email’s metadata. You'd be surprised by how much can be learned from the email path and the frequency of emails alone.

What is email metadata? It is the information in the To and From fields as well as the IP addresses of the various servers that handle the email from origin to recipient. It also includes the subject line, which can sometimes be very revealing as to the encrypted contents of the message. Metadata, a legacy from the early days of the internet, is still included on every email sent and received, but modern email readers hide this information from display.

That might sound okay, since the third parties are not actually reading the content, and you probably don’t care about the mechanics of how those emails traveled—the various server addresses and the time stamps - but you’d be surprised by how much can be learned from the email path and the frequency of emails alone. According to Snowden, our email, text, and phone metadata is being collected by the NSA and other agencies. But the government can’t collect metadata from everyone, or can it? Technically, no. However, there’s been a sharp rise in “legal” collection since 2001.

To start, your IP address reveals where you are in the world, what provider you use, and the identity of the person paying for the Internet service (which may or may not be you). All these pieces of information are included within the email metadata and can later be used to identify you uniquely. Any communication, whether it’s email or not, can be used to identify you based on the Internal Protocol (IP) address that’s assigned to the router you are using while you are at home, work, or a friend’s place.

IP addresses in emails can of course be forged. Someone might use a proxy address - not his or her real IP address but someone else’s - that an email appears to originate from another location. A proxy is like a foreign-language translator - you speak to the translator, and the translator speaks to the foreign-language speaker, only the message remains exactly the same. The point here is that someone might use a proxy from China or even Germany to evade detection on an email that really comes from North Korea.

Becoming invisible and keeping yourself invisible require tremendous discipline and perpetual diligence. But it is worth it. The most important takeaways are: First, be aware of all the ways that someone can identify you even if you undertake some but not all of the precautions described. And if you do undertake all these precautions, know that you need to perform due diligence every time you use your anonymous accounts. No exceptions.

You may ask why so much pain, I am not a terrorist or fraud, but just a common law abiding citizen? Simply, this is common practice just like we are self-disciplined to not go out public undressed, privacy is important for each digital citizen, unless we make new rules and start walking nude anywhere expecting street vendors to sell clothing fitting our IP skeleton!

Technology
Solution Point

Beware of SIM Swap! SIM-Swap involves a fraudster collecting victim's personal banking information and then approaching the victim's mobile operator with fake ID proofs to obtain a duplicate SIM card. The mobile operator deactivates the original SIM card and issues a replacement SIM. With the help of the new SIM card, fraudster does account transactions through mobile banking without victim's knowledge.

Inquire with your mobile operator if you have no network connectivity and are not receiving any calls or alerts for unusually long periods. Do not disclose your mobile number on social media platforms. Contact your mobile operator immediately as soon as you receive an indication of a probable SIM-Swap.

Do not switch off your cell phone in the event you receive numerous unknown calls. It could be a ploy to get you to turn off your phone and prevent you from noticing a tampered network connection. Register for both SMS as well as e-mail alerts to stay informed about transactions on your account. Check your bank statements and online banking transaction history regularly so you can identify any issues or irregularities.

  • Log in or register to post comments