Chapter 1
Introduction

I prob­a­bly don’t need to recite a litany of famous cyber­se­cu­ri­ty breach­es, but I will. The media has pro­vid­ed us with plen­ty of head­lines over the last few years. And those are just the ones we know about. It is said there are plen­ty of oth­er big sto­ries that have nev­er come to light.

 A Par­tial List  A par­tial list of well-known com­pa­nies that have had their customer’s data breached since the mid­dle of the last decade: TD Amer­i­trade, Nation­al Archive and Records Admin­is­tra­tion, Cit­i­group, Health­net, eBay, Hon­da, Defense Depart­ment, Chase, Scott­trade, Tar­get, At&T, T-Mobile, Yahoo, Demo­c­ra­t­ic Nation­al Com­mit­tee, Wyn­d­ham Hotels, Equifax, Depart­ment of Vet­er­ans Affairs, Sony, Home Depot, IRS, Bank of Amer­i­ca, Texas Attor­ney Gen­er­al, Allied Insur­ance, JP Mor­gan, TJ Max, Hyatt Hotel, Kmart, Blue Cross/Blue Shield, Face­book, and Adobe.

Accord­ing to FBI Pub­lic Ser­vice Announce­ment, May 4, 2017, in the US between Octo­ber 2013 and Decem­ber 2016 there were 40,203 com­plaints of email secu­ri­ty breach­es from small and large busi­ness­es. The total loss­es were $5,320,890,448. That’s an aver­age loss of $131,902 per com­plaint. Between Jan­u­ary 2015 and Decem­ber 2016 there was a 2,370% increase in loss­es report­ed. Who knows how many breach­es went unre­port­ed. And the report doesn’t include per­son­al com­plaints. (The FBI announce­ment is very use­ful and includes sce­nar­ios, trends, and sug­ges­tions for pro­tec­tion.)

The Jan­u­ary issue of PC Mag­a­zine pre­dicts that email will con­tin­ue to be a major tar­get for cyber­crim­i­nals in 2018.

The big ques­tion is how does this seem­ing­ly end­less threat affect you? We all tend to think that that we are of lit­tle inter­est to hack­ers and in any case our chances of being hacked by cyber­crim­i­nals from Nige­ria, Roma­nia, Chi­na, or Rus­sia seem remote. Unfor­tu­nate­ly, what­ev­er we may think, we still have bank, bro­ker­age, cred­it, and shop­ping accounts online vul­ner­a­ble to hack­ing. It’s not a mat­ter of IF. It’s a mat­ter of WHEN. And when it comes, are you ready for it?

If you’re ready for the hack that comes your way, you’ll like­ly nev­er know it was attempt­ed. If you’re not ready, then shame on you. It’s not like­ly to end well. But then, there has been plen­ty of warn­ing.

This book is about get­ting you ready by mak­ing your email secure. Since your email is the cor­ner­stone of your online world, mak­ing your email secure goes a long way toward mak­ing your entire online pres­ence secure. Indeed, if your email is hijacked or oth­er­wise com­pro­mised, it can lead to a seri­ous breach of secu­ri­ty in your over­all cyber pres­ence. Such a breach can result in a sub­stan­tial finan­cial loss or a crit­i­cal loss of secre­cy (e.g., pro­pri­etary infor­ma­tion).

It’s true there is no absolute defense to email hack­ing. Nonethe­less, there are sim­ple, con­ve­nient, and inex­pen­sive things you can do to change the sta­tis­tics from being a real threat to being an unlike­ly occur­rence.

There are plen­ty of solu­tions to secu­ri­ty threats. Many are dif­fi­cult to under­stand, com­plex to imple­ment, or expen­sive to use. The ones that are more prac­ti­cal tend to be defens­es that solve only one secu­ri­ty threat, leav­ing you sus­cep­ti­ble to oth­ers. That’s why I con­sid­er RMail ser­vices impor­tant. It’s a suite of secu­ri­ty ser­vices.

RMail ser­vices are com­pre­hen­sive, easy to imple­ment, easy to use, and inex­pen­sive. RMail has been around since 2000 (start­ed out as RPost) and has sub­stan­tial expe­ri­ence in suc­cess­ful­ly pro­vid­ing spe­cial­ized secu­ri­ty to email users. Recent­ly it has expand­ed its secu­ri­ty ser­vices to be more com­pre­hen­sive. Hence, this book uses RMail as the prime exam­ple of defense against hack­ers.

Flex­i­ble  You can use RMail in place of your cur­rent email ser­vice, or you can use it as an addi­tion to your cur­rent email ser­vice to make your email activ­i­ties more secure. More­over, it works with what­ev­er email pro­grams and ser­vices recip­i­ents use.

But anti-hack­ing secu­ri­ty is only part of the RMail sto­ry. The huge bonus for busi­ness­peo­ple is that the RMail suite of ser­vices is at the same time a suite of con­ve­nient and inex­pen­sive busi­ness ser­vices. Indeed, this book is real­ly a busi­ness book. It’s a book about how to con­duct busi­ness secure­ly in the new dig­i­tal envi­ron­ment where every­one is con­nect­ed to every­one else, for bet­ter or worse. It’s a book about how to keep things straight (hon­est) with every­one you deal with whether friends, fam­i­ly, co-work­ers, col­leagues, clients, cus­tomers, ven­dors, col­lab­o­ra­tors, or the like. After all, almost every­one does some busi­ness on the inter­net.

If you’re an indi­vid­ual with few busi­ness respon­si­bil­i­ties, there’s plen­ty here for you to digest too. But if you’re a busi­nessper­son, this book is essen­tial for your secure busi­ness prac­tices mov­ing for­ward into a cyber future that’s get­ting to be more use­ful yet more hos­tile every day.

To begin, in order to eas­i­ly under­stand the top­ics in each chap­ter, you need to under­stand some of the spe­cif­ic terms the book defines and uses. With that in mind, this intro­duc­to­ry chap­ter sets forth some basic def­i­n­i­tions.

Internet Service Provider (ISP)

An inter­net ser­vice provider (ISP) pro­vides you with inter­net ser­vice. This means that your ISP gives you the means of hook­ing up to the inter­net. Typ­i­cal ISPs are AT&T, Ver­i­zon, Com­cast, Cox, and oth­er major com­mu­ni­ca­tions cor­po­ra­tions (tele­coms).

There are also plen­ty of local ISPs. Local ISPs typ­i­cal­ly do not serve a nation­wide mar­ket and in many cas­es do not even serve a statewide mar­ket. Some are so small that they serve only part of a city or coun­ty.

Prof­it and non-prof­it orga­ni­za­tions, such as cor­po­ra­tions and col­leges, also pro­vide inter­net ser­vice inter­nal­ly to their employ­ees and oth­er con­stituents, but not to the pub­lic.

What­ev­er their size and mar­ket, ISPs are the enti­ties that give you a con­nec­tion to the inter­net. That con­nec­tion is via phone line, cable, or satel­lite trans­mis­sion.

Host ISP

A host ISP is sim­ply a provider that spe­cial­izes in Web host­ing ser­vices. It doesn’t nec­es­sar­i­ly pro­vide you with a con­nec­tion to the inter­net, but it does pro­vide you with a smörgås­bord of ser­vices for estab­lish­ing and man­ag­ing your website(s). Your nor­mal ISP is typ­i­cal­ly a host ISP too. But most peo­ple pre­fer to use a sep­a­rate host ISP due to the spe­cial­ized Web host­ing ser­vices that a host ISP typ­i­cal­ly offers. Host­Ga­tor and 1&1 are good exam­ples.

Email Program

To han­dle your email, you use email soft­ware; that is, you use an email pro­gram. Your email pro­gram (on your com­put­er) sends, receives, stores, and man­ages your email. Email pro­grams are such soft­ware as Microsoft’s Out­look, Mozilla’s Thun­der­bird, Apple’s Mail, Synacor’s Zim­bra, and the like. Some email ser­vice providers pro­vide email pro­grams, too, such as Google (Gmail). For tablets and phones, email pro­grams are known as email apps. (There is also the tech­ni­cal and decades-old term of email client, but this book does not use that term.)

Email Service Provider

An email ser­vice provider runs an email serv­er on the inter­net. When you send an email, it goes to an email serv­er as out­lined in Chap­ter 2. An email ser­vice provider oper­ates that email serv­er.

For instance, if your ISP is Com­cast but you use Google’s Gmail, Google is your email ser­vice provider. When you send an email, it goes to the Google email serv­er.

Many of the email ser­vice providers such as Google Gmail, Microsoft Out​look​.com (Hot­mail), and Yahoo Mail offer free email ser­vice. ISP’s also offer email ser­vice typ­i­cal­ly at no addi­tion­al charge.

Mar­ket­ing Email Ser­vices  There is also a large indus­try of email ser­vice providers that han­dle mass email mar­ket­ing cam­paigns send­ing hun­dreds or thou­sands of mar­ket­ing email mes­sages at one time. Such email ser­vice providers are beyond the scope of this book. Exam­ples are AWe­ber and Con­stant Con­tact.

Email Server

An email serv­er is soft­ware that can run on any com­put­er con­nect­ed to the inter­net. It sends email mes­sages out across the inter­net, and it receives email mes­sages from the inter­net and holds those mes­sages in stor­age. An email serv­er is a pro­gram that runs on the email ser­vice provider’s com­put­er, not your com­put­er.

When you send a mes­sage from your email pro­gram it goes to an email serv­er, which sends it on to its des­ti­na­tion. An email serv­er also receives your email mes­sages from the inter­net and holds the mes­sages in stor­age until your email pro­gram retrieves them.

Can you oper­ate your own email serv­er? Sure. You can take an old lap­top (or desk­top), install a free email serv­er pro­gram on it, hook it up to the inter­net via your router, and run it 24/7. Any­one can do it. But if it doesn’t run 24/7, it miss­es incom­ing email. And it requires man­age­ment that some­times requires exper­tise. Con­se­quent­ly, few peo­ple run their own email serv­er. It’s just eas­i­er to use an email ser­vice pro­vid­ed by an ISP, a host ISP, or an email ser­vice provider.

Avoid Confusion

The pre­vi­ous def­i­n­i­tions make sim­ple dis­tinc­tions, but every­day real­i­ties often hide such dis­tinc­tions. For instance, most ISPs also pro­vide email ser­vice at no extra cost. That is, as well as hook­ing you up to the inter­net, they also pro­vide you with an email serv­er. Hence, you may eas­i­ly over­look the dis­tinc­tion between your ISP and your email ser­vice provider, if they are one and the same.

There are three dis­tinc­tions to remem­ber:

1. ISP (inter­net con­nec­tion)
2. Email ser­vice provider (email serv­er)
3. Email pro­gram

Each is inde­pen­dent. Each ser­vice that you use can be sup­plied by a dif­fer­ent provider, or one provider can sup­ply them all.

So, keep in mind that you don’t have to use the email ser­vice that your ISP offers. As long as you have a con­nec­tion to the inter­net, you can use any email ser­vice that you desire. That’s why many peo­ple who have ISPs such as AT&T, Com­cast, or oth­er major tele­coms may also use Gmail pro­vid­ed by Google for free.

(Note that if you oper­ate a web­site, your host ISP, also pro­vides email ser­vice typ­i­cal­ly at no extra cost giv­ing you yet anoth­er choice for your email ser­vice.)

Most ISPs, host ISPs, and email ser­vice providers not only pro­vide email ser­vice but also pro­vide a free email pro­gram. Nonethe­less, email ser­vice and an email pro­gram don’t nec­es­sar­i­ly go togeth­er. You can use an email ser­vice yet still use a sep­a­rate and inde­pen­dent email pro­gram. And even if you use Gmail pro­vid­ed by Google, you may opt to use it with an email pro­gram such as Out­look rather than with the Google Gmail pro­gram.

To gain an under­stand­ing of the email sys­tem and basic email secu­ri­ty, it’s nec­es­sary to keep all these dis­tinc­tions in mind.

Secure Email Service Provider

A secure email ser­vice provider is one that pro­vides email accord­ing to the expla­na­tion in Chap­ter 5. The short descrip­tion is that secure email pro­vides auto­mat­ic encryp­tion for the jour­ney of your email mes­sage for part of its way across the inter­net to its des­ti­na­tion (to the recip­i­ent). In oth­er words, it’s not total pro­tec­tion, but it’s much bet­ter than the total lack of pro­tec­tion you get with nor­mal email ser­vice. LuxS­ci is a secure email ser­vice that I used for ten years. RMail email ser­vices are also secure.

Subscription Email Service Provider

You can sub­scribe (pay a fee) to an email ser­vice that offers you a capa­bil­i­ty that oth­er email ser­vices do not offer.

For exam­ple, sup­pose your email ser­vice provider offers an email ser­vice that has a lim­it of only 50 MB (megabytes) for any incom­ing or out­go­ing email mes­sage. If you have a need to send and receive email mes­sages with attach­ments that occa­sion­al­ly exceed 50 MB, the email ser­vice provider’s ser­vice is inad­e­quate for your needs. There­fore, you’ll like­ly decide to sub­scribe to a spe­cial email ser­vice that allows email mes­sages up to 150 MB. You would be will­ing to pay a fee to get a spe­cial email ser­vice that enables you to do what you need to do. (In this case, RMail Large­Mail trans­fer is an alter­na­tive. See Chap­ter 11.)

Anoth­er exam­ple of a sub­scrip­tion email ser­vice is a secure email ser­vice. Most secure email ser­vices are sub­scrip­tion ser­vices with the excep­tions of Gmail and RMail, which are free.

Router

A router is a com­bi­na­tion of a hard­ware device plus soft­ware. It serves mul­ti­ple com­put­ers typ­i­cal­ly with Wi-Fi via only one con­nec­tion to the inter­net. (Some sys­tems, par­tic­u­lar­ly old sys­tems, use net­work cables instead of Wi-Fi.) An admin­is­tra­tor con­trols the soft­ware and man­ages the con­nec­tions to the net­work. For home net­works, that admin­is­tra­tor is prob­a­bly you.

Hacking

Some­one can use many tech­niques to breach the secu­ri­ty of your email and your gen­er­al com­put­ing sys­tem. In order to keep the book sim­ple, to refrain from pre­sent­ing com­plex­i­ties only of inter­est to IT (infor­ma­tion tech­nol­o­gy) pro­fes­sion­als, and to avoid a lot of tech­ni­cal ver­biage, I use hack­ing as a gener­ic term to refer to any and all secu­ri­ty-breach­ing tech­niques. And I use the term hack­er for any­one who uses such tech­niques. Note that such tech­niques are not lim­it­ed to dig­i­tal trick­ery. A huge part of hack­ing con­sists of social engi­neer­ing (explained in Chap­ter 16), which is the exper­tise of con artists. Indeed, great hack­ers are great con artists too.

Language

I have tried to avoid the use of tech­ni­cal lan­guage and jar­gon wher­ev­er pos­si­ble. Although there is plen­ty of tech-speak left in the book, I have writ­ten the book to be read and under­stood by any­one who can use a com­put­er. Mak­ing one’s use of email safer is infor­ma­tion that should be avail­able to all, not just the pro­fes­sion­als who speak the tech­ni­cal lan­guage. So, I ask the pro­fes­sion­als to for­give me, and I ask laypeo­ple like myself to stretch a lit­tle and learn some new tech­ni­cal terms.

History of RMail

To talk about secure email prac­tices, an author needs to give exam­ples. The exam­ples in this book are based upon the RMail suite of secure email ser­vices, known as RMail fea­tures. Why RMail? Because RMail is the only provider of secure email ser­vices that offers a suite of ser­vices that work with any email soft­ware used by any sender or any recip­i­ent. It holds the patents for secure email ser­vices offered by itself and many oth­er providers too. Vir­tu­al­ly every oth­er provider offers only one of the ser­vices. RMail pro­vides them all.

RMail Inbox is a secure email ser­vice sim­i­lar to LuxS­ci men­tioned above. The dif­fer­ence between RMail Inbox and LuxS­ci is that RMail Inbox pro­vides its secure ser­vice free and LuxS­ci charges a month­ly fee. In addi­tion, RMail Inbox pro­vides instant and con­ve­nient access to all the oth­er RMail ser­vices for which you only pay a fee if you use them a lot. Occa­sion­al use is free.

Disclaimer 1

Is this book the last word in mak­ing your email hack­proof? No. It’s all a mat­ter of reduc­ing risk. The more you can do to reduce your risk of get­ting hacked, the safer your online activ­i­ties will be. The tech­niques this book teach­es will make your email safe from all but the most deter­mined and most pro­fes­sion­al hack­ers backed by the most mas­sive dig­i­tal resources.

To get bet­ter pro­tec­tion you will have to use a spe­cial brows­er designed for encryp­tion, a durable encryp­tion pro­to­col, an ultra-secure email ser­vice provider that keeps its email servers and data­base repos­i­to­ries in a vault deep in a moun­tain some­where, and oth­er such extreme mea­sures. The prob­lem with set­ting up such a sys­tem for your­self is that it will only work if you have a coöper­a­tive recip­i­ent who is will­ing to set up such a sys­tem at their end of the email path. That might be pos­si­ble for com­mu­ni­ca­tions between you and one oth­er per­son or sev­er­al oth­er peo­ple, but it’s not pos­si­ble, as a prac­ti­cal mat­ter, for gen­er­al email com­mu­ni­ca­tions.

With that in mind, this book does not cov­er such extreme pre­cau­tions. They sim­ply aren’t prac­ti­cal for every­day email use, although you might want to employ them for very spe­cial­ized com­mu­ni­ca­tion activ­i­ties. What does make sense, what is prac­ti­cal, and what does work with all of the email ser­vices and pro­grams used by all recip­i­ents, is the RMail suite of secure ser­vices. For all prac­ti­cal pur­pos­es, the RMail ser­vices will make your email hack­proof while at the same time enable you to use them to com­mu­ni­cate with any recip­i­ent. Thus, because of prac­ti­cal­i­ty, the RMail ser­vices are the sole focus of this book; and alter­na­tive extreme encryp­tion tech­niques are beyond the scope of this book.

One caveat. If you take bur­den­some and imprac­ti­cal extreme mea­sures to secure your email com­mu­ni­ca­tions, you still have to wor­ry about social engi­neer­ing, which is the most suc­cess­ful tech­nique hack­ers use to breach your secu­ri­ty. Read Chap­ter 16.

With the above thoughts in mind, I bid you good luck with your efforts to improve your email secu­ri­ty and hope you find this book help­ful in doing so.

Disclaimer 2

And now I have to make a final dis­claimer. In 2010 my fam­i­ly had the oppor­tu­ni­ty of mak­ing a cash invest­ment in RMail. In 2013 we made an addi­tion­al invest­ment. That is, we paid full price for the shares bought at those times and have been share­hold­ers ever since. Con­se­quent­ly, I have a motive for writ­ing this book that extends beyond the mere pub­li­ca­tion and the sell­ing of indi­vid­ual copies.

Nonethe­less, I also dis­close that I’m an inde­pen­dent author and pub­lish­er and have received no com­pen­sa­tion from RMail for writ­ing the book. In oth­er words, the book will make mon­ey depend­ing on the vol­ume of book sales, not on any fee paid to me by RMail.

Note that my rep­u­ta­tion as an inde­pen­dent author, as out­lined at the back of the book, is well estab­lished. Over twen­ty of my books were pub­lished by nation­al pub­lish­ers, and I wrote them all objec­tive­ly. I con­tin­ue that prac­tice in this book.