Chapter 4
Risks and Defenses in the Email System

This chap­ter uses the out­line of Chap­ter 2 to com­pile the risks and defens­es to each of the 13 step in the email path­way. What should you look for? You have a unique set of cir­cum­stances in regard to the email path of your own email sys­tem. You have undoubt­ed­ly already set up some ade­quate defens­es. You need to deter­mine whether you need to revise or strength­en those defens­es. And, of course, you need to deter­mine what are the risks you have not yet defend­ed and how you might do so.

RMail pro­vides two defens­es to keep in mind. The first is auto­mat­ic encryp­tion enabled by RMail Inbox (see Chap­ter 6), RMail Web (see Chap­ter 7), and RMail plug-ins and app (see Chap­ter 13). This is facil­i­tat­ed by SSL/TLS encryp­tion built into the email sys­tem. It’s an incom­plete defense but nev­er­the­less one that reduces the risk of hack­ing con­sid­er­ably.

The sec­ond is the RMail man­u­al Mes­sage-Lev­el encryp­tion (see Chap­ter 9) enabled by choice for each indi­vid­ual email mes­sages. RMail uses the tech­ni­cal term RPX for it. In fact, it’s a 256-bit AES encrypt­ed (com­mer­cial strength) PDF processed in such a way as to keep attach­ments in their native form and be con­ve­nient to use with email. Your email mes­sage goes encrypt­ed all the way from your com­put­er to the recipient’s com­put­er. It’s a com­plete defense to be used for your most impor­tant and high-val­ue email mes­sages.

Let’s call these RMail ser­vices auto­mat­ic encryp­tion and Mes­sage-Lev­el encryp­tion.

Dif­fer­ent Encryp­tion Meth­ods  Some­times it’s dif­fi­cult to tell from a company’s prod­uct infor­ma­tion what’s what because the use of non-tech­ni­cal names and names for ser­vices change in the mar­ket­ing copy from time to time. In the case of RMail, to dif­fer­en­ti­ate between the two types of RMail encryp­tion, I use the terms auto­mat­ic (Chap­ters 5 and 6) and Mes­sage-Lev­el (Chap­ter 9). But this dis­tinc­tion may not be word­ed the same in the RMail mar­ket­ing copy.

Keep in mind that the defens­es cov­ered below are for indi­vid­u­als and small busi­ness­es. Larg­er net­works require enter­prise secu­ri­ty soft­ware and pro­tec­tions that are oper­at­ed by IT depart­ments and are beyond the scope of this book.

Let’s go over the email path steps explained in Chap­ter 2.

Your Email Program

RISKS: A hack­er might gain con­trol of your com­put­er (desk­top, lap­top, tablet, or smart­phone) to get con­trol of your email pro­gram and get access to your email oper­a­tion, man­age­ment, or data­base.

DEFENSES: See Your Com­put­er next. Also, an easy defense is to use a pass­word to access your email pro­gram. Whether your com­put­ing device is stolen or whether a hack­er gets access to it some­how online, pass­word pro­tect­ed access will pre­vent a hack­er from open­ing your email pro­gram and using it.

Your Computer

RISKS: A hack­er might gain con­trol of your com­put­er and there­by gain con­trol of your email pro­gram, adopt your iden­ti­ty, gain access to your accounts, gain access to your pass­words, etc.

DEFENSES: Use a com­pe­tent suite of soft­ware defens­es such as Syman­tec Nor­ton Secu­ri­ty, McAfee LiveSafe, Bit­de­fend­er Inter­net Secu­ri­ty, Web­root Secure­Any­where, or the like. Suites typ­i­cal­ly include a fire­wall with pro­tec­tions against virus­es, anti-phish­ing, mal­ware, adware, spy­ware, ran­somware, and more. Third-par­ty suites may offer bet­ter pro­tec­tion than the built-in pro­tec­tions of your oper­at­ing sys­tem (e.g., Win­dows).

Apple  Some Apple com­put­er users believe they are immune from com­put­er hack­ing. Don’t bet on it. With Apple hav­ing only about 10% of the com­put­er mar­ket, most hack­ers have an incen­tive to ignore Apple com­put­ers and go graz­ing in more pro­duc­tive pas­tures. But that does not mean the Apple com­put­ers are hack­proof.

Don’t over­look a sim­ple defense: use a pass­word (pin num­ber) to access your com­put­ing device.

Local Transmission

RISKS: A hack­er might inter­cept the trans­mis­sion between your com­put­er and your net­work and there­by get access to your email mes­sages.

What Does It Take?  What does it take for a hack­er to inter­cept a Wi-Fi trans­mis­sion? First, the hack­er must be in range of the Wi-Fi trans­mis­sion (near­by). Few Wi-Fi sys­tems have the pow­er to reach a sig­nif­i­cant dis­tance beyond your home or place of busi­ness. Sec­ond, a hack­er needs time. If a hack­er is parked in an unrec­og­nized vehi­cle out­side your home for ten hours, you might notice. Or maybe not. Per­haps the biggest threat at home is your neighbor’s tech-savvy teenag­er. Per­haps the biggest threat at your office is a guy in the busi­ness next door. A pub­lic Wi-Fi net­work, such as a hotel or cof­fee shop, is the riski­est place to use email. A hack­er could be hid­ing any­where. Or the admin­is­tra­tor of the pub­lic Wi-Fi net­work could be a hack­er (very dan­ger­ous).

Note that if your router is not a Wi-Fi router (if it uses net­work cables instead of Wi-Fi trans­mis­sions), there is no like­li­hood of a hack­er inter­cep­tion between the router and your com­put­er.

DEFENSES: Encryp­tion is the essen­tial defense. There are sev­er­al sources of encryp­tion. First, in your Wi-Fi router soft­ware you need to ini­ti­ate encryp­tion for the trans­mis­sions and oth­er­wise con­fig­ure your router prop­er­ly (read Chap­ter 19). This takes care of the trans­mis­sion between your com­put­er and the router.

Sec­ond, you can use the auto­mat­ic encryp­tion email ser­vices such as RMail Inbox and RMail Web that auto­mat­i­cal­ly encrypt mes­sages between your email pro­gram, your email serv­er, and poten­tial­ly the recipient’s email serv­er (see Chap­ter 5).

Third, if the auto­mat­ic encryp­tion of RMail Inbox or RMail Web is not secure enough for your par­tic­u­lar pur­pose (see Fatal Flaws in Chap­ter 5), you can use the RMail Mes­sage-Lev­el encryp­tion which encrypts your email mes­sage from your email pro­gram all the way to the recipient’s email pro­gram (see Chap­ter 9). RMail Mes­sage-Lev­el encryp­tion can be enabled in the RMail Inbox and RMail Web pro­grams (inter­faces) and also in RMail plug-ins and app.

Your Local Network

RISKS: A hack­er can hack into your net­work as a first step toward hack­ing into your com­put­er.

DEFENSES: Router soft­ware (built into the router) typ­i­cal­ly pro­vides very com­pre­hen­sive secu­ri­ty pro­tec­tion. The default set­tings should prove ade­quate unless you have some spe­cial con­fig­u­ra­tion for your net­work that requires adjust­ment. (If so, con­sult with a net­work secu­ri­ty expert.) Note, how­ev­er, that you do need to ini­ti­ate cer­tain sim­ple router set­tings for ade­quate pro­tec­tion. Such set­tings do not require any IT knowl­edge or skills. These basic router set­tings are out­lined in Chap­ter 19.

Warn­ing 1  The fail­ure to set up your router for secu­ri­ty will result in a com­plete lack of secu­ri­ty. Again, such a set­up is easy to do. Read Chap­ter 19.

Warn­ing 2  Keep in mind that the admin­is­tra­tor of a pub­lic W-FI net­work could be a hack­er or could allow access to the router by fel­low staff mem­bers, oth­er employ­ees, or even friends.

Transmission Across the Internet

RISKS: A hack­er might inter­cept the trans­mis­sion across the inter­net between your local net­work and your mail serv­er (i.e., your email ser­vice provider’s email serv­er).

DEFENSES: First, you can use RMail Inbox or RMail Web, both secure email ser­vices (see Chap­ters 6 and 7). They pro­vide auto­mat­ic encryp­tion all the way to your email serv­er or the recipient’s email serv­er (see Chap­ter 5).

Sec­ond, you can instead use RMail Mes­sage-Lev­el encryp­tion. That gets you secure­ly all the way from your email pro­gram to the recipient’s email pro­gram with com­plete secu­ri­ty, includ­ing pre­vent­ing IT staff and those with unau­tho­rized access from see­ing your email.

Third, note that if you and the recip­i­ent are both RMail Inbox users, your email will be secure all the way from your email pro­gram to recipient’s email pro­gram via auto­mat­ic encryp­tion. This is due to the fact that RMail Inbox is a secure email ser­vice, and your email doesn’t go any fur­ther than the RMail email serv­er (read Chap­ter 6).

Your Email Server

RISKS: A hack­er might hack into your email serv­er (your email ser­vice provider’s email serv­er) or the provider’s mes­sage data­base (archive), which holds incom­ing email mes­sages until down­loaded and per­haps there­after.

DEFENSES: The defens­es are the respon­si­bil­i­ty of the oper­a­tor of the email serv­er (your email ser­vice provider). A rep­utable email ser­vice provider typ­i­cal­ly employs defens­es like­ly to be pro­fes­sion­al, effec­tive, and up-to-date.

What about Staff  If your email does not stay encrypt­ed on the email serv­er, the staff of your email ser­vice provider can poten­tial­ly read it. Remem­ber, your email goes to the email serv­er to be man­aged, and part of that man­age­ment is tem­po­rary stor­age of email on the email serv­er. While it is stored, your email can be poten­tial­ly read or even record­ed by a staff mem­ber, if unen­crypt­ed. Then when it gets to the recipient’s email serv­er, the staff there can poten­tial­ly read it, if unen­crypt­ed. Thus, secure email such as Gmail may not be secure from staff. (In the case of an enter­prise email sys­tem, the staff is the enter­prise IT depart­ment.) RMail Mes­sage-Lev­el encryp­tion is the RMail ser­vice you need to use if it’s impor­tant to you that staff does not ever see your email.

An email serv­er is a com­put­er pro­gram, noth­ing more noth­ing less. You don’t need a spe­cial com­put­er to run an email serv­er. Email servers (soft­ware) are avail­able both for free and for a fee. You might run such an email serv­er on an old desk­top or lap­top com­put­er that you’re no longer using. Sim­ply con­nect such a com­put­er to the inter­net with the email serv­er soft­ware installed, set up the soft­ware, and you’re in busi­ness. But remem­ber, the email serv­er must oper­ate 24/7.

Can you run an email serv­er on the same com­put­er you use every day? Sure. Why don’t peo­ple run their own email servers? There are sev­er­al rea­sons: (1) In order be effec­tive, an email serv­er has to run 24/7. You can’t turn it off. (2) Email servers are some­what com­pli­cat­ed to set up and oper­ate. (3) By oper­at­ing your own email serv­er, you enter the world of IT (infor­ma­tion tech­nol­o­gy) oper­a­tions which requires a min­i­mal lev­el of com­put­er skill. (4) If you don’t run your email serv­er prop­er­ly, you could be black­list­ed by ISPs; black­list­ing would ren­der your email sys­tem inef­fec­tive. (5) Final­ly, the biggest chal­lenge to run­ning your own email serv­er is man­ag­ing the inbound spam.

You may need to employ an email archive serv­er (for a mul­ti-employ­ee busi­ness) that stores all email mes­sages sent and received over the years, a large and grow­ing data­base. With­out prop­er encryp­tion, the email stored could be read­able by staff or be sus­cep­ti­ble to exter­nal hack­ing.

Accord­ing­ly, very few peo­ple choose to oper­ate their own email servers. Oper­at­ing your own email serv­er is cer­tain­ly not rec­om­mend­ed. Too much risk and too lit­tle reward. You can achieve bet­ter secu­ri­ty by let­ting the IT per­son­nel take care of it.

Transmission Across the Internet

RISKS: A hack­er might inter­cept the email mes­sage as it goes across the inter­net from your email serv­er to the recipient’s email serv­er.

DEFENSES: The defens­es are in the hands of the email ser­vice providers. They can be expect­ed to be dili­gent and guard against hack­ing. To be sure, how­ev­er, you need use to RMail Mes­sage-Lev­el encryp­tion, and your email will be secure all the way to the recip­i­ent.

Anom­aly  In the unlike­ly event that you use a secure email ser­vice and the recip­i­ent uses a dif­fer­ent secure email ser­vice, the mes­sage might auto­mat­i­cal­ly trans­mit secure­ly between your email serv­er and the recipient’s email serv­er and then on to the recip­i­ent. But you will not know for sure if this will hap­pen and there­fore should assume that it doesn’t hap­pen. Read more about secure trans­mis­sions in Chap­ter 5.

This is a very vul­ner­a­ble step in the email path. Chap­ter 5 ana­lyzes this vul­ner­a­bil­i­ty in greater depth. Auto­mat­ic encryp­tion is not nec­es­sar­i­ly com­plete secu­ri­ty. It remains encrypt­ed to the recipient’s email serv­er, but may not be encrypt­ed beyond that. Only RMail Mes­sage-Lev­el encryp­tion proves secu­ri­ty along the entire email path.

Recipient’s Email System

Well now, let’s take a look at the defens­es for the remain­der of the jour­ney between your email pro­gram and your recipient’s email pro­gram (steps 8–13 in Chap­ter 2). The real­i­ty is that this part of the email path is out of your con­trol. There’s not much you can do. After your email reach­es the recipient’s email serv­er it’s in the recipient’s con­trol (and the con­trol of recipient’s email provider). The risks are the same as steps 1–6 except in reverse (steps 8–13), and the defens­es to be applied by the recip­i­ent are the same.

You have no idea whether your recipient’s email serv­er, local net­work, and com­put­er are secure or not. Your recip­i­ent like­ly doesn’t even know. Many local net­works have some secu­ri­ty in place but most do not have com­plete secu­ri­ty as out­lined in this chap­ter.

There is one excep­tion. If your recip­i­ent is in a large enter­prise net­work, you can assume that the net­work is run by a pro­fes­sion­al IT depart­ment that has installed sub­stan­tial secu­ri­ty. But even enter­pris­es may not pro­vide secure email as out­lined in Chap­ter 5.

For com­plete con­trol use RMail Mes­sage-Lev­el encryp­tion. The recipient’s email defens­es are irrel­e­vant because your email mes­sage is encrypt­ed all the way to the recipient’s email pro­gram. Not even the staff that admin­is­ters the recipient’s email can read it.

Another View

A sum­ma­ry of each secu­ri­ty defense will give you a bet­ter idea of poten­tial defens­es you can use.

Secu­ri­ty soft­ware  Again, your com­put­er and the recipient’s com­put­er need to be pro­tect­ed by secu­ri­ty soft­ware such as Syman­tec Nor­ton Secu­ri­ty.

Oper­at­ing sys­tem  The secu­ri­ty pro­grams native to your oper­at­ing sys­tems (e.g., Win­dows Defend­er) may not be as effec­tive or depend­able as the lead­ing third-par­ty secu­ri­ty soft­ware. Regard­less, upgrades to your oper­at­ing sys­tem often patch holes in inter­nal secu­ri­ty pro­tec­tion. Such patch­es are essen­tial for ongo­ing secu­ri­ty. Always keep your oper­at­ing sys­tem up to date. The most reli­able way to do so is with auto­mat­i­cal­ly installed updates.

Router  With­out oth­er defens­es, the pro­tec­tions pro­vid­ed by your router (read Chap­ter 19) become impor­tant for email, because such pro­tec­tions cov­er the local trans­mis­sion, which is vul­ner­a­ble to hack­ing. Keep in mind also that router pro­tec­tions act as a defense against all types of hack­ing in your local net­work that have noth­ing to do with email.

RMail ser­vices  RMail offers a ser­vice Mes­sage-Lev­el encryp­tion that will keep your email encrypt­ed and unable to be read if hack­ing takes place (read Chap­ter 9). RMail also offers oth­er secure ser­vices such as Reg­is­tered Email, E-sign, and Large­Mail trans­fer (read Chap­ters 8, 10, and 11).

RMail email ser­vices  RMail pro­vides auto­mat­ic encryp­tion in RMail Inbox and RMail Web (read Chap­ters 6 and 7).

RMail plug-ins  RMail pro­vides plug-ins to enable you to use RMail ser­vices in lead­ing email pro­grams such as Out­look (read Chapter13).

Parting Thoughts

Don’t get me wrong. Although there’s a lot of risk, if you employ good secu­ri­ty mea­sures, it’s dif­fi­cult for a hack­er to hack your email sys­tem. This state­ment assumes the fol­low­ing:

1. You prac­tice the max­i­mum secu­ri­ty for your com­put­ing device.
2. You prac­tice the max­i­mum secu­ri­ty in the oper­a­tion of your Wi-Fi local net­work.
3. Your ISP prac­tices the max­i­mum secu­ri­ty in the oper­a­tion of its net­work.
4. Your email ser­vice provider prac­tices the best secu­ri­ty for email servers.
5. The recip­i­ents email ser­vice prac­tices the best secu­ri­ty in the oper­a­tion of its email serv­er.
6. The recipient’s ISP prac­tices the max­i­mum-secu­ri­ty for ISP net­work.
7. The recip­i­ent prac­tices the max­i­mum-secu­ri­ty for their Wi-Fi local net­work.
8. The recip­i­ent prac­tices the max­i­mum secu­ri­ty for their com­put­ing device.

If all that is done, the like­li­hood of you get­ting hacked is min­i­mized, but still pos­si­ble. If you add up all the oper­a­tors and their lev­els of net­work secu­ri­ty, that equals a lot of vari­ables. In fact, you might say that send­ing email is a some­what iffy busi­ness in any case. That’s why you need to reduce your risk by doing all the things you can do to make the email path more secure for your email mes­sages.

RMail ser­vices pro­vide you with a means of mak­ing a trans­mis­sion between your email pro­gram and the recipient’s email pro­gram absolute­ly secure. If you use Mes­sage-Lev­el encryp­tion, you don’t have to wor­ry about all the steps in the email path. Your email mes­sage is encrypt­ed and secure from your com­put­er to the recipient’s com­put­er regard­less of the secure prac­tices of oth­ers. It even remains encrypt­ed while resid­ing on the recipient’s com­put­er. It’s quite safe. This state­ment assumes only the fol­low­ing:

1. You prac­tice the max­i­mum secu­ri­ty for your com­put­ing device.
2. The recip­i­ent prac­tices the max­i­mum secu­ri­ty for their com­put­ing device.