Stop E-Mail Snoops

EXECUTIVE SUMMARY

MOST E-MAIL IS vulnerable—it can be read by computer-savy snoops and even tampered with. THERE ARE WAYS TO make your e-mail more secure—at least to the extent that no one can intercept it and read it. And there is a way to know whether it was tampered with as it traveled through the Internet. THE TWO MOST popular security tools are PGP (Pretty Good Privacy) and S/MIME (Secure Multipurpose Internet Mail Extensions). PGP is the more popular security program of the two. IN ADDITION, DIGITAL certificates can ensure that the message you receive from a client or a customer actually came from the person who signed it. SECURITY ISSUES have recently become even more vital now that specially prepared and electronically signed e-mail is considered as legal as its paper counterpart. SOME INTERNET EXPERTS claim that as much as 25% of e-mails are vulnerable to legal voyeurism by Internet and company e-mail administrators and blatant trespassing by snooping hackers.

MAUREEN FRANCIS MASCHA, CPA, PhD, is an assistant professor at Elmhurst College, Elmhurst, Illinois. Her e-mail address is maureenm@elmhurst.edu . CATHLEEN L. MILLER, CPA, PhD, is an assistant professor at the University of Michigan, Flint. Her e-mail address is catmillr@flint.umich.edu .

id you know that your e-mail is only slightly more secure than that picture postcard you mailed from Jamaica? While it’s true that not everyone can easily intercept and read your e-mails, the risk exists. And since you probably transmit lots of confidential and legally sensitive files via the Internet that risk should immediately set off liability alarms, sending chills down your spine.

BEWARE THE SNIFFER
What’s the likelihood that someone is intercepting, reading or tampering with your e-mail? Some Internet experts claim that as much as 25% of electronic mail is scanned by Internet service providers (ISP), company e-mail administrators and hackers who have software that lets them sneak a look at Internet mail.

The most common form of e-mail abuse is electronic eavesdropping, sometimes called sniffing. Don’t assume that your password—no matter how long and complex—provides total protection. Aside from hackers who usually can break a password code, many people have access to your password or can snoop into your mailbox even without it, and that has to do with the way e-mails are transmitted and stored. Every organization that has its own e-mail system has a “postmaster” with access to your e-mail content. Ditto for the vendor that provides the e-mail function—that is, the ISP.

And if that doesn’t shatter your privacy fantasy, consider this: All your transmitted e-mails (sent or received or deleted) end up on digital disks operated by your ISP or your own organization. Even worse: When the message files are removed from the your organization’s storage or your ISP’s computer, they are moved to separate electronic storage disks as archives and who knows what, if any, security is maintained over this information.

KEYS TO THE CODE
The most common way to prevent someone from reading your e-mail is to use software to encrypt it, thus rendering it incomprehensible to anyone without the decoder, or key. And with today’s fast computers, it does it so quickly that you aren’t even aware of the time it takes to perform the translation.

There are two major commercial encryption standards in use today: PGP (Pretty Good Privacy) and S/MIME (Secure Multipurpose Internet Mail Extensions). PGP is the most widely accepted tool. Like a safe-deposit box, it uses two keys—one private and one public—only its keys are complex electronic passwords. To read a PGP-encrypted message, you need both keys. Private keys, or passwords, should never be divulged by the sender. Public keys, however, which are distributed to all potential e-mail recipients, can be distributed through e-mail, posted on a Web site or registered with a digital certificate authority—a subject we’ll discuss later. It’s up to users how widely they want their public keys distributed. Most users distribute their public keys to a limited number of people or register one with a digital certificate authority—a firm that operates such services.

Here’s an illustration of how a message is sent with PGP security: Bob wants to send an e-mail to Mary. He encrypts his message using either his private key or Mary’s public key. Upon receipt, Mary decrypts the message using the opposite key—that is, if the message had been encrypted with Bob’s private key, then Mary uses Bob’s public key. Conversely, if the message had been encrypted using Mary’s public key, then Mary would use her private key to decrypt the message.

Whether you encrypt with your private key or the recipient’s public key depends on the reason for encryption. For example: If Bob is concerned about confidentiality—that is, he wants only Mary to be able to see it—then Bob encrypts the message with Mary’s public key. However, if Bob is concerned about authentication—that is, assuring Mary that he, not an imposter, sent the e-mail—then he encrypts the message with his private key, requiring Mary to open the e-mail with Bob’s public key.

If both confidentiality and authenticity are desired, then Bob uses the “double lock” method: Bob encrypts his message with both his private key and Mary’s public key. That way, Bob knows that only Mary can open the message and Mary knows for sure that Bob sent the message.

PGP is available free to noncommercial users. To download it and for more information, go to www.nai.com/products/security/pgpfreeware.asp . PGP is available in a variety of modes for commercial users of various sizes, ranging from standalone PCs for $52, to corporate desktop users for $179. It’s also available for network users for variable costs that depend on the number of network nodes. One version for wireless appliances goes for $52.

You might want to consider buying a commercial version because of its extra features—the most important is that the user is not tethered to one particular browser.

PGP is relatively easy to install and configure—taking anywhere from 10 minutes (if you accept the defaults) to two hours (if you reconfigure every option).

One advantage of PGP over S/MIME is its acceptance rate. Since PGP is the most widely used encryption software package, compatibility is hardly ever an issue. Additionally, it can be plugged into the most popular e-mail software applications such as Eudora, Microsoft Outlook and Netscape Communicator.

PGP has all facets of encryption security, including a digital signature module, and it provides telephone and online support.

Disadvantage: If the sender chooses to disseminate the PGP key widely, say, on a Web site, then there is no way to be sure an imposter didn’t obtain it. This risk eases if a digital certificate authority is used for user authentication, but this raises the cost (see below).

S/MIME is available free on the Internet to all users and is included in the Netscape Navigator and Microsoft Internet Explorer browser packages. It’s available as a plug-in to most e-mail packages. For more information, go to www.baltimore.ie/products/mailsecure/index/html .

S/MIME is simple to configure and use—with two major exceptions. S/MIME uses a shorter code for its key, making it easier for a hacker to crack, and S/MIME doesn’t rely on public keys; instead it uses third-party authentication relying on digital certificates. These contain the user’s name, e-mail address and public key.

GETTING VERIFICATION
You can buy digital certificates from a third-party digital certificate authority, of which there are many. Two leading certificate providers are VeriSign ( http://digitalid.verisign.com ) and Nortel ( www.nortelnetworks.com ). While prices vary, here are the particulars for VeriSign:

A class 1 certificate costs $9.95. To get it, the applicant completes only an identity form—no proof required. VeriSign also offers a free, six-month trial for noncommercial users.

A class 2 certificate costs $19.95. The applicant is asked to provide only his or her driver’s license and Social Security number.

A class 3 certificate varies from about $300 to $1,000, depending on such things as key length, and requires the applicant to undergo a background check.

Costs for the other authorities vary according to the number of users and the level of security. For a list of certificate-granting authorities, go to www.pki-page.org . Any organization can become a digital certificate authority and thereby generate certificates. This may be beneficial if the organization has many employees who need to encrypt e-mail.

Disadvantages: The less expensive certificates offer little assurance of the user’s identity. This means the certificate is only as good as the granting authority.

Another downside is that each party to the e-mail—sender and recipient—must obtain a digital certificate. Finally, unlike public keys generated by PGP, digital certificates expire and therefore users must maintain and renew them at an additional cost. (It should be noted that PGP allows for digital certificates as well; it does not require them, however.)

Now, here’s how S/MIME works: The sender—let’s continue using Bob—encrypts his message to Mary with his private key. Next, he uses his digital certificate to “sign” the message. He also includes Mary’s digital certificate if confidentiality is desired. Upon receipt, Mary compares the digital certificate “on file” at the digital certificate authority with the one used to sign the message. If the two agree, she’s assured the sender is authentic and decrypts the message. If Bob includes both his digital certificate and Mary’s as well, then both confidentiality and authenticity should be ensured.

MESSAGE TAMPERING
As good as encryption is, it doesn’t prevent or detect someone’s tampering with the message content during transmission. However, PGP and S/MIME can detect message tampering by using their digital signature features. PGP’s digital signature software applies an algorithm (or formula) to the message content that automatically generates a unique code, or digital signature. Bob, who is again sending a message to Mary, appends his private key to the signature and the two are attached to the e-mail. When Mary receives the e-mail, she first decrypts the digital signature using Bob’s public key. If signature decryption is successful, she knows the sender is authentic.

Next, she opens the message using Bob’s digital signature and that generates a second algorithm. If the results of both algorithms are the same, she knows the message wasn’t tampered with during transmission.

S/MIME digital signatures also apply an algorithm to the message content; the only difference, again, is that the message is “signed” using the digital certificate. Bob attaches his signature to the e-mail and Mary compares the digital certificate used to sign the message with that on file, then applies the algorithm and decrypts the message as described above.

As you can see, security is a double-edged sword. While it does provide safety, it also adds to complexity. Like it or not, you can’t have one without the other.