Modernizing Authentication — What It Takes to Transform Secure Access
To me, the important lesson derived from the recent dust-up between the United Arab Emirates, India, Saudi Arabia and RIM, the company behind the BlackBerry, is that governments can spy on almost all wireless email.
And, they get annoyed when they can't. Not being able to hack into BlackBerry email almost got the devices banned in a number of countries.
Interestingly, there are no stories of the US government threatening to shut down BlackBerry service because they couldn't read the email. According to Reuters, U.S. authorities are able to tap into BlackBerry messages. The article also notes that "... security experts say that many governments around the world enjoy the ability to monitor BlackBerry conversations as they do communications involving most types of mobile devices."
Obviously, a heads up for anyone that sends email wirelessly.
Just how protected is your wireless email from spying?https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i
Starting with the basics, wireless email may be sent over Wi-Fi or a data network from a cellphone company.
WiFi over a router that you control is easily encrypted. WPA-TKIP and WPA2-AES are reasonably secure as long as you chose a long password that's not in the dictionary. And, WPA and WPA2 encryption apply to any and all data traveling over the air, not just email. For more on this, see my September 2009 article "The Best Security for Wireless Networks."
On a public Wi-Fi network, a VPN can be employed to also encrypt all data coming and going. For more on this see my article "Being Secure on Public Wi-Fi: VPN, Firewalls, File Sharing."
Without a VPN, email sent over a public Wi-Fi network can still be encrypted using webmail with secure HTTPS web pages. Gmail is a great choice as Google encrypts all web pages, not just the login page. Yahoo is a poor choice, they only encrypt the login page.
But email is also available using dedicated email software (Outlook, Thunderbird, Outlook Express, etc.) rather than webmail. Many, if not most, email software employs no security at all. It is available however, and we'll discuss it more later.
While Wi-Fi encryption is well-understood by many, encryption on CDMA and GSM cellphone networks is a bit more obscure.
In discussing this back in February 2008 Steve Gibson said that these encryption technologies have been cracked. They are old and were designed when there was little computational horsepower available in cellphones.
"It's not like, you know, CDMA and GSM has been cracked to the degree, for example, that Wi-Fi has been. But there are papers on the 'Net that talk about how this stuff can be cracked. So it's not like there's super-strong, industrial-grade, current state-of-the-art crypto. The problem is, these technologies, these digital cellular technologies are so old, and now so widely deployed, that they can't be updated without obsoleting the entire network. And they're, I mean, they're encrypted to the extent that you have to really, really, really want to crack them in order to get inside them. But it is possible. Has been done."
There is also another way to tap into cellphone-based transmissions. At the recent Defcon convention, a hacker mimicked a cell tower and simply told the phone to turn off encryption. Kim Zetter writing for Wired describes it:
"A security researcher created a cell phone base station that tricks cell phones into routing their outbound calls through his device, allowing someone to intercept even encrypted calls in the clear. The device tricks the phones into disabling encryption and records call details and content before theyre routed on their proper way through voice-over-IP. The low-cost, home-brewed device, developed by researcher Chris Paget, mimics more expensive devices already used by intelligence and law enforcement agencies called IMSI catchers that can capture phone ID data and content. The devices essentially spoof a legitimate GSM tower and entice cell phones to send them data by emitting a signal thats stronger than legitimate towers in the area."
Encryption is essential
Regardless of the encryption, or lack of it, employed by the transmission system (Wi-Fi, GSM, CDMA), email software, be it on a computer, smartphone or any portable device, should offer encryption of its own.
For example, someone with her own domain may get her email from either the registrar that registered the domain or the company hosting her website. GoDaddy is a big player in this field and they offer instructions for iPhone users on how to send and receive encrypted email from their iPhones. But, iPad owners that follow other instructions from GoDaddy, will send email in the clear. Not only messages, but email passwords too are transmitted in plain text.
Three protocols are used with email, POP and IMAP for reading, and SMTP for sending (typically someone reads email with either POP or IMAP). Each protocol comes in both a secure/encrypted version and an insecure edition. The secure versions employ the same SSL/TLS used by secure web pages and may be referred to as POPS, IMAPS and SSMTP, a naming standard familiar to anyone who has dealt with secure HTTPS web pages.
The secure email protocols also connect using different ports. Ports are logical entry points on a server computer, in this case a computer running POP, IMAP or SMTP server software.
The secure version of IMAP connects to the IMAP server using port 993. The secure version of POP connects to POP server software using port 995 and secure email is sent using either ports 465 or 587. With web pages, insecure HTTP uses port 80 and secure HTTPS uses port 443.
Be aware, however, that what is encrypted by the secure email protocols is the connection between the email software on your computing device and the email server that it communicates with. For sending email, this means messages are encrypted between you and the SMTP server that actually sends your email. Oftentimes the SMTP server is provided by your ISP, but large companies and serious techies may run their own.
What is not encrypted, however, is the transmission of the email message out from the SMTP server to the server computer that stores email for the recipient. This article is focused on wireless email however, and using SSMTP rather than SMTP insures that email traveling over the air is encrypted.
To be sure of end-to-end encryption, the email message themselves need to be encrypted before they start their journey. The ability to send messages that are, themselves, encrypted is another topic altogether. Let me just say that an encrypted message can be sent using an encrypted protocol, and nothing says that both of these can't be done through a VPN, adding yet a third layer of encryption.
The classic issue with encrypting the actual messages is that both the sender and recipient need to use similar software and it can be difficult to set up initially. For most people these hurdles are too high.
I recently attended a hacker conference where the guys that setup the wireless network gave a wrap-up presentation on the last day. In discussing how the network was used during the conference, they were surprised to find both POP and IMAP traffic. This elicited shock and awe from the attendees. How could anyone be so un-informed as to read insecure email during a hacker conference over a wireless network? It boggles the mind.
Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He is a regular contributor to eSecurityPlanet.com.
Follow eSecurityPlanet on Twitter @eSecurityP.