Thursday, April 05, 2012


E-mail is an acronym for electronic mail and is a digital text message sent from one device to another. These devices can be computers, smartphones or tablets. E-mail was one of the initial uses of the Internet and today comprises a large percentage of the total traffic over the Internet.

Over the years e-mails have become so common that we rarely give them a second thought. We have gotten so used to e-mailing that we send them through an insecure internet without a pause.

Kenyans are slowly appreciating the importance of e-mail security due to various high profile cases involving e-mail hacking.

Are E-Mails Secure?

Many people have the misconception that e-mails are secure messages, they are not. We attach confidential files to our e-mails, hoping that no one opens them. Sending these unprotected e-mails is usually convenient in the short-term. However this insecurity can be very costly in the long-term.

The passing of the USA PATRIOT Act in 2001 clearly illustrated how insecure e-mails are. This Act states that any data (including e-mail) which is housed, stored or processed by a company, which is a U.S. based company or is wholly owned by a U.S. parent company, is vulnerable to interception and inspection by American authorities.

This means that an American law enforcement agency can use this Act on an American company like Microsoft (Hotmail), Google (Gmail) or Yahoo to request and obtain user data to them. Your e-mails in Yahoo, for example, can be intercepted and inspected by the American authorities anytime.

This concern is global. The Dutch government in 2011 barred U.S. companies from providing data processing and cloud-based services so as to prevent sensitive citizen data from being compromised by U.S. authorities.

Internal corporate e-mail does not fall in this category. However most companies use MS Outlook, a product of Microsoft.

Why E-Mails would be targeted by Hackers

Next to SMS messages, e-mails are very popular mediums of communication. They are therefore a veritable source of personal information for example e-mail account user names/passwords, bank PIN codes, credit card account numbers and other private information.

E-mails are also a rich source of corporate secrets. In this heightened competitive business environment, corporate espionage targets e-mails as sources of strategic plans, upcoming projects, transactions details and other valuable business data.

How are E-mails Hacked?

There are various techniques that can be applied to hack into an e-mail account. Some are highly complex. I will however outline one of the most effective, and simplest, methods of how an e-mail account can be hacked into. Generally when hacking the rule of thumb is to make the attack as simple as possible because simplicity ensures faster access to the target device or account

One of the most popular techniques is attacking an e-mail account through keyloggers. A keylogger poses a serious threat to any computer (tablet or smartphone) user because keylogger’s can be used to intercept passwords and other confidential information entered via the keyboard.

Keyloggers are software programs that are designed to secretly monitor and log all the keystrokes a user makes on a computer’s password. Keyloggers did not start off as illegal hacking tools. System administrators in companies sometimes used them to track what employees did throughout the day. They were also used by law enforcement agencies to analyses and track criminal activities.

Software keyloggers are introduced into the target computer through e-mails. A user receives an e-mail from either a known or unknown source. This e-mail will have an attachment which the user is requested to open or download. Once the attachment is double clicked the keylogger installs itself. A keylogger can also be installed via a web page or when a file is downloaded from peer to peer networks like Bittorrent.

Once installed the keylogger will record all the keystrokes that the user makes and this will definitely include email passwords. It will then send this information to the hacker’s remote computer at pre-set times. With the username and password of an e-mail account it is easy the hacker has effectively hacked into the email account.

Whether it is a corporate email or a free e-mail service like Gmail, keyloggers are very effective in obtaining log-in information.

How can you safeguard your E-Mails?

Protecting against keyloggers requires the installation of an antivirus program and keeping it up to date. By installing an effective anti-virus you will safeguard your log-in credentials.

However e-mails can also be intercepted in transit. To protect emails in transit the average computer user can install S/MIME (Secure/Multipurpose Internet Mail Extensions) in the computer. This is a protocol that secures your emails by using digital signatures and encryption.

By digitally signing an e-mail it is possible to prove who the sender of that e-mail was. However this does not stop anyone from reading it as it transits through the internet. Encryption then comes in handy by making sure that the e-mail is unreadable during transit. The signing works in tandem with the encryption and this makes it extremely difficult to intercept and read the e-mail.

For free to use web-based emails PGP (Pretty Good Privacy) is another appropriate solution for the ordinary computer user. It is a signing and encrypting software that works well with popular browsers like Chrome and Firefox and is widely used for encrypting and securing e-mails. The fundamental difference is that it embeds with your browser.

Another solution that would defeat keyloggers would be to implement centralized encryption protocols that shift the encryption functionalities from the individual desktop to a dedicated e-mail gateway. An e-mail gateway is a server that connects two or more electronic mail systems and transfers messages between them. Encryption technology is integrated into these servers with other security components such as virus scanners and firewalls. This solution is however highly complex and expensive and would be best suited to a corporate organization.