For some, email is a critical tool that has become an essential part of everyday communication. As with a cell phone, those who have one find it very difficult to live without it. Could your business survive without a phone system? Unlikely. Could it function without a web presence or without email? Possibly. But both of those technologies can potentially contribute so much recognition and revenue that it is unlikely that your business would choose not to implement them. There is no doubt small businesses such as gift shops or shoe repair shops might not gain much from either technology; some owners don't even wish to expand their business since they are already overwhelmed. Many businesses are not in that comfortable position and welcome all the solicitation they can get in order to make ends meet.
Of course you can personally live without a phone, a web page or email, but would you want to? That really depends on your experience with the technology. Do you like receiving unsolicited phone calls? Very few people, if any, do. But there is a whole industry that was born doing just that: telemarketing. As soon as there was a postal service... there was mass mailing and junk mail (equivalent to spam). As soon as there was a phone system there were unsolicited and prank phone calls (equivalent to spam). As soon as there was email the same phenomena occurred... but for some reason people have been affected by the abuse much more. Part of this is because it is not very costly to send electronic spam, and another reason is that the laws governing the electronic age are not keeping up with the rapid changes. Would you send money to someone if they sent you a piece of snail mail requesting money? Would you give out your credit card number or PIN number to someone who mailed or telephoned you such a request? I should think not; at the very least I hope you would have reservations about doing so. What is it about email that makes people lose their sense of judgment and fall victim to phishing scams?
This brings to light a very important aspect of unsolicited email, or spam as it is called. Not only is spam email annoying to get, it is very costly. Spam causes many problems for the whole email ecosystem. Email providers (ISPs, work, etc.) must take measures to deal with unsolicited email. They must buy more disk space, get more bandwidth, install faster computers, install and maintain anti-spam and anti-virus tools, deal with downtime caused by email viruses, deal with decreased worker productivity; the list goes on. Billions of dollars are spent combating these issues. It is difficult enough to deal with the fact that “trusted” people send virus-riddled spam when they are unknowingly infected with viruses. New industries have been born to deal with these problems.
We have noted two major problems facing email systems: spam and phishing. There are others to mention as well: privacy issues; the fact that email is considered a trusted path into your organization, your home, your computer, your life; the lack of any way to track who has given out your email address to others; the fact that email is not a simple concept anymore, since you need filters and checkers and anti-exploitation education etc.; the cost to you if your network, system, or private information is compromised; and a single place at which to be located (you would think that is usually a good thing).
To address these issues, many approaches have been suggested and implemented. For spam, there are filters based on rule sets and statistical heuristics. For viruses and Trojan horses there are anti-virus tools that scan for fingerprints or signatures left by the viruses. Phishing messages may be considered spam and can be dealt with as such, but truly, education is one of the only ways to stop phishing expeditions; the other is not to receive them at all.
One major problem with spam and malware (viruses, worms, and Trojan horses) is that they continue to be changed and modified to get around the defenses currently in use. This no doubt indicates a strong offensive posture by people against our information infrastructure. 90,000+ known viruses for Windows machines alone? Spammers continue to evolve their methods to get around filters by creating messages that score well with the statistical trackers, by misspelling words just enough to leave them still readable, or by sending the spam as in-line picture emails. It is obvious that we are being worked against. You must continue to update your virus definitions and update your spam filters. Some people even resort to changing their email addresses and abandoning their mailboxes, a total waste of space for email providers. Let's face it: we are up against information terrorists who try to harass, extort, and damage our lives using the tools that we enjoy using, such as the phone, email, our web browser, etc.
How do we reduce the negative effects of spam, phishing, and malware, the problem of a single place at which to be located, privacy issues, tracking who has or has given out your email address, the trusted path problem, the problem of complexity, the problem of expense, and the issues of cost and inconvenience if you or your computer equipment is compromised?
Summary of Email Problems and Solutions
Spam and phishing email and malware. What you don't get won't hurt you.
Single point of contact. You would think that the old tactical concept applies: make only one way in and guard it as best as you can. But keep in mind the old adage: don't keep all your eggs in one basket. The single point of contact soon becomes a single point of compromise. This point also has many privacy concerns related to it. If you can still collect email in one location but not have a single email address, you can eliminate the single point of compromise.
Privacy issues. Many people associate their identity with their email address. This is not necessarily a bad thing because you need to communicate with your bank, your business partners etc. But a single point for notification, together with "the weight" of your mailbox, makes you tend to want to keep your email address and not change it even when it is compromised. You correctly feel that the contents of your mailbox are very hard to abandon. And when you wish to sever relations or communications with a contact, things can become difficult. Even if a person can't contact you since you block them, they can still spread your email address around and cause great volumes of email to reach you, or they can slander you or impersonate you etc. Email must have a level of anonymity to it in order to address privacy issues.
Tracking who has or has given out your email address. The privacy issue can very easily lead to this weakness in email. How do you know who has your email address? Can you even remember half of the people you have given your email address out to? For most people the answer to both questions is that they have no idea. Why is this an issue? Well, it relates to lowering your profile on the Internet. The more people that know your address, the more people will try to send messages to you. If you knew a company was selling your information, would you continue to do business with them? A business's privacy policy can say anything it wants. Unless there is a legal challenge against a company for violating a privacy policy, they could continue to sell your information. If there is no hard punishment for them, what do they really have to lose? The company can pack it up, start a new one and do it all over again. If you can track who uses your email address, you can choose not to communicate with them.
The trusted path problem. In order to get information into your organization, you need to let information in. Sounds reasonable. This problem is multifaceted and therefore traditionally requires a dual-pronged approach to address. First, it must be determined what is valid, non-harmful information. Second, the path and email addresses should not be “trusted”. To solve the harmful information issue, anti-virus scanners are put in place to check attachments. This requires updates by the email administrators and teams of researchers to keep this information up to date (paid for by maintenance costs). Solving the trust issue requires sender validation techniques. This could be done in a multitude of ways; digital signatures are the most reliable, but they come at an expense. One subtle issue with digital signatures is that if you automatically sign messages without a manual PIN number requirement, a virus can automatically sign the messages too. The PIN entry requirement prevents a virus from sending out scores of emails as a valid sender since it does not know the PIN. Of course, a virus could perhaps snoop for such a PIN. The second way to solve this issue is to NOT have the email residing “within” your organization. For a business or government agency, this option has too many drawbacks to even be considered seriously, but as a personal email solution it seems quite appropriate. If you can provide a way to give effective sender validation and validate the attachment payload, you can allow the message into your organization, with caution.
The problem of complexity. If a system is too complex to use, most people won't bother using it. This problem is only solved by efficient interface and operation design and by email user education.
The problem of expense. If a system is too expensive, it is unattainable. For those that have a system in place, continued cost increases make the email system a burden to use and maintain. A recommendation may be to use Open Source/Free solutions. There are many options out there, such as AMaViS, AVG, SpamAssassin, etc. For individuals, there are a slew of email providers out there but none of them solve all the problems outlined in this paper.
The issues of cost and inconvenience if you or your computer equipment is compromised. The only true solutions to this problem are: make sure your systems don't get compromised (very hard thing to do), try to prevent the spread of compromise when it does happen (anti-virus software helps tremendously), and have good backups of your data and a plan in place for rapid recovery. All of these concepts are beyond the scope of this blog entry.
What is the Best Approach?
One of the best defenses is not to be there. You must increase your defensive posture by lowering your profile, shielding yourself, reducing your visibility and keeping the target moving. It is much harder to hit a small moving camouflaged target. That is what needs to be done in the email world.
[Idea Fountain]
Devise an elegant way to collect and manage email in one location without having a single email address, and you can eliminate the single point of compromise.
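One way to sketch this idea, together with the tracking of who has given out your address described earlier, is a per-contact alias scheme feeding one mailbox. This is an added example, not part of the original post; the domain, key, class and function names are all assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: private key known only to the mailbox owner
DOMAIN = "mail.example"           # assumption: placeholder receiving domain


class AliasBook:
    """One mailbox, many addresses: every contact gets its own alias."""

    def __init__(self):
        self.issued = {}      # alias local part -> domain of the contact it was given to
        self.revoked = set()  # aliases that have been burned

    def issue(self, contact_domain):
        contact_domain = contact_domain.lower()
        # The keyed tag makes aliases unguessable, so nobody can invent valid ones.
        tag = hmac.new(SECRET, contact_domain.encode(), hashlib.sha256).hexdigest()[:8]
        local = f"{contact_domain.split('.')[0]}-{tag}"
        self.issued[local] = contact_domain
        return f"{local}@{DOMAIN}"

    def revoke(self, alias):
        self.revoked.add(alias.split("@")[0].lower())

    def classify(self, rcpt, sender):
        """Return (verdict, contact the alias was issued to)."""
        local, _, domain = rcpt.lower().partition("@")
        owner = self.issued.get(local)
        if domain != DOMAIN or owner is None:
            return ("reject-unknown", None)   # guessed or mistyped address
        if local in self.revoked:
            return ("reject-revoked", owner)  # this contact has been cut off
        # Sender addresses can be forged, so treat a match as a hint, not proof.
        sender_domain = sender.lower().rpartition("@")[2]
        if sender_domain == owner or sender_domain.endswith("." + owner):
            return ("deliver", owner)
        return ("leak-suspected", owner)      # the alias reached a third party


def demo():
    """Run constructed sample messages through the alias book."""
    book = AliasBook()
    shop = book.issue("shop.example")
    bank = book.issue("bank.example")
    results = [
        book.classify(bank, "alerts@bank.example"),
        book.classify(shop, "promo@bulkmailer.example"),
        book.classify("shop-00000000@" + DOMAIN, "x@shop.example"),
    ]
    book.revoke(shop)  # stop communicating with the contact that leaked
    results.append(book.classify(shop, "news@shop.example"))
    return results
```

A "leak-suspected" verdict names the contact whose alias was passed on, and revoking that one alias leaves every other address and the mailbox contents untouched.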