FIR B2B podcast #119: Our favorite email newsletter tips

Paul Gillin and I are old hands at email newsletters. Paul had his own for several years and has produced several for his clients. I currently publish two: my own Web Informant, which I have been doing almost weekly since 2003, and Inside Security which is part of a group of newsletters. We share a few tips from our years of experience.

The first is to know your audience and segment them for best results. This post in Marketing Week documents how marketers are segmenting the audiences at a much finer level than they previously did thanks to an explosion in behavioral data from third parties. One bottled water vendor was able to dramatically boost the response rate of its YouTube ads with an email newsletter sliced by 16 different segments. The survey found that behavior and location are the most effective segmentation methods, with the old stalwarts like age and gender being the least effective.

We discuss how to craft your subject line and choose a coherent theme as well as how to pick the optimal length and number of hyperlinks to include. If you do use links, beware of URL shortening services, since many as spam filters block them. There’s also the question of whether to make your newsletters text-only or to go the HTML route. If you choose the latter, be sure to test each newsletter with different browsers and different screen depths. Finally, we cover how to choose the right tool for the mailings. We’ve used a variety of them over the years, and each has different strengths and weaknesses. Some of these topics are mentioned in this piece for Marketing360.

We’d love to hear from you about your favorite email newsletters and tips for creating your own. You can listen to our 16 min. podcast here:

Dealing with CEO Phishing Fraud

When we get emails from our CEO or other corporate officers, many of us don’t closely scrutinize their contents. Phishers count on this for their exploits. The messages often come around quitting time, so there is some sense of urgency so we will act before thinking through the consequences. 

Here is an example of a series of emails between “the boss” (in reality, the phisher) and his subordinate that happened in November 2017. You can see the growing sense of urgency to make a funds transfer happen, which is the phisher’s stock in trade. According to FBI statistics, this type of fraud is now a $12 billion scam. And yes, the money was actually sent to this attacker.

KnowBe4, which sells phishing training services, categorizes the scam into two separate actions:

  1. First is the phishing attempt itself. It is usually called spear phishing, meaning that the attacker has studied the corporate organization chart and targeted specific individuals. The attacker has also examined who has fiduciary responsibility to perform the actual funds transfer, because at the heart of this scam it is all about the money that they can steal from your business.
  2. Next is all about social engineering. The attacker has to appear to be convincing and act like the boss. Often, the targeted employee is tricked into divulging confidential information, such as bank accounts or passwords. Many times they use social media sources to amplify their message and make it seem  more legit.

The blog post mentions several different situations that are common with this type of fraud:

  1. Business working with a foreign supplier.
  2. Business receiving or initiating a wire transfer request.
  3. Business contacts receiving fraudulent correspondence.
  4. Executive and attorney impersonations.
  5. Confidential data theft.

A new blog post by Richard DeVere here provides some good suggestions on how to be more vigilant and skeptical with these emails. 

  • Examine the tone and phrasing of the email. One time a very brusque CEO — who was known for this style — supposedly sent a very polite email. The recipient flagged it as a potential phish because of this difference.
  • Have shared authority on money transfers. Two heads are better than one.
  •  As Reagan has said, trust but verify. Ask your boss (perhaps by calling directly) if this email really originated from him or her before acting on it. Phone calls and texts can be spoofed from your boss’ number. As the illustration above shows, this is quite common. Take a moment to process what is being asked of you.
  • Report the scammer to the right authorities inside and outside your company.

The bottom line: be wary and take a breath when you get one of these emails.

Helm Email Server: secure and stylish, but has issues

I had an opportunity to test drive the Helm personal email server over the past couple of months. I give them an A for effort, and a C+ for execution. It is a smallish pyramid that can be used to self-host your own email domain.

It has some great ideas and tries hard to be a secure email server that is easy to setup. And its packaging and reviewer’s guide is a design delight, as you can see from the photo below. But it has a few major drawbacks, especially for users that want to do more than protect their email correspondence.

If you want to read a more thorough test, check out Lee Hutchinson’s Ars review here. While I didn’t test it as thoroughly or write about it as much as he did, I did try it out in two different modes: first, as a server on a test account that Helm reserved for me. Then I reset the unit and tried it to serve up email on one of my existing domains. I will get to an issue with that latter configuration in a moment.

My biggest issue is its lack of support for webmail clients. I understand why this was done, but I still don’t like it. I have been using webmail exclusively for my desktop and laptop email usage for more than 10 years, and only use the iPhone Mail app when I am on the phone. Certainly, that leaves me open for exposure, man-in-the-middle, etc. But I am not sure I am willing to give up that flexibility for better security, which is really at the center of the debate.

Brian Krebs blogged that users can pick two of security, privacy and convenience, but only two. That is the rub.

If you are concerned about privacy first and foremost, you are likely to want to use encryption on all of your emails. That is probably for very few folks. Even with zero-trust encryption, this isn’t easy. Helm doesn’t support any encryption such as PGP, so this audience is off the table.

If you are concerned with convenience, you are probably going to stick with webmailers for the time being. So this audience is off the table too.

If you are concerned with security first, maybe you will consider Helm. But it is a big maybe. If you already use a corporate email server and your company has hundreds of mailboxes, I don’t think any IT manager is going to want to have a tiny box like Helm at the center of their email infrastructure. And if you are a SMB that has < 100 mailboxes, perhaps you might move from GSuite or O365, but it will take some work. Certainly, the pricing tipping point is around a dozen mailboxes, depending on the various options that you choose for these SaaS emailers.

Hutchinson’s piece in Ars says, “Helm aims to give you the best of both worlds—the assurance of having a device filled with sensitive information physically under your control, but with almost all of the heavy sysadmin lifting done for you. If you’re looking to kick Google or Microsoft to the curb and claw back control of your email, this is in my opinion the best and easiest way to do it.” I would agree with him.

However, the issue for this last group isn’t the email, but the other things that depend on email that they already use seamlessly: calendars, contacts, and email notifications. Setting up calendars and contacts will take some careful study before you actually configure them. This is because you have to read and understand the web-based support portal pages so that you know what the steps are before you do the configuration. I ended up creating several device profiles before I got all this together, because I couldn’t access the existing details to set up the servers etc. (I understand why you are doing this, but still calling them “device profiles” is confusing.) And then I still had issues with getting things setup for my calendar and contacts. The pretty reviewer’s guide really falls down in this area.

One plus for the security audience is that it supports DMARC/SPF/DKIM with no extra effort. (See the screenshot below.) They don’t make a big deal of this, other than a brief nod to it in the support pages here. My report from mail-tester can be found here, showing that this was implemented correctly.

Another sticking point for me is the use of the smartphone app for configuration and reporting. I have had problems with other consumer-grade products that do this – such as most smart home devices, the Bitdefender Box (I did an early review of this for Tom’s Hardware but haven’t looked at it for a while since then), and some SMB router/firewalls. The problem is that your screen real estate is very limited, forcing you to make some bad UI tradeoffs. For example, a notification alert comes up on my phone during certain times.

One issue that Hutchinson also had is that if you use Helm to serve up your own domain, it needs to take control over your domain’s DNS settings. You can use its smartphone app to add your own custom DNS records, but it isn’t as flexible as say the average ISP DNS web-based management screens. Speaking of DNS, Helm doesn’t support DNSSEC because of the way it moves your email traffic through its AWS infrastructure.

Finally, the backup process didn’t work for my pre-configured unit and I never got a successful backup, even after initiating several of them. It worked fine for my hosted domain. There is no phone message notification of either success or failure: you have to check the app, which also seems like a major omission.

If you aren’t happy with the security implications of Microsoft/Googleplex owning your messages and are a small business that doesn’t use much webmail, then Helm should be a great solution. It costs $500 initially, with $100 annually for a support contract.

 

The end of IBM/Lotus Notes

Last week, IBM sold off its Domino/Notes software business unit to HCL. While you probably haven’t heard of them, they are a billion dollar Indian tech conglomerate. Sadly, this represents the end of one era for Notes. It certainly has had a long and significant life span.

 

“Notes’ longevity is amazing,” says David DeJean, who co-wrote one of the first books about it back in 1991. “What other corporate software product has had that kind of run? Notes’ success started with its chameleon-like ability to go into a company and work the way the company worked. It let companies computerize their operations at their own pace. Other software packages have been the software of “No” where Notes was almost always the software of ‘Sure.’”

I was present at its conception in the late 1980s, when Ray Ozzie had the idea for what was then an unknown software category that was labeled at the time as groupware. It was the first time that a PC software program could be used to connect multiple computers in a meaningful way, and be used to create applications that leveraged the group. DeJean recalled that these apps were at the heart of what made Notes work: “During a crucial moment in the computerization of the enterprise in the 1990s, Notes applications proliferated like rabbits. It was very easy for companies to get into Notes, and very hard to get out.”

When Notes came out. I was working as an editor at PC Week. My colleague Sam Whitmore told me that “it took us a while to get our brains around the idea of its replication feature. Most of us found it redundant to email.” That was its biggest challenge, and well into its middle age Notes’ biggest competitor continued to be ordinary email. Many of my press colleagues carried a long-standing hatred for it. Nevertheless, Whitmore also recalls that “Lotus appreciated how technical we were, that we understood what Ray Ozzie was bringing to the world. Perhaps because of this, Lotus offered PC Week a lot of money to produce a special report on Notes.”

I had first-hand experience using Notes when I worked at CMP in the early 2000’s when I was an editor at VAR Business and also at EETimes. The CMP IT department had written quite a few Notes applications for various editorial and sales tracking purposes, again showing how extensible it could be.

This is something that many of its critics didn’t really understand, both then and now. One of its earliest customers was  PriceWaterhouse, now PwC. Sheldon Laube was running the IT operation there and made the decision to purchase 10,000 copies of Notes back in 1990. He told me that this “started a transformation at the firm. Notes was truly the first personal computer software product that changed the nature of how people used PCs. Until Notes came along, PCs were personal productivity tools, with the majority of uses being spreadsheets, word processing and presentations. Notes created a social use for personal computers and enabled teams of people, spread across geographies, to communicate, collaborate and share information in a way which was not possible previously. It was the tool that moved PCs and networks onto every desk in every office of PW around the world.”

This is an important point, and one that I didn’t think much about until I started corresponding recently with Laube. If you credit Notes as being the first social software tool, it actually predates Facebook by more than a decade. Even MySpace, which was the largest social network for a few years (and had more traffic than Google too), was created in the early 2000s.

Notes was also ahead of its time in another area. “Notes was a precursor to both the web and social media,” says Laube. “It was all about easily publishing and sharing information in a managed way suited to business use. It is the ease of management and the ability to control information access within Notes securely which allowed its rapid adoption by business.” Laube reminded me that back then, information security was barely recognized as necessary by IT departments.

This isn’t completely an accurate picture, mainly because Notes was focused on the enterprise, not the consumer. Notes “mixed email with databases with insanely secure data replication and custom apps,” said David Gewirtz in his column this week for ZDnet. He was an early advocate of Notes and wrote numerous books and edited many newsletters about its enterprise use. “It was enterprise software before enterprise software was cool.” He wrote about how Notes had elements of Salesforce, Dropbox, Atlassian, Zendesk and ServiceNow — years before any of these products were even invented. Another aspect of Notes that doesn’t get much attention is its integrated group calendars and contacts. Now we take these elements for granted — until they don’t work — and expect them in many communications tools. Back in the early 1990s, this was a rare feature. Scott Mace, who runs the site CalendarSwamp, remembers complaining about how hard shared calendars were back in the late 1990s, and how Notes was an early standout then.

Notes has gone through many transitions in its long life: After IBM acquired it, Big Blue extended the software to Domino, which combined Notes with web services and eventually was used to provide a managed hosting solution as well. Ozzie told me that  Notes was in essence an amazingly powerful applications server with captive clients. This differed from the web model, where web clients were free and Netscape and others made money from selling their own application servers. IBM added the web server because they had to: Ozzie said if they hadn’t, Notes would have died quickly in the web era. Instead, it still flourishes.

Another thing that doesn’t get much attention is that IBM believed so much in Notes that it made it its corporate communications standard for many years. One of their reasons — and a major motivation for many other customers — is that Notes offered an end-to-end encrypted email system, something that wasn’t common at the time.

Even so, IBM was a poor fit for Notes because it was too slow to innovate. While having a web front-end solved one big problem for Notes (its very thick client software), it wasn’t enough to compete against the world of open source and the rich software development of the web. As the web took over the software world, Notes became more of an anachronism, and more nimble solutions (including one product called Nimble, btw) became more attractive to corporate software developers. Ozzie said, “Shame on IBM for losing the corporate email market” to Microsoft and then Google. He reminded me that back then, we had different email systems that couldn’t connect with each other, even within the same office.

Betsy Kosheff, who did PR for Lotus back when it was sold to IBM, told me, “IBM had no business doing software innovation. That point was very obvious right from the acquisition. It’s not their fault – IBM is just not designed that way. I imagine their India-based buyer will be looking for more operational efficiencies. They’re probably not looking for the next big idea, which is what was so much fun about Notes and being part of that product in the early days. I’m not saying you can’t possibly create an entrepreneurial division with exciting innovations from within a larger company. I’m just saying they didn’t do it at IBM and probably not at any other billion dollar IT company.”

Ozzie reminded me that when Lotus was sold to IBM, they were in a head-to-head battle with Exchange. Microsoft had the edge because they owned the operating system and had majority share with office applications. IBM could offer a broader software portfolio that could attract customers.

Was Notes too early for its time? Ozzie says no: “I am just pleased that things have continued to evolve in collaboration tools.There are still things related to human interaction, such as distributed trust and managing overload that we first learned in Notes that have yet to be embraced by anything in the enterprise social world.”

The many ironies of the post email era

It has been 20 years since Marshall Rose and I wrote  our book about Internet email. Since then, it has become almost a redundant term: how could you have email without using the Internet? For that matter, how can you have a business without any email to the outside world? It seems unthinkable today.

But for something so essential to modern life, Internet email also comes with multiple ironic situations. I will get to these in a moment.

To do some research for this essay, I re-read a column that I wrote ten years ago about the evolution of email between 1998-2008. Today I want to talk about the last ten years and what we all have been doing during this period. I would call this decade the post email era because email has become the enabling technology for an entire class of applications that previously weren’t possible or weren’t as easy ten years ago. Things like Slack, MFA logins, universal SMS, and the thousands of apps that notify us of their issues using emails. Ironically, all of this has almost eclipsed the actual use of Internet email itself. While ten years ago we had many of these technologies, now they are in more general use. And by post-email I don’t mean that we have stopped using it; quite the contrary. Now it is so embedded in our operations that most of us don’t even think much about it and take it for granted, like the air we breathe. That’s its second irony.

When a new business is being formed, usually the decision for its email provider comes down to hosting email on Google or Microsoft’s servers. That is a big change from ten years ago, when cloud-based email was still being debated and (in some cases) feared. I have been hosting my email on Google’s servers for more than ten years, and many of you have also done the same.

Another change is pricing. This has made email a commodity and it is pretty reasonable: Google charges $5 per month for 30 GB of storage or $10 per month with either 1 TB or unlimited storage. If you want to go with Microsoft, they have similarly priced plans for 1 TB of storage. That is an immense amount of storage. Remember when the first cloud emailers had 1 GB of storage? That seems so quaint — and so limiting — now. For all the talk back then about “inbox zero” (meaning culling messages from your inbox as much as possible), we have enabled email hoarding. That’s another irony.

Apart from all this room to keep our stuff, another major reason for using the cloud is that it frees up the decision as to which email client to run (and to support) for each user. A third reason is that the cloud frees up users to run multiple email clients, depending on what device and for what particular post-email task they want to accomplish. Both of these concepts were pretty radical 20 years ago, and even five years ago they were still not as well accepted as they are now. Today many of us spend more of our time on email with our phones than our desktops, and use multiple programs for our email, and don’t give this a second thought.

Why would anyone want to host their own email server anymore? Here is another irony: one reason is privacy. The biggest thing to happen to email in the past ten years was a growing awareness of how exposed one’s email communications could be. Between Snowden’s revelations and Hillary’s server, it is now crystal clear to the world at large that your email can be read by your government.

When Marshall developed the early email protocols, he didn’t hide this aspect of its operations. It just took the rest of the world many years to catch on. As a result, we now have companies that are deliberating locating in data havens to prevent governments from gaining access to their data streams. Witness ProtonMail and Kolabnow, both doing business from Switzerland, and Mailfence, operating out of Belgium. These companies have picked their locations because they don’t want your email finding its way into the NSA’s Utah data centers, or anywhere else for that matter. And we have articles such as this one in Ars that discuss the issues about Swiss privacy laws. Today a business knows enough to ask where its potential messages will be stored, whether they will be encrypted, and who has control over its encryption keys. That certainly wasn’t in many conversations — or even decisions about selecting an email provider — ten years ago.

One way to take back control over your email is literally to host your own email server so that your message traffic is completely under your control. That has been a difficult proposition even for tech-savvy businesses — until now. This is what Helm is trying to do, and they have put together a sexy little server (about the size of of a small gingerbread house, to keep things festive and seasonal) which can sit on any Internet network anywhere in the world and deliver messages to your inbox. It doesn’t take a lot of technical skill to setup (you use a smartphone app), and it will encrypt all your messages from end-to-end. Helm doesn’t touch them and can’t decrypt them either. Because of this, the one caveat is that you can’t use a webmail client. That is a big tradeoff for many of us that have grown to like webmail over the past decade. Brian Krebs blogged this week that users can pick two items out of security, privacy and convenience. That is the rub. With Helm, you get privacy and security, but not convenience (if you are a webmail user). Irony again: webmail has become so pervasive but you need to go back to running your own server and email desktop clients if you want ironclad security.

Speaking of email encryption, one thing that hasn’t change in the past ten years is how it is rarely used. One of the curiosities of the Snowden revelations was how hard he had to work to find a reporter who was adept enough at using PGP to exchange encrypted messages. Encryption still is hard. And while Protonmail and Tutanova and others (mentioned in this article) have come into play, they are still more curiosities than in widespread general use.

Another trend over the past ten years is how spam and phishing have become bigger problems. This is happening as our endpoints get better at filtering malware out of our inboxes. This is one reason to use hosted Exchange or Gmail: both companies are very good at stopping spam and malicious messages.

It is somewhat of an ironic contradiction: you would hope that better spam processing would make us safer, not more at risk. This risk is easy to explain but hard to prevent. All it takes is just one user on your network, who clicks on one wrong attachment, and a hacker can gain control over your desktop and eventually your entire network. Now that scenario is a common one witnessed in many TV and movie episodes, even in non-sci-fi-themed shows. For example, this summer we had Rihanna as a hacker in Ocean’s 8. Not very realistic, but certainly fun to watch.

So welcome to the many ironies of the post email era. Share your thoughts about how your own email usage has evolved over this past decade if you feel so inclined.

More on password managers

Many of you have written me since getting a similar extortion email over the past few months. The emails all have similar characteristics: they usually mention an older password that you have used on one of your accounts in the subject line, and then suggest that the sender is monitoring your computer with spyware and will send out some compromising information about you if they aren’t paid the ransom.

As I said back in July, these emails shouldn’t be answered, or even opened. The sad fact is that if you are still using something with this password, you probably should be motivated to clean up your act and do a better job with your passwords.

I usually tell my correspondents to use this as an opportunity to do two things. First, to install a password manager. I use LastPass but there are plenty of others. These tools make your logins more secure because you can create complex passwords that you can’t remember, and more importantly, you don’t need to remember them either.

The second item is to use an authenticator app on your smartphone. These apps are probably the best security you can use to protect your accounts. Google, LastPass, Microsoft, Duo, Authy, and numerous other vendors have free ones. They work in conjunction with a one-time code that changes every minute or so. When you login to your accounts with this app enabled, you have that amount of time to enter the code that is shown on your phone’s screen into the web form as part of your login process. If someone has your password, they won’t be able to see this code and properly login.

Even better than using these authenticator apps is to make use of a special FIDO hardware key. Both Google and Yubico sell them. They are more secure but less convenient, because you have to remember to have the key on you when you need to login.

Certainly, there are other alternatives to authenticator apps and keys. Some of you have enabled a different authentication process with your logins, such as using an SMS text message to receive these one-time codes. This is much less secure than either the authenticator apps or the hardware keys, because a hacker can arrange to send this code to their own phone. Sadly, many websites (such as my bank) only support codes sent via the SMS method.

But here is the issue: apart from having authenticator apps and password managers, some of you are still writing your passwords down somewhere, and this is the most insecure thing you can do. Even if you keep a piece of paper in a locked safe, it is still less useful and less secure than the combination of password manager + authenticator app that I described above. That special piece of paper does you no good when you are across town from your office, for example.

There was this recent exchange on Twitter between Capital One and a customer, where the bank’s representative told the customer to not use a password manager. One person commented, “Hey Capital One! 1992 called. You need to hire a more up-to-date Security Officer.” Another recent study showed that password managers weren’t familiar or necessary to more than half of those surveyed.

Some of you have gone to great lengths to store your passwords on your phone’s address book, using a special code that will jog your memory about which password you have chosen for a particular site. Given the compromises that the mobile version of Facebook Messenger has at reading and distributing your contact data, this is also asking for trouble. It really isn’t worth the effort.

One of my readers called me about a month ago in a panic when he got the extortion email message. Once I calmed him down (he was up half the night worrying about it), we came up with a plan, such as I outlined above. I checked back with him recently and he did implement half of my suggestions. But he argued, “I can repeat my passwords on less sensitive accounts, because I don’t have anything to worry about with those accounts. There is nothing to steal here.” Wrong on these counts:

First, every reused password is another way for a hacker to worm their way into your digital life. Let’s say you purchase something from an online retailer, and never return to that site ever again. Meanwhile, you have forgotten that you saved your credit card on the retailer’s site, and then you have forgotten which retailer it was. When that retailer suffers a breach, your credit card is now at risk.

Consumers aren’t alone in reusing their passwords. A study for One Identity of 1000 IT professionals shows some poor security practices in place in several countries. They noted that admin passwords are often shared, among other bad practices.

Maybe you have a reused password for something blander, such as the account to your local library so you can download an ebook or two. Again, that library could be hit by an attacker, and that login could become compromised and reused on some other site. Hackers have automated routines that try username/login pairs across hundreds of websites, testing if you have used them elsewhere. While the hacker may not steal anything of actual monetary value, they are stealing and using your identity. So just don’t reuse them, ever. Please.

Second, whatever system you have developed to avoid using a password manager doesn’t scale. The more websites you need logins for, the more likely you are to forget you already used one of your favorite combinations. My password manager has more than 200 logins. Granted, I am an extreme case, but still your digital life is probably has dozens of logins too.

Third, you could argue that most modern browsers have password saving features to make it easier to login to websites, so you don’t need a password manager. Again, this gives you a false sense of security, particularly if you laptop or phone is lost or stolen. It is child’s play to read your saved password list on your device, and then you have a whole lot of hurt. When you install a password manager, you should turn off the saving password feature in your browser to avoid conflicts.

All the password managers have automated checks to tell you when you are about to reuse one of your existing passwords. Why would you have dupes with using the password managers? This is because you might not have changed all of your old passwords, and the manager is on the look out for one that it already knows about and has squirreled away.

Finally, another nice thing about password managers is that you can have your logins available for all your devices, even if you move around from laptop to phone to desktop. It just makes a lot of sense to use them. So take some time, and get on board, and be secure.

It is time to get more serious about protecting your email

Did you get a strange email last week from someone that you didn’t know, including one of your old passwords in the subject line? I did, and I heard many others were part of this criminal ransomware activity. Clearly, they were sent out with some kind of automated mailing list that made use of a huge list of hacked passwords. (You can check if your email has been leaked on this list.) It really annoyed me, and I got a few calls from friends wanting to know how this criminal got ahold of their passwords. (BTW: you shouldn’t respond to this email, because then you become more of a target.)

But the question that I asked my friends was this: Do you still have logins that make use of that password? You probably do.

Email is inherently insecure. Sorry, it has been that way since its invention, and still is. All of us don’t give its security the attention it needs and deserves. So if you got one of these messages, or if you are worried about your exposure to a future one, I have a few suggestions.

First, you need to read this piece by David Koff on rethinking email and security. It brought to mind the many things that folks today have to do to protect themselves. I would urge you to review it carefully. Medium calculates it will take you 17 minutes, but my guess is that you need to budget more time. There is a lot to unpack in his post, so I won’t repeat it here.

Now Koff suggests a lot of tools that you can use to become more secure. I am going to just give you four of them, listed from most to least importance.

  1. Set up a password manager and start protecting your passwords. This is probably the biggest thing that you can do to protect yourself. It will make it easier to use stronger and unique passwords. I use LastPass.com, which is $2 per month. For many of my accounts, I don’t even know my passwords anymore because they are just some combination of random letters and symbols. If you don’t want to pay, there are many others that I reviewed at that link here that are free for personal accounts.
  2. Create disposable email accounts for all your mailing lists. Koff suggests using 33mail.com, but there are many other services including Mailinator.com, temp-mail.org, and throwawaymail.com. They all work similarly. The hard part is unsubscribing from mailing lists with your current address, and adding the new disposable addresses.
  3. Even with a password manager, you need to make use of some additional authentication mechanism for your most sensitive logins. Use this for as many accounts as you can.
  4. Finally, if you are still looking for something to do, at least try encrypted email. Protonmail.com is free for low-end accounts and very easy to use.

There is a lot more you can to make yourself more secure. Please take the time to do the above, before you get someone else trying to steal your money, your identity, or both.

Understanding email encryption

Earlier this week, we had a major storm with the release of a new report about email encryption issues.Called Efail, it starts with this research paper and website. What I want to talk about today is the following:

First, the vulnerabilities described in the Efail documents were well known, with some of them been around for more than a decade. Basically, if you use HTML email to read your email – which if you are concerned about privacy you shouldn’t be doing in the first place – certain email clients combined with plug-ins for PGP or S/MIME will expose encrypted data to a hacker, if the hacker has access to your email stream.

Second, notice the if in the last sentence. That is a very big condition. Sure, hackers could target your network or email flow, but chances are unlikely.

Third, the amount of bad reporting was immense, with most reporters missing the fact that there was nothing wrong with the PGP or S/MIME protocols themselves, only poor implementations. (The Efail authors do a solid job of reporting which clients are at issue.) There are numerous encrypted email solutions that aren’t affected by Efail.

Part of my problem with the reporting is the way that Efail was disclosed, with little or no advance notice to security analysts and other affected parties. This didn’t help matters.

One of the more alarmist posts was from the EFF, which weighed in with some very confusing suggestions. That is both unusual (since they are level-headed most of the time on technical issues) and unfortunate (because they are suggesting that folks stop using encryption). That isn’t a good idea, especially if you are one of the few that actually use PGP in your daily life. (Lesley Carhart’s tweet was spot-on.)

There were some standout reports that I will recommend. First, if you are new to email encryption, the best general source that I have found is Andy Yen’s TED talk from several years ago. He explains how encryption works and what to look for and why you need it. Yen happens to work for Protonmail, which is certainly a good starting place to use encrytion. The best overall report is from Steve Ragan at CSOonline, who documents the disclosures and what you need to do to update your email clients in this post. Finally, if you are ultra-paranoid, you should turn off HTML rendering in your email client.

 

Becoming a better master of my email domain

This post adds my own personal experiences to improving the email authentication protocols of my own domain. I wrote about these issues in general for iBoss earlier this year and described the three protocols (SPF, DKIM and DMARC) and how they interact with each other. These protocols have been around for a while, and implementing them isn’t easy and hasn’t been very popular, outside of perhaps Google-administered email domains.

A recent survey from Barracuda shows how the majority of folks haven’t yet set up anything in their environments, as you can see by this graphic below. Another survey from Agari (who sells DMARC managed services, so they have something of a self-interest) says 82 percent of federal government domains lack DMARC protection. To try to fix this, the feds are getting more serious about DMARC, requiring it across all agency networks soon. 

So I wanted to be able to lead by example and actually put these tools in place on my own servers. That was easier said than done.

I first contacted Valimail in August. They have a managed email authentication service and agreed to work with me to get me set up. Valimail knows what they are doing in this space. As an example, a few weeks ago one researcher posted how he could deliberately break some DKIM records if he created some oddball email messages. Turns out Valimail has this covered and posted a counter reply. They claimed that the researcher didn’t really understand how it was used in practice.

And that is the issue: these protocols are very, very hard to implement in practice. Getting my domains setup wasn’t easy: part of that was my fault, and partly because this is a knotty area that has a lot of specific knobs to turn and places where a misplaced comma can wreck your configuration. So I am glad that I had them in my corner.

Let’s talk about what was my fault first. I have two different Internet providers for my domains. First is GoDaddy, which registers my domains. I have always felt it is a good idea to separate my content from my registrar, which is where my second provider, EMWD.com, comes into play. They host my blogs and mailing lists. The problem is that the three email protocols touch on aspects of both what the registrar has to do and what the content hosting provider has to do, and so I found myself going back and forth between the two companies and their various web-based control panels to add DNS entries and make other adjustments as I needed. For your particular circumstances, that may not be necessary. Or it could be more complicated, depending on how many individual domains (and sub-domains) you own and how you have set up your email servers.

When you first sign on with Valimail, they run a report that shows how messed up your email system is. Now right here I want to stop and explain what I mean. Your email system is probably working just fine, and your messages are flowing back and forth without any real issues. Except one: they aren’t using the full power of the various authentication protocols that have been developed over the years. If you don’t care about spam and phishing, then stop right here. But if you do care — and you should — then that means you need to get email authentication done correctly. That is the journey that I have been on since this summer.

OK, back to my story. So I got a report from Valimail that looked like this.  It shows that I made several mistakes in configuring my mail server because it uses a different domain (webinformant.tv) from the domain that I use for sending individual emails (strom.com). Duh! It was embarrassing, after all these years claiming to be this email “expert” (I did write a book on corporate email use once upon a time) and yet I still missed this very obvious mistake. But that is why you hire outside consultants to help you learn about this stuff.

That wasn’t my only problem. Second, I was using WordPress as my blogging software. Now, what does this have to do with email, you might ask? My problem was I didn’t immediately make the connection either. Some of my emails weren’t being authenticated properly, and it was only after further investigation did I realize that the comments that were being collected by my blog were the culprits. WordPress uses email to notify me about these comments. Luckily, there is a plug-in for fixing this that was available. Of course, it still took some effort to get it working properly.

This is why you want someone like Valimail to be working with you, because the chances of making any errors are huge, and your email infrastructure can be a bigger project that you realize, even for a small organization such as my own operation.

I have one other technology piece in my mix. One of the reasons why I chose EMWD is because they offer cheap but really good hosting of Mailman, which is a Unix-era email server that I have been using for more than a decade for my weekly Web Informant newsletters. It isn’t as fancy as Mailchimp or some of the other more modern mailers, but I also am familiar enough with its oddities that I feel comfortable using it. So any DKIM/DMARC/SPF installation also had to make some changes to its parameters too. Luckily, The folks at Valimail knew which ones to tweak.

So it took several months of elapsed time to work with Valimail to get things correctly setup. And that is probably a good thing because uncovering all the various applications that make use of email in oddball ways will take some time, particularly if you are a decent-sized company. Most of the elapsed time for my situation was because I was busy on other matters, and also because it took me several tries to understand the scope of what I had to do. Also, because Valimail’s typical customer is a larger enterprise, they weren’t very familiar with the cPanel interface that EMWD (like a lot of smaller ISPs) employs, or working with WordPress, so they had a learning curve too.

The team that helped me was very patient, which was great because I did need a lot of hand-holding (in the form of JoinMe meetings and screen sharing sessions) to walk me through the various processes. But what this demonstrated to me is how ingrained using email for various tasks can be, even for a company of one employee.

So the moral of the story: even if you know what you doing, this is one area that requires very specialized knowledge. But if you want to make an effort to reduce spam and phishing, you should implement all three of these protocols. And you might end up fixing some other email issues across your enterprise along the way too.

Why you should be afraid of phishing attacks

I have known Dave Piscitello for several decades; he and I served together with a collection of some of the original inventors of the Internet and he has worked at ICANN for many years. So it is interesting that he and I are both looking at spam these days with a careful eye.

He recently posted a column saying “It sounds trivial but spam is one of the most important threats to manage these days.” He calls spam the security threat you easily forget, and I would agree with him. Why? Because spam brings all sorts of pain with it, mostly in the form of phishing attacks and other network compromises. Think of it as the gateway drug for criminals to infect your company with malware. A report last December from PhishMe found that 91% of cyberattacks start with a phish. The FBI says these scams have resulted in $5.3 billion in financial losses since October 2013.

We tend to forget about spam these days because Google and Microsoft have done a decent job hiding spam from immediate view of our inboxes. And while that is generally a good thing, all it takes is a single email that you mistakenly click on and you have brought an attack inside your organization. It is easy to see why we make these mistakes: the phishers spend a lot of time trying to fool us, by using the same fonts and page layout designs to mimic the real sites (such as your bank), so that you will login to their page and provide your password to them.

Phishing has gotten more sophisticated, just like other malware attacks. There are now whaling attacks that look like messages coming from the CFO or HR managers, trying to convince you to move money. Or spear phishing where a criminal is targeting someone or some specific corporation to trick the recipient into acting on the message. Attackers try to harvest a user’s credentials and use them for further exploits, attach phony SSL certificates to their domains to make them seem more legitimate, use smishing-based social engineering methods to compromise your cell phone, and create phony domains that are typographically similar to a real business. And there are automated phishing construction kits that can be used by anyone with a minimal knowledge to create a brand new exploit. All of these methods show that phishing is certainly on the rise, and becoming more of an issue for everyone.

Yes, organizations can try to prevent phishing attacks through a series of defenses, including filtering their email, training their users to spot bogus messages, using more updated browsers that have better detection mechanisms and other tools. But these aren’t as effective as they could be if users had more information about each message that they read while they are going through their inboxes.

There is a new product that does exactly that, called Inky Phish Fence. They asked me to evaluate it and write about it. I think it is worth your time. It displays warning messages as you scroll through your emails, as shown here.

There are both free and paid versions of Phish Fence. The free versions work with Outlook.com, Hotmail and Gmail accounts and have add-ins available both from the Google Chrome Store and the Microsoft Appsource Store. These versions require the user to launch the add-in proactively to analyze each message, by clicking on the Inky icon above the active message area. Once they do, Phish Fence instantly analyzes the email and displays the results in a pane within the message. The majority of the analysis happens directly in Outlook or Gmail so Inky’s servers don’t need to see the raw email, which preserves the user’s privacy.

The paid versions analyze every incoming mail automatically via a server process. Inky Phish Fence can be configured to quarantine malicious mail and put warnings directly in the bodies of suspicious mail. This means users don’t have to take any action to get the warnings. In this configuration, Outlook users can get some additional info by using the add-in, but all the essential information is just indicated inline with each email message.

I produced a short video screencast that shows the differences in the two versions and how Phish Fence works. And you can download a white paper that I wrote for Inky about the history and dangers of phishing and where their solution fits in. Check out Phish Fence and see if helps you become more vigilant about your emails.