I have updated my review of top email encryption tools for CSOonline/Network World this week. Most of the vendors have broadened the scope of their products to include anti-phishing, anti-spam and DLP. I last looked at these tools a few years ago, and have seen them evolve:
HPE/Voltage SecureMail is now part of Micro Focus, part of an acquisition of other HPE software products
Virtru Pro has extended its product with new features and integrations
Inky no longer focuses on an endpoint encryption client and has instead moved into anti-phishing
Zix Gateway rebranded and widened its offerings
Symantec Email Security.cloud has added integrations
In my post today, I talk about recent trends in encryption and more details about each of these five products.
But there is no substitute for actually visiting the hallowed ground where this all happened, which I finally did last weekend when I was in London on a consulting assignment. I was fortunate that I had a colleague (and avid reader) who lived nearby and was willing to take me around: he hadn’t been there in a while. I have included some photos that I took during my day at Bletchley Park, and it was great to finally see Colossus in all of its mechanical glory. As you can see from this photo, it looks more like an attic of used spare parts, but I can assure you it is quite a special place.
When most people think of decrypting codes, they think of a “Matrix” style special effect where gibberish is turned into readable text (German in this instance). Or when you open a file and hit a button that will automatically decrypt the message. This is far from what happened in the 1940s. Back then, it was a herculean effort that involved recording Morse code radio signals, transferring them to paper tape, using various cribs and cheat sheets to guess at the codes, and then processing the paper tapes through Colossus. What we also don’t realize is that these two rooms full of gear were built without anyone actually seeing the actual German Lorenz coding machine that was used to encrypt the messages to begin with. (The Bombe, a much simpler device, was used to decrypt Enigma codes.) It looks like a very strange machine, but obviously something that was designed to be carted around in the field to send and receive messages.
Sadly, the reconstructed computer is not doing very well. This is no surprise, given that it is made of thousands of vacuum tubes (what the Brits call valves, which evokes an entire Steam Punk ethos). Only a few segments of the process that was used for the decrypts could be demonstrated, and it seems a collection of volunteer minders is kept very busy at keeping the thing in some working order. Here you can see an illustration of what it took to use the Bombe machines, which were more mechanical and didn’t involve true digital computing.
If you decide to visit Colossus, you will need to go to two separate places that are only a short walk apart. The first is the Bletchley Park estate itself, where there are several outbuildings that contain curated exhibits about the wartime effort, including several tributes to some of the thousands of men and women that worked there during the war. One of the more notorious was Alan Turing, and you can see a mock-up of his office here. After the movie The Imitation Game came out, his popularity rose and the park was quite crowded, albeit it was a holiday weekend. There are copies of some of his mathematical papers (shown below), a brick wall that honors many of the park’s contributors, and the formal apology letter from the British government that cleared his name. Turing’s 1950 paper was one of the seminal works in the history of digital computing and was also shown in one of the exhibits. What I found fascinating was how much of this stuff was being soaked up by the ordinary folks that were wandering around the park. I mean, I am a geek but there were school kids that were absorbed in all of this stuff.
One of the lesser-known individuals that was honored at the park was a double agent that was known by Garbo, because he was such an impressive actor. I read this book not too long ago about his exploits, and he played key roles in the war effort that had nothing to do with computers. He invented entire networks of imaginary spies when he filed his reports with the Germans that were so convincing that they moved their troops before D-Day, thus saving countless Allied lives.
But the entry to the park doesn’t get you to the reconstructed Colossus, and for that you have to walk down the road and pay another fee to gain access to the British computer history museum. It has numerous other exhibits of dusty old gear, including the first magnetic disks that held a whopping 250 MB 2 MB of data (I think it was mislabeled) and were the size of a small appliance. It was interesting, although not as much fun nor as comprehensive as the museum in San Jose, California. I hope you get a chance to visit both of the Bletchley places and see for yourself how computing history was made.
Phishing and email spam are the biggest opportunities for hackers to enter the network. If a single user clicks on some malicious email attachment, it can compromise an entire enterprise with ransomware, cryptojacking scripts, data leakages, or privilege escalation exploits. Despite making some progress, a trio of email security protocols has seen a rocky road of deployment in the past year. Going by their acronyms SPF, DKIM and DMARC, the three are difficult to configure and require careful study to understand how they inter-relate and complement each other with their protective features. The effort, however, is worth the investment in learning how to use them.
In this story for CSO Online, I explain the trio and how to get them set up properly across your email infrastructure. Spoiler alert: it isn’t easy and it will take some time.
The story has been updated and expanded since I first wrote about it earlier this year, to include some new surveys about the use of these protocols.
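How the three protocols mentioned above relate to each other, as an added example that is not from the CSO Online story: DMARC passes only when an SPF or DKIM pass is for a domain aligned with the visible From: domain. The domains, records and messages are constructed, and the organizational-domain helper is a labelled simplification.

```python
from dataclasses import dataclass


def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags["p"] = policy
    return tags


def org_domain(domain):
    # Simplification (assumption): keep the last two labels. Real receivers
    # use the Public Suffix List, so this is wrong for names like example.co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class Message:
    header_from: str  # domain in the visible From: header
    spf_result: str   # receiver's SPF verdict for the envelope sender
    spf_domain: str   # envelope (MAIL FROM) domain SPF was checked against
    dkim_result: str  # receiver's DKIM signature verdict
    dkim_domain: str  # d= domain of the DKIM signature


def evaluate(record_txt, msg):
    """Return (dmarc_result, disposition) for one message."""
    tags = parse_dmarc(record_txt)
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.spf_domain, msg.header_from, tags.get("aspf", "r").lower())
    dkim_ok = msg.dkim_result == "pass" and aligned(
        msg.dkim_domain, msg.header_from, tags.get("adkim", "r").lower())
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags["p"])  # sp= and pct= are not modelled here


# Constructed sample data (not from the article).
RELAXED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
STRICT = "v=DMARC1; p=quarantine; adkim=s; aspf=s"
# Mail sent through a provider: SPF passes for the provider's bounce domain,
# DKIM is signed with a subdomain of the From: domain.
VIA_PROVIDER = Message("example.com", "pass", "bounce.mailer.test",
                       "pass", "mail.example.com")
# SPF and DKIM both pass, but for a domain unrelated to the From: header.
UNALIGNED = Message("example.com", "pass", "unrelated.test",
                    "pass", "unrelated.test")

if __name__ == "__main__":
    for name, record in (("relaxed", RELAXED), ("strict", STRICT)):
        for label, msg in (("via provider", VIA_PROVIDER), ("unaligned", UNALIGNED)):
            print(name, label, evaluate(record, msg))
```

The second sample is the case SPF and DKIM cannot catch on their own: both checks pass, yet neither says anything about the domain the recipient sees, which is the gap DMARC alignment closes.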
I first met Adrian Lamo back in 2002. I was teaching a high school networking class and I thought it would be cool to have the kids experience a “real” hacker, since so many of them aspired to learn how to get into the computerized grading system that the school ran. It wasn’t a very exciting teachable moment, as I recall. But Lamo made a big impact on me, as he couch-surfed in my New York suburban apartment.
Sadly, I learned that last week he died at age 37 in Wichita, KS. The cause of death hasn’t yet been determined, and he had been living in the area for the past year, according to reports. Lamo moved around a lot, thanks to a rather interesting personality that could best be described as on the autism spectrum. When I met him, he had the symptoms of obsessive-compulsive disorder and was later diagnosed with Asperger’s. One of his quirks was that it would take him a while to leave my apartment every morning: he had a sequence of steps to follow in a very specific order before he could walk out the door.
Lamo was a study in contradictions: both very bright and very socially awkward, a Sheldon Cooper before his time. He had a high sense of morality. At the time Lamo stayed with me, he had been arrested for breaking into several different computer systems, including that of the freelancer database of the New York Times. His method was to find an open Web proxy server and use that to gain entry inside a corporate network. (It is still a common entry point method, although many companies have finally figured out how to protect themselves.) He never profited financially from these attacks, instead he would often leave hints on how a company could close these proxies and improve their security. He was sentenced to house arrest for the Times attack.
At the time we met, he was called the “homeless hacker” – not because he was living on the streets, but because he was young and had no fixed address, and would go from couch to couch as the mood took him. I offered him a place to stay and a chance to get to know him better, thinking how cool could that be? Little did I know.
When I told my then-teenage daughter about his impending visit, she was rather incredulous (you have someone wanted by the police staying with us) but ultimately she was won over by his geek cred – she had a problem with her cell phone that she recalls him fixing in a matter of seconds.
Lamo is remembered in various tributes in the past few days with his role in the Wikileaks/Cablegate case of 2010, when he divulged the name of Private Manning to the feds as the leaker. Both then and now, his decision was vilified in the hacking community, with numerous online threats.
I had a chance to speak to Lamo back in 2011 and recorded the interview for ReadWrite, where I was working at the time. It covers a lot of ground:
He has some very wise comments about the importance of government secrecy, and the freedoms that it enables for us all. Lamo saw the Manning case from the other side, as a case that would be eventually remembered supporting our freedoms. It was a real issue for him, because as a hacker he could certainly understand what Manning was trying to do, but as someone who also understood the role of our military he couldn’t in good conscience allow her to leak all that data. When Manning contacted Lamo he had a crisis of conscience and made his decision. He struggled over harming Manning, whom he considered a friend, or harming countless others who would be placed at risk because of Manning’s leaks. He wishes Manning had come to him before making the documents public.
This is certainly an interesting position for a hacker to take, to be sure. He was vilified in the hacker community because of it, but I think he made the right decision. “Who would have thought that when we first met ten years ago that I would have been involved in the single biggest intelligence leak in history,” he told me. How true.
He continued to work as a security consultant, helping corporations understand better security practices as well as going out on the speaking circuit. Ironically, his preferred method of communications more recently was FedEx! “I’m a little bit of a Luddite these days,” he said.
Lamo left this planet far too soon. He was a very smart guy and had a very solid moral compass, and those two traits guided his actions all his short life. I am sad that he is no longer with us, and hope that his life can be noted and celebrated for his accomplishments, verve and significance.
The short answer is a resounding Yes! Let’s discuss this topic which has spanned generations.
The current case in point has to do with terrorists using WhatsApp. For those of you that don’t use it, it is a text messaging app that also enables voice and video conversations. I started using it when I first went to Israel, because my daughter and most of the folks that I met there professionally were using it constantly. It has become a verb, like Uber and Google are for getting a ride and searching for stuff. Everything is encrypted end-to-end.
This is why the bad guys also use it. In a story that my colleague Lisa Vaas posted here in Naked Security, she quotes the UK Home Secretary Amber Rudd about some remarks she recently made. For those of you that aren’t familiar with UK government, this office covers a wide collection of duties, mixing what Americans would find in our Homeland Security and Justice Departments. She said, “Real people often prefer ease of use and a multitude of features to perfect, unbreakable security.” She was trying to make a plea for tech companies to loosen up their encryption, just a little bit mind you, because of the inability for her government to see what the terrorists are doing. “However, there is a problem in terms of the growth of end-to-end encryption” because police and security services aren’t “able to access that information.” Her idea is to serve warrants on the tech companies and get at least metadata about the encrypted conversations.
This sounds familiar: after the Paris Charlie Hebdo attacks two years ago, the last person in her job, David Cameron, issued similar calls to break into encrypted conversations. They went nowhere.
Here is the problem. You can’t have just a little bit of encryption, just like you can’t be a little bit pregnant. Either a message (or an email or whatever) is encrypted, or it isn’t. If you want to selectively break encryption, you can’t guarantee that the bad guys can’t go down this route too. And if vendors have access to passwords (as some have suggested), that is a breach “waiting to happen,” as Vaas says in her post. “Weakening security won’t bring that about, however, and has the potential to make matters worse.”
In Vaas’ post, she mentions security expert Troy Hunt’s tweet (reproduced here) showing links to all the online services that (surprise!) she uses that operate with encryption like Wikipedia, Twitter and her own website. Jonathan Haynes, writing in the Guardian, says “A lot of things may have changed in two years but the government’s understanding of information security does not appear to be one of them.”
It isn’t that normal citizens or real people or whatever you want to call non-terrorists have nothing to hide. They do have their privacy, and if we don’t have encryption, then everything is out in the open for anyone to abuse, lose, or spread around the digital landscape.
As you loyal readers know (I guess that should just be “readers” since that implies some of you are disloyal), I have been using and writing about email encryption for two decades. It hasn’t been a bowl of cherries, to be sure. Back in 1998, when Marshall Rose and I wrote our landmark book “Internet Messaging,” we said that the state of secure Internet email standards and products is best described as “a sucking chest wound.” Lately I have seen some glimmers of hope in this much-maligned product category.
Last week Network World posted my review of five products. Two of them I reviewed in 2015: HPE/Voltage Secure Email and Virtru Pro. The other three are Inky (an end-to-end product), Zix Gateway, and Symantec Email Security.cloud. Zix was the overall winner. We’ll get to the results of these tests in a moment.
In the past, encryption was frankly a pain in the neck. Users hated it, either because they had to manage their own encryption key stores or had to go through additional steps to encrypt and decrypt their message traffic. As a consequence, few people used it in their email traffic, and most did under protest. One of the more notable “conscientious objectors” was none other than the inventor of PGP himself, Phil Zimmermann. In this infamous Motherboard story, the reporter tried to get him to exchange encrypted messages. Zimmermann sheepishly revealed that he was no longer using his own protocols, due to difficulties in getting a Mac client operational.
To make matters worse, if a recipient wasn’t using the same encryption provider as you were using, sending a message was a very painful process. If you had to use more than one system, it was even more trouble. I think I can safely say that these days are soon coming to an end, where encryption is almost completely frictionless.
By that I mean that there are situations where you don’t have to do anything, other than click on your “send” button in your emailer and off the message goes. The encryption happens under the covers. This means that encryption can be used more often, and that means that companies can be more secure in their message traffic.
So will that be enough to convince users to start using encryption for normal everyday emailing? I hope so. As the number of attacks and malware infections increase, enterprises need all the protection that they can muster and encrypting emails is a great place to start.
What I liked about Zix and some of the other products that I tested this time around was that they took steps to hide the key management from the users. Zimmermann would find this acceptable, to be sure. Some other products have come close to doing this by using identity-based encryption, which makes it easier to on-board a new user into their system with a few simple mouse clicks.
What I also found intriguing is how Zix and others have incorporated data loss prevention (DLP) and detection into their encryption products. What this means is that all of these systems detect when sensitive information is about to be transmitted via email, and take steps to encrypt or otherwise protect the message in transit and how it will ultimately be consumed on the receiving end.
DLP has gone from something “nice to have” to more essential as part of business compliance and data leak hacks, both of which have increased its importance. Having this integration can be a big selling point of making the move to an encrypted email vendor, and we are glad to see this feature getting easier to use and to manage in these products.
Finally, the products have gotten better at what I call multi-modal email contexts. Users today are frequently switching from their Outlook desktop client to their smartphone email app to a webmailer for keeping track of their email stream. Having a product that can handle these different modalities is critical if it is going to make a claim towards being frictionless.
So why did Zix win? It was easy to install and manage, well-documented and had plenty of solid encryption features (see the screenshot here). Its only downside was no mobile client for composing encrypted messages, but it got partial credit for having a very responsive designed webmailer that worked well on a phone’s small screen. Zix also includes its DLP features as part of its basic pricing structure, another plus.
We have come a long way on the encrypted email road. It is nice to finally have something nice to say about these products after all these years.
In my post from last week, I addressed some of the concerns in the growing conflict between security and privacy. One of the issues that I didn’t talk about, as several readers reminded me, is the difference between privacy and anonymity. This is often summarized by saying, “I don’t care if someone tracks me, I have nothing to hide.” Well, consider the following scenarios.
Scene 1. You are hiking on a remote trail. As you are enjoying the view, someone is taking pictures with their smartphone and pointing their camera in your direction. So essentially your image is being taken without your consent. At first, you think this is fine: after all, you are anonymous, just some random hiker. But when the photographer posts your image on their social feed, your face is recognized thanks to the site’s software. And now, not only are you identified, but your location is also specified. So you have been tagged without your consent. One way around this is to wear specialized clothing that defeats flash photographs, as shown here.
Scene 2. You maintain a very active Pinterest account and post numerous pictures when you are at various events, or when you travel to distant cities. One consequence of this is that anyone who spent time looking at your account could see where you have been and what you have done.
Scene 3. Beginning in 2007, employees of the UK-based News Corp. regularly hack into celebrities’ voicemail accounts. They are sued and eventually pay various fines. Eventually, things come to a boil in 2011 and others are charged, and one staffer is actually jailed. Testimony reveals that thousands of phones were involved and dozens of staffers had access to the collected information.
Scene 4. In the neighborhood where I live in St. Louis, the community monitors nearly 100 cameras that continuously capture video imagery to aid in solving crimes. Several dozen people have been arrested as a result of investigations using these images, which are available to law enforcement personnel. While they don’t have facial recognition software yet, it is only a matter of time. But what if anyone could access the video feeds online and monitor what is going on?
Scene 5. Your online activities are being tracked. One of the stories that I wrote about tracking online fraud recently was how security researchers were able to use machine learning to predict when an endpoint device could be considered compromised. They found a series of common characteristics that were easy to discover, without any sophisticated software. These included freshly made cookies (fraudsters clear their cookies often while regular users almost never do), erased browser histories, 32-bit Windows running on 64-bit CPUs and using few browser plug-ins. While any of these factors taken alone might be from a legit user, combined together they almost always indicated a machine used by an attacker.
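Why weak signals become strong evidence in combination, as an added example that is not the researchers' model: a naive Bayes scorer over the four characteristics listed in Scene 5. The prior, the per-signal rates, the field names and the device records are all constructed assumptions, and the signals are treated as independent.

```python
import math

PRIOR_FRAUD = 0.01  # assumed share of devices operated by fraudsters

# signal name: (P(signal | fraud), P(signal | legit)); constructed rates
RATES = {
    "fresh_cookies": (0.90, 0.10),
    "empty_history": (0.80, 0.10),
    "win32_on_x64": (0.60, 0.05),
    "few_plugins": (0.70, 0.20),
}


def fraud_probability(device):
    """Posterior P(fraud | observed signals), assuming independent signals."""
    log_odds = math.log(PRIOR_FRAUD / (1 - PRIOR_FRAUD))
    for signal, (p_fraud, p_legit) in RATES.items():
        if device.get(signal, False):
            # Signal present: multiply the odds by its likelihood ratio.
            log_odds += math.log(p_fraud / p_legit)
        else:
            # Signal absent: absence is itself mild evidence of a legit user.
            log_odds += math.log((1 - p_fraud) / (1 - p_legit))
    return 1 / (1 + math.exp(-log_odds))


def triage(devices, threshold=0.5):
    """Return ids of devices whose posterior meets the review threshold."""
    return [d["id"] for d in devices if fraud_probability(d) >= threshold]


# Constructed telemetry records (not real data).
DEVICES = [
    {"id": "dev-a", "fresh_cookies": True},
    {"id": "dev-b", "empty_history": True, "few_plugins": True},
    {"id": "dev-c", "fresh_cookies": True, "empty_history": True,
     "win32_on_x64": True, "few_plugins": True},
    {"id": "dev-d"},
]

if __name__ == "__main__":
    for dev in DEVICES:
        print(dev["id"], round(fraud_probability(dev), 4))
    print("flag for review:", triage(DEVICES))
```

With these assumed rates a device showing one or two signals stays near the 1% prior, while the device showing all four lands well above the review threshold.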
Still think you have nothing to hide? Maybe so, but it is a bit creepy to know that your digital footprints are so obvious, and show up in so many places.
Some vendors, such as email encryption software Mailpile, have gone to great lengths to document how they address their users’ privacy. Given their market focus, it isn’t surprising. But still the level of detail in that document is impressive. “People should be able to communicate privately,” as they state in their document. That means no eavesdropping on email content, supporting authentic messages and privacy when it comes to the message metadata and storage too. What I liked about the Mailpile manifesto was their non-goals: “Mailpile is not attempting to enable anonymous communication. Most people consider e-mail from anonymous strangers to be spam, and we have no particular interest in making it easier to send spam.”
So as you can see, there is a difference between being anonymous online and maintaining your privacy. Like anything else, it is a balance and everyone has their own trade-offs as to what is acceptable, what isn’t, and what is just creepy. And expect new technologies to upset this balance and make these choices more difficult in the future.
As some of you who follow my work know, I have had a long history of using and complaining about email encryption programs, ever since working with Marshall Rose on our breakthrough 1998 book on enterprise Internet messaging. Rose was one of the key innovators of the Internet email protocols that we still use today, and a wonderful co-author.
Since those dark days, email encryption has certainly gotten better, as I wrote this past summer when I tested a bunch of products for Network World. But is it good enough to pass muster with academia? Not yet, at least on the level of the average undergraduate recruited for a recent academic paper in the “Johnny Can’t Encrypt” research series.
And last month, a team at BYU tried again, this time using Gmail and Mailvelope. They gave their teams 30 minutes, with only one out of ten being able to get the job done. The most common mistake was encrypting a message with the sender’s public key, a rookie mistake. There were other user experience issues with the Mailvelope browser plug-in, and some students were clearly very frustrated and vented their low opinions of Mailvelope to the researchers.
PGP has been around a long time, since 1991 when it was created by Phil Zimmermann. Phil is still active in the field, having worked on a newer series of “Silent” email products. I spoke to another Phil involved with PGP, Phil Dunkelberger, who ran PGP and now is running a major effort to spread encryption to the world, Nok Nok Labs. He told me that their results “weren’t surprising, given that they were testing technology that has its roots in the 1980s. The problem is balancing ease of use with key management, and products need to focus on solving both issues if they are going to succeed in the marketplace.” While not singling out Mailvelope specifically, the history of email encryption is filled with other efforts that have failed because of these fundamental flaws.
I will admit that PGP, in whatever vintage (the current version that I have used is v10) isn’t the easiest software to use. Since it was sold to Symantec, it has fallen into disuse and there are a lot of other tools out there that are better alternatives. I was a bit surprised at all the vitriol directed at Mailvelope by the BYU students: I gave it a brief spin and it seemed to work reasonably well. Perhaps I would have chosen Virtru (pictured above) or some other tool, but the BYU team was looking for a product that was highly rated by the Electronic Frontier Foundation in their email scorecard posted here.
While there are some issues with what EFF is trying to do, overall I like their scorecard. A big plus is that it shows the multi-layered world of how to protect your communications. Thanks to Ed Snowden, we are more sensitive to how we manage our encryption key infrastructure, and also understand the difference between encrypting the actual message data – the message body and attachments – versus the metadata contained in each message, such as subject lines and recipient names. As I wrote this summer, “encryption has finally come of age, and is appealing to those beyond the tinfoil-hat set.”
Certainly, we still have a long way to go before encryption will become the default mechanism for email communications. But today’s tools are certainly good enough for general use, even by the average undergraduate.
Whether you think Ed Snowden is a patriot or a traitor or somewhere in between, it certainly has been an interesting couple of years in the secure email business. It is a continued series of ironies, starting with the fact that Snowden had trouble convincing his chosen scribes to make use of encrypted email technology itself to transmit his documents. As I wrote about earlier this year, since Snowden’s revelations, more people have been motivated to employ encryption than ever before.
Ironically, it seems that the type of encryption that you use can make you a target of the spy agencies, who can scoop up your transmissions and figure out your origins. As Bruce Schneier said in a post last year, “There’s nothing that screams ‘hack me’ more than using specially designed al Qaeda encryption software.”
That is a scary thought. But I don’t want to debate this here; instead I wanted to take a closer look at both new and older email encryption technologies and how much they actually protect your communications.
I took this two-year mark of Snowden’s unintended flight to Russia to write this review of seven different products for Network World. They include Hushmail, ProtonMail, Datamotion SecureMail, HP’s Voltage SecureMail, Tutanota, Virtru and AppRiver. Using one of them will certainly be better than not using any encryption, even if it raises your profile with certain three-lettered agencies. Tutanota’s Outlook plug-in is pictured above.
Voltage Security has a secure email client for both iOS and Android devices that mimics the same user interface of the device’s email apps. It is easy for IT to manage and scale without a lot of hassle for email message storage and key management. It is easy for business users to adopt without cumbersome certificates and web links.