This is the second article in a series devoted to introducing readers to secure online behaviors. In the first article, we saw how users have come to rely on the Internet for exchanging business and personal information. The largest amount of traffic being carried over the Internet today is in the form of electronic mail. Today's sophisticated e-mail programs handle not only text, but also graphics, animation, video, and attachments that can include executable programs, word processing and spreadsheets. Despite the use of firewalls and anti-virus programs that are intended to protect Internet and e-mail users, user behavior is still the key to Internet security. As a result, proper e-mail behavior is very important. This article will discuss secure e-mail behavior by looking at the various threats posed by using e-mail applications, as well as the steps users should take to minimize those risks.

E-Mail Applications: Client-Based and Web-Based

There are two different types of e-mail that are commonly used: client-based and web-based. Client-based systems, such as Outlook and Eudora, require the user to install software on their computer; this software is used to go online and connect to a mail server that handles delivery and receipt of users' messages. Advantages of using a client-based e-mail program include the ability to store messages locally, to save on connection charges, and to keep attachments on the local computer for easier access.

There are also disadvantages of client-based e-mail. For example, large attachments included with messages can tie up system resources while downloading mail from the server. The user is restricted to accessing e-mail only through the machine on which the e-mail program is installed, thereby limiting user mobility. From a security standpoint, client-based users are vulnerable to the security flaws that may be present in programs such as Outlook and Eudora, and users are responsible for the security of the system, so they must take the necessary steps to ensure their own security.

The other option for e-mail is web-based access, such as Hotmail and Yahoo that offer a web interface to send and retrieve mail. In this case, no e-mail program application needs to be downloaded to the users' machine, as the e-mail account is accessed through the Internet. Web-mail offers several advantages over client-based e-mail, including the ability to easily access e-mail from any location, controls, such as file-size limitation, offered by the server itself, and filtering rules, such as automatically deleting spam messages, which are handled by the system. Online virus checking is another common option offered by most web-mail services. Online service providers will generally be responsible for the maintenance of the systems on which the service is provided, thereby alleviating users of that responsibility.

Regardless of whatever protections client and web-based mail may offer, users are never completely protected against all risks while using e-mail. These risks will be discussed below, as will some of the behaviors that users can practice to minimize their vulnerability to these risks.

Password theft

On most e-mail systems, the only information needed to get to a user's Inbox is the authentication information: the user's username and password. Most home or small business users make no attempt to use passwords that are hard to guess, opting instead for simple passwords that can be easily remembered, such as a spouse's name, a pet's name, or a simple numeric combination. Unfortunately, these can also be easily guessed. In addition to guessing passwords, hackers may also use password crackers, programs that try all words found in a dictionary against a username and determine the correct password to access the user account. (For more on password crackers, please see A. Cliff's SecurityFocus article Password Crackers - Ensuring the Security of Your Password.

Using weak passwords will jeopardize the security measures of any e-mail program. More alarmingly, because many users use the same password for many applications, if an e-mail password is successfully stolen, the user's entire system may be in jeopardy. To avoid having their passwords stolen, it is important that users select passwords that are difficult to guess. It is strongly recommended that the password not be a direct translation of some fact about the user (such as a birthday, spouse's name, etc) that potential crooks can gain easy access to through social engineering (techniques that trick people into revealing passwords or other personal information that can be used to compromise a system's security.) Generally speaking, it is recommended that users choose passwords that 7 - 9 characters. The passwords should also incorporate characters from each of the following character sets:

• Upper case letters (A, B, C,)
• Lower case letters (a, b, c)
• Numbers
• Non-alphanumeric characters (&, *, #)

It is also recommended that users change passwords on a regular basis. This can make it quite difficult to remember the passwords; however,. Also, passwords should not be written on post-it notes or taped to the monitor, since they may be accessible to anyone who may be near your computer.

Password theft is more common when using web-based e-mail because when a web browser accesses a server, it stores some information in the browser cache. This information, which can include password information, remains in the cache after a user logs out of the system. Because of this, web-based mail systems offer multiple authentication options for logging in securely. When using 'Standard' login, the username and password is sent in clear text between the browser and web server. As a result, passwords may be easily captured or intercepted in transit by a knowledgeable hacker. To prevent this from happening, a second option, 'Secure login', should be used. In this option, the information sent between the user and the web server is encrypted (using a technique call 'Secure Sockets Layer' or SSL) so the information is not readable even if intercepted. (For users interested in verifying if the communication is being done securely, a lock on the web page shows when the session is being encrypted and clicking on the lock will reveal additional information such as details about a digital certificate and degree of encryption being used during the session).

On many web-based e-mail programs, a third option is also available that is used when using computers in shared environments (such as public libraries, computer labs, and Internet cafes). To prevent authentication information from being stored, the 'Shared computer login' option makes sure all cached pages containing users' data is deleted when the user logs out, thus preventing any curious individual from stumbling across users' personal data by looking through the cached files.

To avoid the inconvenience of logging in and out of web-based e-mail programs, some web sites also offer the convenience of keeping the user logged in by storing the password in the browser cache or in a cookie. Users should be careful when selecting this option since any other user may be able to use the account if the original user steps away from the computer. This option should only be used if no one else has physical or network connection to the users' computer.

Information Theft

E-mail was developed with convenience, rather than security in mind. The truth of the matter is that all of the information that users include in their e-mail is transparent, meaning that it can be read at any point in time between transmission and reception. If individuals are disclosing private information, such as credit cards, passwords, personal information, this can be very risky. Furthermore, people acting on behalf of their businesses may be in the habit of exchanging sensitive or proprietary information by e-mail. This can also be very risky.

In order to mitigate the risks, there are certain things that users can do. First of all, users should not exchange any information over e-mail that they do not want strangers to read. While this may sound somewhat paranoid, it may be better to err on the side of caution: better safe then sorry. Unfortunately, this is not always possible. If private or sensitive information must be exchanged, users should become accustomed to using encryption programs. Readers interested in trying encryption are encouraged to download the free program Pretty Good Privacy (PGP).

Filtering

Most e-mail users are familiar with spam, unwanted, unsolicited advertisement e-mails. While spam is generally more an annoyance than a security concern, it can be used to overload a users' system. An e-mail filter can be employed to protect against spammers. The filtering capabilities in a system allow users to make decisions about where the incoming mail should be directed. To manage e-mail, it is a good idea to initially setup folders such as 'Work', 'Home', 'Business', 'Projects', 'Trash', etc. The user can then set rules that will automatically forward incoming mail to the appropriate folder. When message headers contain words and phrases that are commonly used by spammers, such as "Make Money Now", they can be directed to the 'Trash' folder.

Filtering also can look for e-mail addresses in the header of a message. A common trick used by spammers is to bcc: (blind carbon copy) thousands of users to facilitate mass mailing. Filters can be setup to trash all messages in which the user is not the primary recipient. For web-based programs, some additional filtering options include the ability to restrict incoming mail according to the users' address, domain names, subject line headers, attachment file size, etc. It may take a while to setup proper rules, but once this is done, they can facilitate efficient use of e-mail and increase user productivity.

Computer Viruses

The proliferation of computer viruses continues to be a thorn in the side of Information Technology professionals and users. Viruses have the potential to cause damage to valuable data and to tie up systems and networks. A new virus may wreak havoc by deleting files and making services unavailable to users. Viruses are programs or instructions that are written to intentionally cause damage when executed, such as displaying a harmless message on the screen (to promote a hacker cause such as 'Legalize marijuana'), deleting all files in the operating system directory, or capturing user information over several days and surreptitiously mail this to a hacker address. Viruses may be programmed to replicate themselves and mail copies of themselves to every address in the infected user's address book. Finally, a virus may lodge itself in the startup directory so it is activated each time the computer is started, this can be used to monitor the actions of the user after a predetermined interval by mailing the information without the user knowing about it.

Viruses are often distributed by e-mail because virus-writers know that e-mail can spread the virus very quickly. The primary means of spreading viruses is through attachments, files that are attached to the e-mail that the recipient then opens up, thereby activating the malicious program.

Anti-virus Software

It is purely common sense to run anti-virus software in order to protect against viruses. However, anti-virus programs are not load-and-leave software, they require on-going upkeep. It is important that users get in the habit of regularly updating their software, preferably as often as once a week. Most reputable anti-virus vendors offer update services on their website so that users can ensure that their programs are able to detect the most recent viruses. It is also important that users periodically (once a year, for instance) update the engine of their anti-virus software so that the program is as powerful and efficient as possible.

Attachments

E-mail attachments from unknown sources are considered to be very dangerous since they have the potential to contain any type of script, virus and/or executable program that can cause severe damage to files and/or disks on the users' computer. In fact, even attachments from trusted sources may contain scripts or macros that the sender unknowingly passes along to the recipient. On downloading an attachment and opening it, a user can trigger a sequence of events that may cause a series of events, often without the user's knowledge.

There are several secure behaviors that users should practice to minimize their risk of infection by viruses through attachments. The first is that users should never open an attachment from an unknown source. The best idea is to delete any attachment, along with the entire e-mail, that comes from unexpected sources. Secondly, if an unexpected attachment is sent from a known address, such as a friend, family member or colleague, users should get in the habit of confirming with the sender that he or she sent the attachment and that the attachment is safe. Remember, some viruses are programmed to proliferate by sending themselves to every address in the victim's address book, so a virus may have been sent from a friend's e-mail without their knowledge. The third practice to adopt is to always scan attachments with an anti-virus program prior to opening it, just to make sure that the attachment is not infected.

E-Mail Preview Window

Some viruses are sent as executable attachments that contain scripts or macros that are run when the attachment is launched. Some attachments can even be launched automatically after being downloaded. It is therefore a good idea to turn off options that launch programs automatically and setup filters to screen out executable files or script programs. Many e-mail programs have a 'Preview' option that allows the reader to see the first few lines of a message by selecting the message subject. While this feature can be very helpful, some viruses have been written that will execute upon being previewed by this feature. As a result, users should disable the preview option. While this step will eliminate the convenience of the preview feature, it will also reduce the risk of activating a malicious script.

Conclusion

Realizing the need to help users increase the security of e-mail, many companies are proposing innovative solutions. Some examples of these are messages that can only be opened by users who have authenticated themselves using Smart Cards, Tokens, or Biometric technologies (such as fingerprint or retinal scan), messages that cannot be forwarded or printed, e-mail that is electronically shredded after a certain amount of time specified by the user etc. Even when these solutions are fully tested, implemented and become widely acceptable, there will almost certainly be continued risks in using e-mail. Regardless of technological advances, e-mail users should always practice good, secure e-mail habits. It is hoped that the secure behaviors introduced in this article will help users minimize their security risks.

In addition to the e-mail risks that we have discussed here, surfing the World Wide Web brings other security risks. In the next article we will look at these risks and threats, and will discuss secure behaviors for the Internet.

To read Secure Online Behavior, Part Three: Using the World Wide Web, click here.

Dr. Sunil Hazari is a faculty member in the R. H. Smith School of Business and Office of Information Technology at University of Maryland, College Park. His teaching and research interests are in the areas of E-commerce security, usability, and infrastructure design.