Your Email Is Under Attack — Fight Back!

In late September of 2016, Yahoo! announced a massive security breach whereby hackers stole information from around half of their one billion users. The catch? The security breach occurred in 2014.

Data from the Ponemon Institute shows that companies take an average of 191 days to identify a breach. It then takes, on average, 58 days to contain and resolve it. So how did a major email provider like Yahoo! let a security breach of this magnitude occur and then go unnoticed for two years? So far, there are no insights into how this happened.

The worst part about this particular breach is the far-reaching effects it may potentially have on Yahoo! users’ privacy. When The New York Times interviewed Alex Holden of Hold Security about this, he explained, “The stolen Yahoo! data is critical because it not only leads to a single system but to users’ connections to their banks, social media profiles, other financial services and users’ friends and family.” That’s true of all email hacks.

Here’s the deal: over 180 billion email messages are sent out every day. They come from Yahoo!, Gmail, Outlook, and other email providers — each of whom has its own method for encrypting email. It’s clear enough from this recent attack that it’s not enough to rely on providers’ encryption methods. As a user, you’ve got to take responsibility for your own email security and privacy.

If you want to stop waiting to be the victim, check out the infographic below to find out how you can fight back.

Your Email Is Under Attack, but You Can Fight Back

From coordinating work projects with colleagues to planning next year’s family reunion, emails have become essential to our everyday lives. But are your contacts the only ones reading your email? Are you the only one sending email from your account? The truth is, you may not know. This infographic will help you detect threats and secure your inbox.

The Numbers

  • There are over 4.1 billion email accounts worldwide
  • Worldwide, about 183 billion email messages are sent daily
  • Major Email Providers
    • Gmail
      • 425 million global users
      • About 80% of emails sent from Gmail to other email providers were encrypted as of October 2015
      • About 61% of emails sent from other email providers to Gmail were encrypted as of October 2015
    • Yahoo!
      • 200 million global users
      • Made encryption the default in early 2014, so communications between Yahoo! users are 100% encrypted
    • Microsoft Outlook
      • 400 million global users
      • Messages encrypted around 50% of the time
  • Hacking is a major problem as these recent examples illustrate:
    • Comcast
      • Event: NullCrew FTS hack on email servers
      • When: February 6, 2014
      • Results:
        • NullCrew FTS claimed they hacked 34 servers via a single vulnerability
        • Published sensitive information
          • List of company’s mail servers
          • A link to the root file
        • Breach sat open for 24 hours
          • Vulnerable to malicious hackers before being closed and a statement issued
    • Google
      • Event: accounts attacked
      • When: 2014
      • Results:
        • 4.93 million accounts compromised
        • English, Russian, and Spanish speaking accounts
        • Usernames and passwords posted to a Russian bitcoin forum
        • As many as 60% of accounts were still in use when posted
          • Some accounts posted could have been compiled from older hacks from outdated accounts on other sites
        • Possible that passwords originated from a non-Google website
    • Yahoo!
      • Event: Attempted email hack
      • When: 2014
      • Results:
        • Malicious software used a list of Yahoo! Mail accounts and passwords
          • Probably from a compromised third-party database
        • Tried to get names and email addresses from Yahoo! email users’ sent messages
        • Yahoo! immediately advised users to reset passwords
    • Mail.ru, Gmail, Yahoo!, and Microsoft
      • Event: Millions of email usernames and passwords released
      • When: May 2016
      • Results:
        • Original reports stated 272 million accounts had been hacked
        • They later found that it was not a large-scale attack, but instead a compilation of information that had been collected from third-party sites over a long period
        • Yahoo! denied the attack
        • Google stated that 98% of the data was “bogus”
        • Mail.ru reported that only 0.018% of the information released on their accounts was current and correct
        • Since the data was collected over time, much of it was out of date
          • The immediate reaction from media caused the hack to seem much worse than it was
    • Democratic National Committee (DNC)
      • Event: DNC emails were hacked and released to WikiLeaks
      • When: 2016
      • Results:
        • Nearly 20,000 emails between DNC members were stolen, among other data
        • Some US officials believe Russian intelligence was involved in the attack
        • The leak caused waves in the 2016 Presidential election

The Growing Popularity of Encryption

  • Email threats are making encryption more attractive to users
    • Even if servers are compromised, the user’s mail is not
    • Encryption also helps against:
      • Hackers
      • Viruses
      • Phishing
      • Spam
      • Identity theft
  • How encryption helps
    • Garbles email messages into a code
      • Military-grade public key encoding systems are available
    • Makes snooping more difficult, time consuming, and expensive
    • Generally, both the sending and receiving email providers need to support encryption
      • Increasingly, email providers are encrypting messages using Transport Layer Security (TLS).
        • Including
          • AOL
          • Comcast
          • Hotmail
          • Facebook
          • Yahoo
          • Twitter
          • LinkedIn
          • Microsoft Outlook
      • Some providers also use Elliptic Curve Diffie-Hellman key exchange
        • Creates a one-time decryption key
        • Providers include
          • Google
          • Facebook
          • Twitter
  • What the major email providers are offering
    • Google
      • Automatic encryption of emails using Transport Layer Security (TLS)
        • Both sender and receiver must have TLS for encryption to be secure
      • User-friendly End-to-End plugin for Chrome
        • Allows encryption both in transit and on the server
        • Encrypts emails even from Google’s eyes, restricting its marketing strategy of scanning user emails to show targeted ads
        • More secure encryption regardless of whether the other party has encryption software
        • Could even help prevent security agencies like the NSA from reading the emails
    • Yahoo
      • Uses Secure Sockets Layer (SSL)
        • Seen by the “HTTPS” in the browser bar
      • Considered less secure than Perfect Forward Secrecy (PFS) encryption
        • SSL allows attackers to capture an encrypted session and find a key to it later
        • PFS uses temporary keys, making decryption more difficult at any time
      • End-to-end encryption
        • Modified version of Google’s plugin
        • Should communicate securely with Gmail as well as Yahoo! users
    • Microsoft Outlook
      • At the end of 2013, Microsoft promised stronger encryption
        • Default encryption for internal messages
        • Include PFS encryption
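
The points above about TLS between providers and temporary (forward-secret) keys can be checked on a message you have received. The following Python code is an added example, not part of the original infographic: it reads the `Received:` trace headers and reports, hop by hop, whether the transfer was plaintext, TLS, or TLS with an ephemeral (EC)DHE key exchange. The sample message, host names and header layouts are constructed assumptions; real servers format these lines differently.

```python
import re
from email import message_from_string

# Constructed sample (newest hop first); header layouts follow common
# Postfix- and Gmail-style trace lines but vary between mail servers.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.com with ESMTPS id c3
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
\tMon, 3 Oct 2016 10:00:05 +0000
Received: from out.example.org (out.example.org [192.0.2.10])
\t(using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits))
\tby relay.example.net (Postfix) with ESMTPS id b2;
\tMon, 3 Oct 2016 10:00:03 +0000
Received: from laptop.local (unknown [203.0.113.5])
\tby out.example.org (Postfix) with ESMTP id a1;
\tMon, 3 Oct 2016 10:00:01 +0000
From: alice@example.org
To: bob@example.com
Subject: constructed sample

hello
"""

TLS_WITH = re.compile(r"\bwith\s+(?:ESMTPSA?|LMTPSA?)\b")   # RFC 3848 keywords
VERSION = re.compile(r"(?:using\s+|version=)((?:TLS|SSL)[\w.]+)")
CIPHER = re.compile(r"cipher[ =]([\w-]+)")
EPHEMERAL = re.compile(r"(?:^|[-_])(?:EC)?DHE[-_]")         # (EC)DHE key exchange

def classify_hop(received):
    """Return (receiving host, 'plaintext' | 'tls' | 'tls+fs') for one header."""
    text = " ".join(received.split())                        # unfold the header
    host = re.search(r"\bby\s+(\S+)", text)
    version, cipher = VERSION.search(text), CIPHER.search(text)
    if not (TLS_WITH.search(text) or version or cipher):
        status = "plaintext"
    elif (cipher and EPHEMERAL.search(cipher.group(1))) or (
            version and re.search(r"1[._]3", version.group(1))):
        status = "tls+fs"      # TLS 1.3 always uses ephemeral key exchange
    else:
        status = "tls"         # encrypted, but key exchange not shown as ephemeral
    return (host.group(1) if host else "?", status)

def audit(raw_message):
    """Classify every hop, oldest first, so the path reads in delivery order."""
    msg = message_from_string(raw_message)
    return [classify_hop(h) for h in reversed(msg.get_all("Received", []))]

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host:20} {status}")
```

Only the headers added by your own provider's servers can be relied on; earlier `Received:` lines are written by systems outside your control and can be forged.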

Lock Down Your Inbox

  • Aspects of Email Security
    • Spam filtering
    • Attachment scans
      • Roughly 10% of viruses are delivered this way
    • Firewalls
      • Secure instant messaging
      • Spyware protection
    • Identity protection
    • Unsafe content blocking
    • Encryption
  • Safe practices
    • Have anti-virus software installed
    • Use strong passwords that are changed regularly
      • Use different passwords on different sites
      • Don’t reuse email passwords elsewhere
    • Delete emails from suspicious sources
      • Strangers
      • Unexpected links or attachments
      • Suspicious emails from friends and family
        • They may have been hacked
    • Don’t click on links or attachments unless they are trusted
    • Delete spam and forwarded chain emails
    • Use “BCC” option for large email address lists to reduce spammer access
      • BCC is Blind Carbon Copy
      • Keeps email addresses “blind” to other recipients so the sender doesn’t share them among strangers
      • Helps prevent spam-bots and viruses from sifting through the email for new targets
    • Don’t respond to pleas for personal information or passwords unless verified by calling the company, bank, or institution directly
    • Sign out of accounts when finished checking them
    • Have separate email addresses for:
      • Friends and family
      • Banking and financial matters
      • Subscriptions and competitions
    • Many public wi-fi connections do not encrypt
      • Use the encryption software on your device
    • Use two-step verification for logging in
      • Makes logging in more difficult for unauthorized users
      • On a new or public computer or mobile device (an “untrusted” device, since it hasn’t been used to log in before), the user is sent an authentication code via text, phone, or email as a second step to sign in
      • Offered by Gmail, Apple, Dropbox, and Facebook
    • Lock devices to require passcodes to access them

With diligence in using security features and wisdom in removing suspicious messages, email users can continue to connect confidently without putting their inboxes at risk.

Sources: google.com, usatoday.com, microsoft.com, computerweekly.com, sourcedigit.com, zdnet.com, businessinsider.com, engadget.com, chatdanger.com, theguardian.com, digitalunite.com, theguardian.com, ibtimes.com, pcmag.com, techdirt.com, theregister.co.uk, techrepublic.com, rutgers.edu, fortune.com, nbcnews.com

Brenda is a freelance writer. She works with us through her company The Digital Inkwell. You can find her tech work (especially on WordPress) throughout the internet. In addition, she publishes science fiction and fantasy stories under the name Brenda Stokes Barron. She lives with her husband and two children in southern California.
