Thursday 22 April 2021

Sending confidential emails in Gmail

In an office or work environment we are used to sending encrypted email from Outlook or other mail clients, with a PKI and S/MIME certificates in place.

I was trying to explore how to make my email from Gmail more secure (of course one can't ask for the moon on a free service). It turns out Gmail does offer a confidential mode. Here are the settings.


The first thing to notice is that recipients will not be able to forward, copy, print, or download such emails.

You can send the mail without a passcode: another Gmail user can then open it directly, while recipients on other services are emailed a passcode to open it.

If you choose an SMS passcode, you get a screen to enter the recipient's phone number on hitting send (this option cannot be used if you don't have the recipient's number).



An option to set an expiry on the mail (after which the recipient can no longer open it) is also present.

Although this feature looks more like a second factor on opening the mail than encryption, something is better than nothing. Note that it is not end-to-end encryption: the content still sits on Google's servers in readable form, and nothing stops a recipient from taking a screenshot or photo of it.


PS - Thanks Google for considering such a feature on personal email service.



Thursday 29 August 2019

List of Enterprise Security (Information) Architecture Frameworks

There are many ways in which enterprise information security can be designed, and multiple architecture frameworks can be followed. Below is a list of some open frameworks.


SABSA – Sherwood Applied Business Security Architecture
DoDAF – The U.S. Department of Defense (DoD) Architecture Framework
E2AF – Extended Enterprise Architecture Framework, from the Institute For Enterprise Architecture Developments
FEA – The United States Government Federal Enterprise Architecture
MODAF – The UK Ministry of Defence (MOD) Architecture Framework
NIH Enterprise Architecture Framework
OSA – Open Security Architecture
IAEAF – Information Assurance Enterprise Architectural Framework
SOMF – Service-Oriented Modelling Framework
TOGAF – The Open Group Architecture Framework
Zachman Framework

Wednesday 22 February 2017

How much is your personal data worth?

I was reading the news when I came across the Verizon - Yahoo deal, in which the former wants to buy out the latter's core business (Flickr, Tumblr, etc.). Some interesting stuff caught my eye and I wanted to share it with readers of this blog. This is more of a back-of-the-envelope calculation, and the views expressed are my personal opinion.

So Verizon plans to buy Yahoo's core business, and Yahoo had failed to disclose some significant data breaches in the past.

There had been two, but I will talk about the 2013 breach of 1 billion records. The records stolen were names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.

Verizon asked for a $350 million rebate on the asking price after the breach was revealed to it. This might seem a low figure, but according to a Washington Post article Verizon studied user behaviour after the breach and found that the number of users leaving Yahoo services was not significant enough to demand a billion-dollar rebate. The article also states that Verizon would split liabilities with the remaining Yahoo business (after the sale).

So if we take this figure of $350 million and double it to account for the split liabilities, it amounts to $700 million. Dividing that by 1 billion, the number of records breached, gives $0.70, or 70 cents a record.

The data is, however, worth a lot more to the Yahoo users whose records were leaked, since those records can be used to wreak havoc: a hashed password can be cracked and tried against the same user's other accounts, and security questions and answers can be replayed against account recovery at other services.



Tuesday 1 March 2016

Impact of human error in breaches

We tend to blame a system for a security breach. The reality is that human error, voluntary or involuntary, is the number one cause of cyber security breaches. Here are some points to consider:

1. Social engineering: This is still the biggest cause of leaks. Phishing is an example of social engineering. In simple language, any means by which a human can be coerced into divulging confidential information is social engineering. An abject lack of infosec awareness still plagues most organizations and individuals. Honestly, the basis of cyber security is mere common sense.

2. Backdoors or zero-day hacks: These are attacks that take advantage of either a poor piece of code or ill-configured devices. Again, who configured or coded them in the first place?

3. Lack of stakeholder commitment: Small and medium-sized businesses that are not heavily into IT tend to ignore the cyber threat to their business as usual. These are the most likely to fall prey to scams, spam and malware. They do not realize that it is not the IT infrastructure that faces the threat; it is the information that is vulnerable to attack.

4. Security is a virtue, not a product: Decades of research and effort went into improving quality once people realized its importance in the industrial revolution era. In the information revolution era, people should understand that security has the same importance as quality.

5. To err is human: True, humans cannot be right 100% of the time, but a conscious effort can bring the numbers close to that. Plus there are means and measures like a continuity plan and disaster recovery for the remaining percentage.

6. Information security is nerdy gobbledygook: Maybe, but so is the theory of aerodynamics. Does that prevent anyone from flying? You have information that you have to protect; all you need to know is how. Leave the rest to the researchers.

7. The "I have antivirus" syndrome: Just get over it! Antivirus is not enough. As I said earlier, it is your data that is vulnerable, and there are a hundred more ways in which you willingly share your personal data with unintended audiences.

To add to this, I am putting an interesting number here: "... potential annual cost to a company in the event of a successful phishing attack is around $3.7 million.." (Source). What is interesting is that most of the loss is due to lost employee productivity, so there goes your quality!

Sunday 7 February 2016

Backdoor

Backdoor: a hidden means of gaining unauthorized access to a system that bypasses the security measures in place. Users are often unaware of it. Anomaly detection can be used to hunt for an existing backdoor.

Tuesday 19 January 2016

Detect Phishing / Malware in an Email


There are countless promotional and other mails in your inbox, a lot of which have malicious intent. Some of them try to extract your personal information. Others might just carry a file that can infect your computer. Here are some tell-tale signs for detecting a spurious email.

A classic social engineering trick is to make it seem like the mail is from a reliable source. In the figure below it says it is from the Reserve Bank of India. It also carries an attachment and has no subject.
This is the first sign, as RBI does not send such emails. One should not open such emails; mark them as spam or delete them right away.
Modern email services do filter many such mails automatically, but some emails do pass the filter.

On opening the mail you can see that the email address is completely unrelated to RBI, confirming that it is a potentially dangerous email.

You can see that there is an image file attached. This file should not be opened or downloaded. The file could be of any format (.zip, .doc, etc.). An unsolicited attachment like this is a strong indicator of malware, and opening it on your system might have severe effects.
Small pieces of code can easily be embedded in such a file to install on your system, and can do anything from nothing at all to installing a keylogger or a virus.

Opening the mail header shows the complete details of the sender: the sending address, the Return-Path (where bounces go) and the Received lines that record which servers relayed the message.

It is easy to understand that a central government institution like RBI would not have an email address like the one shown in the image.
 
What to do if you see such a mail?
 
This part is simple. Just delete the message or mark it as spam. If your email is handled by an IT team, notify them.

Detecting emails such as the one discussed in this post is pretty straightforward. Sometimes, though, even the email address seems genuine. This can happen when a mail server is hacked and used to send spurious emails, and the From address can also be forged outright (the Authentication-Results header, where your provider adds one, records whether SPF, DKIM and DMARC checks passed). You might also receive such emails from a person you know! This happens when their email account, or the device where their mail client is configured, is compromised.
 
The best policy for emails is to follow these simple steps:
  1. Be very careful with emails from unknown senders.
  2. Check the email header for clues.
  3. Do not open the attachments in unsolicited mails before checking.
  4. If you suspect that a friend's account is compromised, verify with them through another channel.
  5. Delete such mails or mark them as spam.
Many of us are not aware of such threats, and even aware people fall prey to them, so please be careful.
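The header and attachment checks described in this post can be mechanized. The following is an added example, not code from the original post, using only Python's standard library. It parses a constructed message that mimics the one discussed above (a display name claiming to be the Reserve Bank of India, an unrelated sending address, no subject, an image attachment) and reports the discrepancies: display name versus sender domain, Return-Path and Reply-To versus the From domain, empty subject, and any attachments, flagging risky or double extensions. The sample message and all its addresses are invented; the brand-to-domain map (rbi.org.in) and the risky-extension list are assumptions to adjust for your own environment.

```python
"""Header and attachment checks for a suspicious e-mail (stdlib only).
The sample message below is constructed for this example; the brand map
and the risky-extension list are assumptions to maintain per deployment."""
import os
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: brands we expect mail from and the sender domains they use.
# rbi.org.in is the RBI's public web domain; add others for your own users.
BRAND_DOMAINS = [
    ("reserve bank of india", {"rbi.org.in"}),
]

# Attachment types that commonly carry executable content, scripts or macros.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1",
                    ".jar", ".zip", ".rar", ".7z", ".iso", ".lnk", ".htm",
                    ".html", ".docm", ".xlsm"}

# Constructed sample: claims to be from RBI, has no subject, carries an
# "image" attachment, and its envelope and reply addresses point at
# unrelated domains. All addresses and hosts here are invented.
SAMPLE_PHISH = b"""\
Return-Path: <bounce@bulk-sender.example>
Received: from bulk-sender.example (unknown [198.51.100.23]) by mx.example.org
From: "Reserve Bank of India" <promo1234@mailer.example.net>
Reply-To: claims@free-webmail.example
To: victim@example.org
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Dear customer, open the attached notice to claim your refund.
--BOUNDARY
Content-Type: image/jpeg; name="RBI_notice.jpg"
Content-Disposition: attachment; filename="RBI_notice.jpg"
Content-Transfer-Encoding: base64

bm90IHJlYWxseSBhbiBpbWFnZQ==
--BOUNDARY--
"""


def _domain(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, spec = parseaddr(str(header_value or ""))
    return spec.rpartition("@")[2].lower()


def _on_domain(domain, allowed):
    """True if domain equals, or is a subdomain of, any allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def analyse(raw):
    """Return a list of findings (strings) for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    display, from_spec = parseaddr(str(msg.get("From", "")))
    from_domain = from_spec.rpartition("@")[2].lower()

    # 1. Display name borrows a brand, but the address is not on that brand's domain.
    for brand, domains in BRAND_DOMAINS:
        if brand in display.lower() and not _on_domain(from_domain, domains):
            findings.append(f"display name {display!r} claims {brand!r} "
                            f"but From domain is {from_domain!r}")

    # 2. Envelope sender (Return-Path) on a different domain from the From header.
    rp_domain = _domain(msg.get("Return-Path"))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain!r} differs from From domain {from_domain!r}")

    # 3. Replies redirected to a third domain.
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # 4. Missing or empty subject.
    if not str(msg.get("Subject", "")).strip():
        findings.append("empty Subject")

    # 5. Record every attachment; flag risky or double extensions (e.g. invoice.pdf.exe).
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        stem, ext = os.path.splitext(name.lower())
        findings.append(f"attachment present: {name} ({part.get_content_type()})")
        if ext in RISKY_EXTENSIONS or os.path.splitext(stem)[1]:
            findings.append(f"risky attachment name: {name}")
    return findings


if __name__ == "__main__":
    for line in analyse(SAMPLE_PHISH):
        print("-", line)
```

Run as a script it prints five findings for the sample; pass it a message saved from your own mailbox (raw source, as bytes) to check the same points. The checks are deliberately simple header comparisons; they do not replace SPF, DKIM and DMARC validation, which your mail provider performs on the envelope and signatures.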