The majority of my favorite security disaster stories have one thing in common: e-mail. Either it's a garden-variety e-mail worm knocking out SMTP servers, an insecure SMTP relay, an unpatched Windows machine abused as a junk e-mail proxy, or data interception using a packet sniffer.
But at the top of the list of e-mail security woes is simple human ignorance. Users often forget that e-mail is only one of many methods of data transmission, and sometimes it's not the best way to communicate information.
At any point between two Internet locations, it's possible to passively record digital data—and this often occurs. Technology advances so rapidly that feature-rich e-mail client software often lulls people into a false sense of security. But the fact that your e-mail software looks good and doesn't crash doesn't make it secure.
Even with advanced data encryption tools such as Pretty Good Privacy (PGP), a recordable trail of information still exists. It's in system logs, left over on hard drives, and perhaps even captured "on the wire" at any point between your computer and someone else's.
I'm not the first person to note the ridiculous trust that people place in e-mail, but I think people just aren't listening. At the basic level, the SMTP protocol used for e-mail transmission and relay is just a stream of data.
Like most Internet protocols, SMTP data streams have no encryption or any other protection. There are newer implementations of SMTP that can use Secure Sockets Layer (SSL), but these systems must remain backward-compatible with the existing clear-text SMTP standard.
Encrypting e-mail content before sending is generally a best practice for bolstering e-mail security. But PGP is no substitute for using a little common sense and being more aware of e-mail security issues in general. And that means accepting that sometimes e-mail isn't the best method of communication.
A few days before I wrote this article, I had a lengthy discussion about e-mail security with a coworker, specifically referring to the interception and storage of e-mail at multiple locations. Remember that even if you've encrypted the data itself, it's still possible to determine where e-mail came from and went to via e-mail server logs.
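The point above, that encrypting the body still leaves the routing trail readable, shown as an added example that is not part of the original article. It parses a constructed PGP-encrypted message with Python's standard `email` module and returns what any relay, log or stored copy still exposes; all hostnames, addresses and the ciphertext placeholder are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a PGP-encrypted message as a receiving server would store it.
RAW = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\tby mx.recipient.example with ESMTP id 4F2A1; Mon, 03 Mar 2003 09:15:02 -0500
Received: from workstation7 (dsl-17.sender.example [192.0.2.77])
\tby mail.sender.example with SMTP id 9C0D3; Mon, 03 Mar 2003 09:14:58 -0500
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Subject: Q1 numbers
Date: Mon, 03 Mar 2003 09:14:55 -0500
Message-ID: <constructed-0001@sender.example>

-----BEGIN PGP MESSAGE-----

hQEMA0constructedPlaceholderCiphertextOnly==
-----END PGP MESSAGE-----
"""

# Each relay prepends "Received: from <peer> ... by <server> ...; <timestamp>".
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?;\s*(.+)", re.S)

def visible_metadata(raw):
    """Return everything readable without the recipient's private key."""
    msg = message_from_string(raw)
    hops = []
    # Received headers are stacked newest-first; reverse to follow the path.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            hops.append((m.group(1), m.group(2), " ".join(m.group(3).split())))
    recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {
        "from": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "to": [addr for _, addr in getaddresses(recipients)],
        "subject": msg["Subject"],  # PGP encrypts the body, not the headers
        "hops": hops,
        "body_encrypted": "-----BEGIN PGP MESSAGE-----" in msg.get_payload(),
    }

if __name__ == "__main__":
    for key, value in visible_metadata(RAW).items():
        print(f"{key}: {value}")
```
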
Of course, I'm not saying that people shouldn't use e-mail, but we should use it wisely and with more thought. The only way to guarantee e-mail security, though, is to not use e-mail at all.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.