RETURN ON TECHNOLOGY: Beware: e-mail is bastion of many security lapses

Tell the truth-you’ve “Googled” yourself, haven’t you? All of us have, or at least we should. It’s interesting for me to do it for myself, because I’ve been an Internet denizen since before the Web was woven, when all most of us did was exchange e-mails.

What chills me sometimes is how far back the Google results for my name can go, clear into the mid-1990s in some cases. The ‘Net never forgets anything. If you have doubts about that, go to www.archive.org, the famous Web “way-back machine” and look up IBJ’s Web site from November 1996. A little different from today’s, huh?

Not only does the Internet have an eidetic memory, but it’s alarmingly unprotected, too. The little packets of data that fly around the Internet pass through a plethora of computers in many locations before they’re assembled at their destinations, and any one of those way stations can read what’s in the packets.

That includes personal information, real estate quotes, stock prices and all the rest of the business communication we’re so used to plopping into those handy little messages. And if we don’t put sensitive facts into our e-mails, our recipients often do when they forward them. A lot of business e-mail users put compromising or proprietary information in e-mails all the time, without a thought of what might happen to it all.

Many security lapses are unintentional. For example, a “blast,” or multiple-recipient broadcast, may be sent by just putting a lot of e-mail addresses into the “To” field. But then all the recipients know who got the message, and they now have those recipients’ e-mail addresses, too. That’s how those addresses get leaked to spammers. Using the “BCC” field prevents it. E-mails also have legal and regulatory importance, and have figured in a good many lawsuits. The problem of hasty, misleading and insecure emails will only get worse as more of us send e-mail from our phones, rather than our computers.

E-mail was never designed to be secure, anyway. It was designed to be simple. Only much later did security become an issue. There is software that will encrypt e-mails for you, so you can send all those packets around the Internet with confidence. Encryption scrambles the message, so even when it’s stored on servers it can’t be read by the casually nosy. You won’t get most encryption schemes past the Secret Service, but they work fine for ordinary business.

Two of the most popular encrypting standards are PGP (Pretty Good Privacy) and S/MIME. As usual in computer technology, the two standards are incompatible, and they’re struggling for ascendancy. Opensource software like Linux, Firefox and Thunderbird tend to favor PGP, while Microsoft seems to have largely thrown its weight behind S/MIME. In fact, if you have either of the past couple of versions of Microsoft Outlook, you have encryption built in using S/MIME (not PGP, too, alas).

One problem with Outlook’s approach is that, to use the S/MIME encryption, you have to get a digital ID, and that costs money. Another is that the recipient has to have a compatible e-mail decrypter. PGP doesn’t need a third-party “key”; it uses one it generates itself.

PGP has a more interesting history, too. It was created by Phil Zimmerman back in 1991, when the U.S. government was starting to get nervous about bad guys using encryption software. But good guys need encryption, too, and preferably encryption the government can’t decode at will, so in anticipation of a law regulating encryption software, he got PGP done first.

The federal government still investigated him for a few more years before finally dropping the case. You can buy PGP plug-ins for Microsoft Outlook from companies like Veridis (www.veridis.com). Software rebel Zimmerman went on to vent his capitalistic instincts by founding PGP Inc., where he still works on occasion as a consultant. PGP (www.pgp.com) has several PGPbased products, including one that works with Microsoft Outlook.

If you want to have some fun with your encryption, investigate steganography. You can embed messages in pictures, using special software. The resulting photo can’t be told from the original with the naked eye. Imagine sending an e-mail with a picture of a puppy and the message, “This is Irvin, our new Irish setter,” but with an embedded message in Irvin’s picture saying, “The buyer won’t move for less than $1.3 million.”

Everybody in the security business is well aware of steganography, of course, and a routine scan of the “steg pic” will show the hidden message. As security goes, it’s right up there with Pig Latin. Security measures like it are called “security by obscurity.” But you can also embed encrypted messages in the picture, making it both secure and obscure. Play with steganography using software from www.newfreedownloads.com.

Altom is an independent local technology consultant. His column appears every other week. Listen to his column via podcast at www.ibj.com. He can be reached at timaltom@sbcglobal.net.