April 13, 2016

Encryption the rage, email missing in conversation

Aleks Gostev

There is and always has been an inherent tension between an individual's right to data privacy and wider security concerns. This is unlikely to change, although the priority may shift depending on the geopolitical or security context. The important thing is to strike the right balance. Encryption sits at the heart of data privacy, and as the recent news shows, the debate about encryption is a heated one.

Can anyone doubt that making products more secure makes the world a safer place? I don’t think so. And we can applaud the efforts of Apple and WhatsApp to protect the privacy of their users’ data by introducing end-to-end encryption into their instant messaging services.

Their actions mean that email is now the most insecure form of digital communication. Free email services transmit messages across networks in plain text, and users have no guarantee that their data is stored safely.

Not surprisingly, email is one of the primary vectors for cyberattack. It enables malicious actors to gain access to users’ and companies’ networks, their information and their money. The content of emails is itself a target for attackers. At Kaspersky Lab, we regularly encounter attacks that target email databases. We see more and more Chinese-speaking actors attacking companies with the aim of accessing their emails. And one of the most recent, and certainly the largest, examples of data exfiltration – the “Panama Papers” – is also believed to have come about following the breach of an email server last year. It’s frighteningly easy for attackers to get their hands on messages in plain text.

End-to-end encryption will prevent attacks such as man-in-the-middle, where a malicious actor intercepts the email between the user and a server. But somehow that level of protection is rarely provided.

Encrypting email by default, or out of the box, is hard. There are tools and plugins that an experienced user can use, but you need a certain level of computer knowledge to properly install and use encrypted mail. The majority of Internet users don't have such skills. There are some free encrypted email services on the market like ProtonMail, but unless these services have a billion users, they will not become a global solution to the problem of insecure email.

Email is the communication method most in need of encryption. The sooner, the better. The solution needs to come from the developers of the top email software, such as Microsoft's Outlook Exchange. WhatsApp got it right: encrypt everything, for one billion users, in one go. Email, it's your turn now.

By Aleks Gostev, Chief Security Expert, Global Research and Analysis Team (GReAT), Kaspersky Lab
