Mail Security

Parallel Polis Cryptosession workshop


Pavol Lupták, Nethemba

Hacking the webmail!

  • Common attack scenarios, sorted from the most effective to the least effective:
    • Social engineering (harvesting / background checks, spear phishing, caller ID spoofing, ...)
    • Exploitation of a vulnerable webmail application (Horde, SquirrelMail, RoundCube, etc.)
    • Credential enumeration against the given mail services (probably works best against well-known, reputable free webmail services)
    • Exploitation of the SMTP/IMAP server

Credentials enumeration

  • SMTP AUTH
  • SMTP ENUM (VRFY, EXPN, RCPT) 
  • IMAP AUTH
  • POP3 AUTH
  • All of these services can easily be targeted with the Hydra smtp, imap and pop3 modules
  • Passwords can be taken from a dictionary (-P) or generated from a charset (-x)
  • It is safer to try each given password against all possible logins before moving to the next password (-u)
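
The defender's view of the enumeration described above is the authentication log. The following is an added example (not part of the workshop material): it parses constructed Dovecot and Postfix syslog lines, which are labelled as constructed and use RFC 5737 documentation addresses, and flags a source that fails authentication repeatedly inside a sliding time window. It separately reports the case where one source walks one password across many logins, which is the pattern the -u option produces. The log formats follow the usual Dovecot `imap-login`/`pop3-login` and Postfix `smtpd` SASL failure messages; the year is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from a real server); addresses are RFC 5737 documentation ranges.
# The first six lines show one client trying one password against many logins,
# the last two show a legitimate user who mistyped once and then logged in.
SAMPLE_LOG = """\
Jun 10 12:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Jun 10 12:00:03 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Jun 10 12:00:04 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<carol>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Jun 10 12:00:06 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 10 12:00:08 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Jun 10 12:00:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Jun 10 12:05:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2, TLS
Jun 10 12:05:30 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2, mpid=555, TLS
"""

LOG_YEAR = 2015  # syslog timestamps carry no year; assumed here for parsing

DOVECOT_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?P<svc>imap|pop3)-login: "
    r"Disconnected \(auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[\d.]+)")
POSTFIX_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")


def _stamp(ts: str) -> datetime:
    return datetime.strptime(f"{ts} {LOG_YEAR}", "%b %d %H:%M:%S %Y")


def parse_auth_failures(log_text: str) -> list:
    """Return one event dict per failed SMTP/IMAP/POP3 authentication; successful logins are ignored."""
    events = []
    for line in log_text.splitlines():
        m = DOVECOT_FAIL.match(line)
        if m:
            events.append({"ts": _stamp(m["ts"]), "ip": m["ip"], "user": m["user"], "service": m["svc"]})
            continue
        m = POSTFIX_FAIL.match(line)
        if m:  # Postfix does not log the attempted login name on SASL failure
            events.append({"ts": _stamp(m["ts"]), "ip": m["ip"], "user": None, "service": "smtp"})
    return events


def detect_bruteforce(events, window=60, threshold=5, user_threshold=3) -> dict:
    """Flag source IPs with at least `threshold` failures inside any sliding window of `window` seconds.
    Many distinct logins from one IP inside that window is reported as password spraying."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for e in evs:
            start = e["ts"] - timedelta(seconds=window)
            hits = [x for x in evs if start <= x["ts"] <= e["ts"]]
            if len(hits) < threshold:
                continue
            users = {x["user"] for x in hits if x["user"]}
            kind = "password-spray" if len(users) >= user_threshold else "brute-force"
            if ip not in alerts or len(hits) > alerts[ip]["failures"]:
                alerts[ip] = {"failures": len(hits), "distinct_users": len(users), "kind": kind}
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(parse_auth_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {a['kind']} ({a['failures']} failures, {a['distinct_users']} distinct logins)")
```

On the sample, only 203.0.113.5 is reported: six failures in eight seconds across four different logins, so it is classified as spraying, while the single mistyped password from 198.51.100.77 stays below the threshold. The same windowed counter is what tools such as fail2ban implement; the point of writing it out is to see that a per-IP failure count alone misses nothing here, but a per-user count would, because each login was tried only once.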

Current mail security issues

  • TLS/SSL client certificates can be used for IMAP/POP3, but they are not well supported by MUAs
  • Most people
    • use simple, guessable passwords
    • do not use two-step authentication
    • do not use any email encryption (PGP, S/MIME)
    • use a complex free webmail from an untrusted provider, with many web application vulnerabilities

Improve your mail security!

  • Enable two-step authentication ( https://www.google.com/landing/2step/ )
  • Set a strong and unique passphrase
  • Use PGP and/or S/MIME encryption
  • Use secure webmail services that use encryption by default, e.g. https://protonmail.com, https://www.hushmail.com, https://tutanota.com, https://www.mailpile.is, https://scryptmail.com
  • Build and use your own physical server, store it in a secure physical location, use SMTP/IMAP over TLS only, use full disk encryption

Two-step Authentication

  • Practically eliminates brute-force enumeration of your login/password
  • A one-time SMS token is sent during the first authentication, or a dedicated application is used for the authentication (e.g. Google Authenticator)
  • Of course, it is useless if both your computer and your smartphone are compromised at the same time.

Set strong & unique passphrase

  • Avoid any dictionary passwords (wordlists for all world languages are publicly available)
  • Avoid dictionary passwords with number or letter prefixes or suffixes
  • Use passphrases (several words at once) instead of passwords
  • Do not use the same password/passphrase on multiple services
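
The following is an added example, not part of the workshop material, of the check behind the first three points: it strips digit/symbol prefixes and suffixes, undoes the usual symbol-for-letter substitutions (that substitution table is an assumption of this example), and looks the remaining core up in a wordlist. The wordlist here is a constructed twelve-word toy standing in for the public full-language lists the slide refers to; the 7776-word size used for the entropy estimate is the size of the Diceware list and is likewise an assumption. The estimate is deliberately pessimistic for anything dictionary-derived.

```python
import math
import re

# Constructed toy wordlist; a real check loads a full-language or breached-password list instead.
WORDLIST = {"password", "summer", "winter", "dragon", "monkey", "letmein", "welcome",
            "correct", "horse", "battery", "staple", "qwerty"}

# Assumed size of a real passphrase dictionary for the entropy estimate (the Diceware list has 7776 words).
ASSUMED_DICTIONARY_SIZE = 7776

# Common symbol-for-letter substitutions undone before the lookup (an assumption of this example).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

_AFFIXES = re.compile(r"^[\W\d_]+|[\W\d_]+$")  # digits/punctuation glued to the front or the back


def dictionary_core(password: str):
    """'Summer2015!' -> 'summer', 'P@ssw0rd123' -> 'password'; None if no letters-only core remains."""
    core = _AFFIXES.sub("", password.lower()).translate(LEET)
    return core if core.isalpha() else None


def is_dictionary_based(password: str, wordlist=WORDLIST) -> bool:
    core = dictionary_core(password)
    return core is not None and core in wordlist


def estimated_bits(secret: str) -> float:
    """Rough guessing-entropy estimate in bits."""
    words = secret.split()
    if len(words) > 1:                      # passphrase: k words drawn from a public list
        return len(words) * math.log2(ASSUMED_DICTIONARY_SIZE)
    if is_dictionary_based(secret):         # one word plus affixes: list lookup plus the affix digits
        affix_len = len(secret) - len(dictionary_core(secret))
        return math.log2(ASSUMED_DICTIONARY_SIZE) + affix_len * math.log2(10)
    alphabet = 0                            # otherwise treat it as random over its character classes
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, secret):
            alphabet += size
    return len(secret) * math.log2(alphabet) if alphabet else 0.0


def verdict(secret: str, min_bits: float = 50.0) -> str:
    if is_dictionary_based(secret):
        return "reject: dictionary word with number/symbol prefix or suffix"
    bits = estimated_bits(secret)
    if bits < min_bits:
        return "reject: too few bits (%.1f)" % bits
    return "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123", "Summer2015!", "abc123", "correct horse battery staple"):
        print(f"{candidate!r}: {verdict(candidate)}")
```

Reuse across services, the last point on the slide, cannot be checked locally at all; it is the reason password managers, rather than stronger single passwords, are the practical answer.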

Use Mail Encryption

  • Despite the fact that true hackers probably do not use PGP and S/MIME (because of many issues, e.g. the absence of forward secrecy), they can help you a lot
  • If you use Gmail, start with https://www.mailvelope.com/
  • Use Thunderbird with the Enigmail PGP plugin
  • For Android there are the APG and PGP KeyRing implementations
  • You can use K9Mail, Kaiten Mail or K-@ with APG (PGP/MIME support is still missing), or Squeaky Mail with PGP KeyRing (with PGP/MIME support)
  • For S/MIME there are CipherMail or MailDroid
  • My favorite mail client candidate is R2Mail2, with great PGP and S/MIME support at once (but it is not open source)

Use Secure Webmails

  • Most free mail services, including Gmail, do not offer any kind of encryption (of emails or of the storage used)
  • They may hand over all your emails to government agents in case of a court order
  • Probably the best countries for secure email:
    • Switzerland
    • Iceland and other Scandinavian countries
  • Protonmail.com, Hushmail.com, Tutanota.com, MailPile.is, Safe-mail.net and SCRYPTmail.com use different approaches to maintain security

Prefer anonymity?

  • Always use the Tor or I2P browser when accessing your webmail service
  • Known Tor hidden webmail services: Lelantos, Sigaint (be prepared for police raids ...)
  • Also see http://www.emailquestions.com/encrypted-email-service-providers
  • New interesting approaches worth checking:
    • BitMessage https://bitmessage.ch/
    • Mute http://mute.berlin/
  • If you are an activist, check https://mail.riseup.net/

Build your own secure mailserver

  • Use your own physical server, located in a secure physical location
  • Use full disk encryption
  • Use SMTP/IMAP over TLS
  • Use strong passphrases / two-factor authentication
  • Use PGP / S/MIME certificates
  • Secure server management using TLS client certificates
  • We can help you with that (www.chrantesvojesukromie.sk, www.chrantesvesoukromi.cz)
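
"SMTP/IMAP over TLS" on your own server comes down to a handful of Postfix and Dovecot settings, and the usual mistake is offering TLS without requiring it before a password is accepted. The following is an added example, not part of the workshop material and not the slide authors' configuration: a small audit that reads flat `key = value` settings and reports the weak ones. The configuration fragments are constructed; the directives (`smtpd_tls_security_level`, `smtpd_tls_auth_only`, `smtpd_tls_protocols`, `smtpd_tls_mandatory_protocols`, Dovecot `ssl` and `disable_plaintext_auth`) are real. One caveat the check encodes: on the public port 25 other MTAs may not speak TLS, so `smtpd_tls_security_level = may` plus `smtpd_tls_auth_only = yes` is the right pair there, and `encrypt` belongs on the submission service in master.cf.

```python
import re

# Constructed configuration fragments (not from any real server): two Postfix main.cf variants and
# two Dovecot variants, one that still lets passwords travel in the clear and one hardened.
WEAK_POSTFIX = """\
# TLS is offered, but nothing forces clients to use it before authenticating
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.org.key
"""

HARDENED_POSTFIX = """\
# port 25 stays opportunistic (other MTAs may not speak TLS); 'encrypt' goes on the
# submission service in master.cf. AUTH itself is only ever offered inside TLS.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.org.key
"""

WEAK_DOVECOT = """\
ssl = yes
disable_plaintext_auth = no
"""

HARDENED_DOVECOT = """\
ssl = required
disable_plaintext_auth = yes
ssl_cert = </etc/ssl/certs/mail.example.org.pem
ssl_key = </etc/ssl/private/mail.example.org.key
"""

_KV = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.*)$")


def parse_settings(text: str) -> dict:
    """Read flat 'key = value' lines; '#' comment lines and anything else (blocks, blanks) are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit_postfix(cfg: dict) -> list:
    findings = []
    if cfg.get("smtpd_tls_security_level", "none") == "none":
        findings.append("postfix: smtpd_tls_security_level=none, STARTTLS is never offered")
    if cfg.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("postfix: smtpd_tls_auth_only is not yes, SASL AUTH is allowed on plaintext sessions")
    if not (cfg.get("smtpd_tls_cert_file") and cfg.get("smtpd_tls_key_file")):
        findings.append("postfix: smtpd_tls_cert_file / smtpd_tls_key_file not set")
    # Defaults differ between Postfix versions, so the audit wants the SSLv3 exclusion to be explicit
    # ('!SSLv3' list form or the newer '>=TLSv1.2' form) for both opportunistic and mandatory TLS.
    for key in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols"):
        protocols = cfg.get(key, "")
        if "!SSLv3" not in protocols and ">=" not in protocols:
            findings.append(f"postfix: {key} does not explicitly exclude SSLv3")
    return findings


def audit_dovecot(cfg: dict) -> list:
    findings = []
    if cfg.get("ssl", "yes") != "required":
        findings.append("dovecot: ssl is not 'required', plaintext IMAP/POP3 sessions are accepted")
    if cfg.get("disable_plaintext_auth", "yes") != "yes":
        findings.append("dovecot: disable_plaintext_auth=no, passwords are accepted without TLS")
    if not (cfg.get("ssl_cert") and cfg.get("ssl_key")):
        findings.append("dovecot: ssl_cert / ssl_key not set")
    return findings


def audit_mail_tls(postfix_text: str, dovecot_text: str) -> list:
    return audit_postfix(parse_settings(postfix_text)) + audit_dovecot(parse_settings(dovecot_text))


if __name__ == "__main__":
    print("weak:", *audit_mail_tls(WEAK_POSTFIX, WEAK_DOVECOT), sep="\n  ")
    print("hardened:", audit_mail_tls(HARDENED_POSTFIX, HARDENED_DOVECOT))
```

Running it on the weak pair lists the cleartext-AUTH settings on both daemons; the hardened pair produces no findings. The audit reads files only, so it says nothing about whether the daemons were reloaded or whether a client certificate requirement for management (the slide's last technical point) is in place; that is checked at the TLS layer, not in main.cf.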