TECHNOLOGY SPECIAL REPORT

Battening Down the E-Mail Hatches

Viruses delivered by e-mail, phishing attacks and spam are becoming as much a part of using computers as accidents, tolls and bumper-to-bumper delays on the freeway are in commuting to work each day. Both situations cause frustration, steal productivity and cost money.

Phishing scams trick e-mail recipients into clicking a link in the message to reach a vendor’s Web site to enter account numbers, order information and passwords. The messages look so official that the victim doesn’t notice the Web site is only a look-alike version. Using look-alike websites is called spoofing. E-mail security company MessageLabs recently reported that phishing and spoofing activities increased from 279 to 215,643 since late last year.

Computer security experts are seeing alarming increases in the number of incidents in which spam and viruses penetrate e-mail systems and wreak havoc on corporations and their employees. The Federal Trade Commission reports tens of thousands of complaints about ID theft each week.

But unlike the highway commute, e-mail inboxes do not have to be repositories of doom and gloom. If everyone used secure e-mail with authentication, viruses and worms would not be able to propagate. Spoofing wouldn’t work, and phishing expeditions would yield no harvest.

TechNewsWorld talked with leaders of Internet security firms about workable solutions to these worsening e-mail problems. These tips from the experts show that both consumers and enterprise e-mail users can batten down their e-mail hatches to prevent a flood of security breaches.

Canning Spam

As Dave Strickler, CEO of MailWise, sees it, eliminating spam is a function of cutting off its profit level. MailWise does this with an artificial intelligence engine.

“Like any good con artist, the quest for profits means that whatever barriers are put in place will be breached by spammers. If you build a moat, spammers will build a bridge. If you build a fence, spammers will dig a tunnel. There simply is too much profit in spamming for them to give up. The only way to stop spammers is to remove the profit from spamming,” Strickler told TechNewsWorld.

The most logical way to do this, he said, is to remove spammers’ ability to reach their potential customers. Toward this goal, use of artificial intelligence to fight spam is rapidly gaining ground.

“When the spammers breach the current filter protection, and they always do, the artificial intelligence engine acts as a smart sentry at the gate and immediately creates a new and different kind of filter. By constantly changing the filter, less and less spam gets through, and the spammers’ potential customer base disappears. Without customers, there is not profit. Without the profit, there is no spam,” said Strickler.

Educating Users Is Key

Jahan Morek, chief security architect of Sigaba and a UCLA professor, believes vendors have to do a much better job of educating consumers before e-mail truly will become secure. Sigaba provides enterprise messaging security solutions.

“Secure e-mail products have been around for 15 years. Most consumers and businesses didn’t adopt them,” Morek told TechNewsWorld. “Vendors need to educate their customers. E-mail is such an integral part of business that it is difficult for people to change their messaging routines.”

For e-mail security products to work, they shouldn’t require any change of the user’s behavior. The e-mail address should not change, and the security product should not route mail to an off-site filtering server before delivering the messages to the user.

“Otherwise, people give up, frustrated with the new system,” said Morek. “Under the hood, if the e-mail is encrypted, it’s secure. But ease of use should be the primary goal of any e-mail security product.”

What Corporations Must Do

According to some security experts, companies are in a better position than individual workers or consumers to improve e-mail security. But many companies simply don’t have enough incentive to take preventative action. They fail to recognize the long-term risks, especially because spoofing and phishing are relatively new problems.

Sigaba officials recommend five things organizations should do to protect their consumers and their brand reputation. They are:

1. Use tamper-proof, antispoofing secure messaging technology for e-mail and instant messaging. This is the only solution to the problem today.

2. Use secure messaging when communicating with customers so that messages can be traced directly back to the legitimate sender.

3. Don’t require users to download special software or pay for e-mail because of the bad deeds of others.

4. Enable secure online customer-service instant-messaging chat sessions to confirm identities. These can be embedded as applets directly into e-mail messages.

5. Take an active role with customer security. It is essential that companies provide customers with security information and reporting capabilities.

What Consumers Must Do

According to a Federal Trade Commission (FTC) survey, one in eight respondents were victims of identity theft in the past five years. That ratio increased alarmingly in recent months, causing the Department of Justice to make reducing this crime a priority this year.

Sigaba officials recommend that consumers take five steps to make their e-mail safer:

1. Assume all e-mails are suspicious unless you are certain they are legitimate. Delete suspicious e-mails immediately.

2. Never respond to suspicious e-mails or click on hyperlinks in the body of such messages. Disable the preview pane feature so hidden code is not automatically activated.

3. Avoid providing your primary e-mail address, especially when signing up for Web services, subscriptions or forms. Instead, get a free Internet e-mail account that can be changed periodically.

4. Report suspicious e-mails to the FTC at uce@ftc.gov or call the help line at 1-877-FTC-HELP. Also, contact the company that was “spoofed” directly.

5. Ask vendors what they are doing to implement antispoofing measures.

Authentication Required

James Kott, director of production management at MessageGate, said enterprises must define what constitutes unwanted e-mail for their employees before filtering software can be effective. MessageGate provides a software solution to corporate e-mail security by managing around-the-clock rule updates.

MessageGate’s products filter incoming messages for signs of spam, unwanted mail, phishing and fraud attacks. The company’s software also filters outbound e-mail messages to make sure unauthorized, sensitive information is not released.

“A greater sense of security is emerging as a result of spam, viruses and phishing attacks on enterprise messaging systems. This is pushing out the development of authenticating technology. But it will take time to implement,” Kott told TechNewsWorld.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Jack M. Germain
More in Security

LinuxInsider Channels