Are your emails safe?

Today communications and computer systems are increasingly exposed to external attacks, and even if we think we are safe because we believe we have taken precise precautions, we are not. The news arrives at an incessant pace: 500 million accounts hacked on Facebook, millions of accounts hacked on Gmail, free services or others, and we fail to understand that we too, unknowingly and against our will, are involved, and often become a vehicle for spammers and criminals who use us for purposes we do not even want to know about. Things get very complicated when we talk about mailboxes used for professional or work reasons, considering that the Privacy Guarantor has begun to impose rather severe penalties that can even bring a business to its knees. We need to protect ourselves, and to do so we need to think about what has to be done upstream, not after the disaster has occurred.

For those who use Gmail

Many ask me which is the safest email service to use. I have to disappoint them: it doesn't exist, or rather, it's not the right question. There are paid services and free services, and you need to become aware of what you have to do to be safe, or in any case to guarantee your customers the security of the data they entrust to you. One of the most used platforms, even by freelancers, is GMAIL. It is common to receive an email from your accountant from an address like studiocommercialista@gmail.com. It is also quite widely believed that GMAIL is one of the safest mail services in the world. But it is not.

Incidentally, GMAIL in its free configuration is not secure, both because no email is 100% secure and, even more, because a free service is precisely that, free, and has limitations; indeed, it must have limitations. You should read the service agreement before entrusting your communications to third parties. Reading the contracts, we understand that the responsibilities Google assumes in case of a data breach are very few, or rather, none at all. If someone breaks into your mailbox and steals the stored data, emails sent and emails received, that is your problem, and if you have not taken sufficient measures to protect your customers' data, the Privacy Guarantor will hold you to account by imposing fines, which can do a lot of harm.

Paid GMAIL changes things a lot. Google itself says so. However, it starts from a cost of 4.68 Euro per month per mailbox and reaches 15.60 per month, and, not coincidentally, one of the highlighted features reads: "Management and security controls".

The 15.60/month version claims: “Advanced management and security controls, including Vault and advanced endpoint management”. Because the problem is not only the security of the infrastructure: Google underlines that it is also necessary to "educate" the user on the need to adopt correct control and security measures in his own behavior, starting from the tools he uses to access his mailboxes: webmail, Android, iOS, or a mail client like Thunderbird or Outlook or whatever.

If we then consider that the cost of the service is per mailbox, in the case of a larger firm with several people it is easy to imagine that the overall cost of a good communication infrastructure and relationship with the outside world can become a considerable burden.

All of which translates to this: do you want security? Pay, and pay dearly, and learn to behave correctly.

For anyone using Microsoft Exchange

Basically nothing changes compared to GMAIL. The principle is the same, the prices are the same, and for example the monthly cost of 12.50 Dollars also includes Office 365.

The Privacy Shield that fools you.

The Privacy Shield, or the "privacy shield" between the EU and the US, is a self-certification mechanism for companies established in the US that wish to receive personal data from the European Union. In particular, the companies undertake to respect the principles contained therein and to provide the interested parties (i.e. all subjects whose personal data have been transferred from the European Union) with adequate protection tools, under penalty of removal from the list of certified companies (“Privacy Shield List”) by the US Department of Commerce and possible sanctions by the Federal Trade Commission. The European Commission considered that the system offers an adequate level of protection for personal data transferred from an individual in the EU to a company established in the United States and that, therefore, the Shield constitutes a source of legal safeguards with regard to the data transfers in question.

The EU-US Privacy Shield has been in effect since 1 August 2016.

The Shield is applicable to all categories of personal data transferred from the EU to the US, including business information, health or human resources data, provided that the US company receiving such data has self-certified its adherence to the scheme.

Unfortunately the pact has been broken.

The European Court examined the first decision (2010/87 on standard contractual clauses) and found that, although it is based on contractual provisions which, as such, cannot bind States to comply with them, it contains effective mechanisms which in practice make it possible to ensure that the level of protection required by Union law is respected, and that transfers of personal data based on these clauses are suspended or prohibited in the event of a breach of these clauses or where it is impossible to respect them.

The second decision (2016/1250 on the adequacy of the protection offered by the EU-US shield) instead establishes the primacy of the needs relating to national security, the public interest and compliance with US legislation, thus making it possible to interfere with the fundamental rights of persons whose data are transferred to that third country.

According to the Court, the limitations on the protection of personal data resulting from the internal legislation of the United States are not framed in such a way as to respond to requirements substantially equivalent to those required, in EU law, by the principle of proportionality and strict necessity.

So? What does the Privacy Shield have to do with my emails?

Translated, in a nutshell, it means that systems such as Gmail and Microsoft Exchange are not protected by the Privacy Shield and must be taken into account during the Audit and Privacy by Design phase in order to appropriately inform your customers with a correct DPA (Data Protection Assessment).

Let's recap: Gmail or Microsoft Exchange? Yes, if paid. At what cost? It depends on how many mail accounts you want to use and whether you want to use your own corporate domain. And in any case they are outside the Privacy Shield, which puts us at risk in the face of an intervention by the Privacy Guarantor, with penalties that can become considerable.

Well, we get it! But what does this have to do with the security of our e-mail? Calm down, we're getting there! A little patience!

Principle of ownership of personal data

Let's establish a fixed point, namely that the Privacy Guarantor has established a principle: personal data are not yours but belong to the people to whom those data refer.

On the basis of the legislation that regulates this right, therefore, each individual can demand that his personal data be collected and processed by third parties only in compliance with the rules and principles established by the laws on the subject, both of the European Union and of the individual national states. The purpose of the legislation is to give the data subject the power to dispose of their data, ensuring that the individual has control over all the information concerning his private life, and at the same time providing him with the tools to protect this information.

And for the sake of precision:

  • Everyone has the right to the protection of personal data concerning him.

  • Such data must be processed fairly, for specific purposes and on the basis of the consent of the data subject or another legitimate basis established by law. Every individual has the right to access the data collected concerning him and to obtain their rectification.

  • Compliance with these rules is subject to the control of an independent authority.

On the basis of what has been written above, it becomes clear how the security of one's IT and external communication systems is a very hot topic that commits us all to reflect on how we are used to managing our business processes.

The correct behaviors to be safer

The first thing we must remember is that the first solution is our behavior. What are the correct behaviors to adopt? I list several. Unfortunately, when working with collaborators and employees, not everyone adopts the same correct behaviors; someone always strays from the "fence" and you have to be very careful. But if you begin to understand that the personal data used in communications are the property of the people to whom they refer, it is easier to induce responsible and considerate behavior and to avoid many problems.

  1. Do not open attachments without checking the sender of the email.
  2. Do not use automatic opening of attachments.
  3. Always check the sender of the received email.
  4. Use all the fields of the email correctly.
  5. Use the "Subject" field correctly, describing the subject of the email briefly and accurately. It is useful for those who receive the email, because they immediately notice whether it was written specifically for them, and it is useful for searching the thousands of emails we archive every week when we need to find something specific.
  6. Use ONLY ONE recipient per email in the "To:" field. If we need to reach several recipients, we put our own address in the "To:" field and the addresses of all the other recipients in the "Bcc:" (blind carbon copy) field. This protects the privacy of the recipients, who will receive the mail addressed to "Undisclosed Recipients" and will not find their address spread everywhere and spammed.
  7. Avoid endless replies to the same message, using the mailbox as a chat.
  8. Avoid sending heavy attachments; if possible, send zipped attachments.
  9. Do not fill emails with images at the bottom, with logos, signatures, social media icons or anything else. Many have blocked the automatic display of images, and the only result is confusion and clutter.
  10. Do not open suspicious emails.
  11. Change your mailbox password at least once every three months and use complex strings. If you don't want to remember special characters and upper and lower case, we suggest using whole sentences that you can easily remember, such as: "yesterday-my-dog-jack-played-with-frisbee". You still get an excellent result. Simpler passwords are easily cracked with a few brute-force attempts, and from there the damage is done.
  12. Do not use your work email for your social profiles, EVER!
  13. Where possible, always use two-factor authentication.
  14. It has nothing to do with security, but please DO NOT USE CAPITALS. Upper case means SHOUTING and is bloody nasty and rude.
  15. Make a daily backup of your mail and do not leave all communications on the server: it is a practice not only advised against but strongly penalized by the Privacy Guarantor.
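
Two of the items above (3, "always check the sender", and 6, one visible recipient with everyone else hidden) can be turned into working code. The following is an added example, not code from the original article: check_sender_headers() reads the From and Reply-To headers of a received message and reports the display-name and reply-redirection tricks a reader should notice before trusting the sender; build_undisclosed_message() builds a one-to-many message the way item 6 describes, with the sender's own address in "To:" and the real recipients only in the SMTP envelope. All addresses and messages in it are constructed samples.

```python
"""Added example, not code from the original article: helpers for items 3 and 6
of the list above. All addresses and sample messages are constructed."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Anything that looks like an address written inside a display name.
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender_headers(raw: bytes) -> list[str]:
    """Return human-readable warnings about the sender headers of a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    warnings: list[str] = []
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return ["From header missing or unparsable"]
    sender = from_hdr.addresses[0]
    from_domain = _domain(sender.addr_spec)
    if not from_domain:
        return [f"From address {sender.addr_spec!r} has no domain"]
    # A display name that itself contains an address in a different domain:
    # mail clients show the name prominently and the real address in small print.
    for shown in ADDR_IN_TEXT.findall(sender.display_name):
        if _domain(shown) != from_domain:
            warnings.append(
                f"display name shows {shown} but the real sender is {sender.addr_spec}")
    # A Reply-To quietly redirecting answers to another domain.
    reply_hdr = msg["Reply-To"]
    if reply_hdr is not None and reply_hdr.addresses:
        reply_to = reply_hdr.addresses[0].addr_spec
        if _domain(reply_to) != from_domain:
            warnings.append(
                f"Reply-To {reply_to} is outside the sender's domain {from_domain}")
    return warnings


def build_undisclosed_message(sender: str, recipients: list[str],
                              subject: str, body: str) -> tuple[bytes, list[str]]:
    """Return (message_bytes, envelope_recipients) for a one-to-many mailing.

    The sender's own address is the only one in To:; the real recipients are
    never written into a header (not even Bcc:), so nobody learns the other
    addresses. They are returned separately for the SMTP client to use as
    envelope recipients (RCPT TO).
    """
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = sender  # what every recipient will see in "To:"
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = [sender] + [r for r in recipients if r != sender]
    return msg.as_bytes(), envelope


# Constructed samples: a look-alike accountant's address hidden in a display
# name while the real address is elsewhere, and a clean message for comparison.
SUSPICIOUS_SAMPLE = (
    b'From: "paolo@studiocommercialista.example" <billing@attacker.example>\r\n'
    b"Reply-To: replies@another.example\r\n"
    b"To: me@example.com\r\n"
    b"Subject: Invoice 2024-17\r\n\r\nPlease find the invoice attached.\r\n"
)
CLEAN_SAMPLE = (
    b"From: Paolo Rossi <paolo@studiocommercialista.example>\r\n"
    b"To: me@example.com\r\nSubject: Invoice 2024-17\r\n\r\nHello.\r\n"
)

if __name__ == "__main__":
    for w in check_sender_headers(SUSPICIOUS_SAMPLE):
        print("WARNING:", w)
    raw, rcpts = build_undisclosed_message(
        "me@example.com", ["alice@example.org", "bob@example.net"],
        "Newsletter", "Hello everyone")
    print(raw.decode())
    print("envelope recipients:", rcpts)
```

The envelope list is what you would pass as the recipient argument when sending; keeping it out of the headers entirely avoids the classic mistake of a message saved to disk or forwarded by another tool still carrying a Bcc: line with every address on it.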

These seem trivial recommendations, but ironically, hackers and spammers rely precisely on users' carelessness. We know, they are really banal and you have heard them repeated thousands of times, but apparently it is not enough!

Gmail no, Microsoft Exchange no. What to do?

Given that we have not said no, but have simply made you aware of the risks you run, there are practical, interesting solutions that keep you safe, assuming, which is not a given, that the behavior of individuals meets the minimum necessary to avoid ruining everything. Furthermore, given that we have not said that you cannot use GMAIL or Microsoft Exchange, but that to do so you need to be GDPR compliant, let's try to give other answers as well.

Alternatives to Gmail and Microsoft Exchange:

Protonmail

A Switzerland-based, GDPR-compliant platform using end-to-end encryption. Very good service, extremely safe but not cheap. To tell the truth, commercially speaking they have not achieved the success they deserved and have remained somewhat stalled, even if technologically the service is impeccable.

Fastmail

Fastmail is a valid alternative to Gmail, very functional and complete, with an affordable price, but it is necessary to verify its compliance with the GDPR since it is an American platform in any case.

QBOX Mail

A very valid alternative, all Italian and GDPR Compliant. The enterprise version costs 3.60 Euros per mailbox and 1 Euro for every 25 GB of additional space. We can only warmly recommend it. In our opinion it is one of the most interesting solutions.

There are many other cloud mail service providers as well; it's a world to explore. But in order not to overload you with information, we stop here.

Owned SMTP server or mailserver.

How many of you have a site and a domain and take advantage of the mail server integrated within your own web server where the site is hosted? It is one of the most frequent situations.

Provider's SMTP server

The SMTP servers of established providers are also recognized as reliable by other providers. Moreover, their spam filters are considered particularly effective because of the large amount of data they process. However, in the case of free offers, there are usually strict limitations on the number of e-mails per day, the size of attachments and the storage space of the mailbox.

The offers come in several forms:

Internet service providers: Internet service providers (ISPs) such as IONOS often offer an e-mail address together with an Internet connection, through which the company's SMTP mail servers can be accessed.
Email providers: The most typical way for individuals to send email to friends and family is to use the webmail application of a free email provider such as Gmail, Yahoo or Libero. The only requirement is an e-mail address on the provider's domain, with which the provider's SMTP server can be used for personal correspondence. All you have to do is configure your mailbox with the correct SMTP server address. Below you will find a summary of the most popular providers and their addresses.
Hosting service providers: Many hosting packages, such as those from IONOS, include an SMTP server by default, which can be used to handle internal and external company mail traffic.
Specialized providers: some companies specialize in renting SMTP servers, for example Amazon SES and SparkPost, which rent out the required hardware.

We strongly advise against this solution

Own SMTP server

With some basic technical knowledge you can set up your own SMTP server. For example, a Raspberry Pi can be set up with the appropriate software as the hardware basis.

The advantages are obvious: no provider restrictions on use, full control over all settings and independent data management. In addition, having your own server is ideal for familiarizing yourself with the technical mechanics of e-mail traffic. But there are also downsides: because of the dynamic IP address typical of private Internet connections, private SMTP servers are often classified as spam sources by the large email providers, a problem that can only be solved with some additional work and/or additional costs. However, if you only want to send your e-mails to another private client, your own SMTP server is in any case a good alternative. It is therefore necessary to have a fixed IP.

But it is not all roses, quite the opposite. Bringing an SMTP server in house, or using the one tied to the hosting of your website, has consequences that can even be serious if you are not able to manage the problems.

When you manage your own SMTP server for receiving and sending correspondence, you need to take into account some aspects that can also be unpleasant:

System uptime. Generally the various ISPs, especially the "low-cost" ones such as Aruba or Register, do not have an SLA and do not guarantee uptime. This means that over the 365 days of a year it is possible that your hosting, and therefore your domain, is not reachable, that sent emails do not go out, or that those to be received do not arrive at their destination. If the DNS is unreachable, your mail system is completely down. Hosting providers that guarantee in writing, by contract, an uptime greater than 99.99% over a year do exist, but the service starts to cost. We provide a 99.99% SLA, and in fact the cost of our hosting is not comparable to Aruba's.

Redundancy. An SMTP server linked to your hosting space is generally located in one place, a server farm; if that goes up in smoke, as happened recently with OVH or with Aruba in the recent past, both the site and your whole IT structure for sending and receiving emails can go down the drain. Hence the value of being able to count on a redundant structure where, in the event of a breakdown or shutdown of my system, a parallel structure can immediately take over. We could open a separate chapter on redundancy and go into the smallest details, but this is not the place for it; let's say that redundancy is defined as a system capable of duplicating certain functions and therefore guaranteeing continuity of service in the event of a failure.

The advantages of using your own SMTP server. I try to list them:

  • Ability to manage multiple email accounts without increasing costs
  • Ability to manage your own sending/receiving policies autonomously
  • Ability to keep, in house, an up-to-date archive of your mail and of all communication traffic with the outside world
  • Ability to name/rename your mailboxes autonomously and without external intervention
  • Ability to decide (depending on the chosen provider) which addresses and/or IPs to blacklist or whitelist
  • Ability to set anti-spam policies independently
  • Ability to set up the DKIM, SPF and DMARC records yourself; these are the ones many forget, and their absence is the main cause of your domain being blacklisted.
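
Because the last item is the one that gets domains blacklisted, here is an added example, not part of the original article, of what "setting up the records yourself" has to get right: an offline checker for the SPF, DKIM and DMARC TXT records of a domain. It takes the record strings directly (no DNS lookups), so the two sample "zones" are constructed: one with the weak settings that let anyone send as the domain or leave failures without consequence, and one with the corrected records. The DKIM public key in the good zone is a placeholder, not a real key, and the domain and selector names are made up.

```python
"""Added example, not part of the original article: an offline SPF/DKIM/DMARC
record checker. The zones below are constructed; the DKIM key is a placeholder."""
import re
from typing import Optional

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|a(?:[:/]|$)|mx(?:[:/]|$)|ptr|exists:|redirect=)")

WEAK_ZONE = {
    # '?all' authorizes nothing and forbids nothing; 'ptr' is deprecated.
    "example.com": "v=spf1 a mx ptr include:_spf.mailrelay.example ?all",
    # p=none: receivers record failures but still deliver spoofed mail.
    "_dmarc.example.com": "v=DMARC1; p=none",
    # No selector._domainkey record at all: outgoing mail is unsigned.
}

GOOD_ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailrelay.example -all",
    "_dmarc.example.com":
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
    "mail2024._domainkey.example.com":
        "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",  # not a real key
}


def _tags(txt: str) -> dict:
    """Parse the 'k=v; k=v' tag lists used by DMARC and DKIM records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_spf(txt: Optional[str]) -> list:
    if not txt or txt.split()[0].lower() != "v=spf1":
        return ["SPF: no v=spf1 record; receivers cannot tell which hosts may send for the domain"]
    findings = []
    terms = txt.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, so unlisted hosts are neither allowed nor denied")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"SPF: '{last}' lets any host send as the domain; use -all (or ~all)")
    if any(t.lstrip("+-~?").startswith("ptr") for t in terms):
        findings.append("SPF: 'ptr' is deprecated and slow; list the sending hosts explicitly")
    lookups = sum(1 for t in terms if SPF_LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10; receivers return permerror")
    return findings


def check_dkim(zone: dict, domain: str, selector: str) -> list:
    name = f"{selector}._domainkey.{domain}"
    txt = zone.get(name)
    if txt is None:
        return [f"DKIM: no record at {name}; signatures using this selector cannot be verified"]
    tags = _tags(txt)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("DKIM: version tag is not DKIM1")
    if not tags.get("p"):
        findings.append("DKIM: empty p= tag means the key is revoked; all signatures will fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("DKIM: t=y testing flag set; remove it once signing is in production")
    return findings


def check_dmarc(txt: Optional[str]) -> list:
    if not txt:
        return ["DMARC: no _dmarc record; SPF and DKIM results carry no policy"]
    tags = _tags(txt)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record must start with v=DMARC1")
    p = tags.get("p")
    if p not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif p == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered, move to quarantine or reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you get no aggregate reports on who sends as your domain")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    return findings


def audit(zone: dict, domain: str, selector: str) -> dict:
    """Run all three checks against one zone; empty lists mean nothing to fix."""
    return {
        "spf": check_spf(zone.get(domain)),
        "dkim": check_dkim(zone, domain, selector),
        "dmarc": check_dmarc(zone.get(f"_dmarc.{domain}")),
    }


if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("good", GOOD_ZONE)):
        for record, findings in audit(zone, "example.com", "mail2024").items():
            print(f"[{label}] {record}: {findings or 'ok'}")
```

In real use you would fetch the TXT records with your DNS tooling and feed the strings to audit(); the point is that all three records must exist and agree before the "-all" and "p=reject" settings are safe, otherwise you are the one rejecting your own mail.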

Disadvantages of using a proprietary SMTP server

The disadvantages are innumerable, especially if your organization is not prepared and there is no adequate awareness of the risks you run by bringing a mail server in house. Technical, legal and operational issues could also discourage this path; much depends above all on the level of technological culture in your organization.

  • Inability to shift liability elsewhere, since all responsibility for managing and archiving email messages falls on your organization.
  • Exposure to all types of attacks and the need to take every measure to limit or neutralize them.
  • Possibility of moments of "darkness" in which the server is slowed down by other operations or is even unable to perform its functions.
  • Need to implement a ferocious anti-virus and anti-spam control policy (to tell the truth, this applies a bit to everyone today).
  • Need for a systematic and efficient backup policy (this is true for everything today, by now).

It is also true that many "professional" providers make available protected, certified or in any case almost vulnerability-free SMTP servers, so that the dangers arise solely and exclusively from the operator's inattention, recklessness or irresponsibility. However, let's say that hosting the mail server on the same infrastructure where the web server is hosted may not always be a correct policy, quite the contrary.

Conclusion

Ok, nice but in conclusion? What to choose?

There is no single answer; it depends on the circumstances and also on how you operate. We recommend using a cloud mail server when the corporate structure is small or microscopic, and an SMTP server when the structure requires at least a dozen mailboxes, if not 20. More for reasons of cost than anything else, because an SMTP server hosted in a safe, efficient structure that correctly labels its servers and uses valid and correct security protocols always has a distinct advantage over everything else. It is true that you bring in house potential problems that you would rather keep outside. Even in terms of the GDPR, if on the one hand it will be necessary to adopt a correct Privacy Policy, it is also true that in the event of a data breach the consequences can be much more serious with cloud systems managed by third parties. Therefore, a good SMTP server and shrewdness in mail management should solve 90% of the problems for small businesses or professional activities. A good partner who provides an adequate hosting service, an on-site technician who knows how to install an email client correctly, a good backup system, a firewall and an always up-to-date antivirus, a router with ferocious control over ports, and you can almost sleep soundly. Then anything can happen, mind you, but in principle this is what we suggest.