how to guard against impersonation

Discussion in 'privacy technology' started by cellist, Nov 14, 2015.

  1. cellist

    cellist Registered Member

    Joined:
    Nov 14, 2015
    Posts:
    6
    I'm the administrator of a two-computer home wireless network. I have a hunch that the issues
    normally discussed here are far more complex than mine. But in other discussion venues, dealing
    with email security and privacy issues is pretty much limited to "don't click on any links in an email
    from an unknown sender." I'm hopeful that here I'll find some advice that is a bit more robust.

    Let me give an example that illustrates the kind of concern I have. Suppose I get an email from
    joesmith@freemail.com. I know someone who uses the email username joesmith and we routinely
    exchange email messages. But when I look closely, I notice the email provider, freemail.com. The
    person I exchange messages with uses a provider called payformail.com. So, I realize that this
    message is not from the person I exchange email messages with.

    This kind of scenario concerns me because 1) I may fail to look carefully at the sender address of
    every message I get; 2) When I get a message from joesmith@payformail.com, how can I be certain
    that a clever hacker isn't impersonating the individual I know and trust?

    Are there home consumer products available that can address these concerns? Are there best practices that I can employ (beyond "don't click on any links in an email from an unknown sender") to minimize such risks?

    TIA
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    It's pretty common to get spam from your correspondents. Sometimes it's because someone's email account got pwned, and all email addresses found there get used in all possible to/from combinations. Sometimes spammers just flood numerous addresses at foo.com, using dictionary-based software that picks likely usernames. Same idea as SSH brute forcing.

    Play safe by disabling HTML rendering, and blocking embedded images. Don't open unexpected attachments. If in doubt, first email the sender and confirm that they sent it. If there's something dangerous that you want to open, first copy it to a USB flash drive, and open it in Tails.
     
  3. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Welcome, and you've come looking for help and with the right mindset! Which is what we all have to keep doing, because there are no "certainties", only relative degrees of likelihood.

    Any application (at either end) is potentially untrustworthy, and the most attacked ones are the browser, the email client, and common applications such as Acrobat and Word. The internet backbone itself is sadly not trustworthy either, nor are service providers or email servers.

    Engaging brain is absolutely the right initial step, which you are well aware of. But even the experienced are fooled by "phishing" emails from time to time. So other defences, preferably in layers will help you. Backups are good! Paying attention to up-to-date applications and operating systems, and their configuration is a good place to start. On Windows, you'd normally be running a competent A/V. People here also worry about "zero-days" which are vulnerabilities which are not trapped by A/V or bug-fixes. Controls for those are various, but look for "sandboxes" and "virtual machines". Also look up strong passwords, password managers and two factor authentication.

    Regarding impersonation, digital solutions are normally based on certificates which "sign" any communication (and can help encrypt the content and ensure it hasn't been altered). But, even with that, you need some way of independently verifying their certificate, which can be done by swapping digital fingerprints in person if you want that! There are other online mechanisms to get better trust as well. The most widely respected way of doing this is to use GPG mail, and there are good open source solutions for that, including for Thunderbird or Outlook. It's a steep learning curve, and you need the cooperation of your correspondents - this is not a particularly simple solution, but it works if you take the trouble. If you look at mirimir's GnuPG key link above, that's a form of trusted publication of his/her public key which you would use if you wanted to communicate that way.

    Quite a lot of people think that traditional email solutions are never going to be particularly secure, and so there is a great deal of information here about alternative communication (e.g. with IM). The eff.org have some useful links, e.g. https://www.eff.org/secure-messaging-scorecard
     
  4. cellist

    cellist Registered Member

    Joined:
    Nov 14, 2015
    Posts:
    6
    @mirimir and @deBoetie

    Thanks. You've both given me useful points of departure for further research.
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Good ideas above. I especially like using gpg/pgp signing/encryption with trusted friends, and have done so with some on this thread. It is very easy to compose a normal email, and right before sending it you digitally sign it with your pgp/gpg key. The receiver then simply verifies the signature (takes a second) and is certain it came from who contends to have sent it. If I digitally sign the email body you can be somewhat certain my attachment is also safe. There are ways to sign those as well.

    Now for many friends that refuse to use digital security you should consider a couple of other safe things. Always open your email in a solid sandbox and/or virtual machine. Preferably both because it's so easy to do. Should something slip past you it's going nowhere because it's "trapped" inside the virtual container that you created for the purpose. I only go online in such a setup so simply closing my browser clears EVERYTHING I just did off the machine. Simple stuff really, but it's a real time saver compared to re-building an entire OS because I was too lazy to set up the config.
     
  6. cellist

    cellist Registered Member

    Joined:
    Nov 14, 2015
    Posts:
    6
    @Palancar
    I'm looking at the Gpg4win documentation: "Therefore OpenPGP offers the option of exchanging encrypted data and e-mails without authentication by a higher-ranking agency." Am I correct that this means that I don't have to purchase a certificate if I choose OpenPGP for my digital signing?

    You've touched on one of the primary obstacles for me. Many of my personal email correspondents will not even consider investing the effort to implement digital signing. And, won't I run into the same sort of issues with commercial institutions? Are such institutions likely to support digital signing for correspondence in which they don't include any confidential or sensitive information?
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    True. PGP is based on mutual trust. You have to trust the sender's public key. And whomever you send encrypted e-mail to must trust your public key.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I'm not sure what you mean by "trust". Let's say that I email someone to ask for their public GnuPG key. They send it to me. Maybe I also get it from their website, one of the keyservers, Keybase or wherever. Let's say that they're the same.

    Now I can somewhat trust that signed messages from that address are genuine. And I can send encrypted messages to it. However, if an adversary has stolen the private key, they could spoof messages with valid signatures. But once we have encrypted dialogue, I can trust that messages quoting my stuff aren't spoofed. Even then, however, it's possible that an adversary controls the email account. So if it really matters, we confirm through other channels.

    Anyway, my point is that "trust" is a continuum.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Actually, the question was "I don't have to purchase a certificate if I choose OpenPGP for my digital signing?" And the answer is yes, you can use a PGP certificate. See the Certificate section of this web article for a detailed explanation: http://www.pgpi.org/doc/pgpintro/
     
  10. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Many good points here. Unfortunately for almost all of us it will end in frustration because I am betting most of your REAL NAME friends will not use gpg. So, in the end you should concentrate on protecting yourself against contamination by containing the files in virtual space to at least keep the computer from getting pwned by malware.

    I have a dozen or two pseudo friends where gpg is the norm for our message exchanges. Real Name is just what it is. I use separate computers for what seems to be two unique worlds. Any other privacy folks here find it differently on their end?
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    As far as I know, nobody I know in meatspace uses encryption. But then, I don't talk about encryption in meatspace, so o_O
     
  12. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    I am trying not to splinter this thread. Lately, along the lines we are talking about so far, I have been researching encrypted phone and text. I am conversing with family and real name friends about it. Hardly anybody wants to bother with it even though some of the programs are so transparent you would hardly know you are speaking "locked down". This is the same general issue that gpg/pgp users have with contacts in email. Generally speaking folks just don't get it and are happy with "them" being able to listen and observe stuff.

    I am becoming more aware now because of Paris. I am wondering if encrypted phone usage is going to be perceived like TOR? Truthfully I don't have much to hide at all. I just want to have my privacy respected and be left alone.
     
  13. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    My objective is to restore (for myself) what I think is the constitutional and rule-of-law position, namely that "they" can get my stuff in clear IF they have probable cause with a warrant - that's what I'm OK with as a citizen. But because of the mass surveillance land grab, and the huge loss of trust, I'm not left with good options; but I'm extremely unhappy with having my information on huge suspicion-less databases because of false positives, data sharing with all and sundry, risk of theft and malpractice, and lack of recourse (including difficulty of establishing standing and the disgusting shyster-lawyer behavior of public officials with bottomless legal finances).

    The danger of course will be that reclaiming your rights by using strong communication encryption will likely be treated as suspicious and subject to "equipment interference" - and this will even be done algorithmically with no warrant or anything else.

    Bruce Schneier has a piece on the unprincipled attacks on encryption and Snowden that have resurfaced recently.
     
  14. cellist

    cellist Registered Member

    Joined:
    Nov 14, 2015
    Posts:
    6
    What's Tails?
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
  16. passwordischeese

    passwordischeese Registered Member

    Joined:
    Nov 18, 2015
    Posts:
    3
    A very simple idea is to get joe to put a unique string of characters in his email signature. And you also have a unique set in your email signature. That way if you get an email from joe, which does not have the signature - you know it's not from him. Such as

    |Sgv2rn`8[uK/*hbZu]}^.D>l'AOY

    When joe sends you an email, his signature line must have your code, and vice versa. You would both have to decide beforehand what your codes were.

    But a scheme like this only works up to a certain point. If joe exchanges email with other people, and they had bad intentions, they may copy and paste the signature. But once a signature is automatically added to email, people forget it's there. A spoofer may not even notice it.

    A good software tool for creating random strings & passwords can be found below. The website also creates random strings & passwords.

    https://defuse.ca/passgen.htm

    But apart from using GPG, your brain is the best tool. If you are not sure an email has come from joe, just email joe and ask "Hey Joe, did you just send me an email about xyz...etc"

    Cheers.
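
Added example (not part of passwordischeese's post or of any code in this thread): the fixed signature string is accepted under any text it is pasted beneath, while a tag computed over the message body with a pre-agreed secret is not. It uses HMAC-SHA256 from Python's standard library as a stand-in for the GPG signing discussed earlier; `SHARED_SECRET`, the `tag:` line and all function names are assumptions made here.

```python
import hashlib
import hmac

# Constructed values for illustration only.
STATIC_TOKEN = "|Sgv2rn`8[uK/*hbZu]}^.D>l'AOY"  # fixed string quoted in the post
SHARED_SECRET = b"constructed secret agreed in person"  # hypothetical, never emailed
TAG_PREFIX = "tag: "


def static_check(message: str) -> bool:
    """The post's scheme: accept if the last line equals the agreed token."""
    lines = message.strip().splitlines()
    return bool(lines) and lines[-1] == STATIC_TOKEN


def _canonical(body: str) -> bytes:
    # Mail clients rewrite line endings and trailing spaces; normalise first.
    return "\n".join(line.rstrip() for line in body.strip().splitlines()).encode("utf-8")


def sign_body(body: str, secret: bytes = SHARED_SECRET) -> str:
    """Append a tag computed over this body, so it cannot be reused elsewhere."""
    tag = hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()
    return f"{body.strip()}\n{TAG_PREFIX}{tag}"


def verify_body(message: str, secret: bytes = SHARED_SECRET) -> bool:
    """Recompute the tag over everything above the final line and compare."""
    body, _, last = message.strip().rpartition("\n")
    if not last.startswith(TAG_PREFIX):
        return False
    expected = hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()
    received = last[len(TAG_PREFIX):].strip()
    return hmac.compare_digest(expected.encode(), received.encode("utf-8"))


def replay_tag(signed: str, new_body: str) -> str:
    """Copy-and-paste reuse: keep the original last line, change the text above."""
    return f"{new_body}\n{signed.strip().splitlines()[-1]}"


if __name__ == "__main__":
    fixed = f"Lunch on Friday?\n{STATIC_TOKEN}"
    signed = sign_body("Lunch on Friday?")
    print(static_check(replay_tag(fixed, "Please buy gift cards")))   # accepted
    print(verify_body(replay_tag(signed, "Please buy gift cards")))  # rejected
```

Because both correspondents hold the same secret, this only separates the pair from outsiders; it has none of the public-key properties of a GPG signature.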
     
  17. cellist

    cellist Registered Member

    Joined:
    Nov 14, 2015
    Posts:
    6
    Yes @cheese, you're correct. I can probably tell from content and context when a message is from joe et al.

    It's the one from, say, mybank@wellKnownBank.com that can be troublesome. I ask myself, "Is it safe to click on a link in that message?" wellKnownBank.com is not going to participate in GPG with me. I've spoken (literally spoken, phone call) with my bank's online support about the issue and they say "no way GPG." They did affirm (only verbally, of course) that I can be confident that any message addressed from mybank@wellKnownBank.com will be from them.

    I've implemented a filter in my email client to tag any message from a sender not in my address book. But it doesn't offer a function to disable clicking on a link in a message from an unknown sender. So, if I (or the other person on my 2-computer network) get lazy and ignore the "unknown sender" tag, I risk going to a malicious site. And the verification process -- contacting a sender by phone or even by email -- is often impractical.
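
Added example (not part of cellist's post and not the filter in his mail client): a sketch of the address-book check described above, extended to flag the joesmith@freemail.com case from the first post, a familiar display name on an unfamiliar address, and a Reply-To that differs from a known From address. The address book entries, label strings and function name are assumptions made here.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> the one address verified for that contact.
ADDRESS_BOOK = {
    "Joe Smith": "joesmith@payformail.com",
    "Well Known Bank": "mybank@wellknownbank.com",
}


def classify_sender(raw_message: str, book: dict = ADDRESS_BOOK) -> str:
    """Label a message by comparing its From (and Reply-To) headers to the book."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        return "malformed"
    local, _domain = addr.split("@")

    known = {a.lower() for a in book.values()}
    if addr not in known:
        # Same username at another provider, or a familiar display name on an
        # unfamiliar address: the two cases a quick glance tends to miss.
        if local in {a.split("@")[0] for a in known}:
            return "lookalike-username"
        if display.strip().lower() in {n.lower() for n in book}:
            return "lookalike-display-name"
        return "unknown"

    # From matches the book, but replies may still be steered elsewhere.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.strip().lower() != addr:
        return "reply-to-mismatch"
    # The From header is plain text chosen by the sender, so this label means
    # "matches the book", not "proven to come from that person".
    return "known-address"


# Constructed sample: the scenario from the first post.
SAMPLE = "From: Joe Smith <joesmith@freemail.com>\nSubject: hello\n\nSee the link."

if __name__ == "__main__":
    print(classify_sender(SAMPLE))
```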
     
  18. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    There is always a risk of browsing, obviously more than a malicious one.

    And there are various controls to add extra layers of defense:

    Sandboxie on Windows
    Firejail on Linux
    Virtual Machines with revert to snapshot

    These ensure that any malware/bad sites that do get through, have restricted ability to do anything, and are wiped on exit so the malware disappears.
     
  19. cellist

    cellist Registered Member

    Joined:
    Nov 14, 2015
    Posts:
    6
    I've concluded that some flavor of GPG and/or some form of virtualization are the only "guarantee" against impersonation. Unfortunately, none of those are practical for most of my email activity. I will continue to research what steps I can implement within my email client and by utilizing extensions and addons.

    As the initiator of this discussion, I want to express my appreciation for the helpful information given here. This forum is unusual in both the quality of content and the level of civility with which participants express themselves.
     