Information Security News mailing list archives

E-mail encryption use low despite potential for snooping


From: InfoSec News <isn () C4I ORG>
Date: Mon, 12 Mar 2001 00:29:15 -0600

http://www.nj.com/newsflash/index.ssf?/cgi-free/getstory_ssf.cgi?f0008_BC_E-MailSecurity&&news&newsflash-financial


By ANICK JESDANUN
The Associated Press
3/11/01 2:12 PM


CAMBRIDGE, Mass. (AP) -- Elana Kehoe doesn't like the idea of
governments and hackers reading her e-mail as it traverses the
Internet. So a few weeks ago, she installed a tool to scramble her
messages.

But she's having trouble using Pretty Good Privacy encryption. She
knows of only four other PGP users, including her husband, Brendan.
That means everything else goes through regular e-mail, which is as
private as sending a postcard.

Kehoe has tried to persuade friends to install the free software, too,
but they couldn't be bothered.

"Since I don't know that many people who use PGP, I don't know what I
can fully do with it now," said Kehoe, a Dublin, Ireland, resident
visiting Cambridge for a computer conference this past week.

Her plight reflects a larger problem with e-mail security. Fewer than
10 million people use PGP, the most popular method for encrypting
e-mail. That's out of a worldwide Internet population approaching 400
million.

"We've had trouble getting PGP employed across the breadth of
society," lamented Philip Zimmermann, the inventor of PGP. "There
needs to be more consciousness raised about privacy, but ease of use
certainly has been a factor."

Zimmermann said PGP has become simpler. Users now control it with
mouse clicks whereas early versions required typing in commands.

But Zimmermann acknowledged that more could be done. He recently
joined Hush Communications Corp. in Dublin, which is trying to
simplify PGP by moving the entire process to the Web.

Sending e-mail unencrypted is inherently insecure. Network
administrators at Internet service providers and employers can read
messages at one of several transit points.

The FBI has deployed Carnivore to scan e-mail traffic, and hackers can
use software initially designed for network administrators to diagnose
Internet problems. Security experts say more sophisticated hackers can
even change messages in transit, without the sender or recipient ever
knowing.

Without encryption, financial, medical and other sensitive information
could fall into the wrong hands.

In fact, Kehoe and her husband had to chide her mother for sending
credit card numbers and their accountant for sending tax totals and
Social Security numbers using regular e-mail.

"There's a lack of understanding about the way e-mail is transmitted,"
said David Sobel, general counsel for the Electronic Privacy
Information Center in Washington.

The Computers, Freedom and Privacy conference this past week devoted
several sessions to encryption and PGP, which marks its 10th
anniversary in June.

Part of the problem is analogy. You refer to electronic messages as
e-mail, not e-postcards. Most software for sending e-mail carries
pictures of envelopes, not postcards.

Furthermore, most people use whatever software ships with their
computer.

Though free encryption programs are available for noncommercial use,
running them takes several steps: Finding software, installing it,
creating digital keys to lock and unlock messages, distributing keys,
telling friends to do the same.

And even if Internet users suspect they should do more to protect
their e-mail, they figure there are bigger targets.

"Your average everyday user on Yahoo! has a general attitude of 'We're
not talking about anything important,'" said Jon Matonis, chief
executive of Hush.

That may be true about e-mailing photos or commenting about the
weather. Imagine, though, e-mailing a doctor about an AIDS test, only
to have filtering software installed on your employer's e-mail server
see the word "AIDS" and automatically forward the message to your
health insurance company.

Jeff Jones, vice president of PGP marketing at Network Associates
Inc., which employs the original PGP team, said a European financial
institution once faced unauthorized withdrawals because customers had
been e-mailing passcodes. He would not name the company.

The IRS has a policy against communicating with taxpayers via e-mail,
and Janus mutual fund company warns customers not to send transaction
and account information via regular e-mail.

Many doctors refuse to respond to unencrypted e-mail.

"I'm not so sure patients are so aware of the pitfalls," said John
Abess, a Charleston, S.C., psychiatrist who also advises the Web site
Healthology.

E-mail encryption generally involves a dual-key mechanism known as
public key infrastructure. Under that scheme, one key locks a message,
and a different key unlocks it.

People who want to receive encrypted mail distribute a public key that
locks messages. A sender uses that person's public key to encrypt the
message, which can be unlocked using only the recipient's private key.
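The locking and unlocking described in the two paragraphs above, as an added Go example that is not code from the article or from PGP itself: a hybrid envelope in the shape OpenPGP uses, where a random per-message key is wrapped with RSA-OAEP to the recipient's public key and the message body is encrypted under that key with AES-GCM, so a body altered in transit is rejected rather than decrypted. The names Envelope, GenerateKey, Seal and Open and the sample message are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope: a per-message AES key wrapped to the recipient's RSA public key, plus the body.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// GenerateKey makes a recipient's key pair (the "creating digital keys" step).
func GenerateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Seal locks plaintext to pub; only the matching private key can Open it.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand never returns an error (Go 1.24+ guarantee)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // a 32-byte key cannot fail here
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return &Envelope{wrapped, nonce, aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open unlocks with the private key; GCM rejects a body altered in transit.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	priv, _ := GenerateKey() // constructed sample message below
	env, _ := Seal(&priv.PublicKey, []byte("constructed sample: tax totals"))
	msg, err := Open(priv, env)
	fmt.Printf("%q %v\n", msg, err)
}
```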

The first version of PGP appeared in June 1991. Zimmermann and the PGP
team initially had trouble with the U.S. government, which considers
encryption a form of munition. The government ultimately backed off
from prosecuting Zimmermann and slowly lifted export restrictions on
PGP.

A competing standard called S/MIME is used by companies like VeriSign
Inc.

Other techniques include Secure Sockets Layer, suitable for Web-based
communications, and IP Security, used in virtual private networks that
companies deploy for remote workers. VPN, however, does not address
snooping by employers.

Human-rights workers abroad have begun using encryption to prevent
oppressive governments from identifying sources and techniques.

But those able to figure out how to use PGP are sometimes still
reluctant as long as most e-mail worldwide remains unencrypted.

"The very use of strong encryption signals to the government that this
is a group to be watched," said Minky Worden, electronic media
director for Human Rights Watch. "In China, the use of PGP alone is
enough for you to get rounded up."


------

On the Net:

Network Associates' PGP unit: http://www.pgp.com

Free version: http://www.pgpi.org

EPIC list of tools: http://www.epic.org/privacy/tools.html

Zimmermann: http://www.philzimmermann.com

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".