Tag Archives: free email providers

Cybersecurity is just too much trouble for the general public, claims study

8 October 2016

In the report ‘Cybersecurity is just too much trouble for the general public, claims study’, published on 6 October on the Tripwire State of Security blog, Graham Cluley quotes from the NIST study Security Fatigue:

“Participants expressed a sense of resignation, loss of control, fatalism, risk minimization, and decision avoidance, all characteristics of security fatigue. The authors found that the security fatigue users experience contributes to their cost-benefit analyses in how to incorporate security practices and reinforces their ideas of lack of benefit for following security advice.”

We should not be surprised ‘that the public is suffering from “security fatigue” and a feeling of helplessness when it comes to their online security’. Most of the advice for end users in the information security domain is just puzzling. Let me make this clear with an example.

The renowned German Stiftung Warentest assessed 15 e-mail providers in the October 2016 edition of the Test magazine. The focus of the assessment was data privacy, ‘the protection of customers and emails against unwanted looks’, and, of course, usability. Table 1 below shows the Stiftung Warentest quality ranking.

| Provider | Quality Ranking (1) |
|---|---|
| Mailbox.org Tarif Mail | 1.4 |
| Posteo | 1.4 |
| Mail.de Plusmail | 2.2 |
| GMX Topmail | 2.3 |
| Web.de Club | 2.3 |
| Web.de Freemail | 2.5 |
| GMX Freemail | 2.6 |
| Telekom Freemail | 2.6 |
| Freenetmail Basic | 2.7 |
| Telekom Mail / Cloud M | 2.7 |
| 1&1 Mail Basic | 3.1 |
| AOL Mail | 3.1 |
| Yahoo Mail | 3.2 |
| Microsoft Outlook.com | 3.3 |
| Google Gmail | 3.4 |

Table 1: Stiftung Warentest rankings

(1)    Quality Ranking: 0.5 .. 1.5: Very good, 1.6 .. 2.5: Good, 2.6 .. 3.5: Average

At first glance, the table suggests that it is sufficient to use one of these providers (all were rated from very good to average) and security is guaranteed.

Unfortunately, this assessment is very misleading. Email encryption is just one aspect of information security. It protects against cyber criminals, state-sponsored attackers or insider attacks because the information is not readable unless the attacker has access to the encryption key.

If an attacker is able to compromise a user’s account, e.g. through a password phishing attack, he might have full access to all emails, although they are encrypted.

Securing an account against phishing with frequent password changes and individual passwords for different services is not sufficient. And usability is bad, even if password managers are used. Two-Factor Authentication (TFA) or one-time passwords are the tools of choice to enhance security against phishing attacks.

Table 2 shows the Stiftung Warentest results updated with details about TFA availability.

Provider Quality Ranking (1) TFA available With soft token With SMS With hard token
Mailbox.org Tarif Mail 1.4 (2) Yes Yes Yes
Posteo 1.4 Yes Yes  
Mail.de Plusmail 2.2 Yes Yes Yes
GMX Topmail 2.3 No
Web.de Club 2.3 No
Web.de Freemail 2.5 No
GMX Freemail 2.6 No
Telekom Freemail 2.6 No
Freenetmail Basic 2.7 No
Telekom Mail / Cloud M 2.7 No
1&1 Mail Basic 3.1 Undef. (2)
AOL Mail 3.1 Yes Yes
Yahoo Mail 3.2 Yes   Yes  
Microsoft Outlook.com 3.3 Yes Yes Yes
Google Gmail 3.4 Yes Yes Yes Yes

Table 2: Rankings updated with details about TFA

(1)    Quality Ranking: 0.5 .. 1.5: Very good, 1.6 .. 2.5: Good, 2.6 .. 3.5: Average

(2)    It was not possible to determine whether TFA is available from the provider’s homepage

Only 7 of the 15 email providers allow the use of a second factor. The limitation to one aspect of information security creates puzzling results and a false sense of security. It is therefore no wonder that consumers show the ‘characteristics of security fatigue’.

TFA with soft tokens is, under normal conditions, activated within seconds and is very easy to use. From my point of view, service providers should create the needed attention and enforce the use of TFA. It is not sufficient to notify the users of new waves of phishing attacks.

Have a good weekend.

Some thoughts on Email Filtering and Anti-Spam

14 March 2015

I fully agree with Paul Kubler’s post ‘Here’s Why Email Filtering Needs to be More than Just Anti-Spam’ published last Friday on LIFARS.

In my opinion we have to tackle this problem from at least 3 sides.

First of all, it is time for the e-mail providers to take action. In my post about free email providers I showed that none of the major German providers use properly configured anti-malware systems. I estimate that the number of phishing attacks could decrease by 90% if the email providers would just reject all mails with malicious content or attachments when they are deposited.

Second, it is important to spark the users’ attention. Awareness campaigns, with well-made but harmless phishing attacks and direct feedback, will raise attention and save a lot of hassle. Train the users in identifying the main features of phishing attacks and the proper countermeasures to take.

Finally, we can implement some technical measures to help users act correctly in the case of a malicious email:

  • Configure your email client program to display all mails in plain text.

In this case all links are displayed in plain text. Even an inexperienced user can see that the link is not part of the sender’s domain and most likely part of a cyber-attack.

Sample Phishing Mail displayed in plain text format


  • Turn off attachment preview.

A previewer must read an attachment for display. In the worst case malicious code included in an attachment is executed and compromises your system.

  • Turn on SmartScreen filtering.

SmartScreen Filtering will block access to known malicious sites.
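The plain-text check from the first bullet, as an added sketch (not part of the original post): it renders an HTML mail as text with every link target written out and lists the links that fall outside the sender's domain. The sender address, mail body and reserved example domains are constructed, and the domain comparison is a plain suffix match.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class PlainTextRenderer(HTMLParser):
    """Render HTML mail as text, writing every link target out next to its label."""
    def __init__(self):
        super().__init__()
        self.out, self.links, self._href = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._label = []

    def handle_data(self, data):
        (self._label if self._href is not None else self.out).append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            label = "".join(self._label).strip()
            self.links.append((label, self._href))
            self.out.append(f"{label} <{self._href}>")   # the real target becomes visible
            self._href = None

def host_in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def review_mail(sender, html_body):
    """Return (plain_text, links outside the sender's domain as (label, url))."""
    domain = sender.rsplit("@", 1)[-1]
    parser = PlainTextRenderer()
    parser.feed(html_body)
    parser.close()
    foreign = [(label, url) for label, url in parser.links
               if not host_in_domain(urlsplit(url).hostname or "", domain)]
    return "".join(parser.out), foreign

# Constructed sample using reserved example domains (not taken from the post).
SENDER = "service@bank.example"
BODY = ('<p>Dear customer, please confirm your account at '
        '<a href="https://bank.example.login.example.net/verify">https://bank.example/verify</a> '
        'or read our <a href="https://www.bank.example/help">help page</a>.</p>')

text, foreign = review_mail(SENDER, BODY)
print(text)
print(foreign)
```

The first link's label shows the sender's domain while its target does not, which is exactly the mismatch that the plain-text view exposes.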

That’s it for today. Have a good weekend.

Free email providers are preferred distribution channels for malware

21 February 2015

Thursday morning I got a very puzzling e-mail. A collection agency informed me of an allegedly unpaid invoice and threatened me with default interest and overdue fines.

But I conduct no business with Pay Bank AG. In addition, the mail was sent from an address at GMX, a Germany-based free mail service, and not from the Pay Bank AG domain.

This was just another spam mail, but, compared to others, well and convincingly written. The message was crystal clear: Open the attachment!

In the evening I checked the attachment and found nested zip files. The inner zip file contained a program that appeared to be the data-gathering malware Win32/Zbot.gen!plock (TROJ_DLOADR.JCQ). Fortunately the anti-malware program on my computer removed the malware during download to my hard disk.

Sending malware in nested zip files ensures that the anti-malware systems on the e-mail provider’s mail-in servers do not become aware of the malicious attachments. Scanning of archives is very time-consuming because the anti-malware system has to open the archive and scan all files inside. Therefore nearly all anti-malware systems are configured to ignore nested zip files.
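What an in-depth scan of such an attachment involves, as an added example (not code from this post or from any provider): it unwraps nested zip archives in memory within an assumed depth and size budget and rejects anything it cannot fully inspect. The limits, the extension list standing in for a real scanning engine, and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

MAX_DEPTH = 5                        # assumed policy: archive layers to unwrap
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # assumed policy: total unpacked-size budget
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".com", ".pif")

class ScanLimit(Exception):
    """Raised when an attachment exceeds the unpacking policy."""

def walk_archive(data, path="", depth=0, budget=None):
    """Yield (inner_path, content) for every file, descending into nested zips."""
    budget = [MAX_TOTAL_BYTES] if budget is None else budget
    if depth > MAX_DEPTH:
        raise ScanLimit(f"nesting deeper than {MAX_DEPTH} layers at {path}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in (i for i in zf.infolist() if not i.is_dir()):
            budget[0] -= info.file_size          # charge declared size before reading
            if budget[0] < 0:
                raise ScanLimit(f"unpacked-size budget exceeded at {info.filename}")
            content = zf.read(info)
            name = f"{path}/{info.filename}" if path else info.filename
            if zipfile.is_zipfile(io.BytesIO(content)):
                yield from walk_archive(content, name, depth + 1, budget)
            else:
                yield name, content              # a real gateway scans content here

def verdict(attachment):
    """Return ('reject', reason) or ('accept', [inner file names])."""
    try:
        names = [name for name, _ in walk_archive(attachment)]
    except (ScanLimit, zipfile.BadZipFile, RuntimeError) as exc:
        return "reject", f"unscannable: {exc}"   # fail closed (RuntimeError: encrypted)
    risky = [n for n in names if n.lower().endswith(RISKY_EXT)]
    return ("reject", f"executable content: {risky[0]}") if risky else ("accept", names)

def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used only for the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: harmless placeholder bytes named like the lure, two zip layers deep.
SAMPLE = make_zip({"invoice.zip": make_zip({"invoice.exe": b"MZ placeholder"}),
                   "readme.txt": b"see attachment"})
print(verdict(SAMPLE))
```

The depth and size budgets bound the scanning cost the paragraph describes, so the gateway can look inside nested archives without being stalled by archive bombs.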

But what amazed me was that apparently no e-mail provider runs an in-depth scan of attachments. From the e-mail header I found that the mail was sent from the attacker’s computer PC14-050 to mail.gmx.com (GMX) and via mailin55.aul.t-online.de (T-Online) to SNT004-MC3F11.hotmail.com (Microsoft).

Since the malicious attachment wasn’t removed on its way to the inbox on my computer, GMX, T-Online and Microsoft use a similar, inadequate anti-malware configuration on their mail-in servers. As always, the last line of defense is the anti-malware system on the end-user’s computer.

In my opinion, this is an enormous waste of resources. Every day millions of malicious attachments clog the internet because of inadequate anti-malware configurations. We could save a lot of bandwidth for really important business, and much hassle, if mail-in servers would just reject any e-mail that has known malicious attachments.

That’s it for today. Please configure the anti-malware program, which is installed on your computer, to perform in-depth scans of attachments. Safety has priority over speed!

Have a good weekend.