PENN PRINTOUT
The University of Pennsylvania's Online Computing Magazine

PENN PRINTOUT November 1993 - Volume 10:3



E-mail insecurity

By Dave Millar and Stephen W. Thompson

Though e-mail is widely used at Penn, it has its drawbacks. Just as the phone enables obscene calls and the fax fails to protect private documents, e-mail makes discomforting behaviors possible.


Consider the following

Forgery. Forgery occurs when someone makes e-mail look like it came from someone else. In October, five University of Wisconsin freshmen sent forged e-mail messages announcing the resignation of one administrator and the "coming out of the closet" of another. Forgeries such as Wisconsin's destroy our trust in e-mail. While the possibility of tracing deters forgeries, they still happen, and they can easily go undetected.

Privacy Intrusions. These individuals might view your e-mail without your permission:

  • Postmasters, when mail is improperly addressed
  • Intruders who break into your account
  • Unintended recipients when mail is improperly addressed
  • Snoopers who intercept a message on the network without authorization

Tampering. Someone may intercept mail and alter it before it reaches the recipient. Or, someone could alter a message before forwarding it to others.

Harassment. In the past, people have received obscene messages or threats, or have been inundated by hundreds of messages.

With all of these problems, should we abandon e-mail? Certainly not! Instead, consider these pointers.


What can you do?

Be careful what you say in e-mail. Generally, system administrators make every effort to respect e-mail privacy. However, despite precautions, your e-mail may not remain private. Remember that copies of e-mail messages may be kept by the recipient or on system logs long after the sender deletes the message.

Don't jump to conclusions. If you receive out-of-character remarks in a message, give the sender the benefit of the doubt. Confirm that the sender wrote the message before you take any action. The message might be forged, or your correspondent might have intended humor or sarcasm.

Guard your password. With your password, someone else could forge e-mail from you, delete your e-mail, or forward it to other people. A Penn student learned this lesson when he lost his wallet containing his e-mail account and password. Someone used his account to forge obscene messages to students and faculty. Avoid risk by changing your password periodically, especially if you suspect someone knows it. See Penn Printout April 1, 1993, page 10, for information on choosing good passwords, or search PennInfo (keyword "security").

If you receive harassing e-mail, contact your mail system administrator ("postmaster" from many machines) or the University Information Security Officer (Dave Millar, millar@pobox or 898-2172). For violations of law, contact Public Safety (768-7150).

There is hope on the horizon. An Internet Privacy Enhanced Mail (PEM) standard has been developed, which offers e-mail users encryption and the ability to authenticate their messages so that recipients can be certain that the message could only have come from the sender.

And remember, Penn's policy on Ethical Behavior with Respect to the Electronic Information Environment prohibits the forging, alteration or unauthorized viewing of others' e-mail. Search PennInfo using the keyword "policy" for details.


DAVE MILLAR is University Information Security Officer in the Office of Data Administration; STEPHEN W. THOMPSON is a Data Analyst in the Office of Data Administration.