search
top


When Organizations Do Not Use Email Encryption

When Organizations Do Not Use Email Encryption

For this article, I had originally written it a few months ago. However, I didn’t get the chance to post it at that time. And, in a fortunate and positive way it turns out that my post will be some what less relevant than originally intended for the readers. When I initially had started this article, I had noticed an issue which seems to crop up anytime I am working with an organization. Many important organizations still lack basic security tools and options. In the example of this article, it looks into the lack of use of email encryption and secure email systems.

Now before I get into the nitty gritty stuff I want to list out a disclaimer. Everything I conduct, list, and discuss on my blog is and has always been for educational purposes. None of my articles are made or should be used to attack machines out there. All information on my blog is for the better purpose of learning better security methods.

Disclaimer

Now this article is not meant to bash government organizations in any way what so ever. This article is here to teach that any and all types of organizations can easily lack basic security measures.The point of this article is to educate these organizations, other types of analysts, and in general create security awareness.  On a personal level, I believe education is the way to ensure everyone around us makes use of better and more secure security practices.

Now in NO! part do I endorse anyone to use the following information to attack any government systems. This article is purely for educational purposes only. I also expect within some time the organizations that read this will have fixed and mitigated the security issues.

*UPDATE – The RCMP did in fact upgrade their email servers recently to a more state of the art email filtering system. I’m extremely glad they have done this, and it puts more faith in knowing the Canadian government is putting in additional security layers to protect their employees and citizens. At the time of my post they were making use of no encryption at all. A huge +1 for the technical team at RCMP/Canada Government.

Do Email Providers Support Encryption for Emails?

I found it very difficult to actually find a free email provider that did not use encryption. You would think out of all of the various free online email providers, that there would be one that lacks all forms of security. However, that was not the case for the top 2 pages on Google using the terms “free email account“. Making use of TLS (preferred TLS) is practically standard option with most email services out there. So, I was very surprised that over time I have seen many organizations NOT making use of encryption or using legacy systems. One reason many free email providers may be using encryption is most out of the box email software comes encryption ready as a default option.

Find a Target

For starters, we need an email address to get things going. Technically, we could use a fake email address and still get some decent results. But let’s make this more fun and interesting after all, it’s all about having fun and learning along the way. So, I’ve decided to search for random RCMP articles, they are bound to have an RCMP officers name in it. I eventually found an article and as most organizations make use of ([email protected]). I was able to trace a valid email address that existed. Now, if the email address did not exist this would still work since the initial goal here is to see if email encryption is an option or not. Here is a random news article that lists a possible name (http://bc.ctvnews.ca/rcmp-officer-charged-with-assaulting-suspect-in-surrey-1.3567793)

Check their email servers

Let’s check to see if they make use of encryption for their emails. I personally use CheckTLS.com. This website is extremely useful and creates a real time email connection to the specified organizations email systems. In this sample out of the respect for the email user, I have hidden the persons email address which had consisted of their first & last name.

rcmp TLS

In the example (see the screenshot above), we can clearly see that the email server does not support encryption. Now, the RCMP domain was used in this example, but virtually any domain name can be used provided they have a MX email record. We would be able to check any domain name that makes use of any email services. Connecting to each of these email servers would allow someone to determine if encryption is an option on the server, as clearly stated in the screen shot (TLS is not an option on this server).

Research email server software versions

Now for someone that was conducting a complete pen test. The next step would be to gain information regarding the actual email system.

  • What type of email software is being used? 
  • Is the version up to date or outdated? (Older versions might mean there is a chance a vulnerability exists).
  • Is the OS outdated?
  • Are there any other services open and/or running

 

As you can see we could gain a lot of important and/or dangerous information going down this route. In my case I stopped at the email encryption since my objective isn’t out to attack an organization. But, a true pen tester would have the opportunity to take things much further at point. To server the purpose for this article and the basis of email encryption using CheckTLS to view if encryption is enabled is sufficient enough for us,

Conclusion

In the end, the point of this article is to point out how easy it is to find out if certain organizations and domains use email encryption. As time goes on and security practices become more of a norm for all companies and organizations. We should start to see majority of emails at least in North America making use of encryption and providing some form of confidentiality.

If you would like to read up on more email security. I’ll be posting an upcoming article listing out ways to prevent spoofed and spam emails using SPF, DKIM & DMARC.



Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

top