
Guide To Email Security

Table Of Contents

Introduction
How To Protect Yourself
What To Do If You Get Hacked
The Hacker's Life
Email Is Gold
How An Attack Works

Introduction To Email Security


by Brandon, deliverability engineer
We're a paranoid bunch at Mailchimp. We proudly wear tinfoil hats, we have secret hideout rooms with steel walls, and we have fireman poles and slides throughout the building for quick evacuation. We also have at least 24 rottweilers with freakin' lasers on their heads. We'd go into more detail, but let's just say that security is a serious matter at Mailchimp. We take it so seriously because our customers shouldn't have to worry about their data. We spend a lot of time talking about bad guys and acting like bad guys, to figure out how they think. Our team invests a lot of time and money into writing code to protect ourselves and our customers, and we have lots of software and hardware to protect our infrastructure. Our security methods are there to help keep you safe, but when it comes to protecting yourself and your subscribers, you have some responsibilities of your own. In this guide we'll cover how you can protect yourself, what to do if your data has been compromised, some basics on why an attacker might target you, and why email data is important in the first place. We hope this guide scares you into taking some precautionary measures to ensure your data is safe.

According to the Ponemon Institute, the value of a customer record is $204 in the US. For some people the value is much higher, and for others it's much lower. Some people use the simple calculation: dollars earned divided by list size equals dollar-per-email value. (So if you made $120,000 off your campaigns and had 5,000 subscribers, then each subscriber is worth $24.) Though some are worth more than others, that calculation shows you how valuable email addresses are. And even if you're not earning money off your subscribers, there's great responsibility in protecting the email addresses they provide. Hackers want those addresses because they know how to extract and extort money from unsuspecting people, tarnish your brand and cause some serious financial hassles for you. If you and your service providers aren't taking the proper precautions to protect your customers' data, then you're doing a grave disservice to your business and subscribers.

*ATTENTION: EXTREMELY IMPORTANT OBLIGATORY LEGAL DISCLAIMER This guide is intended to serve as a resource on the topic of email security. It is not intended to be professional advice, nor is it a complete compendium of the information available in this area. The Rocket Science Group, LLC d/b/a MailChimp expressly disclaims any and all warranties about the information contained within. In sum, while we think this is an awesome guide on the topic, use of the information contained within the guide is entirely, completely, definitively, absolutely, positively, 100% at your own risk. If you have questions or need specific advice for your situation, please contact a knowledgeable professional.

How To Protect Yourself


You can never be too cautious when it comes to protecting yourself, your business and your valuable data. Here are some tinfoil-hat tips.

1. Keep ALL of your systems completely up to date. Not just your operating systems, but your browser, Adobe Reader, Java, Flash, etc. These ancillary applications are generally the most problematic and easiest to hack. Keep your anti-virus programs up to date, and if possible, use anti-virus software that has a firewall, or at the very least malware protection. Try something like Comodo.

2. Run anti-virus and malware scans daily. As in, every single day.

3. Secure your networks and wifi. Do NOT allow employees to use their home computers, guest computers, smartphones or iPads on your network. Secure your wifi using WPA2 or stronger. If you have mobile workstations inside or outside your networks, never use insecure wifi, like your local coffee shop's connection. If you must use this type of connection, keep your usage to an absolute minimum. Read up on Firesheep to learn how much information gets transmitted on an open wifi connection.

4. Secure your smartphone with a password or security lock. If it's stolen, call your provider immediately and disconnect your phone. Passwords are extremely important when it comes to security. Use different passwords for every site you do business with. Do NOT use the same password twice (see: Twitter Spam Attack Tied to Gawker Security Breach). Each site should have a unique password. Consider using 1Password, KeePass or a similar utility to help keep track of all your passwords. Keep in mind that if someone steals your computer or gains access, they can steal your password database. So make sure your master password is unique and difficult to guess. Use passwords of at least 10 characters with numbers, letters, symbols as well as different cases. If you use the same password everywhere, it's extremely easy for an attacker to try your username and password at each and every site they're after.

5. Use a single machine for financial transactions. It shouldn't be used for anything other than banking, and should only be connected via a wired connection. Don't keep this computer powered up unless it's being used.

6. Be careful what information you share publicly. If you're interviewed for something that will be published online, make sure you don't mention software vendors or business vendors you use, unless you can be 100% sure that your software and business vendors will not be hacked.

7. Never open email, IMs and social-media notifications from people you don't know, haven't heard from in a long time, or look suspicious. This type of communication is often malicious, so skip it to be safe. If you're unsure, don't reply to the communication, and call the person for confirmation. Assume everyone is compromised.
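Tip 4 gives two rules you can actually check: every password has to be at least 10 characters and mix digits, letters, symbols and both cases, and no password may be reused across sites. The script below is an added example (not Mailchimp's code) that audits a password-manager export against both rules; the site names, the passwords and the export format are constructed sample data.

```python
"""Audit a password vault against the guide's two rules (added example, not Mailchimp's code).

Rule 1: at least 10 characters with digits, letters, symbols and mixed case.
Rule 2: no password reused at more than one site.
"""
import string
from collections import defaultdict

MIN_LENGTH = 10  # the guide's "at least 10 characters"


def policy_failures(password: str) -> list[str]:
    """Return the rules a single password breaks (empty list means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c.isalpha() for c in password):
        failures.append("no letter")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("not mixed case")
    return failures


def reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used at more than one site to the sorted list of those sites."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def audit(vault: dict[str, str]) -> dict[str, list[str]]:
    """Return {site: [problems]} for every site whose password breaks a rule.

    Only site names appear in the report, so it can be shared without leaking secrets."""
    report: dict[str, list[str]] = {}
    for site, password in vault.items():
        problems = policy_failures(password)
        if problems:
            report[site] = problems
    for sites in reused_passwords(vault).values():
        for site in sites:
            others = ", ".join(s for s in sites if s != site)
            report.setdefault(site, []).append(f"reused at {others}")
    return report


# Constructed sample vault: site -> password, as a password manager can export it.
SAMPLE_VAULT = {
    "bank.example": "Xk9#pL2m$Qv7",
    "shop.example": "summer2011",
    "social.example": "summer2011",
    "esp.example": "Tq4!Wn8@Rz",
}

if __name__ == "__main__":
    for site, problems in sorted(audit(SAMPLE_VAULT).items()):
        print(f"{site}: {'; '.join(problems)}")
```

Run against the sample vault, the two sites sharing "summer2011" are reported both for the weak password and for the reuse, while the two sites with unique, mixed passwords are silent. Feed it your own export (never a file you keep around afterwards) and fix every site it names.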

What To Do If You Get Hacked


Hopefully you're protecting your data like a champ and nobody's after you. But if you do get hacked, here's how to handle it.

1. If it's a virus or malware on a machine, disconnect ALL machines from your network immediately. At this point it's best to involve a local IT company or consultant who's trained in removing malware. Don't turn on any systems until the threat has been completely removed. If you must get to a system, make sure it's not on the internet, and assume that anything and everything on that system is infected.

2. Change all passwords, and security questions and answers that may have been affected. Make sure you do it from a secure machine; if you change passwords on an infected machine, you're giving the attacker all the info they were after on a silver platter. Use a secured network that you trust. If your systems were hacked, don't trust your network until all machines have been given the all clear.

3. Contact your service providers and software providers, and ask them to do a scan for potential data breaches on your account. Also ask them to lock your account from further access if you feel the account is what the attacker was after, or if the account is important enough to lock down.

4. Check your email. Ensure that there's nothing in your deleted items that relates to communication with your service and software providers.

5. Notify your friends, clients and business vendors that you were compromised. Let them know that they shouldn't trust further communication from you until otherwise noted.
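Step 4 is worth automating, because someone who had your mailbox tends to delete the notices your providers sent (password changed, new API key, new login) so you don't notice. The script below is an added example, not Mailchimp's code: it walks a mailbox export, keeps only mail from the provider domains you depend on, and flags the subjects that describe an account change. The provider domains, the subject keywords and the four sample messages are constructed; replace the domain set with your own providers.

```python
"""Scan exported Deleted Items for provider notices (added example, not Mailchimp's code)."""
import email
import mailbox
import re
from email.utils import parseaddr
from typing import Iterable, Optional

# Hypothetical provider domains; put the domains of your own ESP, bank and host here.
PROVIDER_DOMAINS = {"esp.example", "bank.example", "hosting.example"}

# Subject phrases that usually mean the account itself was changed (constructed list).
ACCOUNT_CHANGE_RE = re.compile(
    r"password|api key|new (login|sign-?in)|email (address )?changed|two-factor|2fa",
    re.IGNORECASE,
)


def classify(raw: str) -> Optional[dict]:
    """Return a summary dict for a message from a provider domain, else None."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in PROVIDER_DOMAINS:
        return None
    subject = msg.get("Subject", "")
    return {
        "from": addr,
        "subject": subject,
        "date": msg.get("Date", ""),
        "account_change": bool(ACCOUNT_CHANGE_RE.search(subject)),
    }


def scan_messages(raw_messages: Iterable[str]) -> list[dict]:
    """Keep provider messages, account changes first (stable within each group)."""
    hits = [h for h in (classify(raw) for raw in raw_messages) if h is not None]
    return sorted(hits, key=lambda h: not h["account_change"])


def scan_mbox(path: str) -> list[dict]:
    """Same scan over a real .mbox export (most mail clients can produce one)."""
    return scan_messages(m.as_string() for m in mailbox.mbox(path))


# Constructed sample Deleted Items: two account-change notices, one ordinary provider
# mail, and one unrelated newsletter that should be ignored.
SAMPLE_DELETED_ITEMS = [
    "From: MiamiMail Support <security@esp.example>\nTo: you@foodieblog.example\n"
    "Subject: Your password was changed\nDate: Tue, 08 Mar 2011 03:12:00 +0000\n\n"
    "If you did not make this change, contact support immediately.\n",
    "From: newsletter@recipes.example\nTo: you@foodieblog.example\n"
    "Subject: 10 spring salads\nDate: Mon, 07 Mar 2011 09:00:00 +0000\n\n"
    "Fresh recipes for the week.\n",
    "From: MiamiMail <noreply@esp.example>\nTo: you@foodieblog.example\n"
    "Subject: New API key created\nDate: Tue, 08 Mar 2011 03:15:00 +0000\n\n"
    "An API key was generated for your account.\n",
    "From: Bank <alerts@bank.example>\nTo: you@foodieblog.example\n"
    "Subject: Your March statement is ready\nDate: Wed, 02 Mar 2011 12:00:00 +0000\n\n"
    "Log in to view it.\n",
]

if __name__ == "__main__":
    for hit in scan_messages(SAMPLE_DELETED_ITEMS):
        flag = "ACCOUNT CHANGE" if hit["account_change"] else "provider mail"
        print(f"[{flag}] {hit['date']}  {hit['from']}  {hit['subject']}")
```

Anything flagged as an account change that you did not initiate is exactly what step 3 is about: take the timestamp and the provider name straight to that provider's support so they can lock the account and check for a breach.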

The Hacker's Life


Discussions about hackers usually end with, "Why don't they just get a job?" The truth is, hacking is their job, and they often make good money (or enjoy what they do). The laws in many countries are lax enough that cybercrime isn't considered serious, or there's just so much other bad stuff going on, it doesn't bubble up. Many countries even overlook this behavior because the criminals pay off and support government officials. The book Fatal System Error by Joseph Menn goes into more detail about that. Whether someone is paying government officials, or the laws just don't apply, it really doesn't matter. These criminals exist, and they're out to get any and all information they can. So why do they want your data?

1. To target your personal and/or business finances. Stealing financial account information is easy these days. It's even easier, and far more useful, to steal credit card information.

2. To target your computers and technology infrastructure. Botnets allow an attacker to use many machines to attack other machines, steal information and commit various other acts of evil. Once the hacker controls your computer they can:

   - Log every keystroke you type. The software that records the keystrokes is even built to show fake login pages for financial institutes to log your credentials.
   - Steal information from your hard drive. The attacker owns your machine and can get at any piece of data they want. Stealing your accounting database and cracking the username and password shouldn't take more than a few Google searches.
   - Use your system to send SPAM. The majority of SPAM is sent through systems controlled by botnets. If your system is under the control of a hacker, they can send hundreds of thousands of pieces of SPAM from your system without you ever knowing it.

3. To target your customers. Maybe you have some high-profile clients that the attacker is after. Maybe a client is listed on your site or sent an issue via Twitter. It's easy to figure out who your clients are, and it's an easily accessible entry point for an attack.

4. To target employees. A hacker can easily target your employees using social media and direct attacks. It's easy to find ways to get at your employees, like using family members, college or high-school friends found through Facebook. If an attacker targets one of your employees, he can gain insight into your business practices and target your entire company.

All attacks are planned. There's an end goal, and because this is the attacker's job, he spends lots of time planning and plotting every step. Just like that new promotion you planned in November, the attacker planned the malicious attack on your Social Media Manager. Many people think hackers don't put much thought into attacks, and while the 419 scams and bad spelling in most SPAM might make you think hackers are stupid, that's far from the truth. In the book Social Engineering: The Art of Human Hacking, Christopher Hadnagy provides information on how much effort a hacker will put into planning and executing an attack. It's like a chess game, but unfortunately, most of the targets have no idea they're part of the game. If you have any type of online presence, then you are, have been, or very shortly will be under attack. So you must behave like you're under attack and secure your assets at all times.

Email Is Gold
Email addresses are extremely valuable in today's economy. Referencing back to our quick calculation in the introduction, you can see that an email address can be worth a lot of money to your business. Our identities, important accounts and vital information are attached to email addresses. Chances are your financial institutions use your email address as your username. Your social media accounts, like Facebook and Twitter, tie to your email address. Your email address is a unique identifier, but more importantly, it's a communication mechanism. We use email to transmit all kinds of important information, and we use email more and more each day. Evil hackers want the email accounts for various reasons. This is just a small list of some stuff they might be after:

- Hackers have found that companies who use ESPs (email service providers) generally have clean lists. A clean list means fewer bounces and potentially an engaged list. And that means the list will deliver to the inbox and have a higher likelihood of clicks and opens.
- The hacker wants your email addresses to send your subscribers malicious stuff. Maybe your email list has important users like congress members. If they can trick your subscribers into clicking links and visiting bad sites, they can then gain access to machines they were targeting.
- The hacker is planning a much larger attack and is just harvesting email addresses.
- The hacker is planning to resell your subscribers.

Know that lists used by marketers often have highly engaged readers and good email addresses. If the hacker wanted to target your customers, they could easily imitate your campaign content and trick your users into following a link to a malicious site. Chances are, the engaged readers will click like they normally would. The list is valuable to you, but it's just as valuable, if not more so, to the hacker.

There's also a large market for buying and selling email addresses. So not only can the hacker use the email addresses for direct attacks, but they can then sell the addresses to a list broker for further gain. Think that through the next time someone approaches you about selling a list: chances are most of the addresses were gathered unethically.

How An Attack Works


Remember, the hacker has an end goal. In this section we'll build a scenario and walk through how an attack is planned and carried out.

Let's say your site is a popular foodie blog. You have a cool newsletter signup on your site, and you allow people to comment on your blog. Somewhere along the way, you were interviewed on a food website about how you handle your business, and most importantly, your marketing. You told everyone that you use this really cool newsletter service called MiamiMail, that you have 280,000 subscribers, and the list grows by 2,000-3,000 subscribers a week. It's so much to maintain that you hired Debra, a social-media expert, Quinn, an email-marketing guru, and Vince, a programmer who works with the MiamiMail API. You also talk about your guest bloggers and some of the famous chefs that actively participate on the blog and answer questions in the comments. You just built this great new recipe section, where the same famous chefs comment on the posts.

Arthur is a hacker, and he's just come off a series of attacks against major car dealers. He wants to change things up and reads the article about your site. It piques his interest because you gave some specific details. Here's what Arthur knows about your business:

1. You use MiamiMail.
2. You have a substantial list, and it's growing quickly.
3. Arthur knows about at least four people in the company: Debra, Quinn, Vince and you.
4. Arthur also knows some famous people who use your blogging tool.
5. Those famous people participate in the recipe section.

Arthur takes this data and begins to research the following:

1. MiamiMail. Find out anything and everything about them. He trolls the support forums, signs up for a free account, learns about the API and even experiments with the system to send a few test campaigns.
2. Your company's About page. That really cool Team page came in handy! Arthur finds a few other employees and then begins researching your employees and building profiles for Debra, Quinn, Vince and you. He finds your Twitter, Facebook and LinkedIn profiles. He also finds out your home addresses, personal email accounts and a few other pieces of information he purchases using some stolen credit cards he got from that car dealer scam he ran last week.
3. The famous chefs. If Arthur can't trick your employees, he might be able to trick one of the chefs and maybe gain some access to the blog.

Over the years we've seen SPAM grow in maturity. SPAM has moved from poorly spelled 419 scams, to simple phishing scams, and now we see smarter and more targeted SPAM and phishing attacks. Hackers have exposure to tools, data and blackhat ESP systems that allow them to run sophisticated campaigns against targeted victims. We see hackers use levels of sophistication beyond what most marketers use, like advanced segmentation, dynamic content using conditional merge tags, and combining other data sources to target recipients more effectively. With combined data sources, they can effectively attack your employees and users. If the attacker can't obtain enough information, there are sites where a few dollars can provide them with just about anything they want to know. Just as you read your campaign's results, the hacker is using reporting data from their malicious software. When they launch an attack, they use the stats to tweak and refine future attacks.

Arthur builds his campaign to drive his victims toward a site or series of malicious sites. These campaigns allow him to learn more about the computer systems involved, gain access to the owner's system, or even worse, damage your infrastructure as a whole. He won't just target employees; he'll target business associates, family members and friends. Arthur may even use a series of campaigns to learn more information or gain access to specific computer systems.

So what is a malicious site?


Years ago someone would receive a virus in an email, click it, and get infected. Those tactics are still used, but these days most attacks use drive-by malware. The basic idea is that you visit a site that the hacker controls. They've embedded some JavaScript or code that runs and infects your system. You didn't have to click anything; you simply visited the site and got infected. If Arthur plays his cards right, he'll infect the right machines. Even if he doesn't get to the systems he wanted, he'll use the other systems to learn more information or attack elsewhere. And what does an infected machine provide Arthur with? Malware infections can include keyloggers, remote access and access to all the data on your machine or network. Once infected, Arthur has unfettered access to your information. Keyloggers allow him to watch all your keystrokes. Yes, EVERY keystroke. Malware is designed to run without you ever knowing it has been installed.

Arthur can sit and watch and collect and learn. With time he'll gain access to all of your systems, or in this case gain access to your MiamiMail account. Once he has this access, he'll steal your subscribers and start the process all over again. At this point, he can target your subscribers to gain access to their systems, attempt to steal credit cards and more. He can continue mining data from your system, or rent or sell your system to other hackers for other needs.

Read more about malware. Scary, huh? We suggest rottweilers with lasers.
