Email Security and You - 14 Jun 2001

In Three Big Security Problems, I described the three biggest security threats to your small office/home office (SOHO) computer or network: an insecure OS, unused open ports, and backdoor programs. Although those three risks are prominent, there’s always another risk lurking nearby: email. For most users, the incredible convenience of email is also an opening for disaster.

Reading and sending email threatens the internal security of your system's data. Innocuous as it may seem, email is a very unsafe system whose primary vulnerabilities depend on the user's trust. Although most users install virus scanners to protect against untrusted Web downloads, many of these same users trust email. They often open any attachment without considering that the attachment might contain a virus or other code designed to open their system to an external attack.

Roughly 90 to 95 percent of all virus attacks come through email. That’s not to say that the Internet isn’t a breeding ground for viruses. Every day, attackers write and post new viruses on the Web. However, email is still the most viable and efficient way to distribute code that infects other systems.

Although the Melissa and Gnutella worms lasted a short time, they demonstrated that worm viruses are a real threat to IT security and can damage a SOHO's reputation with its clients. Email worm viruses work by emailing themselves to other users. The email arrives with an innocent-looking subject line and a message that the attacker has designed to distract users, persuading them to open an attachment. Often, the attachment is scripting code or an executable that takes advantage of specific functions in certain email programs that let the code email itself to any or all entries in a user's address book. It’s a vicious cycle that takes users days to remove from email systems and consumes precious bandwidth on an already crowded Internet. Although some attackers design worms simply to annoy others and boost their own egos, others install Trojan horse programs that are serious security threats to your computer or network.

You can install antivirus software on your systems to notify you of a virus, but you probably don’t need these warnings if you follow one rule: Don't open email attachments or execute attached programs unless you're completely sure you know the sender and are expecting the attachment. Worms can’t spread if you don't execute the code. Even worms with embedded Trojan horse code can’t install on your system unless you activate the code. Being alert and cautious is the best way to protect your SOHO against email security threats.

Microsoft holds a large share of the desktop OS market, with many people using Internet Explorer (IE) and Outlook as their main connectivity applications. As a result, security vulnerabilities in these products quickly become well known, and virus and worm coders often target Microsoft OSs and Internet utilities. Fortunately, IE and Outlook Express come with built-in security features, and Microsoft has released patches to secure any vulnerabilities in the software. Here are some suggestions to further secure these applications.

  • In July 2000, Microsoft released a security update containing critical security information for both Outlook and Outlook Express. You can access this information and download the patch from the Microsoft Web site.
  • Microsoft also has a security patch for a specific ActiveX control, scriptlet.typelib. A malicious attacker can use this ActiveX vulnerability to execute script code that can damage your computer. You can find this update file on the Microsoft Web site. (Windows 2000 users do not need to apply this patch.)
  • IE and Outlook Express offer a software security feature called zones. You can configure zone settings to respond to various threats, depending on the source, and set prompts to notify you when an attachment might contain a virus.

To adjust the IE zone configuration, follow these steps:

  1. Open IE and select Tools, Internet Options.
  2. Select the Security tab, click Restricted sites, and click Custom Level.
  3. In the Security Settings window, scroll to Scripting and click Active Scripting to disable the setting. Click OK each time to close the dialog boxes.

To adjust the Outlook Express zone configuration, follow these steps:

  1. Open Outlook Express.
  2. Select Tools, Internet Options and select the Security tab.
  3. For optimum security, select the setting for the zone Restricted sites (More secure). Click OK to close the dialog box.

Outlook also has some vulnerabilities of its own. In midsummer 2000, Microsoft released a patch to prevent a rash of worm viruses. The patch prevents the user from accessing specific types of file attachments, notifies the user when an external program attempts to access the address book, and reconfigures Outlook’s default security settings. Some users might feel that a total ban on certain types of attachments is too strict, but others might find it perfectly appropriate. Only you can decide whether to install this patch. Because each user needs to consider many factors for individual situations, my colleague Tom Syroid, author of Outlook 2000 in a Nutshell (O’Reilly), has a four-part exposé on the Outlook patch on the publisher's site.

As a final step, you can disable Windows Scripting Host (WSH) on your Windows-based systems to immunize yourself from the threat of VBScript viruses (code with .vbs extensions), such as the LoveLetter virus. If you're completely sure that you don't need WSH, Sophos has a Web page devoted to removing WSH. Symantec also offers a program, noscript.exe, that disables but doesn't remove WSH so that you can determine whether disabling WSH cripples any of your day-to-day functions.
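The attachment rule and the attachment-type blocking described above can also be applied mechanically before mail reaches a user. The following is an added example, not part of the original article and not Microsoft's code: it flags script and executable attachments, including names disguised with a double extension. The extension lists and the sample message are assumptions made for illustration.

```python
import os
from email import message_from_string

# Assumed block list for illustration; not the list the Outlook patch uses.
RISKY = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
         ".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Extensions users tend to trust; used to spot disguises such as "note.txt.vbs".
DECOY = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".xls"}

def classify_filename(filename):
    """Return the reasons an attachment name is risky (empty list if none)."""
    # Windows drops trailing dots and spaces, so "a.vbs. " still runs as .vbs.
    name = filename.strip().rstrip(". ").lower()
    stem, ext = os.path.splitext(name)
    if ext not in RISKY:
        return []
    reasons = ["executable or script type " + ext]
    if os.path.splitext(stem)[1] in DECOY:
        reasons.append("double extension hides the real type")
    return reasons

def scan_message(raw_message):
    """Map each risky attachment name in a raw message to its reasons."""
    findings = {}
    for part in message_from_string(raw_message).walk():
        reasons = classify_filename(part.get_filename() or "")
        if reasons:
            findings[part.get_filename()] = reasons
    return findings

# Constructed sample message (not captured mail): a disguised script and an image.
SAMPLE = """\
From: friend@example.com
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="NOTE.TXT.vbs"

placeholder
--BOUND
Content-Type: image/gif
Content-Disposition: attachment; filename="logo.gif"

placeholder
--BOUND--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A filename check like this only catches attachments by name; it complements, rather than replaces, antivirus scanning of the attachment contents.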

The bottom line: Being sensible about email is as good a guard as any other. In Three Big Security Problems, I warned SOHO users not to trust spontaneous Internet downloads—the same advice goes for email attachments.
