Sunday, December 18, 2022

Improving Personal Email Security

by Steve Endow

Last week I discovered that my personal information was included in 2 massive data breaches in under 24 hours.

This was the last straw for me.

Yet Another Data Breach


Background

Data breaches aren't new, and have unfortunately become so common that I don't think they garner any more than an eye roll or a shrug these days.  Here is just a partial list of breaches that occurred in 2022.  I happen to know that December 2022 is missing several significant entries.  And this doesn't include all of the shady data brokers who buy and sell your data constantly.

https://tech.co/news/data-breaches-2022-so-far

I don't see data breaches decreasing any time soon, and I assume that we will continue to see an increasing number of breaches in coming years.  It's going to get far worse before it gets better.

So what does this have to do with email?

The problem is that several of these breaches have included my "personal" email address.  

So what's the problem with that?

Unfortunately, several sites use email address as the username for their site login, or for password resets, or as an additional layer of verification.  So I can expect brute force attacks on the sites.  And attacks on my email account.  And password reset attempts.  And lots of email phishing.  And more spam.

My personal email address has become like my Social Security number.  On it's own, an SSN is a pretty meaningless, useless number.  But when it becomes tied with your identity, and is used to authenticate you, it becomes valuable.  Email has long been a vector for spam and phishing, but it has now become a proxy for identity.

With these two recent breaches, I realized that my email address has become a security risk.  By using my personal email on dozens of web sites and apps and services, it has been tied to my identity and to several web sites and services that I've used over several years.  Want to perform OSINT on Steve?  Just scan 15 recent massive data breaches to find his email, name, phone, address, and who knows what else.

Now we can attack that email account, and bang against a bunch of widely used web sites to see if we can attack his accounts and attempt password resets.  If you're skeptical at all about this, trust me--this process is trivially easy for an experienced cybersecurity expert or malicious 'hacker'.   I have no question that my 12 year old Security Intern could follow a simple set of instructions to attack my accounts.  Just listen to a few episodes of the Darknet Diaries podcast to hear how astonishingly easy it is for pros to compromise accounts.  It happens routinely every day in penetration tests and red team exercises.  Every. Single. Day.

So what is the answer?

I don't know if it's THE answer, but one answer is to use unique email addresses for EVERY account or web site or login.  Every. Single. Web site.

The understandable reaction is:  "That's insane! How can you possibly use a different email address for every web site???"

Let me explain...


Old School

I was aware of the concept of using variations of an email address, such as steve+netflix@emailcompany.com.  The plus sign has been supported by many email services for many years.  This is often recommended as a way to determine which web site leaked or sold your data to a spammer.

I've also been informed that some providers support periods anywhere in the email address, such as steve.netflix@emailcompany.com, where this address resolves to steve@emailcompany.com.

There are two problems with these techniques.  First, it's trivially easy to determine your "real" email address and then target you or your logins.  Second, you can't usually stop spam or phishing email sent to steve+netflix once the email gets published in a breach. 

Thankfuly, there is a new method.

There are now services that let you generate as many random email address "aliases" as you want, and all of those email "aliases" can point to any "real" email address you want. 


The Password Analogy

I would never publicly share any of my passwords.  That seems obvious.

But is it any more acceptable to publicly share my username?  "Hey everyone, my username for Mega Bank of The East is steve@emailcompany.com!"  That's literally what happens every time I send an email from my personal email account.  And now that several of my email addresses have been in multiple data breaches, those addresses can be used on any web site that uses email as the username. 

After these recent data breaches, I realized that my email address is nearly as important as my password.  It's 50% of my login on some web sites.  Why shouldn't I attempt to improve the security of those usernames?

And how do I manage my passwords?  With a password manager.  I generate a unique, complex, random password for every web site.  I never re-use the same password on any two sites.  And I don't know a single password for any web site or login!  I couldn't tell you my the password for a single bank, credit card, subscription, or ecommerce web site.  Everything is managed by my password manager.

So why would I re-use the same email address on dozens of web sites?

Well, because it's a major hassle to create a new email address for every web site. And a major hassle to manage them.  

It used to be a major hassle.  Just as I can easily generate and manage unique random passwords for every single web site, I can now easily generate a unique random email address for every single web site. 


Modernization

Based on a quick search, I found two services that offer "email alias" management.  

SimpleLogin

AnonAddy

After reading a few reviews of the two services, I chose to try SimpleLogin.  It seemed to offer a more comprehensive solution that would better fit my needs.

(I later learned that Proton Mail includes a free SimpleLogin subscription with their Proton Mail Unlimited plan, so that made SimpleLogin the easy choice for me.)

Just as you use a password manager to generate and store hundreds of unique random passwords so that you never re-use passwords, SimpleLogin generates and stores unique random email aliases so that you never re-use an email address.  Think of the email aliases as random usernames that individually have zero meaning or value.

Install the SimpleLogin browser plugin and mobile app and a new random email address is just one click away.

Any time an email is sent to one of the alias addresses, it is immediately forwarded to any email account that you choose.

Just as my password manager stores my unique random password for a site, it can also store the random unique email for the site.   SimpleLogin also makes it very easy to quickly find an existing alias. 


How does it work?

Once you setup an account on SimpleLogin, you can use one of their several generic domain names, or add your own custom domains.  

Click on the browser plugin and it will suggest an alias based on the web site URL--or you can generate a completely random address using words or a GUID.   You can click on the drop down to choose their domain or one of your custom domains.

NOTE: I highly recommend setting up at least one custom domain and using that for any important email aliases. See "Dependency Risk" below for more info.


Browser Plugin Generates Random Alias

Then just paste that email address in the web site.


SimpleLogin then tracks that alias and makes it easy to manage and monitor the alias.

Random alias is just like a random password


Once you have your SimpleLogin account configured, it is incredibly easy to use.

Today I updated 40 accounts with email aliases.  Every time I get a new message in my old personal email account, I'll update that account with an alias.  Every time I login to a web site, I'll make sure it's using an alias.

It will probably take a few weeks to retrofit most of my active accounts.  I probably have hundreds of old logins or accounts that I no longer use, so those will probably take a while to update or close.


Interesting Benefits

Using a unique email address for every single web site produces some interesting benefits.

1. You never have to share your "actual" email address.  You can use email aliases for everything.  100% of the time.  Never, ever give out your "real" email address again.  

2. You can route any alias to any email Inbox.  Want some aliases going to Gmail, others going to Proton Mail, and others going to a work address?  No problem.

3. Data breaches and phishing are limited to one alias.  Every email alias you generate is a throw away value.  Data breach at Uber?  No problem, generate a new alias, update your Uber account, and disable the old alias.  Spam coming to your PayPal alias?  Generate a new alias and update your PayPal account--no more spam.  Someone tries to phish you at your "patreon.4zat8u@aliasemail.xyz" alias?  Just another throw away alias.

4. Your email address is no longer your identity.  Nobody will ever need to know what your "real" email address is.  Your Inbox address will no longer be fixed or sacred.  You will literally never need to use your "real" email address.  Even you won't need to know your "real" email address, as you will never share it with anyone.  Your "real" email account will be no more valuable to you than any random password in your password manager.  You will just login to some email account and see all of the email that is forwarded to that particular Inbox.  It won't matter what the address is to that Inbox.

5. Your email aliases are disconnected from your email Inbox.  If you want to change email providers right now, how long would it take you to update the email address on all of your accounts?  Online banking, streaming, subscriptions, newsletters, ecommerce sites, utilities, etc.  Once you are setup on SimpleLogin, you can enter the address of a new "Inbox" and one click later, all of your email is sent to that new Inbox.  You could literally use a new "real" email address every month with a single click without changing a single account on a web site.  

6. No more spam.  In theory, if I use an alias for every single web site or service, I will never have any spam.  If I start getting spam on my DoorDash or Substack alias, I can easily update my account with a new alias and disable the old alias.  Spam no longer goes directly to my Inbox.  It must go through a unique alias, which will identify the source, and can be easily turned off.


It doesn't have to be perfect

"But what about _____?" you may ask.

Sure, I'm assuming there are some loopholes or limitations I haven't yet encountered.  But compared to the alternative that I'm living with now, this is a huge improvement.


Won't it be a hassle and one more thing to maintain?

I don't think it will be any harder than generating and managing unique complex passwords.

The one situation that will have more friction is when a human is involved.

Receptionist at my dentist:  "What email address should we send the bill to?"

Me:  Send it to dentist.a6q9y@mymailalias.cc

Receptionist:  "Uh, what?"

People are so used to Gmail or Yahoo or Hotmail personal email addresses that a custom domain will cause some confusion.  

Today I had to email someone to use an alias for a newsletter.  He replied, "Did you type that address correctly?  It ends in .co?  Is that right?  Did I miss a character?"

Fortunately, those IRL situations are not very common, and when they do arise, the SimpleLogin mobile app makes it very easy to create a new custom alias on the fly.


Replies

But what about replies?  If I receive an email sent to alias postmates.4ztt9@myemailalias.xyz and need to reply, won't the reply expose my "real" email address?

They've thought of that.

Somehow, I don't yet know how, the reply will be routed through SimpleLogin so that it appears to be sent from the alias email address.  So my "real" email address should not be exposed. But, that does mean that recipients may see "dentist.a6z9y" as the sender, rather than "steve", so I need to look into whether I can adjust that to be something like "Steve Endow <dentist.a6z9y@mymailalias.cc>"

Also, it does appear that the reply header will include some strange information, such as references to a random address, like "sallysmith_at_gmail_com_ddkhlrldlcwldow@simplelogin.co".  


UPDATE:  I think figured out how the replies work.

When someone sends an email to me at pizzahut.t57lw@mymailalias.xyz, SimpleLogin creates an alias for the *sender* email address.  The sender email address looks something like "customerservice_at_pizzahut_com_smucgrcouz@simplelogin.co".  When I reply to the email, it is sent to that @simplelogin.co "sender alias" address.  That allows SimpleLogin to receive the email, strip out my "real" email address, and replace it with pizzahut.t57lw@mymailalias.xyz.

So SimpleMail is intercepting my inbound emails and relaying them to me, and it is also intercepting my outbound emails and relaying them to the recipient.

That would seem to add a layer of complexity to what is normally a relatively simple process, but it does seem to work, and it obviously provides some value.


CAVEAT:  Given how replies work, if I need to initiate an email to someone, I first have to create a "Contact", which will generate an email "alias" for the recipient.

https://simplelogin.io/docs/getting-started/send-email/

This is obvious not a typical step when sending an email.  It also means that sending an email to a new recipient requires 2 steps:  Create a SimpleLogin Contact associated with the alias I want to use, then save that contact in Proton Mail.   

It also means I have to be more careful--I can't just fire off an email directly from Proton Mail--that would expose my "real" inbox address.  That's going to take some practice, but fortunately most of my personal email is inbound--order confirmations, newsletters, etc.


Spam Blocking

I'm assuming that Proton Mail and SimpleLogin know what they are doing regarding avoiding spam blocking, and that their SMTP servers are able to reliably deliver my outbound email.  But I'll have to see how it goes.

I've had a few of my emails from nearly every free and paid email service get blocked at some point--likely due to content rather than the sending server or address--so I will just have to keep an eye on it.


No more free email accounts

As part of my email security upgrade, I'm eliminating all free email accounts.  Nothing is free, so I'm now explicitly paying for a secure email service.  

I registered 6 new domains that I can use for aliases and "real" email.  I then signed up for Proton Mail Unlimited, as they are one of the more popular "secure" email providers.  The Proton Mail subscription is cheaper than most streaming services, so I'm happy to pay for it.

I then linked my SimpleLogin account to my Proton Mail account, which gave me a free SimpleLogin Premium subscription--making the Proton Mail Unlimited subscription a bargain.

At this moment, I literally have no idea what the "real" email address is for my Proton Mail account.  I simply don't know what it is without looking it up.  But it no longer matters.  That "email address" is no longer meaningful.  At all.  It's just a generic "inbox" where my email shows up.   I login and see my email, regardless of address or alias.  

Tomorrow I could change the email address associated with my "inbox", and with a single click in SimpleLogin, all of my email will flow to the new inbox.  

It's a very strange experience to realize that I no longer have a "personal" email address.  I just have email aliases that magically route email to an arbitrary inbox.


Dependency Risk

I am definitely putting heavy reliance on SimpleLogin for all of this.  Alias creation, management, routing, and SMTP is handled by SimpleLogin.  If they have an issue, there goes my email.  If they go out of business, I'll be scrambling to find a replacement.

In theory, these risks exist with any email service, including Gmail, which apparently recently had issues

UPDATE:  After thinking about how to mitigate this risk, I realized that I would only need to change my MX DNS records to a new SMTP service, and then setup a "catch all" email address.  All of the email sent to my custom domains setup on SimpleLogin would be routed to the new SMTP provider.  This could all be done easily in an hour or two.

This contingency plan should work for all custom domains I have setup on SimpleLogin.  However, if you use one of the non-custom default SimpleLogin domains (simplelogin.com, 8alias.com, slmail.me, etc.), then those alias would not be routed to your new SMTP service.  You would have to change your email for to any web sites where you used aliases with those default domains.


Credit Reporting Confusion?

In the United States, we have a few large "credit reporting" corporations.  These "credit agencies" ostensibly provide "consumer credit reports" that facilitate consumer lending in the United States. 

In order to provide consumer credit scores and reports, these companies collect staggering amounts of highly detailed information on US consumers.  That includes email addresses.

While I don't know that email address, or any contact info, is used in the calculation of a consumer's credit score, or any assessment of their credit worthiness, it is likely used to track consumer accounts.  Bank accounts, credit card accounts, mortgages, cell phone accounts, etc.  

If I use tmobile.g34yt@mymailalias.xyz for a T-Mobile account, then apply for an airline miles credit card account using american.p29gt2@mymailalias.xyz, and then get a car loan using creditunion.3wit4@mymailalias.xyz, ultimately, I will potentially have dozens of email addresses submitted to the major credit agencies.

I don't know if this will cause any complications.

I've seen my full credit report, including every piece of data that the agencies have on me--literally hundreds of pages or jibberish, and I've seen several incorrect spellings of my name, incorrect addresses, incorrect employers, etc.  I'm assuming that my new random email aliases will just be added to that pile, with little consequence for me.

But if you are a young US resident or are trying to build credit in the US, this may be a consideration or risk factor.


Theoretical

I just set all of this up over the last 2 days, so I'm still learning.  So far, other than the friction with silly humans and potential weirdness with replies, I haven't had a single issue.  But I assume that I'll find some weird scenario or some technical quirk that will represent an issue or limitation with this setup.

If you know of any limitations or issues, please post a comment below and let me know.


Is this overkill?

"Steve, you're being paranoid. Just use 'plus' email addresses with a Gmail account. That's plenty good enough."

Why am I going this route?  I met someone who works for one of the largest software companies in the world.  He does security analysis, penetration testing, and red teaming.  He knows the risks.  He sees the hacks and compromises every day.  He exploits vulnerabilities, OPSEC mistakes, and uses OSINT as part of his job.  

He is the one who mentioned that he uses this email alias technique for all of his personal accounts--which sent me down this path.  He knows that using email aliases adds another layer of security to his  OPSEC.  He knows that aliases make OSINT more difficult.  Is he being paranoid?  Is this security expert foolishly wasting his time with aliases?  

This technique isn't for everyone--it's a bit technical, a bit cumbersome, and probably more than the average consumer can handle.  But it's not particularly difficult for me.

Another interpretation is that you don't have to achieve "perfect" OPSEC and security--you just need to have enough OPSEC and security to be a more difficult target than everyone else.  ("You don't have to outrun the bear...")  If a hacker can compromise dozens of accounts with shared email addresses and no 2FA, they'll have plenty of victims and won't bother trying to attack accounts with unique email aliases and unique complex passwords and 2FA and FIDO.  Or they'll just use social engineering to completely bypass account passwords, or find a software security vulnerability to breach the network of the service provider.  In which case I tried...


Friends and Family

A question I had while setting all this up:  Should I use aliases with friends and family?

I'm not concerned about hiding my email from friends or family, but it is possible that an email account of a friend or family member could be compromised, thus exposing my "real" inbox address in a data breach.  That compromised account then sends out phishing and spam emails to every address in the inbox and address book.

I see such email account breaches regularly with companies I work with, but I don't recall it happening to a friend's personal email account.

It's easy enough to create a single alias "friends@mymailalias.xyz" for friends, and "fam@mymailalias.xyz".  My family knows I'm a supergeek, so they'll just roll their eyes and humor me.  My friends will just confirm their belief that I'm a bit weird, but I don't think they'll have a problem with it.  But...


The Hard Part

Things get tedious if you are trying to completely hide your "real" inbox address.  If you never, ever want to share that with anyone, the issue is not the email aliases you'll need to create--it's literally one click or even zero clicks with SimpleLogin (you can setup all sorts of generic addresses).

The issue is with outbound emails that you send to a new recipient.  If I want to hide my "real" inbox address, it looks like I have to create a "reverse alias" on SimpleLogin.  This is an alias email address I send to that both identifies which outbound alias I want to use, as well as the email recipient.

If that's kinda confusing, well, yes, it's kinda confusing.  If you use SimpleLogin and set one up, it's just a few clicks and makes sense, but it's not easy to explain.

Once I setup those reverse aliases, I then need to copy that address, which will look like:

"doctor at medicalgroup.com" <doctor_at_medicalgroup_com_atosu4@simplelogin.co>

I then need to make sure that I use that alias whenever I send an email to the doctor.

And more importantly, if I want to never expose my real email, it means that I will always have to send  emails to reverse aliases.  Always.  100%.  No mistakes.  I could never send directly to a real email address from my real inbox address.

That sounds like a hassle.  And the chances of me maintaining that level of discipline is zero.  Fortunately, for my use case and threat model, I don't think I need that level of caution.

But if I do eventually start getting spam sent directly to my "real" inbox, I will be annoyed, so I'll see how it goes.


UPDATE:  It Will Keep Happening

I wrote this blog post on December 18, 2022.

4 days later, the LastPass password manager service disclosed a significant customer data breach.  A threat actor accessed a LastPass cloud storage repository that included backups of customer "vault" files and full customer contact information.

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Yet Another Data Breach

The threat actor now has a valuable shopping list of email accounts, and full contact information that can help them compromise accounts, perform password resets, and use in new phishing campaigns.

And it gets better (worse?). LastPass intentionally does not encrypt web site addresses in password vaults.  So in addition to the threat actor knowing your name, your email, phone number, billing address, and IP addresses, they also know every web site for which you have a login.

The attackers can now attempt password guessing and password resets on those accounts. If they have an exploit to access email accounts or can perform password resets on email accounts, that's a gold mine.

Web sites have made our email addresses an essential part of security.  An email address has become a proxy for our identity.  Email is used for some logins.  Email is used for password resets.  Email is used for account "verification".  If an attacker knows the single email address that someone has used across 30 different web sites, I'm assuming they are a much more lucrative target than someone who has taken the time to use a different email address for every web site.


UPDATE:  January 30, 2023

I have now created 170 email aliases through SimpleLogin.

170 Email Aliases

SimpleLogin has been very easy and convenient to use and I haven't had any issues with the service itself, or email delivery.

A few things I've observed and learned as I've switched over to email aliases.

1.  Some sites do not allow you to change the email address for your account.  This seems absurd, but they exist.  If you want to change your email, you can try to contact the web site or company.  In one case, a support rep was able to manually change my email in their system.  Another web site I contacted had no ability to change the email address--they told me I had to cancel the account and create a new one under the new email address.  This is absurd, but they are the exception.

2. It seems that changing your email on many web sites automatically opts you back in to marketing email.  I've seen this on many web sites--after switching over to an email alias, I immediately started receiving marketing junk mail from them on the new address, even though I did not opt in when I changed my email.  So expect to unsubscribe to several marketing lists as you migrate.

3. Some companies use third party services that require separate logins.  For example, the cybersecurity certification organization (ISC)² has an account management system on its own web site where you register to be a member, take training, or pursue a certification.  But they use a hosted platform called BrightTalk for webinars and CPE programs--and that site requires a separate registration.  (ISC)² then uses yet another web site, Credly, to provide "badges" and certifications.  Credly requires its own account, and forced me to use the same email that I used on (ISC)² in order to claim a badge.  Not surprisingly, Credly is presumably looking to attest to the certifications provided by (ISC)², so they want to try and link to my (ISC)² identity via email address.

So that's one company requiring 3 different logins, where I'm using 2 different email aliases.  The clear expectation is that a normal human would use their work email for all 3 web sites, thus linking all 3 accounts.  And providing all 3 services with user tracking across sites, marketing lists they can sell to third parties and spam shops, and all serving as fodder for future data breaches.  Lovely.  I don't yet know if using the aliases will cause any complications if I do get certifications--will those certs be tied to an email address that can't easily be changed?  I will eventually find out.  It seems that Credly does let me add an email address, but I don't yet know if I can completely change my default email and remove an old alias, while also updating my (ISC)² email alias.

4.  I have not yet formally transitioned "friends and family" to aliases--everything from parent teacher conference scheduling, or sending news articles to friends.  I've continued to use my work email or one of my free email accounts for convenience.  I hope to eventually figure out a simple way of managing aliases for those situations, but those are less critical for me at the moment.


Steve Endow is a Microsoft MVP in Los Angeles.  He works with Dynamics 365 Business Central and related technologies.

You can also find him on Twitter and YouTube, or through these links:  links.steveendow.com


No comments:

Post a Comment

All comments must be reviewed and approved before being published. Your comment will not appear immediately.

Business Central Simple Tip #4: Exporting Leading Zeroes to Excel and then CSV- It works fine!

by Steve Endow This may seem obvious to some, but I've learned through many painful lessons that unless I actually test a scenario and s...