Taoiseach using private email servers - a la Hilary Clinton

Impetus

This morning's Irish Times has an article on Enda Kenny's use of non-government email servers. I never cease to be amazed by the number of people in business and politics who use 'free' email services, like gmail, yahoomail, and the Apple and Microsoft equivalents. Services where the user is the 'product' or more appropriately perhaps the victim.

Hilary Clinton was running her own email server, which is a very challenging task (to keep secure).

By using free email services, politicians and others are exposing themselves and the parties they communicate with to needless security risks.

There are many, inexpensive email services, which operate from countries with strong data privacy legislation that use secure connections between the client (browser or email application) and the email server.

Irish email users are particularly at risk, given the need for most internet traffic to transit Great Britain or the USA, where there is a high probability it will be ransacked by the intelligence gathering mafia.

Even if Kenny used a government server, I suspect that his email traffic to/from Ireland would be equally liable to Anglo-ransacking.

It seems to me that gov.ie urgently needs to:

1. Educate email users about the risks of using 'free' email services. Data Privacy.ie is not doing its job remaining silent about these issues.

2. The government needs to set up additional 'personal' email domains for ministers etc, so their non-official (difficult to define) communications remain as secure as possible.

3. The government's email server should have a secure backup, perhaps in Germany, where communications to and from Ireland could be encrypted until they arrive at the Continental based server. Mails to non-Irish email addresses routed via the Continental server, would need a different domain name, to stop email replies etc from outside of Ireland being routed, in the clear to so called 'secure' Irish email servers.

4. The continental email server should be connected to the Irish system using at least two layers of encryption - a) a strong VPN between Dublin and wherever the server is located b) TLS 1.2 travelling over the VPN to secure the communication between the client and the server and c) For secret traffic, each email should itself be encrypted using (at a minimum) eg GnuPG end to end and transmitted over the tunnel, using maximum key sizes + TLS 1.2 platform, or one of the French military grade encryption products.

http://www.irishtimes.com/business/economy/taoiseach-admits-he-uses-personal-email-account-for-official-business-1.2904976

ItHurtsWhenIP

Impetus wrote: »

...

3. The government's email server should have a secure backup, perhaps in Germany, where communications to and from Ireland could be encrypted until they arrive at the Continental based server. Mails to non-Irish email addresses routed via the Continental server, would need a different domain name, to stop email replies etc from outside of Ireland being routed, in the clear to so called 'secure' Irish email servers.
...

I'm surprised you are suggesting our Government should trust Germany after you warned us all only 2 months ago about Hitler's return and their surveillance and storage of data being on a par with the scary GCHQ.

Perhaps they have "re-educated" you while you were back there and you are now a collaborator of German state forces. :rolleyes:

Impetus

ItHurtsWhenIP wrote: »

I'm surprised you are suggesting our Government should trust Germany after you warned us all only 2 months ago about Hitler's return and their surveillance and storage of data being on a par with the scary GCHQ.

Perhaps they have "re-educated" you while you were back there and you are now a collaborator of German state forces. :rolleyes:

Well perhaps Switzerland. Having said that I doubt if Frau Merkel, herself a victim of Anglo information theft, would have much interest in the un-encrypted digital exhaust of gov.ie, surfacing in that country - even if the domain was to be irlgov.eu for the German (or Swiss) email server platform.

GreenFolder2

The issue is usually down to the corporate systems being very restrictive or obsolete. You'll get someone trying to attach a large word file and hitting an arbitrary limit of maybe 20MB.

Next thing you know they've got an address @gmail.com

Also with both Microsoft and Apple products I've found they've defaulted to saving things into OneDrive and iCloud and often, especially if you're not particularly tech savvy, they're so user friendly that the end user may not even realise they're saving stuff into a server.

Then you've people using services like WeTransfer and Dropbox without any official authorisation from IT departments.

Most of it comes down to inadequate tools being provided by corporate systems though and lack of awareness by end users that they're potentially breeching IT security. Email isn't much use without some kind do large attachment handling system / proper file sharing that is done on a known system.

That being said many of these commercial services, when using two factor security etc are probably more secure than many poorly managed corporate systems anyway. However the risk is you've no idea what level of security the end user has applied. They could be all protected by an easy to guess password, two factor turned off and the same password used for everything.

Graham

Impetus wrote: »

3. The government's email server should have a secure backup, perhaps in Germany, where communications to and from Ireland could be encrypted until they arrive at the Continental based server.

Why would you want the secondary mail server to be hosted out of country?

GreenFolder2 wrote: »

The issue is usually down to the corporate systems being very restrictive or obsolete. You'll get someone trying to attach a large word file and hitting an arbitrary limit of maybe 20MB.

Not the case here.

GreenFolder2

It's usually down to ignorance and lack of clarity on what's permissible. Rarely down to any kind of malicious intent.

Impetus

GreenFolder2 wrote: »

The issue is usually down to the corporate systems being very restrictive or obsolete. You'll get someone trying to attach a large word file and hitting an arbitrary limit of maybe 20MB.

Next thing you know they've got an address @gmail.com

Also with both Microsoft and Apple products I've found they've defaulted to saving things into OneDrive and iCloud and often, especially if you're not particularly tech savvy, they're so user friendly that the end user may not even realise they're saving stuff into a server.

Then you've people using services like WeTransfer and Dropbox without any official authorisation from IT departments.

Most of it comes down to inadequate tools being provided by corporate systems though and lack of awareness by end users that they're potentially breeching IT security. Email isn't much use without some kind do large attachment handling system / proper file sharing that is done on a known system.

That being said many of these commercial services, when using two factor security etc are probably more secure than many poorly managed corporate systems anyway. However the risk is you've no idea what level of security the end user has applied. They could be all protected by an easy to guess password, two factor turned off and the same password used for everything.

I have tried to use AWS S3 to send large encrypted files via an email link, and in many cases, the corporate firewall at the other end refused the other party access to the Amazon AWS url. In any event I can't see why government and corporate email systems limit the size of attachments to less than they need, for some arbitrary security tick box issue.

In relation to multi-factor authentication, this too can be compromised by the determined. The user with the MF calculator logs into the other system, and a keystroke logger steals their entire login (including the code that changes every 30 seconds), and uses it in real time for the thief to gain access. Meanwhile the person who thought they had MF logged in securely, is presented with fake HTML, perhaps designed to steal some more information from them. At the other end, the thief is logged in and good to go, using a VPN (which routes his communications back via the legit client) which was installed as part of the installation of the keystroke logger. The system sees the IP number it was expecting.

You need an onion approach. At least two different multi-factor authentication processes, one of which takes place on another clean pc, which is used exclusively for the purpose of this application, and nothing else (eg banking). Or some alternative confirmation mechanism that travels over different platforms. This might be combined with access to a 'presentation system' at the other end - rather than direct access to a database server, to prevent vandalism. Some banks use this for home banking and branch access to central servers. The clients see and interact with a copy of their account information.

I know someone who works for a large company in England, and they use one of the major banks, and they have a GBP 1 million limit on CHAPS payments (which is GB's real-time payments system). Which is reckless in the extreme in my view.

Graham

Impetus wrote: »

In any event I can't see why government and corporate email systems limit the size of attachments to less than they need, for some arbitrary security tick box issue.

It's probably safe to assume you don't work in any area related to IT security and you have no actual knowledge of:

• The restrictions in place in any of the organisation types you mentioned.
• The reasons for those restrictions
• Alternative arrangements they may have in place to facilitate the transfer of large volumes of business related data.

Impetus

Graham wrote: »

Why would you want the secondary mail server to be hosted out of country?

Because I suspect that all data travelling in and out of Ireland is subject to surveillance on a full content basis (not just traffic data).

So send the non-Irish destined email via somewhere less untrustworthy, and vice versa on email traffic coming in. And if they don't bother too much with Joe Soap's email contents, I have no doubt that they watch gov.ie email closely (I don't know what domain gov.ie uses for email).

Back in the day with eircom or Telecom Eireann or whatever they were called at the time were doing some large corporate deals, via London, they encrypted everything. All the large companies (eg Airbus, Siemens, the big banks, and their type) encrypt communications, generally end to end. Being a telco, they will be acutely aware of what goes on and what is possible. And they will be involved with surveillance activities too.

AnCatDubh

Impetus wrote: »

In any event I can't see why government and corporate email systems limit the size of attachments to less than they need, for some arbitrary security tick box issue.

More likely a data management issue.

Storage may be cheap but managing storage is more likely to be the significant and unseen part.

Impetus

Graham wrote: »

It's probably safe to assume you don't work in any area related to IT security and you have no actual knowledge of:

• The restrictions in place in any of the organisation types you mentioned.
• The reasons for those restrictions
• Alternative arrangements they may have in place to facilitate the transfer of large volumes of business related data.

Everybody who works with a computer, especially in a professional, business or political capacity should be aware of the issues. And of course there are alternative ways to transfer large volumes of data. But you have time pressures, and too much stuff goes unprotected.

Impetus

AnCatDubh wrote: »

More likely a data management issue.

Storage may be cheap but managing storage is more likely to be the significant and unseen part.

Probably. But you can encrypt 4GB of data in storage just as easily as 10 MB. I suspect much of the limitation on attachment size is a function of old systems created back in the day when you had tiny processors, and poor bandwidth.

Graham

Impetus wrote: »

Because I suspect that all data travelling in and out of Ireland is subject to surveillance on a full content basis (not just traffic data).

ignoring the tinfoil hat elements. You appear to misunderstand the purpose of a backup mail server.

It's also evident you have no knowledge of how inter-governmental IP traffic is routed.

GreenFolder2

I just mean that you'd be shocked at how many corporate systems allow users to have a single password for IMAP without any multifactorial security or have very primitive security on webmail access etc etc.

I'm sure the government IT systems are fairly solid but, I'm regularly shocked at the sheer complacency I see in SMEs and even in web hosting. Things like a control panel to manage domain settings only protected by a maximum of 8 character password and no multifactorial security of any type.

In a lot of cases commercial email and cloud providers actually have far more sophisticated security than many office systems that are open to the outside world.

Graham

Impetus wrote: »

I suspect much of the limitation on attachment size is a function of old systems created back in the day when you had tiny processors, and poor bandwidth.

You suspect wrongly.

Impetus

Graham wrote: »

You suspect wrongly.

Looking at three of your postings, Graham, I suspect you may have some close knowledge of practices in this area.

The purpose of my postings are to make people aware of the current environment, as I see it. Even if we are talking about 'diplomatic bags' as an alternative to file attachments, journalist Laura Poitras* was detained and questioned some 39 times at airports (in the five 'eyes countries') (with her luggage examined with a fine tooth comb, no doubt) presumably in an attempt to dissuade her from engaging in investigative journalism. And she is not alone. Do yourself a favour see the Snowden movie while you are at it.

*https://en.wikipedia.org/wiki/Laura_Poitras

Impetus

If one was to advise a politician or similar in public office (which I am not), I suspect that one of their motivations for using a 'private email service' might have something to do with avoiding freedom of information requests (FoIA). Is it worth risking one's communications from being 'hacked' by somebody else, rather than an FoIA requester? I am not suggesting that An Taoiseach or anybody else is motivated in this direction. But the risk is present, nevertheless.

Graham

Impetus wrote: »

Looking at three of your postings, Graham, I suspect you may have some close knowledge of practices in this area.

Correct

Impetus wrote: »

The purpose of my postings are to make people aware of the current environment, as I see it. Even if we are talking about 'diplomatic bags' as an alternative to file attachments

Most (if not all) government departments can facilitate the digital transfer of very heavily encrypted files of almost any size without resorting to physical media, out of country networks or public IP transit.

Without getting into specific technologies used anywhere; there are commercially available mail proxies/gateways/web proxies to facilitate the content scanning of inbound/outbound mail/attachments and files. One of the functions of this software is to prevent the accidental or deliberate transfer of sensitive/commercial data.

Similarly, there are commercial products that can appropriately restrict the transfer of such data onto physical media.

Graham

Impetus wrote: »

If one was to advise a politician or similar in public office (which I am not), I suspect that one of their motivations for using a 'private email service' might have something to do with avoiding freedom of information requests (FoIA). Is it worth risking one's communications from being 'hacked' by somebody else, rather than an FoIA requester? I am not suggesting that An Taoiseach or anybody else is motivated in this direction. But the risk is present, nevertheless.

There are exemptions from FOI access requests that would render the above largely unnecessary. I suspect that's one of the reasons 'journalists' on an FOI fishing exercise largely restrict their requests to expenses.

CIARAN_BOYLE

Graham wrote: »

• Alternative arrangements they may have in place to facilitate the transfer of large volumes of business related data.

The problem is that most personnel not involved in IT security aren't aware of this either.

Graham wrote: »

Most (if not all) government departments can facilitate the digital transfer of very heavily encrypted files of almost any size without resorting to physical media, out of country networks or public IP transit.

Staff don't know this and in some cases would prefer to courier over a usb key to avoid sending unsecure e-mail when the actual e-mail service won't send an attachment.

Graham

CIARAN_BOYLE wrote: »

The problem is that most personnel not involved in IT security aren't aware of this either.

People within the organisations generally become aware when they're blocked from doing/transferring/sending/copying something.

Ive worked for two large cloud providers who were oh-so proud of their clouds yet still used dropbox everywhere for sharing files. Its not just in government. IT Security everywhere is a joke. Part of this is because IT Security policies(particularly badly thought out ones) get in the way of getting business done so are resisted. Another reason is its not explained to employees why that rule or policy exists. Finally, there is little communication between employees and InfoSec/IT Ops, on why certain things are needed.

One place I worked they gave out iPod Nanos to everyone at the Christmas party and everyone started plugging their iPod into their computer to charge them. Then war broke out with InfoSec giving out to people for doing that and potentially spreading malware. So I suggested we install USB wall sockets and dot them around the office. Now everyone had somewhere to charge their phone or iPod with no risk of malware infection. End of drama.

Another place they didnt want people smoking beside the side security door as it was intimidating for people going past, because theres nothing more intimidating than 5 developers having a smoke break :rolleyes:. So the developers started smoking outside the fire exit. The fire exit door was a swing shut type so someone propped a brick against it to stop it swinging shut. What happened next was predictable. Someone forgot to remove the brick on a friday evening, They came in on Monday morning to find all the PCs had been nicked.

Why do I work in InfoSec? Its a bit like hitting yourself with a hammer - it'll feel really good when I eventually stop.

Graham

Deleted User wrote: »

Ive worked for two large cloud providers who were oh-so proud of their clouds yet still used dropbox everywhere for sharing files. Its not just in government.

The assumption there is that the likes of dropbox are accessible.

Deleted User wrote: »

One place I worked they gave out iPod Nanos to everyone at the Christmas party and everyone started plugging their iPod into their computer to charge them. So I suggested we install USB wall sockets and dot them around the office. Now everyone had somewhere to charge their phone or iPod with no risk of malware infection. End of drama.

Alternatively they could have blocked access to the USB ports other than for approved devices.

Graham

Graham wrote: »

The assumption there is that the likes of dropbox are accessible.

Not sure I follow what you mean?

Graham wrote: »

Alternatively they could have blocked access to the USB ports other than for approved devices.

There is a plethora of solutions they could have employed. My point was, InfoSec's initial plan was to just tell people not to do it. But people still did it. So InfoSec shouted a little louder. A little bit of joined up thinking is all that was needed.

jacksie66

This post has been deleted.

Graham

Deleted User wrote: »

Not sure I follow what you mean?

It would be unusual for the likes of DropBox to be an issue because they would be blocked directly or indirectly.

Graham

Graham wrote: »

It would be unusual for the likes of DropBox to be an issue because they would be blocked directly or indirectly.

Again I think you missed my point. In both of these companies dropbox was allowed, encouraged even for sharing files among users. They weren't being blocked.

And actually I have seen dropbox allowed in numerous companies. From what Ive seen its actually unusual for it to be blocked.

Graham

Deleted User wrote: »

Again I think you missed my point. In both of these companies dropbox was allowed, encouraged even for sharing files among users. They weren't being blocked.

Dumb companies will learn when it costs them.

Deleted User wrote: »

I have seen dropbox allowed in numerous companies. From what Ive seen its actually unusual for it to be blocked.

There are certain types of organisation where access to such services would be incredibly unusual.

Graham

Graham wrote: »

Dumb companies will learn when it costs them.

I wouldn't count on it.

Graham

Deleted User wrote: »

I wouldn't count on it.

Obviously I've no idea what sort of companies you're referring to.

In recent times I can't think of a single blue chip, financial institution, government department, MNC (of any maturity) that hasn't had stringent security in place. It's usually driven by best practice, corporate governance, legislation and self-preservation.

Graham

Graham wrote: »

Obviously I've no idea what sort of companies you're referring to.

In recent times I can't think of a single blue chip, financial institution, government department, MNC (of any maturity) that hasn't had stringent security in place. It's usually driven by best practice, corporate governance, legislation and self-preservation.

As I said the two companies I refferred to were cloud providers so big MNCs. As a former security consultant I have visited about 30 companies in the British Isles over the last 4 years and stringent is not the word I would use to describe their security stance. This would be an eclectic assortment of government, defence, public and private organizations though obviously as a result of NDAs I can't go into which.

Honestly, in some places it was shocking. Many places had GRC teams and dedicated InfoSec, but you can tick every box on the PCI-DSS self assessment, and you can have policies covering everything, but often times none of that prevents me going from unprivileged user to Domain Admin in a matter of minutes.