User responsibility can lessen risks, keep the color in e-mail communication Published Feb. 28, 2007 By AETC Computer Systems Squadron RANDOLPH AIR FORCE BASE, Texas (AETCNS) -- Bold. Colorful. Eye-catching. Until recently, those terms could be used to describe many e-mails sent from AETC users. However, many users command-wide recently experienced the frustration of no longer being able to make their communications stand out through the use of Hyper Text Markup Language formatting in e-mail. Now, along with a healthy dose of responsibility on the part of all users, the color has come back into e-mail. One of the mandatory changes associated with the recent implementation of INFOCON Level 4 required the disabling of HTML formatting in e-mail because of that format's vulnerabilities to exploitation. This change resulted in users receiving e-mails only in plain text format. Plain text does not allow writers to bold, underline, italicize, highlight text with color, or change font style or size. The use of plain text formatting hampered some mission processes, but was safer because the format does not support hyperlinks and other embedded code. An attacker may try to get a user to use a hyperlink to go to a malicious website and open a file or program. That file or program can then allow the attacker access to information on the computer or even allow the attacker to gain full control of the computer from a remote location. Malicious code (such as viruses, spyware and malware) can be hidden in seemingly harmless e-mail attachments. Once the attachment is opened the malicious code infects the computer, often without the authorized user even being aware of the infection. AETC users were recently again allowed to receive HTML and rich text formatted e-mails. This privilege requires all members to be especially careful when using e-mail. Vulnerabilities associated with hyperlinks and malicious code normally require some sort of action by the computer user before the vulnerability can affect the computer. Anti-virus software, firewalls at the network perimeter and personal firewalls on desktop computers are all part of the Air Force's Defense-in-Depth approach to countering malicious attacks on our computers. "These technical controls work well, but they can be bypassed," said 2nd Lt. Ryan Ostler, AETC Network Administration chief. "It only takes one authorized computer user to visit a malicious website or open an infected e-mail attachment to compromise a computer and possibly an entire network." "Whether it is for political, financial or personal gain, attackers probe our network defenses daily looking for weaknesses they can exploit," said Lt. Col. Gary Haines, AETC Computer Systems Squadron commander. "Using e-mail as a means to circumvent our defenses has rapidly become a favorite weapon of these aggressors. It is the responsibility of every computer user to constantly be on guard for suspicious e-mails," said Colonel Haines. "A good rule of thumb is to verify the sender and authenticity of any e-mail prior to taking any action based on the e-mail's content." Members of the AETC Enterprise Security Branch provide three easy-to-remember tips to recognize suspicious e-mails: 1. If an e-mail looks suspicious, it's suspicious. 2. If an e-mail asks for personal information, it's suspicious. 3. If an e-mail asks you to take any action you normally would not, it's suspicious.