How Private Is Your Email
By Richard Lowe
Many years ago I was a consultant for a company who
decided they wanted to perform a security audit of their
computer systems. One of the components of their system
that I was requested to check out was email. My client
wanted to determine if their email was secure.
It took me all of a minute to determine that their
email was totally and completely insecure. Fortunately
for them, this was in the days before it was common
for company computer systems to be directly connected
to the internet, because their email messages were stored
in plain text in a well known system location. In fact,
not only were the email messages stored in a completely
insecure manner, but deleted messages were not actually
deleted until an administrator purged them - and since
they didn't have anyone doing that there was a complete
record of company emails going back years in the past.
I had spent about thirty minutes on this part of the
audit so far and was ready to move on when one of the
email messages caught my eye. It was a particularly
juicy romantic message from one employee to another.
Well, romantic is not the right word - highly x-rated
would be more like it.
Curious, I continued looking through the emails (off
the clock, of course, since I had already accomplished
my mission as regards email) to see what else was stored
in the single message file.
I stayed up all night long, highly amused at what I
saw that day. Believe me, I read some serious blackmail
material (if I was that kind of person). Lots of office
romance, some flirting, X-rated messages and other similar
things. I remember one particularly scandalous series
of hundreds of emails going back and forth between one
man and a woman (both single) recounting their relationship
for years. Every date, every x-rated encounter was written
up in long, detailed messages. This was very entertaining
stuff indeed.
After a few hours I got bored and stopped reading.
I was tempted to keep a copy of the email data but resisted.
That was not part of my mission. Fortunately, it was
also not part of my job to report on indiscretions committed
by various employees. My job was to find and fix any
insecurities, and that's exactly what I did ... I erased
the file and set up an automatic purge to permanently
delete old emails. At the time that was the best that
I could do.
I learned a very important lesson that day - email
is not private. Not by any means.
Not much has changed in the intervening years. In fact,
email messages are generally not encrypted in any way.
In fact, I have never received an encrypted email and
I've only sent a few in my entire life.
Just so you completely understand, a normal email message
is NOT the equivalent of a letter send through the normal
mail. In that case, you write your note on a piece of
paper, put it in an envelope and drop it into the mail.
As far as email is concerned, a better analogy is of
a postcard. Your messages are "written" on the electronic
equivalent of postcards. What does this mean to you?
Anyone can look at your message. Quite literally, anyone.
Let's look at the process to illustrate how and when
an email message could be read by another person.
1) You write the email using your email client. The
client may create that email as a text file in a temporary
folder on your hard drive. If someone looked at your
hard drive they could find the email. And it's not any
better if you use a web based email client such as Hotmail.
These leave files in the Temporary Internet Folder,
which can easily be recovered. Remember that the next
time you read your emails at work...
2) You do type in the email address to which an email
is sent. You could accidentally type in the wrong address.
Worse yet, if you have distribution or mailing lists,
you could accidentally type in one of those, which may
cause an email to inadvertently be sent to the wrong
person or people. For example, if there was a "Joe S
Smith" and a "Joe M Smith" at your company with very
close email addresses, you could easily send to the
wrong person.
3) The email gets sent to your SMTP server (this is
the system which accepts your email message and forwards
along towards the destination). At this point, the message
could, in theory, be read by someone tapping your phone
(or cable) connection. It's not likely (unless you are
a spy or something) but it's possible (and not all that
hard).
If you are at work, well, the email probably gets
sent to your SMTP server through something called a
proxy server (the computer which manages the connections
to the internet).
If so, a copy of the email could be stored on the proxy
server. In theory, this could be examined by someone
who had access to that server. If you happen to send
the email from your companies own email system, it is
highly likely (especially in larger companies) that
the email will be examined by context checking software.
This is looking for curse words, sexual harassment,
resumes and any other inappropriate content. Any emails
found which violate company policy may be directly routed
to personnel.
4) Okay, the email gets delivered to the SMTP server
which it is stored, still as a simple plain text file,
until it is sent to the next SMTP server. You see, emails
never go directly from your outbox to someone's inbox.
They move from server to server until they find their
way to their destination. Each server keeps a copy of
the email until it is forwarded to the next one.
5) SMTP servers are computer programs and they can
be programmed to do malicious or unusual things. For
example, a law enforcement agency could, in theory,
program an SMTP server to make a copy of any emails
directed to a particular person, and send those copies
to their office. A hacker could, in theory, program
an SMTP server (or examine messages coming across the
wire) to look for series of characters that looked like
credit card numbers (they are pretty obvious). These
email messages could be directed to the hacker's own
mailbox, thus giving him a steady supply of income.
6) At any of these SMTP servers, the email could be
examined by anyone who has access to the email system.
The internet "wire" could also be "tapped" and the email
message captured on the fly (this is highly unlikely
but it is possible).
7) Since software is simply a series of rules created
by human beings, it is possible for an SMTP server to
misunderstand how to route your email. Thus, a message
could be sent to the wrong recipient (this has happened
to me a few times) or to the wrong SMTP server.
8) There is no guarantee that the person who receives
a message is actually the person who is the intended
recipient. Someone else could be using their email client,
for example, or an SMTP server may have misdirected
the email to the wrong inbox. In this case it works
exactly like the post office - the mailperson puts the
mail in your mail slot, but he does not guarantee that
you will be the one who picks up the mail. And since
most emails are just text, they can be read by whoever
happens to receive them without any problems.
9) Naturally, once an email is receive it is stored
on the hard drive of the recipient. They are usually
stored in text files (for normal emails) or in the Temporary
Internet Folder (for web based emails).
10) Of course, once someone does receive an email he
or she is free to forward that email onto just about
anyone, starting the whole process over again.
11) At any point in this entire scenario, the email
message can be backed up or archived. In this case,
it can be recovered later and delivered to the wrong
person.
So please, the next time you send those highly personal
messages remember that they can be read by anyone. You
have no way to know where these things wind up or how
long they will last. The could pop up anywhere at anytime
with a vengeance.
About the author:
Richard Lowe Jr. is the webmaster of Internet Tips And
Secrets at http://www.internet-tips.net
- Visit our website any time to read over 1,000
complete FREE articles about how to improve your internet
profits, enjoyment and knowledge.
|