Email security vulnerabilities during transmission, due keystroke loggers and human error

Email security and secure messaging vulnerabilities

Secure Data Email Security
Credit Card Data
RFID Protection
Blocking Spam
Internet Scams and Fraud

Now that a very high percentage of written communications are sent via email, confidentiality and security of email contents take on enormous importance. Here we touch on just a few aspects of this security issue. Our observation is that human error, both by the individual transmitter of email and by whoever is in charge of email procedure, is the most prominent source of security leaks after interception by national intelligence services.

E-mail traverses the internet in a series of hops from one server to another until it reaches your ISP (Internet Service Provider) from whose server you download it. At any one of the intermediate or end servers it can be read, diverted or stored. Sometimes this is the inevitable consequence of normal practice. E-mail stays in your POP account until you download and delete it. These are not the same thing. If you read your e-mail at various locations, you might wish to leave it in your POP account for download to a single archive before you delete it. While stored in your POP account, it can be read as plain text by anyone with legitimate or abusive access to the server. Furthermore, these servers are backed-up by any good ISP, and backup tapes, with your e-mail recorded, can remain archived for years.

Every good ISP offers the option to have copies of incoming e-mail sent to a second or third recipient. This is extremely useful for business purposes, but of course someone with access to your ISP's server can just as well divert a copy of all your e-mail to an address unknown to you. Here you depend on the soundness of your ISP, usually without problems. ISPs are, after all, very concerned to protect the interests of their customers in today's competitive environment.

E-mail completely incorrectly addressed might be delivered to an unintended recipient but most likely ends up in a bounced e-mail buffer on your ISP's server. These are usually deleted periodically but could of course be read. If the domain name is correct but the specific recipient is incorrect (for example instead of ), the message usually goes to the webmaster of the corresponding web site if no other default maildrop is specified. From our own experience, we can provide three anecdotal examples of persistently incorrectly addressed e-mail that does go to unintended recipients. The first involves use of a country extension such as rather than .com. The senders of the e-mail don't know or forgot that the extension is not .com. Since the .com address in this example belongs to ammonet, we receive an unintended steam of e-mail with highly confidential attachments. As a goodwill service to the intended recipient company, we have aliased all of the appropriate e-mail addresses so that most of this e-mail is now automatically redirected to the correct recipient. A second example involves an incorrect return address configuration which the individual involved seems incapable of correcting, despite numerous requests from us to do so. Again, the unintended domain name belongs to ammonet and we receive frequent e-mails, with both personal and business attachments, sent by users who know the correct e-mail address but who have clicked the return button on their e-mail software. The third example is simply a matter of two hotel e-mail addresses that differ by a single hyphen. The two hotels continually received one another's communications because of the similarity of the domain names. Use of different reservation addresses doesn't help in this case because default mail is inevitably misdirected.

Aside from the vulnerability of your e-mail to being read by individuals to whom it is not addressed while it is stored on the server of your ISP or at some intermediate server on the internet, there are other security flaws. These are characteristic of the increasingly popular HTML mail format whereby e-mail messages look like web pages. A few lines of javascript can be embedded in such a message in a manner which is not visible to you as the recipient. This enables text to be secretly returned to its original sender every time the message is forwarded to another recipient, as long as the recipient's e-mail software is javascript-enabled. The most widely used e-mail programs that are vulnerable to this exploit are Microsoft Outlook, Outlook Express and Netscape Messenger 6. Since many users click "reply" during long e-mail exchanges, a javascript insert of this kind can enable an individual to receive copies of all messages that form part of the exchange. Such an exchange of messages could be, for example, a confidential discussion of the original message. Even if you disable your javascript, you cannot be sure that your interlocutor has done the same.

Site Map | |

All text, translations, images and coding are Copyright © 1997-2024 ammonet InfoTech. All rights reserved.