E-mail Wire-Tapping

Did you know your E-mail could be "wire tapped"? It can, we now know of an exploit that allows the sender of an e-mail message to see what has been added when the message is forwarded with comments to other people. They do this by getting a silent and secret return of each E-mail. Hence the term "e-mail wire-tapping" because intruders can surreptitiously monitor your E-mail when you on-forward them.

1) Who would want to ‘Tap’ my email and why?

Why would anyone want to do this you ask? Well, if you are someone who conducts business using e-mail consider the following:

An interested party can monitor the path of your confidential e-mail messages and any additional written comments you might attach.

If you are negotiating a business deal via e-mail, the other side can learn inside information from your side as the proposal is discussed using your company's internal e-mail system.

A bugged e-mail message could capture literally thousands of e-mail addresses (yours included) as it is forwarded around the community.

Commercial entities may seek to offer e-mail wire-tapping as a service to your competitors and others, and remember the Internet is international so these entities need not reside in Australia.

2) How does someone ‘tap’ my email?

Further, this exploit does not make any use of any programming errors, viruses or bugs in the e-mail program. Rather it uses standard documented features of a popular programming language that can be embedded in E-mails. It only requires the person reading a wire-tapped e-mail message to be using an HTML-enabled e-mail program that has certain options switched on by default!

3) How do I know if someone is ‘tapping’ my email?

Even scarier a wire-tapped e-mail message is difficult to detect. An individual can avoid the e-mail wire-tap by turning off the problem in the e-mail program. However, if the individual forwards the message to someone who has option turned on, that person's forwarded messages could still be wire-tapped. Even worse, copying the original message into a new e-mail, rather than forwarding it, may not defeat the exploit.

4) There is a difference between tracking your email (?) and ‘tapping’ your email. What is the difference?

Cookies are sometimes used to track a person's movements on the Web and to see whether or not they've opened their mail. Spam operators will use this method to "harvest" email acounts

5) What exactly are cookies?

Cookies are also used to track site visits and identify return visitors. For example e-commerce sites, cookies are most often used to keep track of a customer's shopping cart and their order. Without cookies, in fact, most e-commerce sites couldn't 'work'

6) How can we protect ourselves from these email ‘tappers’?

But before you become too disillusioned take heart, there are fixes available. Firstly you can switch of the options that cause the problem within your E-mail program. Be aware this exploit affects the most popular e-mail programs, those being of Outlook, Outlook Express, and Netscape 6 Mail. Secondly, you can change your E-mail program to one that is not affected by this type of nonsense (the same type of nonsense I might add, that allowed viruses like "Melissa" and the "I love You" versions to run absolutely rampant around the world)!

Recommendations for Users

It is possible to partially eliminate the email wiretapping problem by turning off JavaScript in HTML email messages. Here are instructions for various email readers vulnerable to the problem:

Outlook Express 5
Outlook 2000
Netscape Messenger 6

Turning off JavaScript is only a partial solution because a wiretapped message will still work if it is replied to, or forwarded, to someone whose email program is vulnerable to the exploit.

Another approach for Outlook users is to download and install the Outlook email security patch, available at:

http://www.microsoft.com/downloads/details.aspx?FamilyId=2B231231-AC83-4688-9C8D-DCDCB544FB3C&displaylang=en

This patch disables JavaScript in email and provides protection against computer viruses transmitted as attached files. This patch was created by Microsoft after the ILOVEYOU virus last year. Because the patch removes some functionality from Outlook, it is a good idea to carefully read over the patch description before installing it.

Please note that turning off JavaScript in email still leaves JavaScript enabled in a Web browser. Because JavaScript is used extensively at Web sites, the Privacy Foundation does not recommend turning off JavaScript in a Web browser.

Arthur Hissey
Computer Research & Technology
www.crt.net.au