Security Basics mailing list archives

Re: Web mail intercepted! How?


From: Mark Owen <mr.markowen () gmail com>
Date: Thu, 4 Aug 2005 11:27:13 -0400

On 4 Aug 2005 03:56:31 -0000, pagoda33 () sbcglobal net
<pagoda33 () sbcglobal net> wrote:
> We're going to start looking tomorrow... any ideas on how to proceed?

First, what kind of free webmail?  A major player or a little-known
site offering a GB of free storage?  Look at his/her sent e-mail to
check that s/he didn't accidentally send it or bcc it to the wrong
person.  If the site is a little start-up place there is always the
chance that they were compromised.

Second, does your employee use any kind of a proxy?  Even one of those
anonymizer applications that automatically forwards everything through
a proxy to help keep you anonymous.  Anything sent over a proxy should
be considered in the public domain.  For that matter, anything sent out
on the Internet unencrypted should already be considered public.

Last, double check to make sure no keyloggers are installed.  Software
or hardware.  Is your employee connected to a hub or a switch?  If
hub, anyone else sharing that hub could have easily sniffed the
information sent.  If switch, check the logs to see if there have been
numerous or duplicate ARP requests.  Check every computer that shares
the hub/switch for sniffing or other network gathering tools.  Does
your employee share his/her computer with anyone else?  What about IT?
Anyone in IT besides you?  Are they trustworthy?

Who would have a motive to share the e-mail?
Are we 100% sure that it's not an ID10T error caused by a pebkac?

Just a few rants/thoughts.


-- 
Mark Owen


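The reply above suggests checking switch logs for "numerous or duplicate ARP requests". The script below is an added example (not part of the thread, and not the output of any real switch) showing what that check looks like in practice: it parses a constructed, syslog-style ARP log and flags (1) any IP that more than one MAC has claimed, which is the signature of a poisoned ARP cache, and (2) any host issuing an unusually high number of ARP requests in a short window, which is what a subnet sweep looks like. The log format, addresses and thresholds are all assumptions for the example.

```python
from collections import defaultdict
import re

# Assumed log format (constructed for this example):
# <unix_ts> ARP <request|reply> <sender_ip> <sender_mac> <target_ip>
LINE_RE = re.compile(r"^(\d+) ARP (request|reply) (\S+) (\S+) (\S+)$")

# Constructed sample log. Not captured from any real network.
_BASE_LINES = [
    "1120000000 ARP request 10.0.0.5 00:11:22:33:44:55 10.0.0.1",
    "1120000001 ARP reply 10.0.0.1 aa:bb:cc:dd:ee:01 10.0.0.5",
    "1120000002 ARP request 10.0.0.7 00:11:22:33:44:66 10.0.0.1",
    "1120000002 ARP reply 10.0.0.1 aa:bb:cc:dd:ee:01 10.0.0.7",
    # A second, different MAC now answers for the gateway 10.0.0.1:
    "1120000003 ARP reply 10.0.0.1 de:ad:be:ef:00:01 10.0.0.5",
    "1120000004 ARP request 10.0.0.9 de:ad:be:ef:00:01 10.0.0.1",
    "1120000004 ARP request 10.0.0.9 de:ad:be:ef:00:01 10.0.0.2",
]
# The same host then asks for 30 addresses within one second (a sweep).
_SWEEP_LINES = [
    f"1120000010 ARP request 10.0.0.9 de:ad:be:ef:00:01 10.0.0.{i}"
    for i in range(1, 31)
]
SAMPLE_LOG = "\n".join(_BASE_LINES + _SWEEP_LINES) + "\n"


def parse_arp_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, op, sip, smac, tip = m.groups()
        records.append({"ts": int(ts), "op": op, "sender_ip": sip,
                        "sender_mac": smac.lower(), "target_ip": tip})
    return records


def conflicting_mappings(records):
    """Return {ip: sorted list of MACs} for every IP that more than one
    MAC has claimed in the sender fields. Requests and replies are both
    considered, since either can carry a bogus sender mapping."""
    seen = defaultdict(set)
    for r in records:
        seen[r["sender_ip"]].add(r["sender_mac"])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def request_floods(records, window=10, threshold=20):
    """Return {sender_mac: peak requests in any `window`-second bucket}
    for senders whose peak reaches `threshold`. Buckets are fixed-size,
    so a burst straddling a boundary can be split across two buckets;
    use a sliding count if that matters for your logs."""
    buckets = defaultdict(int)
    for r in records:
        if r["op"] == "request":
            buckets[(r["sender_mac"], r["ts"] // window)] += 1
    peak = defaultdict(int)
    for (mac, _), n in buckets.items():
        peak[mac] = max(peak[mac], n)
    return {mac: n for mac, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_arp_log(SAMPLE_LOG)
    print("IPs claimed by more than one MAC:", conflicting_mappings(recs))
    print("ARP request floods:", request_floods(recs))
```

On the sample log the gateway 10.0.0.1 is reported by two MACs and the host at de:ad:be:ef:00:01 peaks at 30 requests in one window, which is the pair of findings that would justify pulling the hosts sharing that segment for a closer look. A single conflicting mapping can also come from a legitimately replaced NIC or a failover pair, so the mapping result is a lead to confirm against the switch's own MAC table, not proof on its own.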