A Trick to Snoop on E-Mai

[Eric Wolbrom <eric () SHTECH NET>]

http://www10.nytimes.com/2001/02/05/technology/05JAVA.html

February 5, 2001

A Trick to Snoop on E-Mail

By AMY HARMON

For those still harboring the illusion that e-mail exchanges are
private, a watchdog group has uncovered a new trick that enables
someone to essentially bug an e-mail message so that the spy would be
privy to any comments that a recipient might add as the message is
forwarded to others or sent back and forth.

The maneuver does not take advantage of any security flaw in e-mail
software. It is simply one feature of a fancier and increasingly
common form of e-mail known as HTML mail, which enables users to send
and receive e-mail messages that look and act like a Web page.

With the spying technique, a few lines of a programming language
called JavaScript, often used on Web sites to create pop-up windows
and navigational aids, can be embedded in such a message. This
implant, not visible to the recipient, enables the text to be
secretly returned to its original sender every time it is forwarded
to another recipient, as long as the recipients' e-mail programs are
set up to read JavaScript.

Although HTML e-mail often includes images and animations, it can
also be made to look like a plain text e-mail. To figure out whether
a message is HTML or text, a user can right-click on the message
body. If one of the menu choices that appears is "view source," it is
HTML mail. By choosing "view source," a user would be able to see any
JavaScript code embedded in the message. But whether the code was
designed to bug a message would likely still be difficult to
recognize for someone unfamiliar with the computer language.

"I looked at this and I said, `Whoa,' because it lets you spy on
people, and it's so easy," said Richard M. Smith, chief technology
officer for the Privacy Foundation, an educational and research
organization based in Denver that plans to publicize and demonstrate
the technique today.

"Most of us won't release a computer virus, but this is something
people would use, particularly if a service started offering it," Mr.
Smith said. "It's just kind of human nature."

Invisible tags sometimes called Web bugs are widely used in HTML
e-mail by marketers and others to detect whether an individual has
opened an e-mail message. The Congressional Privacy Caucus has
announced plans to hold hearings to investigate the use of Web bugs
later this month. Mr. Smith said that it was now clear that
JavaScript could be used to create a more powerful Web bug so that
not only can someone find out when a message is read, but also what
is being said about it.

Because many e-mail users continue to hit "reply" during long e-mail
exchanges rather than initiating new messages, the JavaScript code
could enable an individual to eavesdrop on an entire conversation
between business associates about a proposal he or she had e-mailed
to one of them, for example. It could also be used to harvest e-mail
addresses when a message like a joke was forwarded over and over to
groups of people across the Internet.

The widely used e-mail programs that are vulnerable to the exploit
include Microsoft Outlook, Outlook Express and Netscape Messenger 6.
America Online users and users of Web-based e-mail programs like
Hotmail would not be affected.

By going to the "preferences" command under the edit menu in Netscape
Messenger, users can turn off JavaScript in about five steps. To
disable JavaScript in Microsoft Outlook and Outlook Express takes
about 15 steps, which are outlined on the privacy foundation Web site
at www.privacyfoundation.org. The newest version of Outlook Express
comes with JavaScript turned off, as a result of customer feedback, a
Microsoft spokesman said.

"At this point in time, it's really a personal choice everybody has
to make whether they are more concerned about a security risk or
about the advanced functionality you get by having these features
enabled," said Lisa Gurrey, product manager for Microsoft Office. "We
are just doing the best we can to give our customers different
options."

But turning off JavaScript does not necessarily mean that e-mail
cannot be spied on, because a bugged message will still be returned
to its original sender if it is replied to or forwarded to someone
who reads the message with an e-mail program that is vulnerable.

Today, the Privacy Foundation plans to provide public demonstrations
of the process, which the group calls "e-mail wiretapping" and
believes to be illegal. The group is calling for the major vendors of
e-mail programs to provide their software with JavaScript
automatically turned off. The potential for such e-mail spying was
first discovered by Carl Voth, an engineer in British Columbia, who
brought it to the attention of Mr. Smith at the Privacy Foundation.

"What bothers me is that in this case, my vulnerability is a function
of what you do," Mr. Voth said. "I can be careful, I can take every
precaution, I can turn off JavaScript, and it doesn't matter. If my
neighbor isn't diligent and I send him an e-mail, I'm still
vulnerable."
--
____________________________________________________________________
Eric Wolbrom, CISSP                     Safe Harbor Technologies
President & GCD                         106 Corporate Park Drive
Voice 914.644.6060 ext. 6000            White Plains, NY 10604
Fax   914.644.6050                              http://www.shtech.net

We are here to help you keep your communications yours!!!
_____________________________________________________________________

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".