Email or See Mail?

A friend of mine, Michelle Shavers, was an up-and-coming force at NetDynamics, a large networking company in Silicon Valley. About a year ago, Michelle called me to talk about a problem she was having with one of her colleagues.

Since the colleague in question was a high-level executive from her company, she never did tell me the man's name. (We'll call him Mr. X.) What she did tell me was that every time she went to a staff meeting, Mr. X was two steps ahead of her. His responses were so well thought out that they rolled off his tongue like prepared speeches. She seemed certain that he already knew exactly what she was going to say.

My first impressions were three-fold: (1) Mr. X clearly did not like Michelle; (2) Mr. X may have been trying to take over Michelle's organization; or (3) Mr. X was trying (for whatever reasons) to squeeze Michelle out. I, on the other hand, really liked Michelle. She knew how to get a job done and she didn't let anyone stand in her way. So, when she came to me for help, I was more than willing to give her a hand.

Deep down, I have to admit, I was also dying to get the inside scoop, the gory details if you will, on Mr. X. As a security professional, however, I knew that information wasn't really necessary.

Michelle inquired, "Linda, this guy's pretty technical and he has access to a lot of technical people. Is there any chance that he's reading my email?"

Good question. I responded by asking Michelle three simple questions. "Are you encrypting your email?" "No." "Is Mr. X located in your building?" "Yes." "Is he on the same floor?" Again, "Yes."

I asked those last two questions because I was trying to figure out if Mr. X was on the same network as Michelle. I knew that if Michelle had responded "Yes" to either of those last two questions, it would have been fairly simple for Mr. X to read her email.

I let her know that since she wasn't encrypting her email, anyone could be reading it. I also offered to come over to her company and demonstrate just how easily it could be done.

Michelle was very interested in the demonstration. Reading someone else's email was clearly a violation of company policy. (It probably is at your company as well.) As it turned out, Michelle had authorization to run any tools and tests on her network that week, because her engineers were testing out new software that they had just developed. The timing for this demonstration couldn't have been any better.

Personal Data Accessed

I met Michelle to run the demonstration later that day. It wasn't complicated. Sitting down at her keyboard, it took me about 30 seconds to pull a snooping tool off the Internet. I entered one command at her keyboard to run the downloaded program, and voila! The first email message appeared. As Michelle's jaw dropped to the floor from sheer amazement at how simple this was to do, I turned my head away from the screen. I let her know that in all the years I had been security auditing, I had never read even one piece of unauthorized personal information. When I conduct security audits, I list important files and directories to prove risk, but I never look at the files' contents.
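What the snooping tool in that demonstration actually does is not magic: it collects the packets of a mail session that other hosts on the segment can see, puts the TCP segments back in order, and parses the clear-text SMTP exchange into a readable message. The script below is an added example written for this page to show those mechanics; it is not the tool the author downloaded, and the session it parses is a constructed, hand-written SMTP submission with placeholder hosts and addresses (`example.test`), not a real capture. It also shows the flip side of the author's recommendation: once the session switches to TLS, the same parser gets nothing.

```python
"""Reassemble a captured clear-text SMTP session and pull the mail out of it.

Constructed example: CLEAR_TEXT_SESSION below is hand-written to resemble the
client side of an SMTP submission as a sniffer on a shared segment would record
it. Nothing here is a real capture; the hosts and addresses are placeholders.
"""
import email
from email import policy


def fragment(stream, initial_seq, cut_points):
    """Cut a byte stream into (seq, payload) TCP-style segments at the given offsets."""
    bounds = [0] + list(cut_points) + [len(stream)]
    return [(initial_seq + start, stream[start:end])
            for start, end in zip(bounds, bounds[1:]) if end > start]


def reassemble(segments):
    """Order segments by sequence number and join them into one byte stream.

    Real captures contain out-of-order and retransmitted segments, so a sniffer
    must sort and de-duplicate before it can parse anything.
    """
    stream = bytearray()
    expected = None
    for seq, payload in sorted(segments):
        if expected is None:
            expected = seq
        if seq < expected:                 # retransmission: drop the part already seen
            payload = payload[expected - seq:]
            seq = expected
        if seq > expected:
            raise ValueError(f"gap in capture at seq {expected}")
        stream += payload
        expected = seq + len(payload)
    return bytes(stream)


def extract_messages(client_stream):
    """Return every message sent in the clear on the client->server side of an SMTP session.

    SMTP is line-oriented: commands end in CRLF, and after DATA the client sends
    the message terminated by a line holding a single '.'. Once STARTTLS is issued
    the remaining bytes are TLS records and nothing further can be read.
    """
    messages = []
    lines = client_stream.split(b"\r\n")
    i = 0
    while i < len(lines):
        cmd = lines[i].strip().upper()
        if cmd == b"STARTTLS":
            break
        if cmd == b"DATA":
            body = []
            i += 1
            while i < len(lines) and lines[i] != b".":
                line = lines[i]
                if line.startswith(b".."):     # undo RFC 5321 dot-stuffing
                    line = line[1:]
                body.append(line)
                i += 1
            raw = b"\r\n".join(body)
            messages.append(email.message_from_bytes(raw, policy=policy.default))
        i += 1
    return messages


def summarize(msg):
    """The 'polished' view a sniffer shows: who, to whom, subject, and the body text."""
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "body": msg.get_content().replace("\r\n", "\n").strip(),
    }


# Constructed SMTP submission, client side only, exactly as it crosses the wire
# when no encryption is in use.
CLEAR_TEXT_SESSION = (
    b"EHLO workstation.example.test\r\n"
    b"MAIL FROM:<michelle@example.test>\r\n"
    b"RCPT TO:<president@example.test>\r\n"
    b"DATA\r\n"
    b"From: Michelle <michelle@example.test>\r\n"
    b"To: President <president@example.test>\r\n"
    b"Subject: Reorganisation proposal\r\n"
    b"\r\n"
    b"Attached are the numbers we discussed.\r\n"
    b"..a line that starts with a dot is dot-stuffed on the wire.\r\n"
    b".\r\n"
    b"QUIT\r\n"
)

# Constructed capture: the same bytes cut into segments (mid-line on purpose),
# delivered out of order, with one segment retransmitted.
CAPTURED_SEGMENTS = fragment(CLEAR_TEXT_SESSION, 1000, [37, 90, 150, 201])
CAPTURED_SEGMENTS = CAPTURED_SEGMENTS[::-1] + [CAPTURED_SEGMENTS[1]]

# Constructed session that switched to TLS after EHLO; the trailing bytes stand in
# for the TLS handshake and encrypted records (placeholder bytes, not a real TLS stream).
TLS_SESSION = (
    b"EHLO workstation.example.test\r\n"
    b"STARTTLS\r\n"
    b"\x16\x03\x03\x00\x2a\x01\x00\x00\x26\x03\x03\xd8\x11\x7f\x2b\x40\x96"
)

if __name__ == "__main__":
    for m in extract_messages(reassemble(CAPTURED_SEGMENTS)):
        print(summarize(m))                  # the whole message, readable as sent
    print(extract_messages(TLS_SESSION))     # nothing readable after STARTTLS
```

Two caveats a practitioner would add. First, the example assumes the attacker's machine actually receives the packets, which is automatic on a shared medium (a hub) and requires extra work, such as ARP spoofing or a mirror port, on a switched network. Second, the STARTTLS case only protects the hop to the mail server; the message still sits in clear text in the mailbox and on every relay, which is why end-to-end encryption of the message itself (PGP or S/MIME) is the fix that matches the advice given in this chapter.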

Michelle's eyes were still glued to the screen. "Jeez, that message is to the company president!"

I realized then that I'd definitely made my point. I killed the snooping tool and said, "Now you know why your company needs to deploy encryption. I'm going to leave this tool on your system just in case you need to show the company president how easy it is to read his email."

Of course, this didn't completely resolve Michelle's problem with Mr. X. I had demonstrated how easily Mr. X could have read her email, but she still had no proof that he had done so. Of course, it didn't really matter whether she had proof. Mr. X had so much power that proving he was reading her email might have destroyed Michelle's career instead of his.

On the other hand, now that Michelle knew that her email was vulnerable, she understood why it was essential for her company to add email encryption to their security budget. And, until that technology was deployed, Michelle knew that she had to restrict the contents of her email.

Michelle and I never discussed this email incident again. I do know, however, that today Michelle's company is working hard to deploy email encryption software.

Summary: You Have the Right to Waive Your Right to Privacy

Unlike the other case histories in this book, this scenario doesn't deal with an actual audit. It does, however, identify a major risk in an area of technology that many of us have grown to rely on almost daily.

Business people like Michelle place their information and careers at risk almost daily without realizing it. We assume that since we would never read anyone else's email (and probably don't know how), it simply isn't done. This is a bad assumption.

Not only is it easy for someone to wander through your email, it's also simple to acquire free snooping tools from the Internet. And, if you're expecting bits and bytes of fragmented message portions from the snooping tool to hit your screen, you'll be quite surprised to see how polished the "stolen" messages are. Just have a look at the screen, as illustrated in Figure 10-1.

Figure 10-1. (Screen image of the snooping tool's output; image file graphics/ch10fig01.jpg not included.)

Now, imagine that email message had been sent by you instead of by Michelle. How would you feel, knowing that someone else was reading your email? Would you feel that your privacy had been violated? You should! Whether you're a civilian sending a personal message to your lover or planning a new corporate strategy, or a Marine corporal saying "Hi" to the kids, you still have an inherent right to privacy.

Yet, if you're sending out email without using encryption, you are unknowingly waiving that right. I always tell people, "If you're not encrypting your email, don't put anything in your messages that you wouldn't mind seeing on the front page of The Wall Street Journal."

IT Security: Risking the Corporation
ISBN: 013101112X
Year: 2003