Email interception questions

Factual Questions
1

These questions came to me while reading this thread on email encryption.

Keeping it simple, if I email someone a plain text username and then send the associated password an hour or two later, is it likely that the packets will be picked up by the same ne’er-do-well and relate back to the username message? This is assuming that someone isn’t spying on an office in particular, but is merely opportunistically sniffing traffic.

Further, who *are *these people? I just did a tracert to UCLA.edu (I’m in New York). It returned 22 lines. Are email spying concerns limited to people with access to those 22 IP addresses? What are those addresses, random computers or ISP-level servers? Are people putting themselves between my computer and those IP addresses (or between those hops)? Are people out there seeing my actual IP address when they tracert to some site? Or is my router or modem dropping any traffic not specifically intended for my machine? Is my router/modem constantly receiving and ignoring packets from my neighbours? Does consumer-level hardware have built-in safety features (or lack of ability) to prevent someone from listening in on this traffic?

2

When you send an email it goes via a couple of stages. In the simplest form your email client program connects directly to an email server - say via SMTP (simple mail transfer protocol) and has a little chat with the server in order to send the email. Later your recipient will connect to that server and using some other protocol (ie POP or IMAP) will slurp up any waiting emails. In reality, since the advent of spam, most email servers won’t accept any arbitrary connection, and so you will connect to your own ISP’s email server, which will itself talk to the receiver machine. So the email will typically get sent in three (or even more, especially if exiting form a large organisation) hops.

Each of these hops is routed between network components, and these components are what you see in a traceroute. Apart from the endpoints none of these machines will be a computer, but will be a router/switch of some form. Oftentimes a very very big router or switch. The internet operates in such a manner that there is often more than one route from one place to another. You could, in principle, see different routes with different runs of traceroute. However given that the Internet is built on top of very high capacity backbone links, the routes taken tend to be reasonably stable. SMTP typically uses TCP (transmission control protocol) to carry its connection to the server. TCP provides a reliable connection, and copes with things like packet loss and packets arriving out of order (perhaps even via different routes). So when an email is sent, each hop will typically set up a TCP connection between the endpoints, and then communicate over that. By default the communication takes place in clear text. However it is possible to have the email client and server negotiate via SASL to use a secure authenticated and possibly encrypted communication. Whether encryption is supported for you is another matter. The secure proptcol is often used by ISPs to allow customers to connect back to the email server from outside (say if you are on the road) and still be able to send emails.

The function of the switches and routers in the network are to send all the packets on the correct path to reach their destination. Most network designs don’t send packets down a link unless the recipient is down that link. (Local area networks such as token ring and early Ethernet implementations do however.) ADSL is point to point, but cable modems operate more like shared Ethernet, and a cable modem is dropping packets intended for your neighbours. So yes, a cable modem could (in principle) enable someone to see their neighbour’s traffic. However in order to prevent this the traffic is typically encrypted over the link. So whilst you could see that there is traffic, you would need to break the encryption to see what it was. The strength of this encryption is the weak link in the chain.

Sniffing traffic when it is on the main backbone links is not viable for a petty sniffer. That requires access to the carrier level equipment and is the province of government agencies, not ordinary criminals. It is only at the end points that it becomes viable for petty hacker style sniffing. Consumer end gear has pretty much no protection against interception except for encryption. Line tapping an ADSL link would probably work. Much like tapping a phone. WiFi links are probably the softest target. Zero or poor security setup on these makes life easy for tapping many people’s connections.

3

It’s also possible the recipient managed to expose his email password, in one of many ways. (Typing it once at an Internet kiosk at the airport, say, or on a buddy’s computer that happens to be infected with a keylogger.) At that point, bad guys could be regularly copying every incoming email without any further access required, so they’d have no trouble matching the user name you sent to the following password.

4

Other than the NSA, I have not heard of significant cases of traffic intercept since Stoll’s Cuckoo’s Egg (where he hooked line printers to serial cables).

Nowadays with extreme high speed serial fiber and T3/OC3 you would need some serious technical equipment to intercept transmissions. and even more serious equipment to record and analyze all that traffic. Even compromising routers at one end instead of physical intercept, unless you have a specific target in mind, you will generate far too much traffic to route a copy to yourself. That’s why the NSA installed their own hardware in the telephone company closets to spy on Americans in contravention of the laws.

As for local intercepts - again, unless you compromise the local switch system (a bit easier with physical access to the switch) and make your personal line a monitor port - it’s not possible. Original ethernet braodcast all traffic to everyone on the LAN, but modern tech uses switching - a packet only goes to the wire that the recipient is on.

the more likely candidate is Starbucks. If you are sitting in a coffee shop using wireless, all that traffic can be read; the time to break a wifi encryption, especially the older ones (WEP), is minimal. But then, your computer is exposed to anyone else on the same wifi - hopefully you have secured it so that “EVERYONE” does not have read, or worse, write, to your disk; and you’ve applied WIndows Updates so the known security holes are plugged. Also, if your IT people are clever, you use VPN from there to the work network, or HTTPS to your web email, so there’s an added layer of traffic encryption much more difficult to break.

I suspect most email compromise happens at the ends - people who compromise a server and gain (mail) administrator access would have free reign to read all emails on that server. People who crack your email password can read your mail.

In fact, Stoll’s book is a fascinating read to see how lax security was in those days. Hackers who gained root (admin) access simply scanned the disks for “password”, for exampl. They would find memos (“new admin password is XXXXX”) and emails (“I’ll be gone for a month, here’s my user and password if you need my files…”).

Nowadays, people keep old emails around for years. (I just checked, and I have useless junk as far back as 2002 despite changing computers about 5 times). Someone doing a search will breach your process - the first email will have the word “password” and “I will email you the…” so the perp only has to look for the next few emails from you; odds are the one that has only one word - “Plugh!123” is the one with the password.

So the short answer is - don’t worry about interception. Worry about end computer compromise.

5

Let me get this straight. Disregarding local breeches and assuming no one is particularly interested in us (i.e. we are not being investigated by the government, crazy stalkers aren’t hiding in the bushes, etc.), if I and the recipient are both on wired connections it is highly unlikely that email correspondence between us will be intercepted and read. I’ve been under the impression that it was a Very Bad Idea to transmit sensitive information in plain text over email. Again, I get that either sender or recipient can have other security issues, but if I’m understanding things correctly, that’s not a problem in the mere transmission of data.

What about the admonition to not use a commerce site that is not HTTPS?

Or am I wildly misinterpreting the responses so far?
In terms of wireless connections, that’s a whole different thing. Assuming that my machine is completely up to date and I’ve marked the network as “public” (on a Win7 machine), I assume I’m fairly safe to use and surf. But what about sites that ask for login information? Is that a Very Bad Thing to do while travelling? Given that I travel a fair amount, is there any way around it? How do business people function on the road if they can’t log in anywhere?

6

You hear of numerous cases every year where the end computer or end local network is compromised. (Here we`ll also include your neighbourhood in cable-TV internet systems).

I cannot think of a case of hackers intercepting long-distance internet traffic for fun and profit.

HTTPS provides an additional security - while there have been 2 recent cases of certificate compromise (Flame virus and a Dutch(É) signing authority) in general, the certificates used in commercial HTTPS traffic are fairly robust. They are encrypted with the name of the site. If you go to HTTPS://www.paypal.com, the certificate says that is the name. It is almost impossible for the average hacker to fake that certificate - it is encrypted by only a few rootsigners. If you go to a fake HTTPS site, or one that has not paid for a commercially signed certificate you will get that famous certificate error. I can tolerate that connecting to my work, but if I get that from paypal or the bank, it should set off alarm bells.

7

People can sniff your traffic and decode it. Again, the proper login should happen on a secure site, or at least your password should be encrypted over the wire. SO if a hacker is super determined to target you and pour his resources into it, he might eventually figure out your passwords.

Using your password on a public machine is not a good idea.