Arras
enthusiast
Reged: 05/24/04
Posts: 263
Loc: B.C., Canada
|
|
In "Digital Fortress", Brown describes Susan Fletcher's e-mail tracer program as an application that attaches invisibly to an e-mail, and then executes when it finally arrives at its destination, sending back the recipient's actual e-mail address before deleting itself to cover its tracks. She uses this to discover the real identity of "North Dakota", whose e-mail passes through an anonymous remailer.
While this may play well for movie audiences, e-mail simply doesn't work that way. There *are* ways to trace e-mail, and I'll get to those in a moment, but first let's look at why Susan's tracer would never work:
(1) Mail attachments are never "invisible", no matter how small they are. E-mail has a clearly-defined structure to it, and if you want to embed a program in the mail it needs to be attached explicitly as a MIME part. There's no way to specify that the attachment should be "invisible".
(2) The tracer program she was attaching to her mail would have to be executed by the recipient, just like any other virus/worm/Trojan. Just *receiving* the attachmed program does not trigger its execution, unless you're relying on some exploit in the recipient's mail client (in which case you'd need to know what mail client he's using). Furthermore, in sending this tracer to a supposed associate of Tankado's, Susan would have been counting on a presumably knowledgeable person to do a very stupid thing--execute an unknown program sent by an unknown party. With e-mail-based viruses/worms/Trojans as rampant as they are (and have been for the better part of the last decade), it's hard to imagine a computer-savvy person falling for such a trick.
(3) Even if the tracer program had been executed by the recipient and then deleted itself, it would leave behind evidence in the recipient's mail server's logs.
Now, having said that, people *do* use clever and deceptive E-mail tracking techniques these days--spammers in particular. Their interest is in verifying that your e-mail address is in fact valid, and whether you actually opened the spam they sent you.
Spammers do this by taking advantage of the fact that modern mail clients support HTML. With HTML you can embed image links, and the recipient's mail client is usually only too happy to load those images from a remote web server--a server that the spammer controls. If you look closely at the mail he sends you, you'll see an image tag in the HTML that points to his web server, and contains some extra tracking information at the end, e.g.
<IMG SRC="http://some.web.server/product.jpg?id=398482773">
This tells your mail client where to get the image from, and when your mail client dutifully connects to the spammer's web server to do so, it also passes along that tracking number (398482773). In the spammer's database, he knows that 398482773 is the number associated with the e-mail address he used to reach you, so when he sees this in his web server's logs, he has confirmation that your e-mail address is valid, and that you actually opened the e-mail (since the image would not be loaded by your mail client otherwise).
There's no attachment for you to have to click on, no executable code to run. It's all done by taking advantage of your mail client's built-in HTML capabilities. These are called "web bugs", incidentally.
You can block this tactic by configuring your mail client not to load images from remote servers (or not to load them at all). Some mail clients make this easier than others, and of course if your mail client doesn't support HTML at all, web bugs can't affect you.
As for whether Susan Fletcher's tracer could have been implemented with web bugs, it certainly could. It would not have been entirely "invisible", however--the recipient could always have checked the raw contents of the e-mail to see the web bug, and a paranoid recipient would be all but guaranteed to do so. On the other hand, disguising the tracer e-mail as spam would probably work quite well at slipping under the recipient's radar, though there's also the growing risk that the recipient's mail server may use a spam filter that blocks/discards such junk mail before relaying anything to his mailbox (these days more intelligent spam filters look explicitly for web bugs).
|
WKShadow
Beloved Angel
Reged: 06/02/04
Posts: 79
Loc: Myrtle Beach, SC
|
|
Speaking of HTMl and web bugs, is that the same thing used when I try to unsubscribe. Isn't that jsut another way for the sender to verify my email? (cuz I noticed I seemed to be in a list of names similar to my email. Is that a listserve?) 
|
Arras
enthusiast
Reged: 05/24/04
Posts: 263
Loc: B.C., Canada
|
|
Unsubscribe links (or any HTML links) in an e-mail are similar to web bugs, yes, except that they need to be clicked on to work. The web bugs I was describing don't even require you to click on anything--they just try to load an image from a remote web server, so when your e-mail program opens the mail, the deed is done.
Generally speaking, you should only try to unsubscribe from lists that you know you subscribed to in the first place. Most spam these days claims to be "opt-out"--they'll claim that you must have subscribed at some point in the past, possibly on one of their affiliates' sites, etc., but they offer you the chance to unsubscribe yourself by clicking on a link. If you do that, one of several things could happen:
(1) You could actually be removed from that particular spammer's list. Great! Now you just have to do that for every other list you're on. Unsubscribing quickly becomes a full-time job, particularly since you never subscribed to these lists in the first place.
(2) More likely, the spammer now has confirmation that your e-mail address is valid, and that you read his mail. More promising from his point of view is that you were gullible enough to click the "unsubscribe" link, which makes you statistically more likely to be the kind of person to buy the products spammers advertise. In other words, you migrate to the spammer's VIP list, and instead of getting removed from future mailings, you end up getting a lot more of them.
(3) You could get placed on a "complainers" list that the spammer maintains, to be treated to something worse. Not that spammers are particularly discriminating people to begin with, but if they have reason to dislike you they may go out of their way to subscribe you to a virus distribution channel. This can actually help the spammer, too--many of the viruses (well, worms) that have been developed over the past year have been designed to turn the victim's computer into a spam relay. If your machine becomes infected, the spammer can then use your computer to broadcast spam, to better hide his tracks.
To reiterate, only try to unsubscribe from lists that you know you subscribed to in the first place. There are many valid, legitimate mailing lists (listserves), but you won't usually find yourself on a legitimate mailing list without first subscribing (and usually confirming that subscription) yourself.
|
Dave_Howe
stranger
Reged: 12/13/04
Posts: 4
Loc: Manchester England
|
|
Re: "mime attachments are never invisible"
investigate the RFC for Mime Multipart/related - RFC 2387 - and you will find an interesting concept, of mime parts that are *hidden* from the viewer and can be referenced in the html of the mail as embedded objects such as a SWF.
Combine this with the known bugs and exploits for IE (used as the rendering agent in Outlook and Outlook express, sadly the most popular email software in the world) and you can have an email that carries with it a program, which once executed by merely viewing the email, covers its own tracks then emails back details from the viewing machine.
|
Dachande
stranger
Reged: 02/05/05
Posts: 2
|
|
You don't even have to use images as links. Windows has exploits in it that allow code to be placed as the image and when you try and view the image it could do anything you want. This way you could have a 1px by 1px image and when you view the email you see nothing, but the code is run in the background. You could then use an open port and send a reply. Simple!
|
Arras
enthusiast
Reged: 05/24/04
Posts: 263
Loc: B.C., Canada
|
|
Quote:
Dave_Howe said:
Re: "mime attachments are never invisible"
investigate the RFC for Mime Multipart/related - RFC 2387 - and you will find an interesting concept, of mime parts that are *hidden* from the viewer and can be referenced in the html of the mail as embedded objects such as a SWF.
The key phrase there is "invisible to the viewer". There's no way to conceal an attachment from the software parsing the mail. Whether and how your e-mail client displays attachments is up to its developer (and in some cases configurable by the user).
My point, though, is that the evidence is still contained in the original MIME-encoded e-mail sitting in the target's mailbox. The target's mail client will display the decoded contents, but most mail clients also offer an ability to view the "raw" (i.e. encoded) contents as well, and of course the mail file itself can be viewed with any text editor. Anyone bothering to do a little investigation would discover the "hidden" content, provided the receiver hasn't already deleted the mail. From the standpoint of someone sending a bit of tracer code, the risk of leaving this evidence behind on the target's computer is impractically large, particularly if the target works in a paranoid environment.
It's also worth noting that spam and mail-borne viruses have encouraged the development of software that closely inspects the raw and decoded contents of the e-mail you receive, and these filters look explicitly for embedded malware, web bugs, and suspicious MIME structures in the process. With more people using these kinds of tools to defend their mailboxes against spam and malware, it becomes much harder to "hide" such tracer code from the target--it gets flagged as suspicious automatically.
|
Lightstar
stranger
Reged: 03/28/05
Posts: 4
Loc: Florida
|
|
You don't know jack shit about computers. First off, you can hide an application in an e-mail and make it invisible. Second, you don't have to have the reciever activate the tracer, it activates upon opening of the e-mail. My dad worked for the NSA as a cryptographer. I would know.
--------------------
-Lightstar
You've just been blinded by the starlight.
|
Arras
enthusiast
Reged: 05/24/04
Posts: 263
Loc: B.C., Canada
|
|
Quote:
Lightstar said:
You don't know jack shit about computers. First off, you can hide an application in an e-mail and make it invisible. Second, you don't have to have the reciever activate the tracer, it activates upon opening of the e-mail. My dad worked for the NSA as a cryptographer. I would know.
If you want to argue on the basis of credentials, I write anti-spam and anti-virus software for a living, specifically mail server scanners (witness Maia Mailguard), and I lecture on related topics such as cryptovirology and malware. Your uncle Jack and I have known each other for more than 25 years 
It is my business to understand e-mail-borne threats and how to neutralize them at the mail server, before they ever reach the recipient's mail client. When I speak of "visibility," I'm not talking necessarily about what the mail client exposes to the end-user, but rather what any raw mail processor (e.g. a mail filter or scanner) can see in the mail. There are certainly tricks to fool a mail client into not displaying an attachment to the end-user, but any application that offers a "raw" view of the mail will expose the malicious code for what it is, to humans and applications that know what to look for.
Web bugs are a perfect example of this sort of thing. They're HTML call-backs, essentially, and rely on modern e-mail clients to blindly try to load remote links (such as images) in HTML code. A mail filter can detect these trivially and neutralize such links before they are sent to the HTML processing engine--a feature that has been incorporated into many mail clients these days. I catch and neutralize several hundred of these attempts on a daily basis in my personal e-mail.
Now, if you want to talk about exploit-ware--malware written to exploit known vulnerabilities in specific mail clients--that's a similar matter. Once the exploits become known, new filter patterns are written to detect their characteristics in arriving e-mail. Only so-called "zero-day" exploits, which are as-yet unrecognized, will slip through to the recipient. With more and more ISPs and end-users running anti-virus and anti-spyware software on their machines, pre-processing their mail for them, the delivery of exploit-ware is unreliable.
More to the point, reliance on exploit-ware requires knowledge of the recipient's specific mail client--do you know she's using Microsoft Outlook? If she's using Mozilla Thunderbird, or Eudora, that exploit won't work. It even requires assumptions about the platform the recipient is using--an exploit that targets Thunderbird under Windows won't necessarily affect someone running Thunderbird under Linux, or on a Mac. It's far from reliable as a tool for targeting a specific recipient, unless you know these things ahead of time. Even then, the target recipient may read her mail from multiple platforms and with multiple clients--perhaps Outlook Express on a Windows box at home, Thunderbird on a Mac at work, and via Yahoo! web-mail when she's traveling.
My point (as I believe I've stressed several times by now) is that it would be drop-dead stupid for the NSA or any other organization to try to pull a stunt like this with e-mail, particularly against a target who is known to be paranoid in the first place and technically competent (e.g. Tankado). There is no way to hide the evidence, since the exploit code must be transmitted in full to the recipient. It will have passed (in uninterpreted, raw form) through multiple mail relays by then, including one or more mail filters (any one of which might quarantine the item for being suspicious), and thanks to financial sector rules like the Sarbanes-Oxley Act, an increasing number of companies are required by law to archive all of the mail they send or receive on write-once media (e.g. CDs or DVDs). Such archives would preserve the evidence indefinitely.
|
Lightstar
stranger
Reged: 03/28/05
Posts: 4
Loc: Florida
|
|
You have proved me wrong. I am sorry.
--------------------
-Lightstar
You've just been blinded by the starlight.
|
8549176320abc
enthusiast
Reged: 05/02/05
Posts: 219
Loc: UK
|
|
I takes a big man to admit that - you could never become a politician though!
--------------------
Governments offer us safety for our freedom. It is by seeing this safety as false that we are freed.
|
RoseyORyan
member
Reged: 04/03/05
Posts: 128
Loc: Scotland
|
|
Hey Arras,
Stick with us kid!Interesting little thread containing loads of commonsense and learning (we never stop learning).
Hey Abacus :-)
Nicely put!
Rosey :-)
|
Ski
stranger
Reged: 06/12/05
Posts: 2
|
|
Has anyone heard of "ECHELON"?
check this site out:
http://cryptome.org/echelon-60min.htm
|
Arras
enthusiast
Reged: 05/24/04
Posts: 263
Loc: B.C., Canada
|
|
Quote:
Ski said:
Has anyone heard of "ECHELON"?
Certainly; it's been around for decades. Pick up a pay-phone at an international airport sometime, call a friend and use the word "bomb" in your conversation, and then time how long it takes airport security to converge on you. That's the sort of thing ECHELON was ostensibly designed to help with.
The trouble, of course, is that the same eavesdropping technologies that can help tip us off to impending acts of terrorism can also be turned against the population at large. It's not just diplomatic cables and airport pay-phones anymore, it's Internet traffic, satellite communications, and cellular phone networks as well.
The head-shakingly fraught part of it all, really, is the arrangement that participating nations have with one another to spy on each other's citizens--since spying on their own citizens may be deemed illegal according to their own constitutions. The U.S. spies on British citizens, while the U.K. spies on American citizens, and both countries tacitly agree to exchange information. Canada and Australia are also participants in this sordid enterprise, with similar agreements.
The advent of widespread strong encryption is throwing a bit of a wrench in the gears, however. While privacy advocates advise ordinary citizens to encrypt their e-mail and such, the courts have lately started viewing the presence of encryption software (e.g. PGP) on a suspect's computer as "circumstantial evidence" of a desire to commit a crime. Not a good precedent to set.
There's some interesting information about this and other related topics on the Digital Fortress Secrets Page, incidentally.
|
Ski
stranger
Reged: 06/12/05
Posts: 2
|
|
Hey thanks Arras!
A lot of info and knowledge you have, I guess being in cypto field keeps you on top of things.
The fact the computers and the internet have started a lot of new laws is just a new part of life. And with the 911 event we can expect to see even more new laws that will limit our freedom of privacy and speech.
|
Arras
enthusiast
Reged: 05/24/04
Posts: 263
Loc: B.C., Canada
|
|
Quote:
Ski said:
And with the 911 event we can expect to see even more new laws that will limit our freedom of privacy and speech.
Ironically, encryption technology is at the heart of the battle for freedom of speech not just in developed countries, but in third-world dictatorships where electronic communications are gated and scrutinized as a matter of course by government officials. Even a relatively innocent e-mail can get you arrested if you send it from the wrong country in the clear. Police seizures of computer equipment are commonplace, and often foreign aid workers are accused of being spies if anything remotely interesting gets found on their laptop computers.
This chilling reality was driven home to me about a year ago, when I received an e-mail from an organization that supplies free software to NGOs (Non-Government Organizations, i.e. foreign aid organizations). The writer was thanking me for the open source anti-spam and anti-virus product I developed, but he also wanted to explain to me the need to provide support for strong encryption all the way down to the mail database itself. He shared the harrowing tale of aid workers in the former Yugoslavia who had been arrested for providing dissidents with the means to spread their message outside the country via the Internet in spite of government bans. The aid workers for the most part got off easy, spending time in jail and losing their computer equipment before being deported. The dissidents--who were identified via the data on the aid workers' laptops--were executed.
Needless to say, I was moved to add strong encryption features to my software overnight. It also brought home to me just how vital it was that the encryption be well-implemented, since a flawed implementation could cost someone her life. It highlighted the fact that for some people in some parts of the world, encryption is the only safeguard they have for their freedom of speech.
What most people don't realize is that e-mail is not a particularly secure medium. In fact, e-mail is more like a postcard than a sealed envelope--anyone that handles the mail as it travels between the sender and the recipient can read it. The sender's company can read it. The company's ISP can read it. The recipient's ISP can read it. And all of the higher-level traffic carriers that link those ISPs can read it. If anyone at any of those levels wishes to scan for mail that contains certain patterns (say, credit card numbers) or keywords, there's nothing to stop them--unless you encrypt the contents before sending the mail.
Unfortunately, a lot of people have this belief that if you're using encryption in your communications it's because you have something to hide. You're up to something. You're conspiring with someone. Never mind the fact that we routinely fold our cheques when we put them into envelopes, or enfold them in another sheet of paper to obscure the fact that we're sending money in the mail. And we know the vulnerabilities of postcards, such that we keep our public writings very innocent for the most part, saving the more scandalous bits of our personal correspondence for sealed envelopes. But encrypt an e-mail to a friend? That seems excessive to most people, and smacks of paranoia. "As if my personal e-mail is interesting enough for anyone to want to read..."
At the same time, encryption is also being used by criminal organizations, terrorists, and "freedom fighters" of every stripe, and a lot of innocent people worry that if they start encrypting their e-mail they'll start looking like Bad Guys to the authorities. It's the old, "if you're innocent, what have you got to hide?" argument. If courts of law are going to take a biased view of a case because encryption tools were found on your computer, then your right to online privacy is at serious risk.
Conversely, encryption is used against us on a regular basis in the form of computer viruses and worms, most of which use some form of code obfuscation to hide themselves from virus scanners. The payload of a computer virus is usually encrypted in one manner or another, so that its contents appear to be random, making it harder for virus scanners to recognize a fixed sequence of bytes. The code to decrypt the virus is included in the clear, of course, though it, too, can be cleverly disguised using a tactic called polymorphism or metamorphism that allows the same code to be written many different ways.
Just to add fuel to an already raging fire, a new crop of computer worms makes use of encryption in novel ways, taking the victim's computer hostage by encrypting all files of a certain type (e.g. documents, spreadsheets, text files, source code, images, etc.). The worm's authors then demand a ransom, which must be paid before the victim is sent the decryption key.
Encryption is just a tool like any other. It can be used in the service of good deeds as well as evil ones, and just as it can safeguard your privacy and save the lives of foreign aid workers, it can also conceal the plots of terrorists and render your own data useless to you. Do the benefits outweigh the costs? I think so. The right to free thought, free speech, and free association is too valuable to discard just because we're afraid of something. If we start down that slippery slope, trading rights for security, we'll only encourage the powers that be to increase our sense of insecurity, until our rights become meaningless. We just have to look at the places we send foreign aid workers to understand what that end result looks like.
|
Kwiky
stranger
Reged: 07/01/05
Posts: 3
|
|
Just curious if there is any explaination for her using the hybrid language for the code to her email program. I wonder if that could help explain the error.
I don't have the book in front of me so I can't remember what languages she was using but I know they were a hybrid for some reason.
Sorry if this sounds stupid just thought that kinda helped eplain it to my ignorant mine.
|
8549176320abc
enthusiast
Reged: 05/02/05
Posts: 219
Loc: UK
|
|
You are thinking of LIMBO, I can't think why it would be important to use a hybrid language, so it was probably just put in as an interesting detail.
--------------------
Governments offer us safety for our freedom. It is by seeing this safety as false that we are freed.
|
EVDebs
enthusiast
Reged: 07/10/05
Posts: 272
|
|
I haven't read Digital Fortress, only Angels&Demons, but this looks more interesting than DaVinciCode to tell you the truth. I am curious about the NSA and Microsoft's 'backdoor' as mentioned in
Crypto expert: Microsoft products leave door open to NSA
http://www.cnn.com/TECH/computing/9909/03/windows.nsa/
"The discovery "highly suggests" that the NSA has a key it could use to enter encrypted items on anybody's Windows operating system, said Ian Goldberg, chief scientist at Zero-Knowledge Systems."
Since NoSuchAgency would want the security of TotalInformationAwareness that seems to be going offshore now to the Bahamas via Ben H. Bell's company www.zmetro.com/archives/000901.php
do you think the NSA really has this ability ? Does that make me feel better nowadays ... what successes has the NSA had by doing this if they indeed do have that capacity ?
|
Michelangelo
journeyman
Reged: 08/22/05
Posts: 66
|
|
Could be real but maybe not at the moment
|
EVDebs
enthusiast
Reged: 07/10/05
Posts: 272
|
|
Michaelangelo
According to nonfiction books, like James Bamford's excellent Puzzle Palace and Body of Secrets (on history of the NSA), and probably in David Kahn's Codebreakers (which I haven't read but haven't read but probably says the same thing as Bamford), the NSA is always around 5 years ahead of the general public when it comes to the technology.
"Could be" usually means "probably" with the NSA ! William Arkin's book Codenames also shows some interesting projects these intelligence agencies have. Right now, Able Danger, regarding the hijackers on 9-11, were known about a year PRIOR to 9-11. That project was shut down in early 2001...by whom and why ? MSM is just starting to ask the pertinent questions.
|
Michelangelo
journeyman
Reged: 08/22/05
Posts: 66
|
|
Yes that is true.
And yes the NSA probably do have such technology in development but not in use well not often if at all
|
Previous
Index
Next
Threaded
Edit
Reply
Quote
[Re: