Email Content Encryption: Typosquatting Raises Questions.

Two researchers set up copycat sites that mimic the look of legitimate Fortune 500 websites. Over six months, they received over 20 gigabytes of email, which included passwords, confidential memos, litigation documents, and other assorted missives. The real problem, as far as I can tell, is not typosquatting. Rather, the real question is: why are people sending such confidential information in an unprotected format? I mean, what about using data encryption?


Typosquatting: Not Just For Email



What is typosquatting? According to Wikipedia, it’s a form of URL hijacking that relies on a person’s propensity to make typos in the browser’s address bar. For example, the entry for typosquatting at Wikipedia can be found at http://en.wikipedia.org/wiki/Typosquatting. A typosquatted version would be http://enwikipedia.org/wiki/Typosquatting. If you don’t see the difference, it lies in the period between en and wikipedia, which is missing from the second address.


Why would people obtain URLs that are obvious typos? For a number of reasons aside from research purposes, such as to make money. For example, it was theorized last year that Google made nearly $500 million from ads shown on sites that displayed nothing but ads and whose addresses were slight variations of popular URLs (the ZDNet article I link to proposes zddnet.com as an example; there’s an extra “d” in there).


The fact that Google made money also means someone else made money, since Google pays a cut of their revenue.
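The two lookalike patterns mentioned above (a dropped period, as in enwikipedia.org, and a single extra character, as in zddnet.com) can be checked for on the sending side, before a message leaves. The following Python is an added example, not part of the original post; the allowlist, the function names and the sample addresses are constructed for illustration.

```python
# Added example (not from the original post). The allowlist and the
# addresses below are constructed from the domains the post mentions.
KNOWN_DOMAINS = {"en.wikipedia.org", "zdnet.com"}

def one_edit_apart(a, b):
    """True if a and b differ by exactly one inserted, deleted or changed character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # make a the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1                           # skip the common prefix
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]    # one substituted character
    return a[i:] == b[i + 1:]            # one extra character in b

def classify(domain, known=KNOWN_DOMAINS):
    """Return (verdict, matched_known_domain) for a recipient domain."""
    d = domain.lower().rstrip(".")
    if d in known:
        return ("ok", d)
    for legit in sorted(known):
        # Dropping a label separator (any dot before the last one) turns a
        # subdomain into a different registrable domain.
        last = legit.rfind(".")
        dotless = {legit[:i] + legit[i + 1:] for i in range(last) if legit[i] == "."}
        if d in dotless:
            return ("missing-dot", legit)
    for legit in sorted(known):
        if one_edit_apart(d, legit):
            return ("one-edit", legit)
    return ("unknown", None)

def flag_recipients(addresses, known=KNOWN_DOMAINS):
    """List (address, verdict, lookalike_of) for recipients that resemble a known domain."""
    findings = []
    for addr in addresses:
        verdict, legit = classify(addr.rpartition("@")[2], known)
        if verdict in ("missing-dot", "one-edit"):
            findings.append((addr, verdict, legit))
    return findings

SAMPLE_RECIPIENTS = [  # constructed
    "editor@en.wikipedia.org", "editor@enwikipedia.org",
    "tips@zddnet.com", "tips@ZDNet.com", "someone@example.net",
]

if __name__ == "__main__":
    for finding in flag_recipients(SAMPLE_RECIPIENTS):
        print(finding)
```

A match is a prompt to double-check the address before sending, not proof of a squatted domain, and an “unknown” verdict says nothing either way.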


Email Holds Plenty of Other Unpleasant Surprises



But even if we were to live in a world free of typos and typosquatters, the architecture of how email operates makes it a bad decision to fire off emails without adequate protection. You definitely want to use data security tools like encryption software to protect any sensitive information, such as attachments that contain next year’s budgets for your division, assuming it’s one of those “for your eyes only” kinds of things.


For example, email is designed to bounce from server to server until it reaches its intended destination.  In the past, I’ve likened it to tossing a message in a bottle into the sea, expecting it to be delivered correctly to some particular address.  Of course, in the real, physical world, it makes no sense. But, this is actually how email gets delivered, even if it’s to the computer three cubicles over.  The kicker: any server that passes on the email is able to read and copy the contents of the electronic missive.


Another example: whoever is in charge of your email setup also has access to your emails, be it some unnamed guy at an ISP or Jim over at IT.  He (or she) can read any emails that pass back and forth.  In fact, such admins can copy any and all emails…and probably do, in order to stay in compliance with data retention laws.


Plus, when you consider all the other ways the contents can be leaked, you’ve got to wonder (and I’m repeating myself here): why would people send confidential emails without having them protected in the first place?



Related Articles and Sites:
http://gizmodo.com/5838708/how-researchers-stole-20-gb-of-e+mail-from-fortune-500-companies
http://it.slashdot.org/story/11/09/09/1619201/Researchers-Typosquatting-Stole-20-GB-of-E-Mail


