Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1119
  • Last Modified:

Email security -Hotmail / gmail / yahoo staff - how easy for staff to see our emails ?

How easy is it for the likes of gmail / hotmail / yahoo etc. staff to access our emails. I have a client who is reviewing security in many aspects of his life.

If he uses a free email account such as hotmail etc.  Are the hotmail staff able to view his emails if they choose to?
Also I assume without the email being encrypted, any server where the email message passed through can also obtain the content of that email right?

Is this just generally the way it is and therefore all should assume that email, unless encrypted is totally insecure?

Thanks for input
0
afflik1923
Asked:
afflik1923
4 Solutions
 
Sean MeyerCommented:
Gmail, Hotmail and Yahoo all use secure https connections now.  There are many security measures in place for the privacy of email by any of these companies.  Now if they get a warrant from the feds for your mailbox then theose measures will allow it to be viewed.  Each of those companies relies on trust and if it was easy to enter a mailbox noone would trust them.
0
 
Sean MeyerCommented:
FYI -- The https is the same type of connection used to connect to your bank.
0
 
afflik1923Author Commented:
Hi,

Yes I am aware of the HTTPS connection, but I was thinking that the staff are sitting at the server where all the emails are stored. I see the HTTPS link as protecting the link form the web browser to the server. However what about the staff sitting at that server.

Just in the same way I could filter off the email to another account on a company server running ,say exchange, maybe the hotmail staff could.

For example, although I might not have the password for a member of staff in a company I look after who is running exchange, I could easily grant a user who I have access to, rights over that mailbox and view the emails that way without the end user knowing about it.

I was wondering whether the hotmail / gmail staff could do that if they wanted.
Obvioulsy I would assume they woul dbe breaking policy / the law, but could it happen?

Another easy way might be for them to create a forwarding rule for example to filter off all email sent to say, my hotmail address to another email address and there they monitor all emails sent to me.
0
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

 
Sean MeyerCommented:
Is it possible.. yes.  But they do have policies and procedures in place to prevent that sort of thing.  In the end it is all about trust.  They make a LOT of money off advertising to people and if people could not trust their information is secure they lose a lot of money.  Their policies will not allow the Joe Blow system admin to view "Person X's" account. Anyone with access to the data will have audits of their access. It is more likely that your computer is hacked and your data read while you read it on their site than one of those services policies failed and allowed someone to view your data.

Here is Microsoft's statement ---

Security of Your Personal Information
Microsoft is committed to protecting the security of your personal information and information collected for advertising purposes. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For example, we store the personal information you provide on computer systems with limited access, which are located in controlled facilities. When we transmit highly confidential information (such as a credit card number or password) over the Internet, we protect it through the use of encryption, such as the Secure Socket Layer (SSL) protocol.

If a password is used to help protect your accounts and personal information, it is your responsibility to keep your password confidential. Do not share this information with anyone. If you are sharing a computer with anyone you should always log out before leaving a site or service to protect access to your information from subsequent users.

0
 
Sean MeyerCommented:
So for the client just remind them that those services make BILLIONS of dollars off providing free email services and it is going to be one of the most secure methods of accessing a secure email account.  Those services are also spending Hundres of Milliions to Billions on security to make sure they can provide a secure environment to make their money.
0
 
Sean MeyerCommented:
Will they try to sneak some advertising into your web browser based off some algorithmic analysis of your email?  Probably but that is what is providing the free service.
0
 
afflik1923Author Commented:
OK thanks. When I'm aksing this question I'm also predicting what questions may be asked of me when I present the solution so I want to be prepared. This is what I pretty much expected and in fact it's going to lead me to conclude that in some ways a hotmail account is more secure then an preivate email account provided by my company, because I could without his knowledge setup something to filter off his email and he would be trusting me on this (of course I would not do this, but it is my duty to report all possibilities). Where as hotmail, even if an enemy of his knew some high up contact within Hotmail, it is still unilkely they would be able to access his email without being found out.

I think this is a fair enough conclusion.
0
 
Sean MeyerCommented:
Agreed.
0
 
Russell_VenableCommented:
Even if he uses a free public email account doesn't guarantee that his emails won't be filtered. There are many ways this can be accomplished. If your relying on privacy you need to encrypt everything and have a personal computer to receive and decrypt these messages. This cut's out any filtering software that will capture(passwords, key strokes, statistical reporting applications..., screen captures, many more) from happening. The risk is smaller in the sense it's not tied to corporate server where anytime they choose they would have access to your digital files on a corporate environment owned and operated by them verse a business(Microsoft) that is not owned and run by that company severely hinding any ownership of your transactions from that side of the gate. Any transactions coming from side A (the corporate business named "________") has the right to protect there own interest. So using a email client on that side cuts your privacy in half as well.  You can use SSL to encrypt your data transfer scheme, but if they are crafty and your info goes through a proxy after the information is decrypted. Then you are hosed and your information that was once encrypted is now public to that corporation to read publicly like the evening news.  Best practice is not to expose anything that is considered to be confidential/Sensitive in nature in a less secure environment. They have the control. What measures do you have to protect against unknown statistical user analysis reports when at work? Answer should be nothing in a legal environment where you are authorized to conduct business there. You shouldn't have access to low layer environments as a regular user. Which would be the only way to truly have privacy is to block filtering software from working as designed. In all due reality if you have a enemy at hotmail.com. Why in the world would you have a account there? Security by obscurity. Use a not so widely known but secure email provider that will cut down on paranoia of known enemy personnel harvesting your information. Creating a bottleneck to possibilities of "John doe" working there and would also bypass certain spyware looking for that type traffic. As far as I have seen from the internals of hotmail servers is that there are few operators with clearance to even enter the room to do maintenance/upkeeping of the servers. The only time they are allowed to access your account is based off of need-to-know. For example; lost password, digital criminal forensics investigations, physical harddrive backup's known as hot swapping drives. Usually in a extreme case of a very bad malware attack. There are a lot of factors that can go into this. The greatest question that should be going through the users mind is "How much worth is it to go through all this trouble to protect data?" Risk assessments are a gold mine for people planning to protect there own investments and personal information.
0
 
btanExec ConsultantCommented:
This seems to touch on privacy policy from those companies. But as extracted below they do not infringe unless need for recovery on user request or law enforcement coming in. But it can never stop a insider threat - meaning a super admin becoming bad and disgruntled and defame the company with data leakage - hopefully it is not one of those wikileaks.

But true enough, email header is definitely available and with the backup storage of archive old email of users, there is always all possibilities to access them. The key is what do they want to do to it cyber/corporate espionage or sabotage being the primary? But what if a staff machine being infected with malware get connected to administer the backend email server (or even using a thumbdrive to transfer file), the email server may be infected, the malware can get their way in and looking way to go out. There is element of strict company policy to enforce compliance of physical and IT security too. They had to work hand in hand. At least after the firesheep saga (sniffing on non SSL transaction), SSL is deemed necessary and not option. They support that. Also the key is to establish well audit trail (but they would store for long too).

Overall, I would not say that an user need not totally go for encrypted email (e.g. S/MIME or PGP type). There is already many information out for a social user in the social network - the safest is to stay as caveman but we know it is not possible at this age. He will not be the only one that is fearful of privacy and he can leave it to the public sector policy - as a user he cannot do much since he already "click" to agree on the privacy policy. The key is he should up his security posture such that his machine will not be one of those bot and become another leakage channel e.g. abuse his email account to spam others or even talk to C&C server. The recent Coreflood stoppage by the Department of Justice (together with ISP) are evident that infected machine should not join and stain the internet - not totally possible but best effort...

So balance security with business impact, and do not have security as a afterthought or seen it as a product (it is a process lifecycle)....

Just some thoughts...

====================


http://info.yahoo.com/privacy/us/yahoo/details.html

Employee and Contractor Access to Information - Yahoo! limits access to personal information about you to those employees who we reasonably believe need to come into contact with that information to provide products or services to you or in order to do their jobs.

We respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims.
We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo!'s terms of use, or as otherwise required by law.

http://mail.google.com/mail/help/about_privacy.html

Google does not share or reveal email content or personal information with third parties. Email messages remain strictly between the sender and intended recipients, even when only one of the parties is a Gmail user. Of course, the law and common sense dictate some exceptions. These exceptions include requests by users that Google's support staff access their email messages in order to diagnose problems; when Google is required by law to do so; and when we are compelled to disclose personal information because we reasonably believe it's necessary in order to protect the rights, property or safety of Google, its users and the public.

http://www-hotmail-com.com/privacy-policy/

How Do We Use the Information That You Provide to Us? Broadly speaking, we use personal information for purposes of administering our business activities, providing the products and services you requested, to process your payment, to monitor the use of the service, for our marketing and promotional efforts and to improve our content and service offerings, and to customize our site’s content, layout, services and for other lawful purposes.
0
 
afflik1923Author Commented:
Thanks for the information on this one. All very useful and appreciated.
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now