Have you ever sent an email at work from a personal account such as Hotmail, Gmail, or the account your service provider gives you? When you do that you might assume that, since you are sending the email from a central system, the recipient cannot obtain any information about you beyond what you give them and an email address. Unfortunately this is not true. Information is leaked in many ways. SMTP, DNS, and HTTP can all leak information about a particular individual or organization. In my experience, most people know this is possible, but fail to grasp the ease with which information about a person or company can be discovered.
Here is a simple example to illustrate. I have found when speaking to many users of email that they feel their location could not be determined by the recipient of an email unless they specifically give it, or that it would at least be difficult to find out. They feel even more comfortable with this statement when they are using their personal email from a terminal at work or an Internet cafe via a browser.
I was recently corresponding with a friend of mine. She has a Rogers email account that she uses for her personal email. She sent me a response to an email. By looking at the email itself, there is no information that would give away where she was located. However, if I look at the email headers a wealth of information is available. Let’s focus on one piece.
* headers not required for purposes of entry have been removed and others edited as required to protect identities
The ‘Received:’ header above displays an IP address. Taking that IP address and doing a ‘whois’ (shown below) reveals the company name where the email originated.
* removed ISP information and edited company info to ensure privacy
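To see what your own mail exposes, the following added example (not part of the original post) walks the 'Received:' headers of a constructed message and reports the address recorded at the earliest hop. The sample headers, hostnames and function names are assumptions made for illustration, and the IP addresses come from the ranges reserved for documentation.

```python
import email
import ipaddress
import re

# Constructed sample: hostnames are invented and the IPs come from the
# ranges reserved for documentation (RFC 5737).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby inbox.recipient.example with ESMTP id abc123;
\tTue, 02 Jan 2024 10:15:03 -0500
Received: from webmail.isp.example (webmail.isp.example [192.0.2.25])
\tby mx.recipient.example with ESMTP id def456;
\tTue, 02 Jan 2024 10:15:02 -0500
Received: from [203.0.113.44] by webmail.isp.example with HTTP;
\tTue, 02 Jan 2024 10:15:01 -0500
From: sender@isp.example
Subject: Re: quick question

Sure, sounds good.
"""

# Address literals appear in brackets or parentheses in Received headers.
IP_CANDIDATE = re.compile(r"[\[(]\s*(?:IPv6:)?([0-9A-Fa-f:.]+)\s*[\])]")

def received_hops(raw_message):
    """Return one list of IP addresses per Received header, oldest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each relay prepends its own header, so the last one is the first hop.
    for header in reversed(msg.get_all("Received", [])):
        ips = []
        for candidate in IP_CANDIDATE.findall(header):
            try:
                ips.append(str(ipaddress.ip_address(candidate)))
            except ValueError:
                pass  # bracketed text that is not an IP address
        hops.append(ips)
    return hops

def exposed_origin(raw_message):
    """Return the first address in the oldest hop that carries one, or None."""
    for ips in received_hops(raw_message):
        if ips:
            return ips[0]
    return None

if __name__ == "__main__":
    print("hops, oldest first:", received_hops(SAMPLE))
    print("address a recipient would look up:", exposed_origin(SAMPLE))
```

Run it over the raw source of a message you sent to yourself from the network in question to see which address your provider records.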
How could this information be used? If someone wanted to surreptitiously gather intelligence on a target, one could send an email to the target asking an innocuous question. By responding, the target has unknowingly revealed their place of employment. A few searches on Google, a picture on Facebook of yourself and family members … you get the idea.
This type of information gathering has valid uses. Determining a timeline of a target and their actions for a corporate or legal investigation, determining if your spouse is cheating on you, or whether your teenage child is lying are some examples.
I am not suggesting that you should try to hide this or not use the Internet. I am also not suggesting it will be fixed anytime soon, if ever. I am suggesting to be aware. Be aware that in today's world, data about yourself is being leaked all the time and any determined individual or group can find out what you are up to with minimal effort. Be aware that even the most common activity leaks data.
How secure or anonymous do you feel when using the Internet?


