Sources of Error When Identifying Misuse of Corporate Internet Services - A Cautionary Note
Lawrence Stewart Centre for Advanced Internet Architectures. Technical Report 040224A Swinburne University of Technology Melbourne, Australia [email protected]
Abstract-This technical report aims to investigate the ease in the event suspect behaviour is taking place, use this with which unsolicited content from the Internet can be fetched evidence to identify employees and possibly take by an email client triggered by specially formatted HTML disciplinary action. email. It also looks at the default behaviour of a number of A couple of recent incidents involving the dismissal different popular email clients across the Windows and of employees over the sending of emails containing FreeBSD platforms, and their configuration options. We found pornography [1] has further stirred the debate. that it was surprisingly easy to get the tested email clients to download images from the Internet with no prompting. Such The important question one must ask in all this is activity could leave traces in corporate ITS server logs or on a does an entry in a server log or a picture stored in an user's local machine which could be misconstrued as breaking employee's local cache signify intent to contravene company IT policy and result in an employee's dismissal. The company policy? results of this investigation are meant to educate IT personnel With a couple of quick experiments, we were able to about the need to exercise caution before jumping to conclusions prove that the answer to this question is in fact “no”, and about the activities of an individual. They are also meant to that it is very easy to make an honest mistake, or even educate email users about the risks involved when using email possibly maliciously try to frame someone using the and how to avoid walking into traps by being aware of the current email technology as it is. configuration options of the email client they use and understanding what they do. II. METHODOLOGY Keywords- Lawful interception, framing, inappropriate For this report, we decided to focus on how to trigger content, email, caching the downloading of images to a client machine. There are other forms of content that could have been I. INTRODUCTION investigated, but all of them end up with the same net result of the client's machine having to make requests to The widespread use of electronic mail (email) as a a foreign host which is the all important factor. fast, reliable means of communication has worked its way into every facet of modern day life and work. For There are two main ways an image can be these reasons, it has been widely adopted in the work incorporated into an email. It can be directly attached to place. Combined with the ever increasing use of the the email, or it can be linked to the email from a remote Internet in day to day work, corporate information location and loaded on opening the email. The second technology departments are having to keep up to date option is of interest for this report, as it results in the and manage their resources effectively and efficiently. client's computer following the embedded link and downloading the content the moment the email is Part of these responsibilities is to ensure that opened. This can be accomplished by writing the email resources are being used for work related purposes and in hypertext markup language (HTML), which is now a not being abused by employees. There have been a standard email format recognised by most popular email number of instances in recent years of employees losing clients. their jobs for inappropriate use of their corporate information technology services. A. Email format IT departments have gradually been addressing these There were two simple ways identified to load issues by taking a “big brother” stance and monitoring images on a user's machine without their consent. First the traffic flowing over the network, using proxy servers was to embed a HTML tag inside the body of the with ban lists to make it difficult for employees to visit email. The second was to use some javascript in the websites considered inappropriate, and so forth. Many body of the email to do the fetching of the pictures. This corporations have gone to great lengths to ensure method would be ideally suited to attempting to frame accountability in their networks. The net result of this someone, as you can fetch images without even has resulted in everything flowing through the network displaying them, so unless the client is savvy enough to being traced and logged in one form or another. With inspect th source of the email, they would not even simple, freely available tools, network administrators are know content is being downloaded. able to keep logs of traffic patterns for employees, and
CAIA Technical Report 040224A February 2004 page 1 of 6 In order to make the above two methods difficult for imgSrcs[0] = the average user, most email clients (and all that were "http://www.stanford.edu/~robevans/robbiebigju tested for this report) do not allow you to compose mp1SM.jpg"; emails in raw HTML. They take your text and generate imgSrcs[1] = the HTML tags behind the scenes. In order to generate "http://www.stanford.edu/~robevans/DSCF0012.JP our own raw HTML emails, a small python [2] script G"; was written to talk directly to a simple mail transport protocol (SMTP) server. We were then able to transfer imgSrcs[2] = any information we liked in an email without the "http://www.stanford.edu/~robevans/DSCF0018.JP limitations imposed by an email client. G"; We sent two different emails in order to test the two imgSrcs[3] = different methods outlined above. The first was a "http://www.stanford.edu/~robevans/DSCF0056.JP standard HTML formatted email with a single G"; embedded tag. The email contents that were sent imgSrcs[4] = are listed below. "http://www.stanford.edu/~robevans/DSCF0057.JP G";
border="1">