How HP bugged e-mail

Hewlett-Packard employed a commercial service that tracks e-mail paths to bug a file sent to a CNET News.com reporter, an HP investigator said Thursday.

HP investigators used the services of ReadNotify.com to trace an e-mail sent to reporter Dawn Kawamoto in an attempt to uncover her source in a media link, Fred Adler, an HP security employee, said during testimony before a U.S. House of Representatives subcommittee.

Adler's testimony, for the first time since the HP boardroom drama erupted, specified how the company bugged the e-mail it sent to Kawamoto. Moreover, Adler said that it's still company practice to use e-mail bugs in certain cases.

"That was and still is current policy," he said. "It still is sanctioned by my management as an investigative tool, we have used it in the past for investigations, for determining the locations of stolen product and what-not, and we have also assisted law enforcement."

The tracking mechanism provided by ReadNotify would allow investigators to see who opened the file attached to the e-mail, Adler said. The objective was to determine whether the journalist would forward the e-mail to her source, and to then determine the source of the leaks of HP confidential information.

Through ReadNotify, investigators would see when the e-mail attachment was opened and the Internet Protocol, or IP, address of the computer it was opened on, Adler said. An IP address can disclose the geographic location of a user, as well as the Internet service provider used to connect to the Internet.

"We suspected it would be Mr. Keyworth that would be the recipient," Adler said, referring to George Keyworth, the HP board member who has admitted he leaked information to the media.

Video: Exec: HP traces personal e-mail
Investigator Fred Adler reveals tactics during congressional hearing on Thursday.

During a press conference at HP headquarters last week, Michael J. Holston, a lawyer hired by HP, said that bugging e-mail did not yield results in this case.

ReadNotify, which operates as an online service, provides a free trial that lets anyone send 25 bugged e-mails, according to its Web site. Subscriptions are offered starting at $24 per year. A premium $36-a-year subscription is required to bug files such as Office and PDF documents. A similar service operates as MailTracking.com.

ReadNotify's service makes bugging e-mail a matter of pointing and clicking. The ReadNotify Web page will generate a document with an image. This image, a green check mark, can simply be dragged and dropped into the document that needs to be traced. The check mark becomes transparent after being dropped.

Users of the service register their e-mail addresses with ReadNotify, then simply append ".readnotify.com" to any e-mail address they send mail to if they want the message to be tracked. Recipients won't see this suffix, but could tell from the e-mail headers that the message was relayed.

In the default ReadNotify setting, an e-mail recipient could discover something is awry because a return receipt message may pop up, but the service also has an "invisible tracking" setting, according to the Web site.

ReadNotify offers a range of tracking options. Users can see the IP addresses of those who opened bugged e-mails or documents, including details on when the mail or file was opened. The service also shows some data on the PC and e-mail program. If the mail or file was forwarded, it shows the same data on that person.

The ReadNotify service appears to use what's known as a Web bug, a technique also employed by some e-mail marketers. An e-mail or a document sent through ReadNotify includes hidden links to one or more files hosted by the service. When the message or the file is opened, the program retrieves the files and by doing so checks in with ReadNotify.

[Johnny Mnemonic]

Pretexting?

Am I the only person that has been a little
confused by this new term? To me, pretexting
would be something akin to something like
"wmd: a pretext to war", rather than misrepresenting
yourself in order to gain knowledge. Granted, "wmd"
or other pretexts are generally mis-representations,
but they are different in context. The proper
terminology is "social engineering". Commonly
used in the malicious hacker/cracker context
of which this clearly falls under.

[SeizeCTRL]

I'm with you...

I see this more as social engineering. Also, in all honesty, I do not think HP is totally in the wrong here. If someone is leaking trade secrets and whatnot, I think they have a right to determine the leak and follow all necessary trails.

It's funny how the government does this kind of thing all the time... but as soon as a big name company does it, it's the most horrendous invasion of privacy the world has ever seen. Surely people aren't that naive that they believe they have some ulitmate ammount of privacy in this day and age. Is it really that big of a deal that someone got your phone records? The method used is really no different than dumpster diving... chances are you throw away old phone bills. Besides you probably throw away more private information than you realize, so the point it leaves your house and into your garbage can, anyone willing can find out anything about you.

[catch23]

From Dictionary.com

"the misleading appearance or behavior assumed with this intention"
the 'intention' being "to conceal a true purpose or object"

So Social Engineering is just a form of Pretexting. The WMD argument was itself a form of Social Engineering, intending to get people to do somthing based on artifically generated fear.

[rcrusoe]

Another reason to avoid HTML mail

readnotify's use of web bugs and iframes in html email is bad enough, but I understand they also exploit bugs in MS Word docs (and perhaps other documents) to track those attachments.

ASAIK, I would be safe from these methods since my email client mail.app (Mac) is set to display plain text only and OpenOffice doesn't allow these "phone home" tricks.

Unfortunately most of my users have Outlook and MS Office so they have yet another reason to wish MS would put some "features" in their software that are really needed, rather than just ribbon menus.

[catch23]

Try reading the article

They use the same trick with PDF's, so your Mac and defaults mean nothing.
Unless your running a good 2 way firewall (which neither the Mac or PC ships with) your as hosed as the us.
Of course, at least we have ribbon menus.

[mveronica]

Another solution....

you could also encrypt the email attachments or email messages in HTML with email anti-theft software, converting documents into .ecc's. This unfortunately will not stop them from tracking the email, but it prevents them from being able to access its contents.

[ballssalty]

A good firewall...

Another friendly reminder to have a good software firewall like ZoneAlarm installed to prevent this from working and to disable HTML in Outlook.

[hadaso]

Firewall?

A firewall doesn't stop web-bugs if it doesn't stop other outgoing http requsts.

Disabling HTML in Outlook would not work for serious email users because they don't use Outlook... A good email client would render HTML but not the webbugs within it, and othor kinds of nasty things embedded within HTML. FastMail.FM's webmail client have been blocking images and defanging various HTML elements and still showing HTML email for years now (with whiltelisting of trusted sources). Many other email clients, web-based and PC-based do the same.

[jtpickering]

Firstly, I don't give a darn. Secondly, thanks for the additional regs.

"Occasionally, we're asked about privacy and legal issues," Drake said. Essentially, ReadNotify believes an e-mail author can do whatever he pleases with the message, including tracking it. "It is important to understand firstly that just because an e-mail comes into your inbox, it does not make it yours. When a person puts the effort into thinking up an e-mail and composing it: that e-mail is theirs."

So, following this argument, every piece of junk mail and catalogue that appears in my mailbox or is couriered to me is not my property? I wonder if they could fine a recipient if/when the recipient destroys or throws that property away?

Mr Drake, if you do not have a law degree and international legal experience, your opinion in this matter is no more helpful than my 5 year-old's.

Sounds like more legislation is on the way....

[gggg sssss]

sherlock holmes would found a clue

There are many many things you cannot do with that catalogue - you cannot copy the pictures and put them on your website or your own catalogue - you cannot use the text in the same manner for instance - and neither can your 5 year old. Although he might get away with using them in a school project. Even better, if he does, then he furthers the advertiser's message - at no additional cost to him.

[Mark Donovan]

How CNet bugs e-mail

CNet's newletters are bugged. To be fair, the practice is disclosed in CNet's privacy policy, but the bugging is nonetheless as reprehensible and unethical as HP's actions.

It's time that CNet end the use of web bugs in its e-mail. While CNet's disclosure applies to those who subscribe to its newsletters, the web bugs also track forwarded e-mail. There's little difference between HP and CNet bugged e-mail.

Here's a typical CNet web bug. This type of bug is defeated by not loading images from e-mail.

[computerlegalexperts.com]

Potential for abuse???

Well, this is interesting from a privacy perspective. What is remedy the when someone sends something unlawful or unethical and you didn't ask for it?????

Steve
Computerlegalexperts.com
http://www.computerlegalexperts.com

[chuck_whealton]

Re: Potential for Abuse

I agree with what you appear to be saying - that this may have some potential for abuse.

I mean it sounds like at least some of their use of it was warranted; searching for stolen products, etc., but this does seem to have quite a bit of potential to be misused.

Charles R. Whealton
Charles Whealton @ pleasedontspam.com

[hadaso]

web-bugs and the DMCA

Like any other written material, email messages are automatically subject to copyright laws in all countries that have joined the Berne Convention Copyright Treaty, and nothing may be done with them without explicit permission from the author. If the author wishes to control the use of her work using any kind of security scheme, including tracking the distribution of the copyrighted work by use of various tracking techniques including but not restricted to the use of the standard tracking technique often refered to by the name "web-bugs", then it is illegal to circumvent this kind of copyright protection device and doing so violates the anti-circuvention clause of the DMCA!

[SimonHobson]

what about illegal use of a computer ?

Where does neutering web bugs stop being violating "... the anti-
circuvention clause of the DMCA!" and become a legitimate
technique to protect your own computer from misuse by others
who are attempting to have your computer executing something (a
file download) without your knowledge or permission ?

I guess the answer is to follow the money - the DMCA is approved
of by the big money so it trumps other laws. I just wish the US
would keep that policy to itself and stop exporting it to the UK !

[ambigous]

Disclaimer

I found this in ReadyNotify's Terms of Service:

"You agree that You will not..."

"...(vi) transmit, or otherwise facilitate the transmission by anyone, of unsolicited, erroneously labeled and/or intentionally deceptive e-mail messages..."

Considering the nature of their "service," that's a fairly potent disclaimer!

[cowen80194]

Well now we need to create a way to patch this "BUG" before it is exploited by Spammers, and the like.

There are legitimate uses for this possibly but the staggering possibility that this will be abuse by illicit users and that TRUMPS any legitimate use that this "service" may have.

First it starts out with tracking and then it moves on to hidden downloads that contain key logging software and zombie bots.

All that would need to happen is a few email server get attacked and taken over start adding these codes and every unsuspecting person that receives an email would become a target. With all these zombies being created to go an attack at will. DDOS problems would be ram-pent.