[ISN] Firms Fret as Office E-Mail Jumps Security Walls

From: InfoSec News (alerts@private)
Date: Thu Jan 11 2007 - 22:03:23 PST


January 11, 2007

SAN FRANCISCO, Jan. 10 -- Companies spend millions on systems to keep 
corporate e-mail safe. If only their employees were as paranoid.

A growing number of Internet-literate workers are forwarding their 
office e-mail to free Web-accessible personal accounts offered by 
Google, Yahoo and other companies. Their employers, who envision 
corporate secrets leaking through the back door of otherwise 
well-protected computer networks, are not pleased.

"It's a hole you can drive an 18-wheeler through," said Paul D. Myer,
president of the security firm 8E6 Technologies in Orange, Calif.

It is a battle of best intentions: productivity and convenience pitted 
against security and more than a little anxiety.

Corporate techies, who, after all, are paid to worry, want strict control
over internal company communications and fear that forwarding e-mail
might expose proprietary secrets to prying eyes. Employees just want to
get to their mail quickly, wherever they are, without leaping through
too many security hoops.

Corporate networks, which typically have several layers of defenses 
against hackers, can require special software and multiple passwords for 
access. Some companies use systems that give employees a security code 
that changes every 60 seconds; this must be read from the display screen 
of a small card and typed quickly.

That is too much for some employees, especially when their computers can 
store the passwords for their Web-based mail, allowing them to get right 
down to business.

So far, no major corporate disasters caused by this kind of e-mail 
forwarding have come to light. But security experts say the risks are 
real. For example, the flimsier security defenses of Web mail systems 
could allow viruses or spyware to get through, and employees could 
unwittingly download them at the office and infect the corporate 

Also, because messages sent from Web-based accounts do not pass through 
the corporate mail system, companies could run afoul of federal laws 
that require them to archive corporate mail and turn it over during 

Lawyers in particular wring their hands over employees using outside
e-mail services. They encourage companies to keep messages for as long
as necessary and then erase them to keep them out of the reach of legal
foes. Companies have no control over the life span of e-mail messages in
employees' Web accounts.

"If employees are just forwarding to their Web e-mail, we have no way to
know what they are doing on the other end," said Joe Fantuzzi, chief
executive of the information security firm Workshare. "They could do
anything they want. They could be giving secrets to the K.G.B."

Hospitals have an added legal obligation to protect patient records. But
when DeKalb Medical Center in Atlanta started monitoring its staff's use
of Web-based e-mail, it found that doctors and nurses routinely
forwarded confidential medical records to their personal Web mail
accounts, not for nefarious purposes, but so they could continue to work
from home.

In the months after the hospital began monitoring traffic to Web e-mail
services, it identified a couple hundred incidents, said Sharon Finney,
DeKalb's information security administrator. "I was surprised about the
lack of literacy about the technology we depend on every day," she said.

DeKalb now forbids the practice, and uses several software systems that
monitor the hospital's outbound e-mail and Web traffic. Ms. Finney said
she still catches four to five perpetrators a month trying to forward
hospital e-mail.

The Web mail services may also be prone to glitches. Last month, Google
fixed a bug that caused the disappearance of some or all of the stored
mail of around 60 users. A week later, it acknowledged a security hole
that could have exposed its users' address books to Internet attackers.

Even the security experts most knowledgeable about the risks of e-mail 
forwarding to personal accounts acknowledge doing so themselves.

"Of course I do it; who doesn't?" said Kimberly Getgen Bargero, vice
president for marketing at Sendmail, an e-mail software company in
Emeryville, Calif. Ms. Bargero said she often used her Yahoo Mail
account on business trips so she did not have to access her corporate
network remotely.

It is difficult to quantify exactly how many otherwise model employees
are opting to use services like Yahoo Mail or Google's Gmail over their
company's authorized e-mail programs. Sophisticated users at the
companies most lax about e-mail security can automatically forward all
of their work e-mail to their personal accounts, hopscotching over the
various requests for passwords meant to ward off intruders.

The more casual e-mail scofflaws send only the occasional message to
their personal accounts or just cc messages to their Web in-boxes to
preserve them for later use, even when the messages contain sensitive
company information.

Some companies frown on office use of any Web-based accounts, even for
personal messages. At the business software maker BEA Systems, Anthony
Bisulca, a senior security analyst, estimated that around 30 percent of
his employees were using private e-mail accounts in the office, even
though the company's Internet policy clearly prohibits it.

But it is not easy to wean people off of their online mailboxes. "Of
course they scream," said Todd Wilson, an operations manager at the
Bloomberg School of Public Health at Johns Hopkins University. "They look
at me like I have three heads."

Mr. Wilson said that the use of the Web services had become a huge
concern, partly because copies of the forwarded messages sit untouched
on the school's servers, taking up space.

Many corporate technology professionals express the fear that Google and
its rivals may actually own the intellectual property in the e-mail that
resides on their systems. Gmail's terms of service, however, state that
e-mail belongs to the user, not to Google. The company's automated
software does scan messages in Gmail, looking for keywords that might
generate related text advertisements on the page. A Google spokeswoman
said the company has an extensive privacy policy to ensure no humans at
Google read user e-mail.

Paul Kocher, president of the security firm Cryptography Research, said
the real issue for companies was trust. "If you can't trust employees
enough to use services like Gmail, they probably shouldn't be working for
you," he said.

Many companies apparently do not have that level of trust. In a survey 
conducted last year, the e-mail security firm Proofpoint found that 37 
percent of companies in the United States used software to monitor 
office use of Web mail.

The Internet companies themselves are looking to take advantage of
consumer preferences for Web-based e-mail services. This year, Google
plans to introduce a more secure version of Gmail for use in large 

But Microsoft and other providers of traditional internal e-mail 
systems, which the research firm Radicati says generated $2.5 billion in 
sales last year, are helping companies combat employee use of the Web 

The new version of Microsoft's corporate e-mail service, Exchange Server,
offers administrators improved tools to monitor the content of employee
mail and block forwarded messages.

At the same time, upgrades to Exchange and Microsoft's e-mail program
Outlook have made it easier for traveling employees to access e-mail on
the corporate network from a Web browser. Microsoft also recently began
urging corporate technology departments to give employees more storage
space in their e-mail accounts.

But the Web services are improving as well, and employees will no doubt 
continue to find them tempting.

"We have as high a security standard as any company," said Ms. Bargero of
Sendmail, "and sometimes it is just too difficult to access our e-mail."

Copyright 2007 The New York Times Company

This archive was generated by hypermail 2.1.3 : Thu Jan 11 2007 - 22:15:38 PST