Security Forums

Webmail security from ISP hacker

magudi
Posted: Sun Mar 30, 2008 2:49 pm    Post subject: Webmail security from ISP hacker

I have no alternative but to use one particular ISP where I live. I know there is one person who works there who has informed others, for his private reasons, of the IP of people sending webmail.

My question is, is there any protection I can use to preserve my anonymity from this guy whilst using webmail?
capi
Posted: Sun Mar 30, 2008 4:54 pm

You can use Tor to shield your IP from the webmail server. Using Tor, you don't connect directly to the target server, but instead connect to a network of relays, where the last relay is the one that connects to the server. Therefore, the webmail server will think your IP is in fact some other random IP inside the Tor network of relays. That is the IP which will be stored on the webmail server's logs, and possibly sent out in the headers of emails you send (many webmail servers send your IP out in the mail headers, so it may be possible for recipients to see your IP even without the rogue ISP employee).

Now, it depends on how much access this person has inside the ISP. If he's only checking the webmail server's logs, then he'll be unable to get any information related to you since the webmail server itself doesn't know your true IP. If, on the other hand, he can check outgoing connection logs for all customers, he could do a timing correlation attack: by checking all outgoing connections from customers made at the same time as the webmail server received the connection that sent your email, he could find your IP even without there being a direct trace from you to the webmail.
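A way to check the header exposure mentioned in the post above, as an added example that is not part of the original thread: send yourself a test message from the webmail account, save its raw source, and list the IP addresses its trace headers carry. The sample message, its addresses (RFC 5737 documentation ranges) and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample message, not taken from the thread.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP; Sun, 30 Mar 2008 16:54:02 +0200
Received: from [203.0.113.45] by webmail.example.net with HTTP;
\tSun, 30 Mar 2008 16:54:01 +0200
X-Originating-IP: [203.0.113.45]
From: user@example.net
To: friend@example.org
Subject: test

body
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Headers in which webmail services commonly record the client address.
HEADERS = ("Received", "X-Originating-IP")

def exposed_ips(raw):
    """Return {ip: [header names]} for every valid IPv4 literal in the trace headers."""
    msg = message_from_string(raw)
    found = {}
    for name in HEADERS:
        for value in msg.get_all(name, []):
            for token in IPV4.findall(value):
                try:
                    ip = str(ip_address(token))
                except ValueError:
                    continue  # looks like an address but is not one
                names = found.setdefault(ip, [])
                if name not in names:
                    names.append(name)
    return found

def leaks(raw, my_ip):
    """Headers in which my_ip appears; an empty list means the message does not carry it."""
    return exposed_ips(raw).get(str(ip_address(my_ip)), [])

if __name__ == "__main__":
    print(exposed_ips(SAMPLE))
    print(leaks(SAMPLE, "203.0.113.45"))
```

When the message is sent through Tor, the address recorded in these headers is the one the webmail server saw, so `leaks` with your own ISP-assigned address should come back empty.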
magudi
Posted: Sun Mar 30, 2008 4:58 pm    Post subject: Thanks

Thanks for the information. I suspect he can get all the information he needs but if he does a timing correlation attack would he be able to go beyond knowing that I was connected at the time when the email was sent? Would he be able to trace the message as having been sent through my connection?
capi
Posted: Tue Apr 01, 2008 8:30 pm

I'm assuming this webmail server we're talking about belongs to your ISP, correct? That is, it's the server for the email account that your ISP gives you?

Using Tor, you'd have a situation like the scheme below:
Code:

                          INTERNET
                      +-----------------+
+-----------+         |                 |          +-------------------+
| Your PC ==|=========|== Tor network ==|==========|=== Webmail server |
|           |         |                 |          |                   |
|           |         +-----------------+          |                   |
|           |                                      |                   |
|           +--------------------------------------+                   |
|                           YOUR ISP                                   |
+----------------------------------------------------------------------+

There is no direct connection between your PC and the webmail server; however, an attacker that is able to monitor traffic at both ends can check the packets going into the webmail server and look for packets going out from its clients' PCs at the same time. This applies to your ISP, since it controls both your connection and that of its webmail server.

An example: say the attacker sees an email sent by you, and he notices the IP is a strange one, outside of your ISP's IP block. He may just think you've sent the email from a cybercafé or the university or something, and leave it at that. However, if he happens to suspect you might be using Tor (for example, the Tor IP will most likely be in another country, which might seem suspicious to him), he could go and look at the connection logs on the webmail server, looking for the timestamps of the data packets which established the connection for that email.

Say he sees a data packet initiating the connection from the Tor IP to the webmail server, which arrived at the server at 16:23 and 17.56000 seconds. He then starts to look at the connection logs of their clients, searching for a client whose PC sent out a packet around the same time. If he finds that a data packet left your PC at 16:23 and 17.10000 seconds (that is, only a few milliseconds before), that's a hint that the connection may be coming from your PC. If he finds similar coincidences in subsequent packets, he'll have a pretty good indication that the connection was coming from you.

This attack may or may not be practical, depending on the amount of additional traffic going on in the ISP's network - if there were 5,000 people connected and sending and receiving stuff at the same time as you sent the email, then it'll be harder for him to pinpoint the traffic to you, since there will be many PCs who sent packets at a similar time. He may still be able to make a reasonable guess if your Tor connection lasted a long time and transmitted a lot of data, though. With more packets to correlate, he has a larger chance of finding coincidences between your traffic and the email traffic.

I should note that this isn't an obvious attack, though: it's actually somewhat contrived, and requires that he be familiar with the workings of Tor in the first place. It's entirely possible that he wouldn't think of doing this, even if he did have the resources to pull it off.
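The two effects described in the post above (background traffic hides a flow, more correlated packets expose it), as an added simulation that is not part of the original thread. All timestamps are constructed; the client counts, packet rate, 0.10-0.45 s delay range and 0.5 s matching window are assumptions chosen for illustration, and client 0 stands for the one Tor user.

```python
import random
from bisect import bisect_left

WINDOW = 0.5  # assumed: longest PC -> Tor -> server delay the observer accepts (s)

def simulate(n_clients, n_packets, seed=1, duration=600.0, rate=0.2):
    """Constructed data: send times per client, plus server-side arrival
    times for the flow of client 0 (the one Tor user)."""
    rng = random.Random(seed)
    count = int(duration * rate)  # background packets per client
    sends = {c: sorted(rng.uniform(0, duration) for _ in range(count))
             for c in range(n_clients)}
    flow = sorted(rng.uniform(0, duration) for _ in range(n_packets))
    sends[0] = sorted(sends[0] + flow)
    # Each packet reaches the webmail server 0.10-0.45 s after leaving the PC.
    arrivals = [t + rng.uniform(0.10, 0.45) for t in flow]
    return sends, arrivals

def sent_within(times, arrival):
    """True if a packet left this client in [arrival - WINDOW, arrival]."""
    i = bisect_left(times, arrival - WINDOW)
    return i < len(times) and times[i] <= arrival

def candidates_after(sends, arrivals):
    """Candidate-set size after each server-side packet is matched,
    and the clients still consistent with every packet."""
    alive = set(sends)
    sizes = []
    for a in arrivals:
        alive = {c for c in alive if sent_within(sends[c], a)}
        sizes.append(len(alive))
    return sizes, alive

if __name__ == "__main__":
    for n in (50, 5000):
        sizes, alive = candidates_after(*simulate(n, 10))
        print(f"{n:5d} clients -> candidates per matched packet: {sizes}")
```

With one matched packet the busy network leaves hundreds of candidates; each further packet cuts the set by roughly the fraction of clients that happened to be sending in that window, which is why a long, data-heavy session is the exposed case.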
magudi
Posted: Sat Apr 12, 2008 9:45 am    Post subject: Thanks a lot

The information is really useful. Final question. If he were only to get hold of one of the emails sent through a webmail, can he tell from the information on the email itself which computer it was sent from?
All times are GMT + 2 Hours