Sidebar: Risk? What Risk?
Very few people ever worry about security issues when they send electronic mail (at the user level, that is; the transport-level security issues are a separate matter). E-mail is a tool, like an editor; what could be insecure about it? Actually, unwitting offsite forwarding, obsolete user-ids and aliases, and ambiguous user names all create subtle security liabilities.
To illustrate the hazards of offsite forwarding, I'll relate the story of a department head who traveled back and forth between two institutions, a company site and a university, and did work for both. He forwarded his mail to the appropriate site wherever he happened to be.
One day, someone within the company sent company-confidential material to all the department heads. You can imagine her chagrin when this sensitive mail triggered a Mailer-Daemon message (a bounce notifying the sender that the message was undeliverable) from a computer system halfway across the country! This material wasn't even supposed to go outside the company!
It turned out that the traveling department head had forwarded his mail, as usual, but this time the university machine where his mail was kept had a full disk and no place to put new messages, so the message was returned to the sender.
Unfortunately, the sender didn't realize she was sending this confidential material outside the company until she received the Daemon message; had the university disk not been full, she would never have known. She had used an alias which was supposed to contain only accounts within the company. Through no fault of her own, and without her knowledge, she had sent confidential material outside of her company and outside the ability of her company to protect it. Of course, the fault lies in allowing someone to forward their mail outside the company. Although such forwarding at first seems reasonable and desirable, especially in a case such as this, it turns out to have potential for disaster.
Some will argue that as long as the intended recipient still receives the message, then security has not been breached. But most network sites back up their mail directories regularly. Thus, if a site has handled the message, it likely also has the message on a backup tape. More ominously, e-mail can be intercepted by a network listener, or copied through other means. My point is that you should not rely on the hope that no one will chance upon sensitive material; instead you should not allow such information to exist anywhere outside of your control.
Obsolete user-ids also create potential problems. Sometimes there are seemingly defensible reasons for keeping such accounts active: perhaps the original user has left the company, but the files will be used by others in the same group. More often such accounts remain active simply because there is no formal procedure for removing obsolete accounts. In either case, a user on the local network might send the former employee mail expecting an action to be taken upon its receipt, not realizing the user has departed. While this isn't a security breach as such, undesirable results might occur that could have been prevented.
Ambiguous addresses can be a more direct security issue. If you send a message to "smith," do you know it's reaching the correct person? What happens if that company-confidential message intended for department heads winds up being delivered to a contractor or a new employee with no business having it?
All of these problems can be effectively addressed with a slightly restrictive policy and a shell script like rts that notifies someone of a new or more accurate address for a user.
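As an added example (this is not the article's rts script, nor any code from the original page), the following Python audit expands an alias the way a mailer would, resolving /etc/aliases entries first and then per-user .forward files, and reports the three hazards described above: delivery points outside the company's domains, delivery to departed accounts, and bare names that match more than one account. The alias file, the .forward contents, the account list and the domain corp.example are all constructed for the example; treating a bare name that matches several GECOS surnames as "ambiguous" is a modelling assumption, not a description of any particular mailer.

```python
"""Audit mail alias expansion for offsite forwarding, obsolete accounts and
ambiguous names.  Added example: every address, alias, .forward entry and
account below is constructed; corp.example is the assumed company domain."""

LOCAL_DOMAINS = {"corp.example"}  # assumed company domains; anything else is offsite

# Constructed /etc/aliases contents (sendmail/Postfix syntax: "name: a, b").
ALIASES_TEXT = """\
# dept-heads is supposed to reach company accounts only
dept-heads: jones, smith, lee, kim
managers:   dept-heads, cto
cto:        rsmith
postmaster: root
"""

# Constructed ~user/.forward contents, keyed by login.  A leading backslash
# means "deliver locally to this user and do not consult .forward again".
FORWARDS = {
    "jones": "jones@cs.state-u.example",      # mail leaves the company
    "kim": "\\kim, kim@home-isp.example",     # local copy plus an offsite copy
}

# Constructed account list: login -> (GECOS full name, still active?)
ACCOUNTS = {
    "rsmith": ("Robert Smith", True),
    "jsmith": ("Jane Smith", True),
    "jones": ("Alan Jones", True),
    "kim": ("Kim Park", True),
    "lee": ("Pat Lee", False),   # left the company; account never removed
    "root": ("root", True),
}


def parse_aliases(text):
    """Parse "name: target, target" lines; '#' starts a comment."""
    aliases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, targets = line.split(":", 1)
        aliases[name.strip().lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return aliases


ALIASES = parse_aliases(ALIASES_TEXT)


def is_offsite(addr):
    """True for a fully qualified address whose domain is not a company domain."""
    return "@" in addr and addr.rsplit("@", 1)[1].lower() not in LOCAL_DOMAINS


def expand(target, aliases=ALIASES, forwards=FORWARDS, seen=None):
    """Return the final delivery points for one address, resolving aliases
    first and then .forward files, as a mailer does.  'seen' breaks loops."""
    seen = set() if seen is None else seen
    target = target.strip()
    if not target or target in seen:
        return set()
    seen.add(target)
    if target.startswith("\\"):               # \user: local mailbox, stop here
        return {target[1:].lower()}
    if "@" in target:
        local, domain = target.rsplit("@", 1)
        if domain.lower() not in LOCAL_DOMAINS:
            return {target}                   # handed off to another site
        target = local                        # local-domain address: bare name
    name = target.lower()
    if name in aliases:
        nexts = aliases[name]
    elif name in forwards:
        nexts = forwards[name].split(",")
    else:
        return {name}                         # a local mailbox (or an unknown name)
    out = set()
    for t in nexts:
        out |= expand(t, aliases, forwards, seen)
    return out


def surname_matches(bare_name, accounts=ACCOUNTS):
    """Logins whose GECOS name ends with bare_name: the candidates a sender
    guessing at "smith" might actually reach."""
    return sorted(login for login, (gecos, _active) in accounts.items()
                  if gecos.split()[-1].lower() == bare_name.lower())


def audit(alias_name, aliases=ALIASES, forwards=FORWARDS, accounts=ACCOUNTS):
    """Return (kind, detail) findings for every place alias_name delivers to."""
    findings = []
    for dest in sorted(expand(alias_name, aliases, forwards)):
        if is_offsite(dest):
            findings.append(("offsite", dest))
        elif dest in accounts:
            if not accounts[dest][1]:
                findings.append(("obsolete", dest))
        else:
            matches = surname_matches(dest, accounts)
            if len(matches) > 1:
                findings.append(("ambiguous", f"{dest} -> {'/'.join(matches)}"))
            else:
                findings.append(("unknown", dest))
    return findings


if __name__ == "__main__":
    for alias in ("dept-heads", "managers", "postmaster"):
        print(alias)
        for kind, detail in audit(alias) or [("ok", "all local, active, unambiguous")]:
            print(f"  {kind:10} {detail}")
```

Run against the constructed data, dept-heads yields two offsite delivery points (jones's .forward and the second entry in kim's), one obsolete account (lee) and one ambiguous name (smith, which could be jsmith or rsmith); managers inherits all of them through its dept-heads entry. On a real system the same logic would read /etc/aliases, each user's ~/.forward and the passwd file, and the "offsite" findings are exactly the condition the policy above says should not be allowed.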