Author Topic: Email Security  (Read 2511 times)
ozanam (Newbie, Posts: 1)
« on: July 15, 2009, 09:22:44 AM »

Hey guys,

I am new here and signed up to ask this question and hope to stick around and start to learn Ethical hacking for work.

My boss, who is not very techy, wants to have all his company mails forwarded to Gmail, so all company internal mails with patient details are to be forwarded to his Gmail account. The only way we can get him to back out of this is to try and show him how insecure it really is.

So in turn in September we are having a security day. A whole day about security, to show everyone in the company of 2000 staff how easily somebody can read their mails or get their files. Great, now all I need to know is how to do it, ha.

On average, how many servers would you say a mail hits to get to Google's servers and then within their servers to get to your mailbox, and is there any way of ethically hacking a user's mail account to show them how insecure it is and to prevent our CEO of the company having details sent across the globe? Patients' details, that is, as well.

Rgds,
Oz

UNIX (Hero Member, Posts: 1235)
« Reply #1 on: July 15, 2009, 10:27:19 AM »

Welcome to EH and the forums.

Pretty sure no one here will help you to hack into your Gmail account as a proof of concept, if that's what you are asking for. ;)

Forwarding internal company data (including patient details) on to Gmail or any other similar webserver is not a good idea at all, in my opinion.

There are quite a few risks associated with this. Just consider all the possible attack vectors, such as sniffing the forwarded emails etc.
Also, as Gmail is a web-based service, you can log in from everywhere. So when someone logs in, there is the possibility that the machine which is used (e.g. at home) is infected with malware such as keyloggers.

Once an attacker has got access, it is easy to change all passwords etc., and you won't be able to log in anymore while the attacker gets access to all emails stored so far and, depending on how fast it is detected (e.g. when the password is not changed), to all future ones.

There are many more risks associated with this approach, at least in my opinion. :-X

Thinking as a patient, I would not feel comfortable with this either.

don (Editor-In-Chief, Administrator, Hero Member, Posts: 4165)
« Reply #2 on: July 15, 2009, 01:21:03 PM »

Forget all the hacker/security lingo and logic. It works on us, but you're preaching to the choir. To get it into the doctor's head, use words that they'll understand like:

HIPAA VIOLATION!!

To get some ammo, type "is gmail hipaa compliant" into Google. That should be enough.

Welcome and hope that helped,
Don

CISSP, MCSE, CSTA, Security+ SME

dalepearson (Sr. Member, Posts: 357)
« Reply #3 on: July 15, 2009, 05:12:17 PM »

Like Don said. We all feel the pain on these occasions, but trying to own Google Mail isn't going to do you or your company any good.

Compliance plays its little part here, so look to your external regulators and internal policies to argue the case. If you don't have this, you're probably in for a hard time anyway.