Hotmail hack shows risks of Web e-mail

September 8, 1999
Web posted at: 12:54 p.m. EDT (1654 GMT)

by Carolyn Duffy Marsan

Network World Fusion

(IDG) -- E-mail administrators are clamping down on users who send and forward messages to free Web-based e-mail services, such as Microsoft's Hotmail or Yahoo Mail. The new policies are designed to prevent exposure to e-mail security breaches, such as last week's hack of Hotmail, one of the worst on record.

Some administrators are blocking end users from forwarding messages to Web-based e-mail services, while others are filtering e-mail messages headed to those sites. Companies that don't have policies about Web-based e-mail still expect users to know better than to put corporate data at risk.

Attorneys at Greenebaum, Doll and McDonald, a Louisville, Ky., firm, are allowed to forward e-mail to Web-based accounts. "But I hope they're not doing that," says Mandi Turner, who manages the firm's network services. "If they forwarded something inappropriate, it could be malpractice."

Turner recently installed TenFour's TFS Secure Messaging-Server software for e-mail virus checking and encryption. She plans to begin using the software's e-mail content filtering soon. "We'll be looking for Hotmail addresses," she says.

At the other end of the spectrum is Westinghouse's Anniston, Ala., plant, which blocks all messages to Hotmail, America Online and other Internet e-mail services. "We just started filtering out the Internet e-mail sites about two months ago," says LAN manager Steve Sanders. He uses Elron Software's CommandView Internet Manager to search outgoing e-mail for key words such as "free mail" and "MSN," and then blocks those destinations.

The security risks of Web-based e-mail came to the forefront last week when a design flaw in Hotmail was exploited by hackers. The hackers set up Web sites that allowed anyone to open a Hotmail user's account without a password, read or delete that person's messages or send messages under that person's name. Hotmail users were exposed to the security breach for hours before Microsoft shut down and fixed the service.

The most popular free Web-based e-mail service, Hotmail has more than 40 million e-mail accounts.

Hotmail has become the preferred alternative e-mail address for corporate America. Whether it's for job hunting, sending off-color jokes, distributing the football pool or chatting with family members, Hotmail is where executives send and receive the e-mail messages they don't want seen at work. What makes Hotmail so popular is that messages can be easily accessed over the Internet from the office, home or on the road.

"Hotmail is used by all of the executives who have grown tired of roaming software and firewalls. When they're travelling, they just forward everything to a Hotmail account so they can go to an Internet cafe or a friend's computer and access their e-mail," says Eric Arnum, a consultant with e-mail outsourcer United Messaging. "E-mail administrators need to recognize that as a giant gaping hole in their security."

Hotmail also has some legitimate uses in the enterprise: backup and testing corporate e-mail systems and serving as a spam repository, for example.

"I use my Hotmail account for spam. I redirect it to that account," says Dale Seavey, senior manager of the Global Strategic Application Technology Group at Cisco.

"We use Hotmail to test our Internet connections," says David Byrkit, e-mail administrator for ITT Avionics in Clifton, N.J. "Almost all of us in the IT area keep Hotmail accounts in case we're called upon to see if the connectivity is working."

The challenge for e-mail administrators is setting up policies that allow benign uses of Web-based e-mail services while protecting companies from exposure through these nonsecure sites. Entertainment giant 20th Century Fox has reached a compromise by allowing traffic to Web-based e-mail services but monitoring that traffic with content-filtering software.

"We see a tremendous amount of traffic going across the network to Hotmail, AOL and Yahoo," says Jeff Uslan, manager of information protection at the film studio. He uses Elron Software's CommandView Internet Manager to search outgoing and incoming e-mail for words that might indicate proprietary or inappropriate content.

"We don't want information sent out about our latest movie or our latest star being signed," Uslan says. "We have to protect our intellectual property."

Meanwhile, ITT Avionics keeps all its sensitive e-mail on a classified network that has no connection to the Internet. All other e-mail can be sent out over the Internet without restriction, Byrkit says.

"We haven't been terribly concerned about any security issues with respect to using Hotmail or any other ISP-based mail system," Byrkit says. "We have a lot of mail that has to go to the Internet. We have to be very careful about restricting that in any way."

Others, however, are just saying no.

"We get an occasional request from our users to forward e-mail to Hotmail," says Dale Cybela, a senior consultant with eFunds, a Milwaukee-based provider of electronic payment services. "We tell them, 'Sorry, we already provide facilities for people to get e-mail while on the road.'"

© 2001 Cable News Network. All Rights Reserved.