[Full-Disclosure] Is the FBI using email Web bugs?
tlarholm at pivx.com
tlarholm at pivx.com
Wed Jan 7 21:17:23 GMT 2004
Can we blow off the FUD on images embedded in HTML mails? Whenever I see
the term "Web Bug" used I know that I will have to find factual
information on the subject discussed from another source.
"Web Bug" is just a sensationalized term for an HTTP request made from
an email. Sure, one use of those HTTP requests could be to track if you
websurfing across multiple sites and build a profile on your surfing
habits, political belief, marrital status and sho size.
Any technology can be used for both good and bad. Cookies are most
definitely used for more good than bad in a scale of the thousands, and
other than spammers trying to verify email addresses by making an HTTP
request from an HTML mail there has not really been any other use of
Some products even try to profit from the fear, uncertainty and doubt
concerning scare terms such as "Web Bugs", like Privoxy claiming to
block these "Web Bugs" - only now, they are not labelled as images in,
or HTTP requests made from, HTML mails, they are labelled as small 1x1
images served from a webpage used for gathering visitor statistics.
If I wanted to spy on somebody or pry on their surfing habits, "Web
Bugs" in whatever label they have this week or the next is the last
thing I would ever consider. To get some perspective, just compare how
many SpyWare backdoors that people have voluntarily installed to get a
free Timer or Calendar application.
Senior Security Researcher
24 Corporate Plaza #180
Newport Beach, CA 92660
thor at pivx.com
PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
From: Richard M. Smith [mailto:rms at computerbytesman.com]
Sent: Wednesday, January 07, 2004 7:24 AM
To: full-disclosure at lists.netsys.com
Subject: [Full-Disclosure] Is the FBI using email Web bugs?
Hmm, is an "Internet Protocol Address Verifier" just an email Web bug?
If so, the suspect should have been using Outlook 2003 which blocks 'em.
Feds thwart extortion plot against Best Buy
The federal search warrant was obtained the morning of Oct. 24 and
allowed the FBI, with Best Buy's cooperation, to use an Internet device
known as an Internet Protocol Address Verifier. It contained a program
that automatically sent back a response to Best Buy after the company
sent a message to the e-mail address. The response allowed investigators
to identify Ray as the sender of the e-mail threats, according to the
Assistant U.S. Attorney Paul Luehr said the address verifier was one of
several investigative tools the government used to track Ray down.
"It was a tool that helped us confirm that other leads were moving in
the same direction," said Luehr, who declined to discuss details of the
Ray faces a maximum of two years in prison and a $250,000 fine for
property and reputation extortion. He faces a maximum sentence of five
years in prison and a fine of $250,000 for threats to damage computers.
Full-Disclosure - We believe in it.
Full-Disclosure is hosted and sponsored by Secunia.