Somebody has been reading my email!

I need tips on email security

Timotheos

5:08 pm on Oct 13, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have a web site on a shared apache server. It's very apparent that somebody is successfully hacking into my partner's emails to try and get damaging personal info (nothing illegal). We only know this because these emails show up in unexpected places.

I've contacted my web host and they see no problems on the server side of things. Is there something I could look into at the server side?

We've been naive about this in the past and have not used any encryption or anything. I have no idea how these emails are being hacked but it's time to get smart :-)

So my question is where to start?

I'm checking into digital IDs and encryption. I'm still a bit vague on this stuff. Any good tutorials? What's the best to use?

Should I be concerned about trojans? We have virus detection but do we need some other way to check for hacker tools?

Any other suggestions would be great.

Mardi_Gras

7:42 pm on Oct 13, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Do you have any idea if the hacking is taking place on your mail server or on your local machine? Are these person to person mails or mails generated off of a web site?

juniperwasting

7:47 pm on Oct 13, 2003 (gmt 0)

10+ Year Member



You might want to look into PGP [pgpi.org]. Personal Email encryption with some very good history.

Mardi_Gras

7:51 pm on Oct 13, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I think it is more important at this point to find out where the intrusion is taking place. If it is mails being sent to the partner that are being hacked, then encryption on the outgoing side won't make any difference. Not that using PGP is not a good idea...

juniperwasting

7:56 pm on Oct 13, 2003 (gmt 0)

10+ Year Member



I think it is more important at this point to find out where the intrusion is taking place.

Agreed, but adding security right now could help with that investigation.

Timotheos

8:43 pm on Oct 13, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there and thanks for the help.

These are person to person emails generated using Outlook Express. The email is POP3.

So the PGP plug-in looks cool. I'll look into it more.

I'd love to know where the intrusion is coming from but I just have no idea. I only have confirmation of emails sent to my partner as being hacked but I have recently become suspicious of my email being read as well.

Mardi_Gras

8:48 pm on Oct 13, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Unless the sender encrypts the message using PGP, encryption won't stop anyone from reading mail sent to you.

How big is your organization? The easiest way for this to happen is someone snooping on your machine when you're not around.

Also, have you changed all of your e-mail passwords in case a former employee or consultant (yours or your ISP's) has your passwords?

Timotheos

8:58 pm on Oct 13, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



We're a small non-profit organization so all this is done from our homes. My partner at one time had access to the web site but since this started taking place (months ago now) I changed the password and didn't let him back on since he doesn't do any of the web development. So we've kept it to two people who have full access and the other developer is completely honest.

I'm not ruling out that my partner's machine has been compromised. He's just half-way around the world so it's hard for me to check up on it. I'm going to be writing up a bunch of suggestions for him like making good passwords, using PGP, etc.

BaseVinyl

9:01 pm on Oct 13, 2003 (gmt 0)

10+ Year Member



I don't understand how you can tell someone is hacking your email? You said the emails were turning up in strange places...where did you find them?

Timotheos

9:11 pm on Oct 13, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The hacker obtains some confidential email from my partner's email. The hacker then passes that on to other interested parties using anonymous email. These other parties then question my partner. They know the source is questionable but by then the damage is done. Simple enough to figure out eh?

BaseVinyl

9:14 pm on Oct 13, 2003 (gmt 0)

10+ Year Member



Indeed!

Timotheos

9:47 pm on Oct 13, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Question on PGP. Do you have to pay for a key service or is there some sort of free public database? I'm still vague on the concept of keys and how they work.

bill

7:23 am on Oct 14, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You can distribute your PGP keys on a number of key servers, all free to my knowledge. Your keys will eventually propagate from server to server. The purpose of having your public key on a server is so that others can look up your key and add it to their keyring. It would be just as easy to e-mail your key to others if you have a finite list of contacts you intend to share encrypted mail with...

You need to pay for the PGP software for corporate use. (There are free versions available for personal use). The new PGP 8.x software is very stable and integrates well into Outlook (not available for free versions).

MonkeeSage

7:28 am on Oct 14, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There is a free, open-source version of PGP developed under the GNU license (GPG), which is supposed to be as good as PGP.

Jordan

Mardi_Gras

12:31 pm on Oct 14, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It would be just as easy to e-mail your key to others

Don't forget - his e-mail system has been hacked at some point ;)

bill

5:58 am on Oct 15, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



...but sharing a public PGP key is a non issue unless the 3rd party can get their hands on his private key. I guess if he was really paranoid he could put his key on a floppy and mail it ;)

Seriously though, a public key is useless to someone reading this guy's mail. Get the full PGP package, encrypt your mail and encrypt your disks and there will be few if any people on this planet who have the time and resources to delve into your communications again.

There's a great PGP FAQ maintained by Tom McCune [mccune.cc] if you want to read more.
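
The key exchange discussed in this thread, as an added GnuPG example that is not part of any post above: the recipient exports only the public key, the sender compares its fingerprint with one obtained over a second channel (the mail channel being the one in doubt), and a keyring holding just the public key cannot decrypt. The name, address, message text and temporary keyrings are constructed for the demonstration, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example; names and addresses are constructed. Needs GnuPG 2.1+.
RECIP_HOME=$(mktemp -d)    # recipient's keyring: holds the private key
SENDER_HOME=$(mktemp -d)   # sender's keyring: public key only, same as a snooper
KEY_UID='Partner Example <partner@example.org>'
cleanup() {
    for d in "$RECIP_HOME" "$SENDER_HOME"; do
        gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null
        rm -rf "$d"
    done
}
trap cleanup EXIT

fingerprint() {   # $1 = keyring; prints the primary key fingerprint
    gpg --homedir "$1" --batch --with-colons --fingerprint 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}
make_key() {      # recipient: generate a key pair, export only the public half
    gpg --homedir "$RECIP_HOME" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key "$KEY_UID" default default never &&
    gpg --homedir "$RECIP_HOME" --batch --armor --export "$KEY_UID" \
        > "$RECIP_HOME/pub.asc"
}
import_and_check() {   # $1 = key file from mail, $2 = fingerprint heard by phone
    gpg --homedir "$SENDER_HOME" --batch --quiet --import "$1" 2>/dev/null || return 1
    [ "$(fingerprint "$SENDER_HOME")" = "$2" ]
}
encrypt_to() {    # $1 = keyring, $2 = verified fingerprint; stdin to armored stdout
    gpg --homedir "$1" --batch --quiet --trust-model always --armor \
        --recipient "$2" --encrypt
}
decrypt_with() {  # $1 = keyring; prints nothing if it lacks the private key
    gpg --homedir "$1" --batch --quiet --decrypt 2>/dev/null
}
run_demo() {
    make_key || return 1
    FPR=$(fingerprint "$RECIP_HOME")
    import_and_check "$RECIP_HOME/pub.asc" "$FPR" || return 1
    CIPHER=$(printf 'board minutes\n' | encrypt_to "$SENDER_HOME" "$FPR")
    SNOOPED=$(printf '%s\n' "$CIPHER" | decrypt_with "$SENDER_HOME")
    PLAIN=$(printf '%s\n' "$CIPHER" | decrypt_with "$RECIP_HOME")
}
run_demo && printf 'recipient: %s | public-key-only keyring: [%s]\n' "$PLAIN" "$SNOOPED"
```

The empty passphrase is only there so the demonstration runs unattended; a real private key should be protected with one.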