CYBEREYE

Will phishing kill e-mail as we know it?

Spate of successful attacks shows messages can't be trusted, and a useful business tool could be lost

The recent spate of high-profile breaches of government and contractor systems appears to be the work of sophisticated and persistent attackers who are leveraging relatively simple exploits to gain access to high-value data. In one string of attacks, data stolen from RSA Security apparently has been used to access or attempt to access several companies. In others, account information has been stolen to enable access to communications.

The incidents have in common that they appear to have started with spear-phishing attacks, tricking an end-user into giving up information or allowing the installation of malicious code that could steal data. This information was then used to conduct more sophisticated attacks.

It is simple enough to warn users that they should be careful about what e-mails they open and respond to, and about downloading attachments or clicking on links. But socially engineered e-mails using publicly available information to target users are making it more difficult for recipients to weed out the malicious messages.

The routine use of e-mail for confirmations and notifications of transactions has made it a trusted business tool, and even otherwise cautious users tend to trust the medium. But until the technology for identifying phony e-mails improves, we should consider messages untrusted by default, regardless of subject matter or whom they appear to come from. This means that some legitimate uses of e-mail in our everyday business will have to change.

For example, I recently received an e-mail in my work account appearing to be from a vice president of IT and application development, informing me that my profile for the company directory needs to be updated. The e-mail provides a link, with instructions to click, enter my user name and password, and put in my contact information.

The e-mail looks legitimate and the link looks good, but I haven’t responded. I have few, if any, secrets in my own files, but the information being sought can provide the kind of wedge that could be used to gain broader access to company resources and used as a stepping stone for attacks elsewhere if it went into the hands of a hacker.

I have seen too many incidents of similar phishing attacks to be comfortable responding to e-mail requests such as this.

This probably is a legitimate e-mail request, and providing a link to enable me to update my own information is a more efficient way to handle the task than to have a third party input the information. But the bottom line is that additional caution is called for in the current environment.

There might be other ways for me to verify the e-mail and the link, but the simplest and most effective for me is to call the guy and ask him. This is an inconvenience for both of us but it is prudent and better than having to admit later that I was phished.

Until we can assume that the e-mail that lands in our inboxes is trusted, it might be simpler to forego using e-mail for such business and use some other channel of communication, such as a phone call, instead.

This would be a shame, because e-mail, with its unlimited length and ability to carry attachments and links, is a great medium for business activities. But with the bad guys capitalizing on that convenience, security will have to take precedence and we might have to abandon the default trust in e-mail, at least for a while. It’s a case of risk management.

Reader Comments

Wed, Jun 8, 2011

Maybe only trust internal emails with links if they have digital signatures?

Wed, Jun 8, 2011 Edward L. Ries New Albany, Indiana

Email has long been a problem with security and continues to be. At my workplace I've blocked all incoming emails that contain our domain name in the from field that do not originate from our webmail server or from a client that has authenticated. This at least lets me sleep a little better.
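
The filter rule described in this comment, as an added Python example that is not code from the column or its commenter. The organisation domain, the webmail hostname, the Postfix-style ESMTPSA/ESMTPA tags and the sample messages are assumptions constructed for illustration.

```python
# Added example, not code from the column or its commenters: a policy check in
# the spirit of the rule in the comment above, rejecting mail whose From: domain
# is ours unless it entered through our webmail host or an authenticated
# session. Domain, hostnames, protocol tags and samples are constructed.
import email
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"            # assumed organisation domain
WEBMAIL_HOST = "webmail.example.com"  # assumed webmail server hostname
AUTH_TAGS = ("ESMTPSA", "ESMTPA")     # Postfix labels authenticated submissions this way

def edge_hop(msg):
    """Received: line written by our own edge MX. Relays prepend their line,
    so ours is the topmost; lines below it came with the message and may be forged."""
    received = msg.get_all("Received") or []
    return str(received[0]) if received else ""

def is_spoofed_internal(raw):
    """True when the message claims an internal sender but did not enter
    through a channel we control."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.rpartition("@")[2].lower() != OUR_DOMAIN:
        return False                  # external sender: outside this rule
    hop = edge_hop(msg)
    via_webmail = f"from {WEBMAIL_HOST} " in hop
    authenticated = any(f"with {tag} " in hop for tag in AUTH_TAGS)
    return not (via_webmail or authenticated)

# Constructed samples. SPOOFED carries a forged Received: line under the real
# one, which is exactly why only the topmost hop is consulted.
SPOOFED = """Received: from mail.attacker.invalid ([192.0.2.10]) by mx.example.com with ESMTP id A1
Received: from webmail.example.com (forged) by mail.attacker.invalid with ESMTP id A0
From: "IT Vice President" <vp@example.com>
Subject: Update your directory profile
"""
VIA_WEBMAIL = """Received: from webmail.example.com ([10.0.0.5]) by mx.example.com with ESMTP id B1
From: helpdesk@example.com
"""
AUTHENTICATED = """Received: from laptop.lan ([203.0.113.7]) by mx.example.com with ESMTPSA id C1
From: alice@example.com
"""
EXTERNAL = """Received: from mx.partner.example.org ([198.51.100.2]) by mx.example.com with ESMTP id D1
From: bob@partner.example.org
"""
```

Only the From: header is tested, as in the comment; the envelope sender (Return-Path) could be checked the same way.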

Wed, Jun 8, 2011 Earth

The first problem with e-mail is that the default installation of Outlook is a hacker's paradise. Anyone can send you an e-mail with an attachment and the attachment will be run without you even looking at the e-mail. This allows anyone to install anything on your computer with no more effort than sending an e-mail. That, after years of security breaches, Microsoft continues to put out such an unreasonable program is essentially criminal negligence.
It can take hours to harden up Outlook and that’s only if you know all the ways it can be used to own your computer. And once it is hardened up it makes security practices almost impossible. Want to see who really sent an e-mail with Outlook? You have to scroll through raw headers in the ‘options’ dialog box. Want to look at the text of an e-mail without triggering attachments? Sorry, can’t be done. Be sure to turn off the ‘preview’ pane because that triggers attachments also. Be sure to do this with the ‘deleted’ folder or you may accidentally trigger all sorts of attachments when you go to ACTUALLY get rid of dangerous ones or miss a click going to a different folder.

The government should tell Microsoft that its e-mail programs will be banned from all government and contractor computers until it’s hardened up AND actually allows reasonable security practices. Of course the same could be said about the operating system itself.

The second problem with e-mail is that it doesn’t require confidentiality, integrity and accountability. The system needs to require all e-mail be encrypted, digitally signed and have a hash. Any message not meeting these minimum standards should be dropped by any server in the transport chain. Especially password reset e-mails.

Tue, Jun 7, 2011 Patrick Missoula, MT

Phishing relies upon stupid, gullible people. As long as they are around, phishing will be successful. The only defenses are active intelligence, email tools to gauge legitimacy of emails, and simply not trusting everything you read.

Tue, Jun 7, 2011 Captain Obvious Rome, NY

Crooks can call you up and say they're from your bank, and people will give out their account PIN numbers. So we should take out the telephones. There's no way to prevent the 1D10T error.
