Educause Security Discussion mailing list archives
Re: Lowering the risk of email hoaxes
From: Kathie Brinkman <brinkmkb () MUOHIO EDU>
Date: Mon, 10 Mar 2003 15:39:00 -0500
Thanks, Gary, and those who responded directly to my request for information. Your replies have been very helpful.

At 08:26 PM 3/8/2003 -0500, you wrote:
I'll go out on a limb here, and offer a non-traditional approach to counter this problem.

First, a metaphor. If a person arrives at your front door holding a box, wearing "street clothes", and says "you owe $30 for this candy", would someone actually pay, or send them away? You'd at least be fairly suspicious, because you have learned that legitimate package carriers look so. Conversely, if you're expecting an order of candy, delivered by FedEx, and a bright FedEx truck drives up and a uniformed person, carrying a FedEx package tracking device, says "here is your COD order, how would you like to pay?" everything's fine.

E-mail, as currently delivered, falls into the category of the former example, where totally anonymous, unspoken-for mail is considered just as genuine as a digitally signed message. The "from" line is considered authentic, unless it looks fairly absurd. This is a trust our users have formed due to the history of email being legitimate, because it used to be.

To counter the growing tide of abuse of the technology's openness, we can catalyse a cultural shift, toward a time when recipients have the expectation that official mail will carry an official signature. They would expect this much the same way as they already expect their package carriers to be able to prove their authenticity. In history, this has been how kings used to prove that messages were authentic - only they could make "the seal" that assured the reader this was really a message from the king.

This shift in the email readership community can't happen overnight, though. However, if your president were to state that his office would henceforth send nothing that was not digitally signed (perhaps with example included), that could start the snowball. Universal PKI remains a pipe-dream, and perhaps the catalyst to the increased growth in the expectation of authenticity-assured messaging is for a few key senders to make such statements.
We can never prevent forgeries in the system we have today, and we can't prevent someone from obtaining a bulk email list, no matter how hard we try. We can, however, inform our customers that legitimate mail will begin to look so, and thus lessen the impact of forged or anonymous (i.e. unsigned) mail.

This too could be the death of spam. Imagine the day when almost all mail (at least the stuff you get from your usual correspondents) is signed. Filter the unsigned stuff, and you've dropped the junk spam. Now, you get only the signed spam and (assuming the CA is trustworthy) you can provably locate the origin, and address complaints to them. Spammers would have to expose their identity in order to get people to even see their mail.

Ok, back to practicality. How do we get signed mail today, when we can't realistically manage a campus full of certs?

One solution: Permit authenticated SMTP by your users, to your MTA, and have your MTA sign the messages it receives by authenticated SMTP with its own cert (you only need one cert, not thousands). Your users can now easily expect mail from one another to be so-signed - the spoofs and forgeries begin to be obvious by their difference from the norm. ("Hey, here's mail from an on-campus address, but it's not signed, I wonder if it's legit...?") The current unsigned unauthenticated inbound receipt of mail remains possible, but cross-campus mail is now easily made verifiably authentic (to the extent that users have control of their passwords). Your users start to wonder why the rest of the email community hasn't picked this up - their colleagues at other schools are still sending unsigned - the old fashioned way.
This doesn't change the world instantly, and your users will still have to expect that mail arriving from off-campus is unsigned, but at least they'll be forming the expectation that legitimate mail from within their own community will be signed, and that will start the process that could ultimately make your forger's methods obsolete.

Risk to privacy? Probably not - we do already attempt to prove our authorship identity in mail today, but use an arcane method (the "from" line, sig lines) to do so.

It could catch on...

------------------------------------------------------------
Gary Dobbins, CISSP -- dobbins () nd edu
Director, Information Security
University of Notre Dame, Office of Information Technologies
Voice: 574.631.5554
------------------------------------------------------------

----- Original Message -----
From: "Kathie Brinkman" <brinkmkb () MUOHIO EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Friday, March 07, 2003 5:36 PM
Subject: [SECURITY] Lowering the risk of email hoaxes

> I am with Miami University and we have formed a swat team, in reaction to
> an incident that occurred on our campus this past week - a student,
> purporting to be the president of the university, sent email to 31,000
> email accounts stating that classes were cancelled for the following
> day. By the end of next week, we will be submitting a report to Miami
> management on how to lower the risk of email hoaxes. We all know that this
> is not a simple issue, for a number of reasons.
>
> Our current environment is as follows:
> 1- any student in a residence hall can connect any machine to our wired
> network; we do not require a MAC registration
> 2- anyone coming on to campus can connect to our wireless access points
> without authentication; we syslog the WAPs
> 3- we control the mail servers on campus (or have trusted departments that
> control departmental servers)
> 4- we track ip address assignments issued by our DHCP server (but the
> assignments are not logged for more than a few days)
>
> There is a lot of opportunity for improvement in the environment, but I
> would like to know what other institutions have found most useful. And, I
> would be interested in knowing if anyone uses PGP for critical messages.
>
> Thanks for your assistance. (Please excuse the duplicate email messages,
> for those of you who are on both the HDI-EDU and the Educause Security lists).
>
>
> _______________________________
> Kathleen B. Brinkman
> Senior Manager, MCIS Support Desk
> 312-A Hoyt Hall, Miami University
> mailto: brinkmkb () muohio edu
> voice: 513.529.5947
> fax: 513.529.1496
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
_______________________________
Kathleen B. Brinkman
Senior Manager, MCIS Support Desk
312-A Hoyt Hall, Miami University
mailto: brinkmkb () muohio edu
voice: 513.529.5947
fax: 513.529.1496
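Added example, not part of the original messages and not any participant's code: the scheme proposed in the quoted reply above, where the campus MTA signs only mail submitted over authenticated SMTP and recipients treat unsigned mail claiming a campus sender as suspect. The domain, header name, key and sample message are constructed; HMAC-SHA256 stands in for the MTA's certificate signature so the block runs on the Python standard library alone, and the rule that the From address must match the authenticated login is an assumption added here.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

CAMPUS_DOMAIN = "campus.example"        # placeholder domain (assumption)
SIG_HEADER = "X-Campus-MTA-Signature"   # hypothetical header name
MTA_KEY = b"constructed-demo-key"       # stand-in for the MTA's private key

def _sender(msg):
    return parseaddr(msg.get("From", ""))[1].lower()

def _signature(msg):
    # Cover From, Subject and body so none can change after signing.
    covered = "\n".join([_sender(msg), msg.get("Subject", ""), msg.get_payload()])
    return hmac.new(MTA_KEY, covered.encode(), hashlib.sha256).hexdigest()

def mta_accept(raw, authenticated_user=None):
    """Submission side: sign only authenticated mail whose From matches the login."""
    msg = message_from_string(raw)
    del msg[SIG_HEADER]  # discard any signature header the sender supplied
    if authenticated_user and _sender(msg) == authenticated_user.lower():
        msg[SIG_HEADER] = _signature(msg)
    return msg.as_string()

def classify(raw):
    """Recipient side: what does the message claim, and what can it prove?"""
    msg = message_from_string(raw)
    sig = msg.get(SIG_HEADER)
    if sig is not None:
        ok = hmac.compare_digest(sig, _signature(msg))
        return "signed" if ok else "bad-signature"
    if _sender(msg).endswith("@" + CAMPUS_DOMAIN):
        return "unsigned-internal"  # claims campus origin, proves nothing
    return "unsigned-external"

# Constructed sample message, not taken from the thread.
SAMPLE = ("From: President <president@campus.example>\n"
          "Subject: Schedule notice\n\n"
          "Offices open at 9 am.\n")

if __name__ == "__main__":
    print(classify(mta_accept(SAMPLE, "president@campus.example")))
    print(classify(mta_accept(SAMPLE)))
```

A mail filter or client rule would then hold or visibly flag the "unsigned-internal" and "bad-signature" classes, while "unsigned-external" mail is delivered as it is today.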
Current thread:
- Lowering the risk of email hoaxes Kathie Brinkman (Mar 07)
- <Possible follow-ups>
- Re: Lowering the risk of email hoaxes St. Laurent, Tim (Mar 07)
- Re: Lowering the risk of email hoaxes Gary Dobbins (Mar 08)
- Re: Lowering the risk of email hoaxes Kathie Brinkman (Mar 10)