Educause Security Discussion mailing list archives

Re: Lowering the risk of email hoaxes


From: Gary Dobbins <dobbins () ND EDU>
Date: Sat, 8 Mar 2003 20:26:50 -0500

I'll go out on a limb here, and offer a non-traditional approach to
counter this problem.

First, a metaphor.  If a person arrives at your front door holding a
box, wearing "street clothes", and says "you owe $30 for this candy",
would someone actually pay, or send them away?   You'd at least be
fairly suspicious, because you have learned that legitimate package
carriers look so.  Conversely, if you're expecting an order of candy,
delivered by FedEx, and a bright FedEx truck drives up and a uniformed
person, carrying a FedEx package tracking device, says "here is your
COD order, how would you like to pay?" everything's fine.

E-mail, as currently delivered, falls into the category of the former
example, where totally anonymous, unspoken-for mail is considered just
as genuine as a digitally signed message.  The "from" line is
considered authentic, unless it looks fairly absurd.  This is a trust
our users have formed due to the history of email being legitimate,
because it used to be.

To counter the growing tide of abuse of the technology's openness, we
can catalyse a cultural shift, toward a time when recipients have the
expectation that official mail will carry an official signature.  They
would expect this much the same way as they already expect their
package carriers to be able to prove their authenticity.  In history,
this has been how kings used to prove that messages were authentic -
only they could make "the seal" that assured the reader this was
really a message from the king.

This shift in the email readership community can't happen overnight,
though.  However, if your president were to state that his office
would henceforth send nothing that was not digitally signed (perhaps
with example included), that could start the snowball.

Universal PKI remains a pipe-dream, and perhaps the catalyst to the
increased growth in the expectation of authenticity-assured messaging
is for a few key senders to make such statements.

We can never prevent forgeries in the system we have today, and we
can't prevent someone from obtaining a bulk email list, no matter how
hard we try.  We can, however, inform our customers that legitimate
mail will begin to look so, and thus lessen the impact of forged or
anonymous (i.e. unsigned) mail.

This too could be the death of spam.  Imagine the day when almost all
mail (at least the stuff you get from your usual correspondents) is
signed.  Filter the unsigned stuff, and you've dropped the junk spam.
Now, you get only the signed spam and (assuming the CA is trustworthy)
you can provably locate the origin, and address complaints to them.
Spammers would have to expose their identity in order to get people to
even see their mail.

Ok, back to practicality.  How do we get signed mail today, when we
can't realistically manage a campus full of certs?

One solution: Permit authenticated SMTP by your users, to your MTA,
and have your MTA sign the messages it receives by authenticated SMTP
with its own cert (you only need one cert, not thousands).  Your users
can now easily expect mail from one another to be so-signed - the
spoofs and forgeries begin to be obvious by their difference from the
norm.  ("Hey, here's mail from an on-campus address, but it's not
signed, I wonder if it's legit...?")

The current unsigned unauthenticated inbound receipt of mail remains
possible, but cross-campus mail is now easily made verifiably
authentic (to the extent that users have control of their passwords).
Your users start to wonder why the rest of the email community hasn't
picked this up - their colleagues at other schools are still sending
unsigned - the old fashioned way.

This doesn't change the world instantly, and your users will still
have to expect that mail arriving from off-campus is unsigned, but at
least they'll be forming the expectation that legitimate mail from
within their own community will be signed, and that will start the
process that could ultimately make your forger's methods obsolete.

Risk to privacy?  Probably not - we do already attempt to prove our
authorship identity in mail today, but use an arcane method (the
"from" line, sig lines) to do so.

It could catch on...

  ------------------------------------------------------------
  Gary Dobbins, CISSP -- dobbins () nd edu
  Director, Information Security
  University of Notre Dame, Office of Information Technologies
  Voice: 574.631.5554
  ------------------------------------------------------------
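
The MTA-signing scheme Gary sketches above, worked through as an added
example. This is editorial illustration, not code from the post, from
Notre Dame, or from any MTA product: the gateway signs mail it accepted
over authenticated SMTP with one campus key, and the recipient side treats
mail that claims a campus address but carries no valid signature as
suspect, while off-campus mail stays unsigned, as the post says to expect.
Everything specific here is assumed: an Ed25519 key pair stands in for the
MTA's certificate, the X-Campus-Signature header name and the example.edu
domain are invented, and both messages are constructed. Go standard
library only.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// Hypothetical header added by the signing MTA (invented for this example).
const sigHeader = "X-Campus-Signature"

// Fixed seed for reproducibility; a real MTA loads this from its certificate store (one campus key, not one per user).
var mtaKey = ed25519.NewKeyFromSeed([]byte("example-campus-mta-seed-32-bytes"))
var mtaPub = mtaKey.Public().(ed25519.PublicKey)

// Constructed sample messages, not real mail.
const campusMessage = "From: President <president@example.edu>\r\n" +
	"To: All Students <students@example.edu>\r\n" +
	"Subject: Classes tomorrow\r\n\r\nClasses meet as scheduled.\r\n"
const externalMessage = "From: Colleague <colleague@other.example>\r\n" +
	"To: Staff <staff@example.edu>\r\n" +
	"Subject: Hello\r\n\r\nUnsigned, the old-fashioned way.\r\n"

const (
	Verified = "verified: signed by the campus MTA"
	Forged   = "suspicious: campus address but no valid MTA signature"
	External = "unsigned: off-campus sender, no signature expected"
)

// signedInput returns the parsed message and the bytes the signature covers: a fixed set of author
// headers plus the body, so Received: lines added in transit and the signature header itself cannot break verification.
func signedInput(raw string) (*mail.Message, []byte, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, nil, err
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, nil, err
	}
	var b strings.Builder
	for _, h := range []string{"From", "To", "Subject", "Date"} {
		if v := msg.Header.Get(h); v != "" {
			b.WriteString(strings.ToLower(h) + ":" + strings.TrimSpace(v) + "\n")
		}
	}
	b.Write(body)
	return msg, []byte(b.String()), nil
}

// signAtMTA is the outbound path; the MTA calls it only for mail submitted over authenticated SMTP.
func signAtMTA(raw string) (string, error) {
	_, canon, err := signedInput(raw)
	if err != nil {
		return "", err
	}
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(mtaKey, canon))
	return sigHeader + ": " + sig + "\r\n" + raw, nil
}

// classifyInbound: mail claiming a campus address must verify; a present-but-invalid signature counts as none.
func classifyInbound(raw, campusDomain string) (string, error) {
	msg, canon, err := signedInput(raw)
	if err != nil {
		return "", err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return "", err
	}
	if s := msg.Header.Get(sigHeader); s != "" {
		if sig, err := base64.StdEncoding.DecodeString(s); err == nil && ed25519.Verify(mtaPub, canon, sig) {
			return Verified, nil
		}
	}
	if strings.HasSuffix(strings.ToLower(from.Address), "@"+campusDomain) {
		return Forged, nil
	}
	return External, nil
}

func main() {
	signed, err := signAtMTA(campusMessage)
	if err != nil {
		panic(err)
	}
	for name, raw := range map[string]string{
		"signed":   signed,        // president's office, authenticated submission
		"spoofed":  campusMessage, // campus From: line, never authenticated
		"tampered": strings.Replace(signed, "meet as scheduled", "are cancelled", 1),
		"external": externalMessage, // another school, unsigned as expected
	} {
		v, err := classifyInbound(raw, "example.edu")
		fmt.Println(name, "->", v, err)
	}
}
```

Run with go run; it prints one verdict per scenario. Two design points
are worth noticing. The signature covers only the author headers and the
body, so Received: lines added by downstream relays do not invalidate it.
And a signature that is present but fails to verify is treated exactly
like a missing one, which is why the "tampered" message comes out as
suspicious rather than as a parse error. A relay-level signature of this
shape, keyed per domain rather than per user, is what DKIM later
standardized.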



----- Original Message -----
From: "Kathie Brinkman" <brinkmkb () MUOHIO EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Friday, March 07, 2003 5:36 PM
Subject: [SECURITY] Lowering the risk of email hoaxes


I am with Miami University and we have formed a swat team, in reaction
to an incident that occurred on our campus this past week - a student,
purporting to be the president of the university, sent email to 31,000
email accounts stating that classes were cancelled for the following
day.  By the end of next week, we will be submitting a report to Miami
management on how to lower the risk of email hoaxes. We all know that
this is not a simple issue, for a number of reasons.

Our current environment is as follows:
1- any student in a residence hall can connect any machine to our wired
   network; we do not require a MAC registration
2- anyone coming on to campus can connect to our wireless access points
   without authentication; we syslog the WAPs
3- we control the mail servers on campus (or have trusted departments
   that control departmental servers)
4- we track ip address assignments issued by our DHCP server (but the
   assignments are not logged for more than a few days)

There is a lot of opportunity for improvement in the environment, but I
would like to know what other institutions have found most useful.
And, I would be interested in knowing if anyone uses PGP for critical
messages.

Thanks for your assistance. (Please excuse the duplicate email
messages, for those of you who are on both the HDI-EDU and the Educause
Security lists).


_______________________________
Kathleen B. Brinkman
Senior Manager, MCIS Support Desk
312-A Hoyt Hall, Miami University
mailto: brinkmkb () muohio edu
voice: 513.529.5947
fax: 513.529.1496

**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/memdir/cg/.

