[nSLUG] End of email -- what next

George N. White III gnwiii at gmail.com
Wed Apr 20 09:12:41 ADT 2011

On Tue, Apr 19, 2011 at 4:58 PM, D G Teed <donald.teed at gmail.com> wrote:

> On Tue, Apr 19, 2011 at 1:48 PM, George N. White III <gnwiii at gmail.com> wrote:
>> It got into Oak Ridge's system through a phishing email designed to
>> look like it was sent from the lab's human resources department.
> The flaw here sounds just like a recent attack at the Canadian federal
> government department.  The hacker forges an email from a boss
> to an underling, asking for a password or a password reset.  The
> underling obliges (social engineering working here, they don't want
> to say no or give a hassle to the boss), and provides the password in email.
> Alternately, the hacker may have phished the boss's email password
> and then used that to send emails looking for the password reset.
> Then the attacker sets up malware or keyloggers whereever possible
> using the boss's access, possibly on their desktop, etc.
> This gains additional access, since the bosses tend to have lots
> of access with accounts in various systems.
> The key flaw here is sending passwords over email.  Just don't do it.
> Arrange to phone or meet in person in a way you can confirm
> it is really the person who should get the password.

Many gov't workers are accustomed to sending sensitive info using
signed encrypted email.   There has been some suggestion that the
attackers didn't just spoof emails, but managed to send them with
the appropriate digital signatures.

> I've found the average email user doesn't understand how
> easy it is to forge email until I send them a message from
> ronald.reagan at whitehouse.gov and then they come
> back to me and say "oh, ya."  Part of it is not understanding
> the envelope aspect of email.  You'd think Microsoft's mail
> clients were designed by phishers, with their default ability
> to keep the actual address hidden (appear as "Ronald Reagan").

It is worse -- MS mail systems don't store the original envelope,
but may use some internal user ID, so when you check the details
you get the current database entry.  This can have strange results.
Suppose you sent email to list.  Years go by and an employee is
purged from the database (e.g., when they retire), so the list of
recipients no longer includes the name of the now retired employee.

George N. White III <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia

More information about the nSLUG mailing list