Saturday, March 19, 2016

Thinking?

The title of this post is the response, in my household, when someone asks "What were you thinking?" and, after due consideration, the recipient realizes: oh yeah, that was probably not so smart.

It's the question I had on receipt of a "secure email" the other day, coming from a healthcare institution. I won't name the institution, because the solution is a commercial one, crafted by an Internet security provider (Proofpoint) that apparently thinks it is a good idea. Let me explain to you how it works:

When someone sends an e-mail that this software decides needs to be protected, the software takes the body of the e-mail, encrypts it in some form, base-64 encodes the encrypted content into an XML payload, then base-64 encodes that into an HTML form. It then sends that HTML page as an attachment in an e-mail to the original recipient. The body of the e-mail is an official-looking page containing the sender's logo, a lock icon, and text explaining that you have received a secure e-mail and that in order to access it you need either to open the attachment or to click on a link.
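To make the layering concrete, and to illustrate the point made later in the post that every one of those cues can be reproduced by anyone, here is a small model of the attachment. This is an added example, not code from the original post and not Proofpoint's actual format: the encrypt, base-64, XML, base-64, HTML-form layering follows the description above, while the element names, the two endpoint URLs, the allowlist of trusted hosts and the toy XOR cipher are assumptions made here. The same builder produces the "legitimate" attachment and a look-alike one; once the form's destination is ignored they are structurally identical, and the only check that separates them is where the form posts to.

```python
"""Model of the "secure e-mail" attachment structure described above.

Added example, not code from the original post and not Proofpoint's real
format: the layering follows the post's description; element names, URLs,
the trusted-host allowlist and the toy cipher are assumptions made here.
"""
import base64
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical endpoints and allowlist (assumed, not real services).
LEGIT_ENDPOINT = "https://securemail.example-hospital.org/retrieve"
# Look-alike host: starts with the legitimate name, ends somewhere else.
PHISH_ENDPOINT = "https://securemail.example-hospital.org.evil.example/retrieve"
TRUSTED_HOSTS = {"securemail.example-hospital.org"}


def toy_cipher(data: bytes, key: bytes) -> bytes:
    """Stand-in for the unknown real encryption: repeating-key XOR.
    It is its own inverse, which is all this demonstration needs."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_attachment(body: bytes, key: bytes, action_url: str) -> str:
    """Body -> cipher -> base64 -> XML -> base64 -> hidden field in an HTML form.
    The same builder serves the vendor and the phisher; only action_url differs."""
    root = ET.Element("secureMessage")
    ET.SubElement(root, "content").text = base64.b64encode(toy_cipher(body, key)).decode()
    blob = base64.b64encode(ET.tostring(root)).decode()
    return (
        "<html><body>"
        "<img src='logo.png' alt='Institution logo'>"
        "<p>You have received a secure message. Click below to read it.</p>"
        f"<form method='POST' action='{action_url}'>"
        f"<input type='hidden' name='msg' value='{blob}'>"
        "<input type='submit' value='Click to retrieve your message'>"
        "</form></body></html>"
    )


class FormScanner(HTMLParser):
    """Collect form action URLs and hidden fields from an HTML attachment."""

    def __init__(self) -> None:
        super().__init__()
        self.actions: list[str] = []
        self.hidden: dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and a.get("type") == "hidden":
            self.hidden[a.get("name") or ""] = a.get("value") or ""


def scan_attachment(html: str) -> tuple[list[str], dict[str, str]]:
    scanner = FormScanner()
    scanner.feed(html)
    return scanner.actions, scanner.hidden


def structural_fingerprint(html: str) -> tuple[int, tuple[str, ...]]:
    """What the attachment looks like once the URL is ignored: number of
    forms and the hidden field names. This is all a recipient's eye sees."""
    actions, hidden = scan_attachment(html)
    return len(actions), tuple(sorted(hidden))


def classify(html: str, trusted_hosts=TRUSTED_HOSTS) -> str:
    """The only check that separates the two: where does the form post to?"""
    actions, _ = scan_attachment(html)
    if not actions:
        return "no-form"
    for url in actions:
        parts = urlparse(url)
        if parts.scheme != "https" or (parts.hostname or "") not in trusted_hosts:
            return "suspicious"
    return "trusted-host"


def peel_payload(html: str, key: bytes) -> bytes:
    """Reverse the layering to recover the message body."""
    _, hidden = scan_attachment(html)
    root = ET.fromstring(base64.b64decode(hidden["msg"]))
    inner = base64.b64decode(root.findtext("content"))
    return toy_cipher(inner, key)


if __name__ == "__main__":
    key = b"not-a-real-key"
    legit = build_attachment(b"Your lab results are ready.", key, LEGIT_ENDPOINT)
    phish = build_attachment(b"Your lab results are ready.", key, PHISH_ENDPOINT)
    print("same structure:", structural_fingerprint(legit) == structural_fingerprint(phish))
    print("legit:", classify(legit), "| phish:", classify(phish))
    print("recovered:", peel_payload(legit, key))
```

Run as a script, it reports that the two attachments have the same structure, that only the host check tells them apart, and that the body is recoverable once you know the key. The host check is deliberately strict about the full hostname: a URL that merely begins with the expected name, as the look-alike one does, is exactly what "looks right on a quick glance" means, and an `http://` destination is treated as suspicious even on the right host.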

I'd love to do a video that shows how this system works, and compare it to a phishing attack.

Consider that you have just received an e-mail that appears to be from an institution you have a relationship with. It looks official, and bears the correct logo [highlight the institution logo on both the phishing and secure e-mail]. When you click on the "more information" link, it clearly goes to the institution's web site, which you can quite readily verify. The e-mail asks you to open the attached file to obtain your secure message. Feeling secured by all that you have done to ensure your security, you now open the attachment. Once again, it looks very good and official, bears the right logos, and even bears a copyright notice from a trusted security provider. It asks you to click a button to retrieve your message.

You do so. At this stage you are taken to an HTTPS page on the web with a long URL that looks right at a quick glance, which, since this is your first time, asks you to create a user name and password to access your message. So far, both systems appear to work in nearly the same way. So, you create your account.

One of these systems will then decrypt the packet sent to you, and the other will send your username and password to pirate bay, where someone will then drain all your bank accounts.

The question is, should you open this attachment? The answer in both cases, for most people, is: Hell no.

  1. You don't have the training to distinguish the attached file (which may contain a zero-day exploit) from any other attached file that could infect your computer.
  2. You shouldn't expose your password management procedures to others whose security you cannot verify. Many of you have pretty poor ones to begin with (like "I use the same username and password for everything").
  3. Every one of the cues in the scenario above (the logos, the copyright notice, the link to the real web site, the HTTPS page with a plausible-looking URL) is something ANY competent software engineer or hacker can produce. In fact, if it can be done, a hacker doesn't need to do it him or herself; they can very likely simply steal it.

Why does an Internet security provider believe that encouraging people to engage in behavior that security experts advise against, and that other security products protect against, would be a good idea? Well, that goes back to another common response in my family to the "What were you thinking?" question:

It seemed like a good idea at the time?

-- Keith

P.S.  When I first saw this message, I actually thought it had originated from my corporate security folks, who craft similar messages in order to encourage people to take their phishing refresher class, an honor I have thus far managed to safely avoid (it's the reward for clicking on an attachment or link in their generated e-mails).  Yes, I get phished internally as training on what to avoid.
