News
Blogs
Shark Bait
Knowledge Centers
Opinion
Webcasts
Video
Podcasts
IT Careers
White Papers
Computerworld Reports
Zones
Case Study Library
RSS Feeds
Events
Industry
This Week in Print
Print Subscriptions


Ads by TechWords

See your link here


Michael Horowitz's picture
Michael Horowitz

Defensive Computing

More posts | Read bio

June 10, 2009 - 8:19 P.M.

Defensive Computing lessons from the SEC e-mail scam

13 comments

Yesterday morning there were, no doubt, millions of scam e-mail messages sent. But one scam message was written up by the Wall Street Journal, Bloomberg news and the Washington Post. There is a Defensive Computing lesson to be learned from why this message got so much attention.

The message appeared to be from Irene Gutierrez, a lawyer in the enforcement division of the Securities and Exchange Commission (SEC). According to the Journal it "harshly" criticized two high ranking executives at the SEC. The e-mail was sent to several employees at the SEC as well as assorted news organizations. Shortly afterward, the real Ms. Gutierrez e-mailed  that her Blackberry had been stolen and she hadn't sent the first message. Then, it turned out that the Blackberry had only been mis-placed, not lost.

So, if no one but Ms. Gutierrez had used her Blackberry, what explains the initial, phony e-mail?

Frank Ahrens at the Washington Post speculated that the message was typed on a computer, sent to Ms. Gutierrez's Blackberry and then forwarded from her account. He also suggested that Ms. Gutierrez's e-mail account had been hacked.

The truth was simpler, the From address was faked.

When Mr. Ahrens learned that the message was totally fraudulent he wrote "This means that someone with computer programming knowledge was able to change their e-mail address to make it look like the e-mail came from Gutierrez."

In fact, you need no knowledge of computer programming to forge the From address of an e-mail message. It's brutally simple.

Anyone still using AOL software can't do it however, and neither can someone using webmail or the corporate Lotus Notes. But classic e-mail programs such as Outlook, Thunderbird, Outlook Express or Eudora, among others (technically e-mail clients), can easily lie about the sender of a message.

The stories in both the Wall Street Journal and Bloomberg also failed to point out how simple it is to forge the From address. It seems to me, that the authors' ignorance of this, is the only reason this is a story.

Someone who commented on the article at the Journal's website said "why is a crank e-mail news to the WSJ? are you going to report on crank phone calls next?" What else but technical ignorance can explain how this came to be considered newsworthy?

There is no owners manual for e-mail accounts. If there were, the front page would say

NEVER TRUST THE FROM ADDRESS IN AN E-MAIL MESSAGE

Perhaps new e-mail users should be required to write this on a blackboard, over and over and over. It's that important.

When I first broached this subject, I pointed out that even Brian Krebs, who writes the Security Fix column in the Washington Post has warned his readers to treat e-mails differently based on whether they know the sender or not. This assumes, incorrectly, that you can trust the displayed From address.

The Wall Street Journal article mentioned a recent scam where investors were tricked into providing private information about their brokerage accounts by scam e-mail messages purporting to be from the SEC. How can you tell if an e-mail message really came from the SEC? In practical terms you can't. If you get one that looks legit, find the phone number of the SEC in the phone book, call it and try to verify the claims made in the e-mail.

The Wall Street Journal was sent one of the initial scam messages and reported the city where the server that sent the message "appeared" to be. This however, tells us nothing about who actually sent the message, neither their location nor their identity. We may never know who sent it.

Standard Internet POP3 and SMTP e-mail was not designed with security in mind. Messages, for example, are sent in the clear (un-encrypted). To deal with this think of Broadway; don't send anything via e-mail that you wouldn't want to appear on a billboard in Times Square.

If you need both privacy and verification of the sender, there are assorted software solutions, but they tend to be complicated, expensive and/or require you to change the way you handle e-mail. David Strom recently reviewed three e-mail security products for Computerworld.

Hopefully each scammed news organization will use this as an opportunity to educate their readers about the true nature of e-mail.

What People Are Saying

Add new comment

you can forge the From in Lotus Notes

Submitted by Charles Robinson on June 11, 2009 - 4:08 P.M.

You said you can't change your From address in Notes, but that isn't true. The From address can be easily spoofed when sending Internet mail, but not internal Lotus Notes mail. Here is the general idea: http://www.alanlepofsky.net/alepofsky/alanblog.nsf/dx/email-display-name?opendocument&comments

Reply | Report this comment

Yes, you can "forge" your address in Notes

Submitted by Anonymous on June 11, 2009 - 4:05 P.M.

Just create a new location document and put the fake address in the internet address field.

Reply | Report this comment

Use SPF ...

Submitted by Dean on June 11, 2009 - 6:35 A.M.

Properly implemented SPF can greatly reduce the likelyhood of this happening.

Reply | Report this comment

Not really, no

Submitted by Richi Jennings on June 11, 2009 - 7:29 A.M.

Not really, no.

Used on their own, SPF and DKIM can protect you against people forging email "from" ...@sec.gov but they do nothing to protect email from ...@sec-gov.cn for example.

That's why you also need reputation. See my comment below.

Also, SPF -- and its bastard lovechild Sender ID -- have serious limitations. DKIM is the gold standard.

Reply | Report this comment

One more thing

Submitted by Anonymous on June 10, 2009 - 11:08 P.M.

I believe it's time that high ranking officials at important organizations should use something like PGP to sign their emails so authenticity can be checked. In case you do not know, PGP is not only about confidentiality, it also insures the integrity of your messaging.

Reply | Report this comment

...which will never happen

Submitted by Richi Jennings on June 11, 2009 - 4:01 A.M.

Pervasive end-to-end signing is simply never going to happen. Too complex.

Get over it.

However, the DKIM standard is being supported by more and more sending mail systems, receiving mail systems, and spam filters. It allows sending domains to publish information that allows receiving domains to verify the authenticity of the sender.

It also (cruicially) allows spam filters to verify the reputation of a domain (e.g., paypal.com: good; fake-paypal.com: bad).

For more on DKIM and domain reputation, see m'blog posts passim:

Note that DKIM doesn't rely on end-users having the right software and certificates on all their devices. That's a key reason why PGP, S/MIME et al don't work in the real world.

Reply | Report this comment

What computer operation is NOT "too complex"?

Submitted by Ben D. on June 19, 2009 - 11:40 A.M.

"Pervasive end-to-end signing is simply never going to happen. Too complex."

For most normal human beings, logging into Windows is too complex. And yet most people do it every day because they have to, in order to work.

Hardware-token-based authentication? Absurd. And yet again, plenty of accountants do it every day to cut checks via EFT. The banks manage to set up the tokens, ship them to the end users, train them on how to use them, replace the tokens when they fail, etc. And the checks get cut, because they have to.

Good point about "having the right software and certificates on all ... devices", but... hasn't Outlook supported PKI-based messaging since at least 2003? And Outlook is probably what most people use for business email.

If Outlook *required* senders to sign their messages before sending, and refused to display unsigned messages, everyone would just figure it out and do it.

It might be a headache but, again, so is everything involving a computer, for most people.

Reply | Report this comment

PGP signing has other advantages too

Submitted by Anonymous on June 11, 2009 - 1:22 P.M.

- prevents message tampering and proves your identity
- can be used for other electronic documents or communications, not only for email

Yes, it's a little more complex however it's not rocket science. Any normal person can do it and besides that, this is a price to pay in order to protect your electronic identity from being forged. For most of the people this is optional but for those detaining official positions it should definitely be considered.

Reply | Report this comment

It's not difficult to tell if a message was forged

Submitted by Anonymous on June 10, 2009 - 11:02 P.M.

or at least to suspect it. Trouble is that almost all mail clients are hiding the smtp headers that each server adds to the message. It is easy to forge the from field but there is no easy way to forge an smtp server name and address (actually for all servers processing the message) in the message headers. I'm using Thunderbird and I have an option to see the entire header so it makes me laugh every time I see a message coming from name@whitehouse.gov and the header shows it has been initiated from some Russian server.
For those interested, every mail server when processing your message is adding its own header, something like this (sensitive info masked of course) :

from mail.zzzzz.zzz ([zzz.zzz.zzz.zzz]) by mail.ip.yyyyy.yyy (Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit)) with ESMTP id <0KJB00LL3LUP4N00@mail.ip.zzzzzzz.zzz> for nnnnnnn@yyyyyy.yyy; Fri, 08 May 2009 06:16:01 -0400 (EDT)

the sender email address is taken from the original message and can be fake but the rest is added by the server and it's difficult to forge.

If you want precise, reference information you may search and read the relevant RFCs (Warning: heavy stuff, don't do this at home etc.)

Unfortunately I didn't receive any spam lately so I can not show you a real example.

Reply | Report this comment

email headers

Submitted by Michael Horowitz on June 11, 2009 - 7:29 P.M.

I'm getting over my head here, but I read somewhere that even the bread crumbs (so to speak) that email servers lay down in the headers can be forged.

Thinking it through, what prevents a bad guy from setting up their own SMTP server that lays down a fraudulent identifier? Also, I don't know of a reputable source for information on how to read email headers. But again, even if there is such a source, you are trusting unknown system admins to setup the bread crumb for their SMTP server truthfully.

And, even if a message did, in fact, pass through an SMTP server for company X and it claims to be from someone working for company X, the message could still be a scam. It may, for example, be from employee 2 when it claims to be from employee 1. Or, it could be from someone unrelated to company X, depending on how the SMTP server is configured or exploiting a bug in the SMTP software.

Reply | Report this comment

Related Posts

Spammer trick: exploiting CAN-SPAM loopholes
Snarky replies to spammers and scammers
Stop making it so easy to be attacked online
Domain registration fraud spam

Editor's Picks

Attacks likely against Windows, PowerPoint, researchers say

Google Buzz takes the fight to Facebook, Twitter

Judge dismisses Windows anti-piracy software lawsuit

New Russian botnet tries to kill rival

Microsoft e-health research taps Xbox, mobile phones

Review: 3 encryption apps keep your data safe

About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDC IDG IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures
IDG.net InfoWorld ITwhitepapers ITworld JavaWorld LinuxWorld Macworld Network World PC World The Industry Standard
Copyright © 1994 - 2010 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of
Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.