Michael Horowitz

Defensive Computing

Defensive Computing lessons from the SEC e-mail scam

Yesterday morning there were, no doubt, millions of scam e-mail messages sent. But one scam message was written up by the Wall Street Journal, Bloomberg news and the Washington Post. There is a Defensive Computing lesson to be learned from why this message got so much attention.

The message appeared to be from Irene Gutierrez, a lawyer in the enforcement division of the Securities and Exchange Commission (SEC). According to the Journal it "harshly" criticized two high-ranking executives at the SEC. The e-mail was sent to several employees at the SEC as well as assorted news organizations. Shortly afterward, the real Ms. Gutierrez e-mailed that her Blackberry had been stolen and she hadn't sent the first message. Then, it turned out that the Blackberry had only been misplaced, not lost.

So, if no one but Ms. Gutierrez had used her Blackberry, what explains the initial, phony e-mail?

Frank Ahrens at the Washington Post speculated that the message was typed on a computer, sent to Ms. Gutierrez's Blackberry and then forwarded from her account. He also suggested that Ms. Gutierrez's e-mail account had been hacked.

The truth was simpler: the From address was faked.

When Mr. Ahrens learned that the message was totally fraudulent he wrote "This means that someone with computer programming knowledge was able to change their e-mail address to make it look like the e-mail came from Gutierrez."

In fact, you need no knowledge of computer programming to forge the From address of an e-mail message. It's brutally simple.

Whether you can do it from a given program is only a question of whether the program lets you type into the From field; the mail protocols themselves never check it. The AOL software, most webmail sites and corporate Lotus Notes hide the field in their normal setup, but classic e-mail programs (technically e-mail clients) such as Outlook, Thunderbird, Outlook Express or Eudora, among others, let you enter any sender address you like and will happily lie about who sent a message.
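How little is involved, as an added example that is not part of the original column. The client half is exactly what a desktop mail program does: connect to an SMTP server, name an envelope sender, hand over a message whose From header is free text. The server half is a throwaway listener on 127.0.0.1 (the host names mail.example.test and laptop.example.test and every address are invented) that records what it was told, so the whole exchange runs offline.

```python
"""Forging the From header, end to end, against a tiny local SMTP server."""
import smtplib
import socket
import threading
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import SMTP as SMTP_POLICY
from email.utils import formatdate

LISTEN_HOST = "127.0.0.1"
SERVER_NAME = "mail.example.test"        # assumed name of the receiving MTA


class TinySMTPServer(threading.Thread):
    """Just enough of RFC 5321 to accept one message. It stores the HELO
    name, the envelope MAIL FROM and the submitted text without checking
    any of them against each other, which is exactly how SMTP behaves."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind((LISTEN_HOST, 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.helo = self.envelope_from = self.peer_ip = None
        self.raw = b""

    def run(self):
        conn, (self.peer_ip, _) = self.sock.accept()
        f = conn.makefile("rwb")

        def reply(text):
            f.write(text.encode() + b"\r\n")
            f.flush()

        reply(f"220 {SERVER_NAME} ESMTP")
        while True:
            line = f.readline().decode("ascii", "replace").rstrip("\r\n")
            if not line:
                break                                   # client went away
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self.helo = arg.strip()                 # the client's claim
                reply(f"250 {SERVER_NAME}")
            elif verb == "MAIL":                        # MAIL FROM:<addr>
                self.envelope_from = arg.partition(":")[2].strip().strip("<>")
                reply("250 OK")
            elif verb == "RCPT":
                reply("250 OK")
            elif verb == "DATA":
                reply("354 End data with <CR><LF>.<CR><LF>")
                chunks = []
                while True:
                    l = f.readline()
                    if l in (b"", b".\r\n"):
                        break
                    chunks.append(l[1:] if l.startswith(b"..") else l)
                self.raw = b"".join(chunks)
                reply("250 OK queued")
            elif verb == "QUIT":
                reply("221 Bye")
                break
            else:
                reply("500 Unrecognised command")
        conn.close()
        self.sock.close()

    def received_header(self):
        """The trace line a real MTA prepends. The HELO name is what the
        client said; the address in brackets is what the socket saw."""
        return (f"Received: from {self.helo} ([{self.peer_ip}]) "
                f"by {SERVER_NAME} with ESMTP; {formatdate()}")


def forge_and_deliver(forged_from, envelope_from, to_addr):
    """Send a message with an arbitrary From header through a stock
    smtplib client and return what the server actually recorded."""
    server = TinySMTPServer()
    server.start()

    msg = EmailMessage()
    msg["From"] = forged_from           # displayed sender: just a header
    msg["To"] = to_addr
    msg["Subject"] = "Enforcement matter"
    msg.set_content("Constructed sample body; nothing in it is verified.")

    with smtplib.SMTP(LISTEN_HOST, server.port,
                      local_hostname="laptop.example.test") as client:
        client.sendmail(envelope_from, [to_addr], msg.as_bytes(policy=SMTP_POLICY))
    server.join(timeout=5)

    # Prepend the trace header the way the receiving MTA would.
    stored = message_from_bytes(server.received_header().encode() + b"\r\n" + server.raw)
    return {
        "header_from": stored["From"],           # forged, stored verbatim
        "envelope_from": server.envelope_from,   # also chosen by the client
        "helo": server.helo,                     # also chosen by the client
        "connecting_ip": server.peer_ip,         # the one thing the server observed
        "received": stored["Received"],
    }


if __name__ == "__main__":
    print(forge_and_deliver("SEC Enforcement <enforcement@sec.example>",
                            "bounces@attacker.example", "victim@example.org"))
```

Three of the four sender-related values (From header, envelope MAIL FROM, HELO name) are supplied by whoever is sending; only the connecting IP address is something the receiving server observed for itself, and it records that in the Received header.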

The stories in both the Wall Street Journal and Bloomberg also failed to point out how simple it is to forge the From address. It seems to me that the authors' ignorance of this is the only reason this is a story.

Someone who commented on the article at the Journal's website said "why is a crank e-mail news to the WSJ? are you going to report on crank phone calls next?" What else but technical ignorance can explain how this came to be considered newsworthy?

There is no owner's manual for e-mail accounts. If there were, the front page would say

NEVER TRUST THE FROM ADDRESS IN AN E-MAIL MESSAGE

Perhaps new e-mail users should be required to write this on a blackboard, over and over and over. It's that important.

When I first broached this subject, I pointed out that even Brian Krebs, who writes the Security Fix column in the Washington Post has warned his readers to treat e-mails differently based on whether they know the sender or not. This assumes, incorrectly, that you can trust the displayed From address.

The Wall Street Journal article mentioned a recent scam where investors were tricked into providing private information about their brokerage accounts by scam e-mail messages purporting to be from the SEC. How can you tell if an e-mail message really came from the SEC? In practical terms you can't. If you get one that looks legitimate, find the SEC's phone number yourself (in the phone book, not in the message), call it and try to verify the claims made in the e-mail.

The Wall Street Journal was sent one of the initial scam messages and reported the city where the server that sent the message "appeared" to be. This however, tells us nothing about who actually sent the message, neither their location nor their identity. We may never know who sent it.

Standard Internet e-mail (SMTP for sending, POP3 for retrieval) was not designed with security in mind. Messages, for example, are normally sent in the clear (unencrypted) and carry nothing that proves who sent them. To deal with this think of Broadway; don't send anything via e-mail that you wouldn't want to appear on a billboard in Times Square.

If you need both privacy and verification of the sender, there are assorted software solutions, but they tend to be complicated, expensive and/or require you to change the way you handle e-mail. David Strom recently reviewed three e-mail security products for Computerworld.

Hopefully each scammed news organization will use this as an opportunity to educate their readers about the true nature of e-mail.

What People Are Saying

you can forge the From in Lotus Notes

You said you can't change your From address in Notes, but that isn't true. The From address can be easily spoofed when sending Internet mail, but not internal Lotus Notes mail. Here is the general idea: http://www.alanlepofsky.net/alepofsky/alanblog.nsf/dx/email-display-name?opendocument&comments

Yes, you can "forge" your address in Notes

Just create a new location document and put the fake address in the internet address field.

Use SPF ...

Properly implemented SPF can greatly reduce the likelihood of this happening.

Not really, no

Not really, no.

Used on their own, SPF and DKIM can protect you against people forging email "from" ...@sec.gov but they do nothing to protect email from ...@sec-gov.cn for example.

That's why you also need reputation. See my comment below.

Also, SPF -- and its bastard lovechild Sender ID -- have serious limitations. DKIM is the gold standard.
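What SPF does and does not check, as an added example that is not part of either comment above. The DNS TXT records are constructed stand-ins (sec.example plays the real domain, sec-gov.example the attacker's lookalike); the evaluator handles the ip4, ip6, include and all mechanisms and reports the DNS-dependent ones (a, mx, exists, redirect) as permerror. The alignment check in the second function is not SPF itself; it is the test DMARC (RFC 7489) later layered on top of SPF and DKIM.

```python
"""Offline SPF evaluation: envelope domain versus displayed From."""
import ipaddress

DNS_TXT = {   # constructed TXT records; sec-gov.example is the attacker's lookalike
    "sec.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.10 ~all",
    "sec-gov.example": "v=spf1 ip4:192.0.2.5 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, dns=DNS_TXT, depth=0):
    """Return the SPF result for client_ip sending on behalf of domain."""
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    if depth > 10:                       # RFC 7208 caps DNS-querying terms
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":          # matches only if the included record passes
            matched = spf_check(arg, client_ip, dns, depth + 1) == "pass"
        else:
            return "permerror"           # a, mx, exists, redirect: need live DNS
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no explicit "all"


def evaluate_message(envelope_from, header_from, client_ip, dns=DNS_TXT):
    """SPF is evaluated on the envelope (MAIL FROM) domain, which the
    recipient never sees. Report it next to whether that domain even
    matches the From header the recipient does see."""
    env_domain = envelope_from.rpartition("@")[2].lower()
    hdr_domain = header_from.rpartition("@")[2].lower()
    return {"spf": spf_check(env_domain, client_ip, dns),
            "aligned": env_domain == hdr_domain}


if __name__ == "__main__":
    # legitimate mail from sec.example's own relay
    print(evaluate_message("bounce@sec.example", "enforcement@sec.example", "198.51.100.7"))
    # envelope domain forged from the attacker's host: SPF catches it
    print(evaluate_message("bounce@sec.example", "enforcement@sec.example", "192.0.2.5"))
    # lookalike envelope domain with the attacker's own SPF record: passes,
    # and the forged From header is never consulted by SPF at all
    print(evaluate_message("bounce@sec-gov.example", "enforcement@sec.example", "192.0.2.5"))
```

The third case is the one the comment describes: the attacker publishes a valid SPF record for a domain they own, so SPF passes, and nothing in SPF looks at the From header unless the receiver also insists that the two domains agree.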

One more thing

I believe it's time that high ranking officials at important organizations should use something like PGP to sign their emails so authenticity can be checked. In case you do not know, PGP is not only about confidentiality, it also insures the integrity of your messaging.

...which will never happen

Pervasive end-to-end signing is simply never going to happen. Too complex.

Get over it.

However, the DKIM standard is being supported by more and more sending mail systems, receiving mail systems, and spam filters. It allows sending domains to publish information that allows receiving domains to verify the authenticity of the sender.

It also (crucially) allows spam filters to verify the reputation of a domain (e.g., paypal.com: good; fake-paypal.com: bad).

For more on DKIM and domain reputation, see m'blog posts passim:

Note that DKIM doesn't rely on end-users having the right software and certificates on all their devices. That's a key reason why PGP, S/MIME et al don't work in the real world.

What computer operation is NOT "too complex"?

"Pervasive end-to-end signing is simply never going to happen. Too complex."

For most normal human beings, logging into Windows is too complex. And yet most people do it every day because they have to, in order to work.

Hardware-token-based authentication? Absurd. And yet again, plenty of accountants do it every day to cut checks via EFT. The banks manage to set up the tokens, ship them to the end users, train them on how to use them, replace the tokens when they fail, etc. And the checks get cut, because they have to.

Good point about "having the right software and certificates on all ... devices", but... hasn't Outlook supported PKI-based messaging since at least 2003? And Outlook is probably what most people use for business email.

If Outlook *required* senders to sign their messages before sending, and refused to display unsigned messages, everyone would just figure it out and do it.

It might be a headache but, again, so is everything involving a computer, for most people.

PGP signing has other advantages too

- prevents message tampering and proves your identity
- can be used for other electronic documents or communications, not only for email

Yes, it's a little more complex, however it's not rocket science. Any normal person can do it and besides that, this is a price to pay in order to protect your electronic identity from being forged. For most people this is optional, but for those holding official positions it should definitely be considered.

It's not difficult to tell if a message was forged

or at least to suspect it. Trouble is that almost all mail clients hide the SMTP headers that each server adds to the message. It is easy to forge the From field but there is no easy way to forge an SMTP server name and address (actually for all servers processing the message) in the message headers. I'm using Thunderbird and I have an option to see the entire header, so it makes me laugh every time I see a message coming from name@whitehouse.gov and the header shows it was initiated from some Russian server.
For those interested, every mail server that processes your message adds its own header, something like this (sensitive info masked of course):

from mail.zzzzz.zzz ([zzz.zzz.zzz.zzz]) by mail.ip.yyyyy.yyy (Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit)) with ESMTP id <0KJB00LL3LUP4N00@mail.ip.zzzzzzz.zzz> for nnnnnnn@yyyyyy.yyy; Fri, 08 May 2009 06:16:01 -0400 (EDT)

the sender email address is taken from the original message and can be fake but the rest is added by the server and it's difficult to forge.

If you want precise, reference information you may search and read the relevant RFCs (Warning: heavy stuff, don't do this at home etc.)

Unfortunately I haven't received any spam lately, so I can't show you a real example.

email headers

I'm getting in over my head here, but I read somewhere that even the bread crumbs (so to speak) that e-mail servers lay down in the headers can be forged.

Thinking it through, what prevents a bad guy from setting up their own SMTP server that lays down a fraudulent identifier? Also, I don't know of a reputable source for information on how to read e-mail headers. But again, even if there is such a source, you are trusting unknown system admins to set up the bread crumb for their SMTP server truthfully.

And, even if a message did, in fact, pass through an SMTP server for company X and it claims to be from someone working for company X, the message could still be a scam. It may, for example, be from employee 2 when it claims to be from employee 1. Or, it could be from someone unrelated to company X, depending on how the SMTP server is configured or by exploiting a bug in the SMTP software.
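Both comments above are right, and the way to reconcile them is to read the Received chain from the top down, trusting only the lines your own servers wrote. Each server prepends its trace line, so the newest hop is first; the first line written by one of your MTAs that names an outside address is where the message entered your infrastructure, and every line below it is just text the previous server chose to write. The following is an added example, not from either commenter; the message, host names and addresses are constructed in the masked style of the sample header quoted above.

```python
"""Walking a Received chain: find the trust boundary, treat the rest as claims."""
import re
from email import message_from_string

RAW_MESSAGE = """\
Received: from mx.yyyyy.example ([203.0.113.9]) by mail.yyyyy.example
 with ESMTP id 3; Fri, 08 May 2009 06:16:03 -0400 (EDT)
Received: from mail.zzzzz.example ([198.51.100.44]) by mx.yyyyy.example
 with ESMTP id 2 for nnnnnnn@yyyyy.example; Fri, 08 May 2009 06:16:01 -0400 (EDT)
Received: from mail.whitehouse.example ([192.0.2.77]) by mail.zzzzz.example
 with SMTP id 1; Fri, 08 May 2009 06:15:58 -0400 (EDT)
From: Press Office <press@whitehouse.example>
To: nnnnnnn@yyyyy.example
Subject: constructed sample

(constructed body)
"""

# The MTAs we operate ourselves (assumed names and addresses).
OUR_HOSTS = {"mail.yyyyy.example", "mx.yyyyy.example"}
OUR_IPS = {"203.0.113.9", "203.0.113.10"}

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<paren>[^)]*)\)\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_hops(msg):
    """One dict per Received header, newest (topmost) first."""
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            hops.append({"helo": None, "ip": None, "by": None})
            continue
        ip = IP_RE.search(m.group("paren"))
        hops.append({"helo": m.group("helo").lower(),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by").lower()})
    return hops


def analyse(raw, our_hosts=OUR_HOSTS, our_ips=OUR_IPS):
    """Locate the hop where our own server accepted the message from an
    outside address; everything below that hop is unverifiable."""
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    handoff = None
    for i, hop in enumerate(hops):
        if hop["by"] not in our_hosts:
            break                    # written by someone else: stop trusting
        if hop["ip"] not in our_ips:
            handoff = i              # our server took it from an outside address
            break
    header_domain = msg["From"].rpartition("@")[2].rstrip(">").lower()
    result = {"header_from_domain": header_domain, "hops": len(hops)}
    if handoff is None:
        result.update(handoff_ip=None, handoff_helo=None, unverifiable=hops)
    else:
        result.update(handoff_ip=hops[handoff]["ip"],
                      handoff_helo=hops[handoff]["helo"],
                      unverifiable=hops[handoff + 1:])
    return result


if __name__ == "__main__":
    print(analyse(RAW_MESSAGE))
```

For the constructed message the answer is that the mail reached us from 198.51.100.44 (calling itself mail.zzzzz.example), while the line claiming a whitehouse.example origin was written by that outside server and proves nothing. Whether 198.51.100.44 has any business sending for whitehouse.example is a separate question that needs a published policy (SPF, DKIM) or reputation data, not the headers alone.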