Look, I am not a security expert so please correct me if I am wrong about any of this:
Every time PGP for the masses is suggested as a solution it gets dismissed as being too complex or difficult to wrap your head around, but all these scams would not work in a world where authors and publishers only trust signed e-mails.
In my mother’s case I am sure PGP is too complex, but shouldn’t we demand it in a professional context?
Whenever some company gets socially engineered through e-mail the response is “we were targeted by a super tailored phishing attack, bla bla” as an excuse for digital negligence which not using digital signatures for e-mails basically is.
Or are there things I am overlooking?
No, that's not why it's dismissed. Security experts don't advocate for PGP for two reasons:
1. It requires constant vigilance. If humans en masse were capable of constant vigilance in a security context, we wouldn't really have a problem with phishing in the first place.
2. PGP uses relatively old cryptography which is easily misimplemented and doesn't feature forward secrecy. So again to maximize security you have to rely on your users doing something manual: in this case, generating and sharing new keys at some interval, which then need to be verified on the other end etc.
Speaking to the more general point on phishing: people on HN are usually very overconfident in their ability to spot phishing emails. It's easy to spot simple ones reliably. It's fairly easy to spot pretty good ones when you're expecting it. It's functionally impossible to consistently spot very good phishing emails. I say this as someone who has run simulated phishing email campaigns on software engineers in a large tech company. Even many security engineers would get caught out by the best phishing emails, and what's worse: the set of engineers who would be fooled would change depending on the day you ran it.
Humans are fallible. Attackers do not need to compromise most people in your org. They need just one person with privileged credentials to have an off day and not run through an unrealistic checklist, in an organization with hundreds to tens of thousands of people. The best phishing emails will combine excellent social engineering with a legitimate technical break that privileges them to send email on behalf of a domain. You will not spot this reliably, no matter how technically savvy you are. It will pass the technical checks you have.
The best approach to mitigating phishing campaigns is endpoint security. You should obviate the need for employees to even use passwords in a corporate context, and you should use authentication systems which aren't phishable.
This is the real problem that techies tend to ignore. You can have the most technologically secure communication platform in the world, but it all falls apart the second someone circumvents it. Phishing attacks are usually engineered to convince people to circumvent security protocols.
For example, a phishing e-mail might claim to be the person's boss, claim that the boss lost their phone, and ask someone to send the documents via e-mail "just this once" to close an urgent deal until the boss can get back to the office and work with I.T. to fix their phone. Underlings don't want to get fired for ruining the deal by ignoring direct orders, so they send the documents over.
Past a certain point, increasingly sophisticated security measures begin to increase the chances that someone will choose to circumvent the security protocols. At the extremes, people become so accustomed to the idea that the security protocols are too slow, complex, and failure-prone that circumventing them becomes a weekly or monthly occurrence just to get their jobs done on time. Once you reach this point, it's easier than ever for phishing attacks to convince people to do bad things.
If you try to force everyone to use PGP all the time, you're going to end up with a lot of employees communicating on unofficial channels simply because they want to get their jobs done and move on with life.
I would like to add that it's easy to be overconfident when running simulated phishing attacks too. At one place, reporting an email as suspicious would trigger a scan of the email which crawled every link, including the /phished/<my-unique-guid> links. The people with the worst scores were precisely those who followed corporate policy to the letter and reported every suspicious email. It took about one cycle of that nonsense before everyone had email rules deleting the simulated phishing emails.
What are best practices or products for this?
2. Access control policies which minimize privileges to only those which are needed.
3. Put everything behind corporate SSO instead of per-account passwords and login pages.
4. An authenticating proxy that enforces policies on each individual machine using something like webauthn.
The first recommendation limits the extent to which accounts can be compromised if users mistakenly enter their passwords. The second limits the damage which can be done when accounts are compromised. The third limits the general attack surface of passwords entirely, as does the fourth. In particular: the fourth also allows you to remove your corporate VPN while leveraging SSO. It also makes it easier to enforce the granular access control policies.
These things can be a heavy upfront technical investment, but there are off the shelf solutions and products for each of them. They're also easier than trying to train humans to be superhuman.
Professional context is tons of people like your mother.
But also, PGP web of trust would break in larger adoption.
Agree with you. My guess is very quickly people would start to ultimately trust all their friends and colleagues. There would be phishing bots to convince you to trust other bots and fake profiles, etc.
Enigmail or average joe PGP integration does help, but your phisher won't use PGP. What helps is proper corporate culture. No html, no pdf, no office docs over email. Best, no email at all.
I am still sour that KeyBase got sold off; I was hoping they would add an email client and we could all get @keybase email addresses and they would charge for the service finally. I would easily have given them $15 a month for a small family plan (for me and my wife) just because KeyBase is beautifully done. It could probably be fine-tuned, but it was great.
Edit:
Please, if someone from KeyBase ever reads this, make your efforts open, some sort of open source foundation that fully owns the rights to KeyBase and is allowed to later on go commercial. It's a damn shame a decent tech is going to just perish. Do not open source it when it is far too late! All your users who know you've sold off the project have no strong confidence in it anymore.
Not sure if you can self-serve.
The problem for most users is that they won't recognise people's email addresses as signal - it's just noise to them. They don't know how to parse a domain backwards from TLD/ccTLD to determine where it goes, and even if they did, homographs and other international characters can fool them fairly easily.
Maybe the solution is something like SSH with trust on first use? Where users get alerted to a new display name and are asked to approve it the first time they send an email. Then a bundle of sender email, DKIM/DMARC/SPF success is stored locally, and future emails need to match that, otherwise the user will be warned this might not be the right user.
It seems without cryptographic identities (vouched for through PKI, a la S/MIME) that this is a hard problem to solve when you take into account the human factors and how much the existing solutions rely on the user.
However, the email addresses/domains were very carefully chosen, as was the text of the emails.
It's pretty clear that whoever is involved either knows most of these people or had extended access to their emails.
You should read the article.
HTTPS has been successful in being both highly secure and requiring no real attention (or technical knowledge) from the average user. Could this not be done with email too? Isn't this a job for the IT department rather than for the user themselves?
It doesn’t solve this problem, in the same way that Amazon using HTTPS doesn’t stop people visiting non-Amazon phishing websites.
The From header should be much more prominent too.
For example, perhaps a user should be presented with the email address in large text and explicitly asked to “trust” it before viewing emails for that address (similar to SSH).
People would probably get fatigued of that and click through though, of course (similar to SSH... although it’s much easier to quickly check whether an email address is as expected compared to a SSH fingerprint).
Have humans ever had a truly secure medium for communication? As long as we're communicating, there's always a chance our communications can be intercepted in some way by a third party. Whether in the physical world or digital world.
>Or are there things I am overlooking?
The human factor. You can have all the security in the world, all it takes is for one person to slip up once. Maybe the person answering the email was in a rush? Maybe they were tired and didn't really pay attention? Maybe someone was talking to them while they read the email and they were distracted and didn't notice it seemed shady?
Signing emails isn't the problem. Establishing identity is the problem.
Where I worked, there were a lot of phishing scams going out. Initially, they spoofed our email address, and DMARC helped stop that; but people would still respond to scams coming from webmaster@johnshouseofcontracting.example.org or whatever (lots of random website email forms turned into open relays). If you're getting emails from publishing@randonnhouse or wi1ey or whatever lookalike domains, it's going to be hard to tell, and verifying it came from someone authorized by the domain owner doesn't help.
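A receiving-side screen for the lookalike problem this comment describes, written as an added example (mine, not code from any commenter): a sender domain is compared with the short list of houses a mailbox actually corresponds with, after folding the usual digit, "rn"/"m", repeated-letter and homograph tricks. The trusted domain list, confusable table and sample domains are constructed values.

```python
import re
import unicodedata

# Constructed list of the houses this mailbox actually corresponds with (assumed values).
TRUSTED_DOMAINS = {"randomhouse.example", "wiley.example", "google.example"}

# Substitutions that survive a quick glance: digits for letters, "rn" for "m",
# and a few Cyrillic letters that render identically to Latin ones (homographs).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def skeleton(domain: str) -> str:
    """Reduce a domain to a comparable form: decode punycode, strip accents,
    fold confusable characters, then collapse repeated letters ("gooooogle" -> "gogle")."""
    d = domain.lower()
    if "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")  # compare the Unicode form, not the punycode
        except UnicodeError:
            pass
    d = "".join(c for c in unicodedata.normalize("NFKD", d) if not unicodedata.combining(c))
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return re.sub(r"(.)\1+", r"\1", d)

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; skeletons are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(sender_domain: str):
    """("trusted", domain) on an exact match; ("lookalike", trusted_domain) when the
    skeleton is within one edit of a trusted domain's skeleton; otherwise ("unknown", None)."""
    d = sender_domain.lower()
    if d in TRUSTED_DOMAINS:
        return ("trusted", d)
    s = skeleton(d)
    nearest = min(TRUSTED_DOMAINS, key=lambda t: levenshtein(s, skeleton(t)))
    if levenshtein(s, skeleton(nearest)) <= 1:
        return ("lookalike", nearest)
    return ("unknown", None)
```

"unknown" is the honest answer for a domain like the contracting firm above: it is not a lookalike, just a stranger, which is exactly what this classifier cannot decide on its own.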
I agree that it's a no brainer in a professional context, however I can see there being a ton of value in having a simple / cross-platform / cross-medium personal signing mechanism as well. It's something that we could have used yesterday.
Minor nitpick: signing is something different from encrypting, and in itself would not protect against eavesdropping.
Prosecuting the people that do this is also a way of helping with the problem, acting like a coward and paying extortion money only makes you an easier target
It would be like https: worthless because of Let's Encrypt
The reason why people hate on LetsEncrypt somewhat, is that these scammers can create a TLS certificate immediately and for free for their new phishing domain (e.g. gooooogle.com). It would have otherwise been a small financial barrier for scammers to get this setup, and some of these scammers operate on volume (trying many different domains, getting only a few victims). I think LetsEncrypt does a great job, yes there is a small price to pay to allow the rest of the internet to have secure http traffic (https).
I think the real issue is of user experience. There is no easy way to check who your emails came from except from checking the from: field in the email. Reading these emails is boring and tiring. I think if email clients warned users to validate sender email addresses when receiving emails for the first time, it would make it safer. Therefore, bob@goooogle.com will show up for validation again, and the user has to read and validate it.
Effectively, I suggest using "whitelists" instead of "blacklists". If I had a startup, I would think deeply about not providing emails to my employees. That's how bad I think it is. But then again, to communicate with other companies, it's either email or LinkedIn...
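The trust-on-first-use scheme from the SSH comparison earlier in the thread and the first-contact validation suggested in this comment, combined into one added example (not code from any commenter): the first message from a display name pins its address and SPF/DKIM/DMARC results, and later mail is flagged when the address changes or a check that used to pass no longer does. The three messages are constructed, and the check assumes the `Authentication-Results` header was stamped by the receiver's own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). The Authentication-Results header is assumed to
# come from our own receiving MTA; inbound copies of that header must be stripped before this.
MSG_FIRST = """From: "Jane Editor" <jane@wiley.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=wiley.example; dkim=pass header.d=wiley.example; dmarc=pass header.from=wiley.example
Subject: Draft chapters

Please send the manuscript.
"""
# Same display name from a free webmail account: the "boss lost their phone" pattern.
MSG_NEW_ADDR = """From: "Jane Editor" <jane.editor@webmail.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=webmail.example; dkim=pass header.d=webmail.example; dmarc=pass header.from=webmail.example
Subject: Re: Draft chapters

Lost my phone, can you just send the file here?
"""
# Same address as the first message, but the domain's checks fail: a forged From header.
MSG_SPOOFED = """From: "Jane Editor" <jane@wiley.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=wiley.example; dkim=none; dmarc=fail header.from=wiley.example
Subject: Re: Draft chapters

Resend the attachment please.
"""
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def fingerprint(raw: str):
    """(normalised display name, address, {mechanism: result}) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    auth = {m.lower(): r.lower() for m, r in AUTH_RE.findall(msg.get("Authentication-Results", ""))}
    return " ".join(name.lower().split()), addr.lower(), auth

def check_sender(raw: str, pins: dict) -> str:
    """Trust on first use keyed on display name: the first sighting pins the address and the
    SPF/DKIM/DMARC results (and should prompt the user); later mail must carry the same
    address and must not lose a check that passed before."""
    name, addr, auth = fingerprint(raw)
    if name not in pins:
        pins[name] = {"addr": addr, "auth": auth}
        return "new-sender"          # UI: show the address in large text and ask the user to confirm it
    pinned = pins[name]
    if addr != pinned["addr"]:
        return "address-mismatch"    # same name, different mailbox: the lookalike or webmail case
    for mech, result in pinned["auth"].items():
        if result == "pass" and auth.get(mech) != "pass":
            return "auth-downgrade"  # address matches, but the domain no longer vouches for it
    return "ok"
```

A phisher who varies the display name only lands back at "new-sender", which is the point: the prompt puts the unfamiliar address in front of the user instead of letting the name alone carry the trust.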
1. Let's Encrypt isn't useless
because
2. With certificates you can be sure the message you received is from the certificate owner. This applies to websites and emails.
Can you please elaborate why LE.org makes https worthless? I don’t want to make improper assumptions as to your meaning
How is it acceptable that my email to Bob Smith can travel across the internet unencrypted with my and his name plastered on the top? That's a privacy problem!
The EU regulators should fine anyone who sends an unencrypted email within the EU... Start with big mail providers to get change in motion.
Setting up PGP is annoying and also requires recipients to have it. Emails are clearly not private. Whatsapp, Messenger, Signal and Telegram are a bit personal (most require a phone number, and companies don't provide phone numbers to all people). SMS/ phones are also not secure. LinkedIn premium is expensive monthly and doesn't provide a good messaging UI.
Oh, the reason why I ask B2B specifically is because consumer products can communicate through their platforms where users already have accounts. They're either enmeshed in platforms or have their own platforms.
Phone calls are secure enough for most purposes. At the upper levels of business, e-mail is used for quick notes and corrections, but the heavy lifting is going to happen in phone calls and other real-time communications.
Techies sometimes put too much emphasis on things like cryptographic security of the communication channel or strength of encryption, when in reality it doesn't matter for phishing attacks like these. You could go to great lengths to get your customers set up on Signal or Telegram, but it doesn't matter the second they get an e-mail phishing attack that says "Hey, I got a new phone, locked out of my account, can you just attach the document here?"
- Matt Levine https://www.bloomberg.com/opinion/articles/2020-01-14/blackr...
So the answer seems to be normal communication tools and methods plus lots of trust and prayers.
Secondly, banks have unbelievably onerous KYC processes, and he would not have been able to trade with any counterparty that hadn't been through that (there'd be no legal master agreement, no collateral support or margin agreement, no payment authorisation, no way to even book the trade in the banks' systems).
So that anecdote is just... bullshit.
(Source: used to be a swap trader at a big bank)
But suddenly they insisted I install a stupid chat client that wants to update every other day, and run on startup. I've stopped using it.
The only possible nefarious scenario I can figure out is: phisher is connected to a more dodgy publishing outfit -- either piracy sites that offer access to PDFs of books for a monthly subscription, or (much less likely) a not-very-scrupulous publisher in a foreign language territory who would like to publish a translation without paying royalties and before their Anglophone population get access to the official ebook (this is a thing, it cannibalizes translation sales in markets with a big English-literate population).
(Ebook piracy sites are a pain in the ass: I've seen novels that I've written advertised for download before publication date, presumably because somebody leaked an early review copy, complete with pre-edit typos.)
I could imagine one, or a small group of, obsessive book collector(s) trying to collect obscure literary content within a narrow focus or genre, but I have trouble believing they'd put so much effort into acquiring drafts by a seemingly random assortment of authors.
I'm partial to your nefarious scenario.
Or here's another one: GPT-4 has escaped the lab and is collecting more material to learn from in its quest to be the world's best predictor of human narratives.
There's a few GPT-2s running around.
The scheme is a little less sophisticated, but the themes are the same. The phisher knows the parties involved and their relationships, they know the lingo and the process of commissioning a composition, it isn’t limited to famous/well known people/groups (e.g. they target grad students), and it’s very unclear what they’re attempting to achieve (or how they might monetize it).
I asked a friend to send me one of the emails so I could look at the headers. All I could get was that it appeared to be sent from an Italian-language webmail setup, no other clues I could find.
My best guess is it's just bored people with private collections, similar to how people were privately collecting and trading pictures off celebrities' iClouds (before they were all leaked publicly).
On its own it's a silly little thing, but confidence scams are all about lots of little things which add up to a greater whole. I think it could help those who embrace it.
I remember working at a company where someone in finance gave away a large 5 figure sum to an unknown bank account, because a Hotmail address set up with the MD's name, who was on holiday at the time, asked them to do so. They were lucky that their bank agreed to cancel the payment an hour after they made it. This could have helped.
Another one being that they are doing it to obtain blackmailing material. Maybe they are hoping that there are things in some of the drafts that could be used to blackmail the author (e.g. in some cases there could be things that might be considered to be racist/sexist/similar, but would normally be caught by the editor).
The answer to your second question of course depends on your own idea of what constitutes "bad news"; but I think it's not hard to imagine why some people might not consider it a good thing when folks are getting duped into revealing information outside its intended audience.
It's curious that I can't resist writing this when you likely already knew and ignored it when you wrote your comment.
If I had to guess they sat down to write their novel and this is the ultimate act of procrastination.
The effort and resources they put into this scam don't justify the cost of piracy. Besides, why would they want a draft that isn't finished yet?
There's only a handful of authors whose upcoming book is so valuable and worth leaking.
> tricking writers, editors, agents and anyone in their orbit into sharing unpublished book manuscripts
This is "copying without permission," "illegal access," or simply "phishing" which everybody in 2021 understands.
The sexy but ambiguous "steal" doesn't make clear whether the author still had access to the manuscripts.