Great post. The problem with GPG/PGP is, of course, that few of my email contacts use it.
posted by runcifex at 8:22 AM on December 6, 2017 [3 favorites]

I remember when computers were fun
posted by thelonius at 8:42 AM on December 6, 2017 [25 favorites]

Really wish they had gone into more detail about the MTA (email server) side of things, as that is where the mitigation really needs to happen. "Fixing" the MUAs (email clients) doesn't stop the propagation of this forged mail, it just alerts the end user to it.
posted by namewithoutwords at 8:43 AM on December 6, 2017 [6 favorites]

I disagree with the folks at Mozilla and Opera. In the end, this is an MUA vulnerability - mail clients that are only displaying part of what we call the "friendly From address". There's not really a server-side vulnerability here. The authentication methods are validating correctly against what they're presented, and it's not THEIR fault that what the MUA is showing the end user is not the same as what they've validated. Mail servers should *not* be sanitizing data headers.

That said, I think various anti-spam vendors should probably be looking at whether their product allows these things to pass and, if so, if they should be blocking them.
posted by hanov3r at 8:57 AM on December 6, 2017 [6 favorites]

I remember when computers were fun

I hate to tell you this, but email has always been a gaping security hole, and for teenage "hackers," spoofing emails and trying to prank your friends was Internet Mischief 101. Because the core email protocols do not have any mechanism for authentication, it is common for spam and phishing emails to use such spoofing to mislead the recipient about the origin of the message.
posted by filthy light thief at 8:59 AM on December 6, 2017 [7 favorites]

Vulnerabilities: Thunderbird ≤ 52.5.0

(checks mail client)... Thunderbird 58.0b1

OK then. My decade-long refusal to use Mail.app on the desktop has paid off

Now to wait for the inevitable freak out from our IT folks, who have forced us all to endure the hell that is Outlook at work
posted by caution live frogs at 9:10 AM on December 6, 2017 [1 favorite]

Seriously though I keep wondering (as my spam folder fills daily, thanks to the FUCKING IDIOT MORON who keeps using my email address when signing up for porn sites and the like - the hazards of being an early Gmail adopter!) what exactly it will take for email to start using some end to end authentication, by default.

What we lose in anonymity we gain in spam and fraud reduction.
posted by caution live frogs at 9:12 AM on December 6, 2017

Email will continue to play a role for decades but you can reduce the usage drastically as better alternatives to stay in touch exist.

Citation needed.
posted by Chrysostom at 9:12 AM on December 6, 2017 [8 favorites]

I agree this attack seems to be more of a mail client problem than a mail server problem. The mail servers ARE questioning whether I'm actually jsmith@gmail.com.

But then the email client is being a bit too trusting with how to display my "From" name which I've told it is spelled John "ERASE EVERYTHING OUTSIDE THESE QUOTES AND PUT POTUS@WHITEHOUSE.GOV INSTEAD" Smith.
posted by justkevin at 9:31 AM on December 6, 2017 [3 favorites]

> Vulnerabilities: Thunderbird ≤ 52.5.0
(checks mail client)... Thunderbird 58.0b1
OK then. My decade-long refusal to use Mail.app on the desktop has paid off

Chances are they didn't actually test versions > 52.5.0 since that's the latest official stable release.
posted by farlukar at 9:40 AM on December 6, 2017 [1 favorite]

email has always been a gaping security hole

Oh, I know. Problems with sendmail were notorius. I incline to the view of an article I saw once: security just wasn't a concern for the authors of a lot of early infrastructure code. The only people they thought would use it were trustworthy - academics, government researchers.

And your Monty-Python-quoting nerd buds owning you was fun, compared to getting phished or whatever.
posted by thelonius at 9:41 AM on December 6, 2017 [3 favorites]

I am well aware of the flaws inherent in email, but...I kind of wish they hadn't put this tool out there? Because I think of thelonious's statement more like this:

I remember when computers were fun used responsibly

Like your friends might goof on you a bit, but there were no commonly-available tools to attack entire domains at once in order to steal everyone's money and lock up their files and ruin their credit. *sigh* Now I am teh old, I guess.
posted by wenestvedt at 9:45 AM on December 6, 2017 [2 favorites]

If the government and media companies had spent a tenth of the resources that they waste on "digital piracy" on trying to end spam and fraud emails, we wouldn't be in this position. The exploits might still be there, but if email fraud were treated like paper mail fraud - with prison sentences attached if you're found to actually cause harm - there'd be a lot less activity to work as a smokescreen to hide behind.
posted by ErisLordFreedom at 9:46 AM on December 6, 2017 [3 favorites]

The problem with GPG/PGP is, of course, that few of my email contacts use it.

I believe the problem with GPG/PGP is that even security pros are unable to use them easily or with any degree of confidence that they're not going to make a catastrophic mistake either now or at some point in the future.
posted by wotsac at 9:48 AM on December 6, 2017 [3 favorites]

farlukar: "

> Vulnerabilities: Thunderbird ≤ 52.5.0
(checks mail client)... Thunderbird 58.0b1
OK then. My decade-long refusal to use Mail.app on the desktop has paid off

Chances are they didn't actually test versions > 52.5.0 since that's the latest official stable release."

I tested it. And guess what - you're exactly right. I have an email sent to me from Mailsploit, that looks for all intents and purposes as if it came from my work address.
posted by caution live frogs at 9:52 AM on December 6, 2017 [3 favorites]

hades, there's at least one authentication method that's *supposed* to allow you to trust the From: header, to some extent, while simultaneously giving the purported sender a way to say "here's what to do with mail that's supposedly from me that doesn't authenticate in some way". DMARC (mentioned above) ties the From: header to the envelope data, which can be authenticated via SPF or DKIM.

Mailsploit circumvents that by using a domain the attacker controls (for which they can provide SPF, DKIM, and DMARC data) and then not displaying that domain to the recipient.
posted by hanov3r at 9:54 AM on December 6, 2017 [2 favorites]

However. When faced with a questionable email, I almost always check the source. In this case, it says:
From: "=?utf-8?(this is the UTF encoded faked email address)="
<=?utf-8?(this is the UTF encoded faked email address again)=@mailsploit.com>

There are vanishingly few large-scale desktop email applications that let you easily check the full message source code. Sure with work I can view headers, but having access to the source at a keystroke is something I really do rely on to verify some of these things.
posted by caution live frogs at 9:57 AM on December 6, 2017 [3 favorites]

wenestvedt: Like your friends might goof on you a bit, but there were no commonly-available tools to attack entire domains at once in order to steal everyone's money and lock up their files and ruin their credit. *sigh* Now I am teh old, I guess.

The way I read the timeline --

* Haddouche tested the vulnerabilities in the past months/maybe years, confirmed the combined exploits and then alerted email providers/software vendors about a month back, giving them time to reply,
* released this "demo" tool online now, being able to note who said what about their platform/software

-- implies to me that he's operating with the idea that this information is now to inform the public and make them more wary, either moving to a secure platform, using encryption with their emails, or at least being aware of that this sort of threat exists and that service providers may not be doing all they can/should, so you can leave one company for another.

Also, there are other tools already "in the wild" that allow more tech savvy people to do all this, he's just packaged it as an information tool. Will this be misused? Yes, but it seems he made the decision to offer information now (and get a good bit of internet coverage from it), rather than wait for all service providers/vendors to patch their software and inform their customers, because in the mean time, more nefarious folks may discover and chain these vulnerabilities on their own, with much less publicity.


thelonius: And your Monty-Python-quoting nerd buds owning you was fun, compared to getting phished or whatever.

hades: So... those of us who never knew that we were supposed to be able to trust the "From:" header as reported by our mail client, we're still good? *checks exploit details* Yeah, we're still good. All this means is that vulnerable systems behave the way I assumed all email systems still worked, because that's how they did all work for a long time.

We can't roll back the clock, so might as well bring the masses up instead of shutting the internet down, right? That's how I see all this. I also long for the geekier, more trust-worthy past*, but I also see the huge benefit of internet for all. I just wish "technical literacy" was taught from elementary school on, at least to help inform everyone about 1) what they're using in the most basic of terms, and 2) help them be safer for themselves and those around them. Like driver's ed, but start earlier and get a bit more in-depth, given how much more nuanced "technology" is than "motor vehicles on the roads."

* Trolls, assholes, and griefers have also been online since the beginning, so maybe this dream of "the nice, geeky 'net" is looking back through rose-tinted VR goggles. Meet the Internet’s earliest cat lovers — and the trolls who terrorized them -- alt.cats was invaded by alt.tasteless assholes in 1993.
posted by filthy light thief at 10:17 AM on December 6, 2017 [4 favorites]

We're speaking at 34c3 about plan(s) by Riseup, GNUnet, Panoramix, and pEp to build a replacement for email with a messaging system based on mix networking. We only have vaporware at this point, but we'll be talking about all the design constraints, including explaining why the threat model of low-latency systems like Tor does not suffice.

We do not plan to speak about authorization, only the mix networking layer. In fact, we do not all have exactly the same views on the authorization problem anyway, but any scheme that resists traffic analysis necessarily reduces usable bandwidth, so SPAM must be eliminated.

As an example, Pond users can only receive about 288 messages per day since Pond only does network traffic on average every 5 min, so Pond handles anonymous authorization using a group signature scheme. Authorizing strangers like Email requires becomes harder of course, but introductions by mutual contacts helps. We can separately constrain the bandwidth from strangers too.
posted by jeffburdges at 12:09 PM on December 6, 2017 [2 favorites]

So mutt is OK?
posted by Obscure Reference at 5:22 PM on December 6, 2017

Hah! I was having a conversation with a colleague on the arms race that is hacking and identity theft in the near future and what it means to our business. Basically, my postulation of risks cloud computing eventually implies in the land of hacking is not just that your data is available, but more importantly (and scarily) that the algorithms and segmentations a company uses are generally available right along side it. (Here's looking at you Azure and AWS!)

In the old days, fraud detection has been 'wow! somebody spent $$$$ (lots of money) from my account shut it down!' then it translated to 'wow! this purchase habit of $$ isn't my purchase habit shut it down!' I think we're moving towards a great risk of fraud inherently co-opting our models, either altering them, the destination, or modeling our fraud detection and minimizing positive detection (possibly by either driving up false positives or, literally building training data for behavior to beat fraud checks).

The goal of a fraudster then becomes to make money off of grey transactions at the small scale or to hold hostage a compromised company dataset by flooding distrust between companies and their clients at the larger scale...
posted by Nanukthedog at 10:26 PM on December 6, 2017 [2 favorites]

Interesting and funny but only tangentially related security news from today:

CitizenLab: Ethiopian Dissidents Targeted with New Commercial Spyware

"LOL. Targeting a Citizen Lab researcher is one of the dumbest things you can possibly do with your nation state malware"

Wired: Evidence That Ethiopia Is Spying on Journalists Shows Commercial Spyware Is Out of Control
posted by jeffburdges at 10:28 PM on December 6, 2017

as my spam folder fills daily, thanks to the FUCKING IDIOT MORON who keeps using my email address when signing up for porn sites and the like

oops. Sorry.
posted by petebest at 3:17 AM on December 7, 2017 [1 favorite]

as my spam folder fills daily, thanks to the FUCKING IDIOT MORON who keeps using my email address when signing up for porn sites and the like

Hey, don't be so hard on yourself.
posted by axiom at 7:13 PM on December 7, 2017 [2 favorites]

(I'm Dan Kaminsky, quoted in this article.)

Because the core email protocols do not have any mechanism for authentication, it is common for spam and phishing emails to use such spoofing to mislead the recipient about the origin of the message.

Yes, it's a very good sign of spam. Too much so; dropping to port 25 and tapping out someone's name just doesn't *do* anything anymore. The mail never arrives.

What's cute with this class of attack is you can be completely open and up front about who you are, to the mail server, while declaring a totally different identity to the user. Technically even PGP checks might work, or would if any significant number of people had MUA's with integrated crypto. The letters would absolutely be signed by badguy@badguy.com.

The SPAM fighters could take another crack at this but they didn't really try to deal with any of these attacks in the first place. It was just a convenient signal.

There are vanishingly few large-scale desktop email applications

You can drop that to there are vanishingly few desktop applications. If it wasn't for Electron I think the entire platform would be gone (at least off Mac).

that let you easily check the full message source code. Sure with work I can view headers, but having access to the source at a keystroke is something I really do rely on to verify some of these things.

I'm of both minds here. I both know people check the headers way less than they think they do, and also that when we need to check headers, we really, really need to check them.

We need something designed from the ground up to make phishing and spamming difficult (or at least phishing; spamming is probably a lost cause), while still allowing for decentralized operation.

We've only barely kept email a viable channel, and what we've done there is basically creating email cartels. I looks like you don't need *much* decentralization to avoid the centralization traps. More than 1 or 2. Less than 10.

7+-2 in all things.
posted by effugas at 9:34 AM on December 8, 2017 [2 favorites]

→ I have an email sent to me from Mailsploit, that looks for all intents and purposes as if it came from my work address.

I use Thunderbird, and I just tried all of Mailspoit's options. While nearly all of them showed the pretend address as the sender, dkim_verifier showed the tell-tale DKIM: Valid (Signed by mailsploit.com) for all of them. It's still a bloody awful weakness despite this.
posted by scruss at 9:53 AM on December 8, 2017 [1 favorite]