An amazing story of failed email security in the UK, not sure if it’s funny or tragic. We are sure it’s another example of failed email security and how Microsoft, among many, could prevent it.
A prisoner managed to get a smartphone into his cell. He then created a fake domain, similar to the UK court system then sent an email to the prison that appeared to come from that office. The fake email told the jail that he was to be released … which the prison promptly did! It was only days later, when the escapee’s own lawyer arrived that the prison realized they had been duped.
How did he do it? No details have been publicized but we can guess because it’s too simple to be any secret.
First, register a domain name that’s similar to the one you want to spoof. If the target is, say, Microsoft.com you can register the name Microsaft.com Micrasoft.com or Microsoft.net that’s looks correct at first glance. Most people don’t carefully look at email addresses, just the name.
Once you have the domain name, then you can send messages appears to come from that domain.
Strictly speaking you don’t need to register the domain since emails can be faked appearing to come from any address. With control of the domain, you can add some email authentication like SPF which is supposed to verify that the sender is authorized for a certain domain name. In this case, the domain registration had the address of the Royal Courts of Justice.
It’s amazing that the UK authorities don’t have a more secure system for managing prisoners. That a single email could release someone from gaol is something that the British Civil Service is now investigating.
At this point we (ahem) have to mention Privacy and Security in Microsoft Office which has step-by-step help with securing your emails from hacking and spoofing.
Blame Microsoft … a bit
Mostly likely they use Outlook and Exchange Server so they have the tools necessary to make this kind of trick impossible. They should be using both Digital Signatures and Encryption to identify their emails and make them unreadable by outsiders.
Those tools are supplied by Microsoft but, as we’ve mentioned before, they are complicated to setup and difficult to use. Microsoft could put effort into making signing messages and encryption a lot more accessible – but they have consistently ignored calls to do so.
Microsoft’s view is that they’ve provided the basic tools and it’s up to the customer. We think that’s a lame excuse. The signing and encryption provided in Outlook are more like Rube Goldberg/Heath Robinson machines than proper solutions.
Ideally, the messages are encrypted. That confirms the identity of the sender as well as making the message unreadable to anyone without the digital signatures.
Corporate users have the combined voice and money to make Microsoft lift their game. Those large buyers of Office need to start telling Microsoft to make secure email a lot more easy to use and administer.
This article is an example of Office Watch occasional global spelling conundrum. Jail or Gaol? We tossed a coin, it landed on its side, so we used spellings from both sides of the Atlantic.
