Go Phish

Why email is so laughably insecure right now.

Even the White House’s unclassified computer system is susceptible to phishing.

Perhaps the most surprising thing about this week’s reports of Russian hackers infiltrating an unclassified White House computer system is that for all their efforts the hackers appear to have been unable to retrieve anything more interesting than the unclassified details of the president’s schedule. That is probably due in no small part to the White House’s refreshingly realistic security strategy, as articulated by deputy national security adviser Ben Rhodes in an interview with CNN: “You have to act as if information could be compromised if it’s not on the classified system.”

If the end result of the breach was unexpected, its early stages were anything but—the incident apparently started with a phishing email. So did the ransomware infection at the Tewksbury Police Department earlier this week, which led to the officers paying a $500 ransom (in bitcoin, naturally) to decrypt their data. And that’s just this week—the high-profile examples of security incidents that are launched by phishing emails go back years and include the 2012 breach of the South Carolina Department of Revenue and the espionage efforts of China’s People’s Liberation Army Unit 61398, which were reported in 2013 by security firm Mandiant. Even last year’s Sony breach appears to have been initiated using spear-phishing emails.

Phishing emails appear to come from someone you know, trust, or would want to hear from but are, in fact, sent by someone else entirely (for instance, Russian hackers) to trick you into downloading malware or sharing login credentials or other sensitive information. Phishers can cast a broad net (“Dear Sir, I am a Nigerian prince please send me the details of your bank account …”) or a slightly smaller, more targeted one tailored to a particular organization or group of people (“Dear MIT user, your email is full, please click here to increase your quota …”). They can “spear phish” by sending even more targeted messages directed at particular individuals (“Dear Josephine, please complete the attached form prior to your dissertation defense …”). In general, the more targeted the message—and the falsified sender information—the more likely we are to fall for it. (I’ve never fallen for messages of the first two varieties, but you could fool me in a heartbeat with the third—and no, that’s not an invitation.)

When you scan the cybersecurity headlines, it quickly starts to seem like email is almost always the way in to a protected system—is there any other Internet application so consistently exploited in so many different types of security breaches? The only thing surprising about a successful phishing attack at the White House is that it doesn’t happen more frequently.

In its 2013 Data Breach Investigations Report, Verizon found that phishing was used in 95 percent of state-affiliated espionage incidents. In the 2014 version of that same report, the exasperated authors write:

[W]hile the array of tools [used for cyberespionage] is diverse, the basic methods of gaining access to a victim’s environment are not. The most prolific is the old faithful: spear phishing. We (and others) have covered this ad nauseam in prior reports, but for both of you who have somehow missed it, here goes: A well-crafted and personally/professionally-relevant email is sent to a targeted user(s), prompting them to open an attachment or click a link within the message. Inevitably, they take the bait, at which point malware installs on the system, a backdoor or command channel opens, and the attacker begins a chain of actions moving toward their objective.

It’s no wonder they sound a little weary of the topic: We’ve been using email for decades now. How can we still be so bad at it?

Part of the security problem is that, well, email is getting old. The first ARPANET email was sent in 1971, and the Simple Mail Transfer Protocol standard, which is still widely used today, was originally defined in 1982. And while the stereotype of the older person bumbling with technology isn’t fair, technologies themselves don’t always age well as we find new uses for them. Unlike more recent applications, email was developed in an era before online security was really a concern, when Internet users were so few and so close-knit that impersonation and phishing would have seemed almost impossible to imagine. But over the years, we’ve seen all the things that can go wrong when anyone can spoof an email’s “from” address. People have tried time and again to make email more secure—and made surprisingly little headway.

Email security is challenging for several reasons. For one thing, many of us want to be able to receive emails from total strangers—so unlike applications that limit our communications to the people whom we preapprove or “friend,” email intentionally provides access to the outside world, making it an attractive initial means of contact for spies and thieves. Also unlike many of the other online applications we use, email is federated—there’s no single company with centralized control over or visibility into all of the different users and accounts. That makes it hard for any individual actor to strengthen email security unilaterally.

Traditional models for email security tend to rely on digital signatures, a public-key cryptographic mechanism that lets individual users prove to their recipients that a message really came from them and was not altered along the way. To be clear, I’m not talking about the email signatures that appear automatically at the end of people’s messages featuring inspirational quotations or long lists of distinguished titles. (Those serve no earthly purpose, security or otherwise.) I’m talking about the kind of digital signature in which you use your private key, which only you hold, to “sign” a message so that recipients of the message can verify you really sent it, using your public key, which anyone may have.

This is helpful because, remember, that “from” address is all but meaningless if someone is trying to fool you. But this system only works if we all get keys and use them to sign our emails, if the people we send those emails to bother to verify those signatures, and if those people have some trustworthy way of learning which public key is really ours in the first place, since a signature that checks out against an attacker’s key proves nothing. Most of us do none of this. (The inspirational quotation signatures, on the other hand, we’ve been all too eager to adopt.)
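To make concrete what signing and verifying actually involve, here is an added example (mine, not the article’s, and not any mail product’s code) in Go using the Ed25519 signature scheme from the standard library. The message format, the addresses, and the names Sign, Verify and Demo are assumptions for this example; real email signing uses S/MIME or OpenPGP with their own canonical forms. It plays out the cases the article describes: a genuine message, the same message after a relay rewrote it, a spoofed “from” address signed with the attacker’s own key, and a genuine signature reattached to a changed body.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// SignedMail is a deliberately minimal message format (an assumption for this
// example, not a real standard): the signature covers From, Subject and Body
// together, so none of them can be altered without invalidating it.
type SignedMail struct {
	From, Subject, Body string
	Signature           string // base64 Ed25519 signature over canonical(...)
}

// canonical normalises the signed fields so that harmless transport changes
// (address case, CRLF vs LF line endings) do not break verification, while any
// change to the meaning still does.
func canonical(from, subject, body string) []byte {
	return []byte(strings.ToLower(strings.TrimSpace(from)) + "\n" +
		strings.TrimSpace(subject) + "\n" +
		strings.ReplaceAll(body, "\r\n", "\n"))
}

// Sign is what the sender does with the private key only they hold.
func Sign(priv ed25519.PrivateKey, from, subject, body string) SignedMail {
	sig := ed25519.Sign(priv, canonical(from, subject, body))
	return SignedMail{From: from, Subject: subject, Body: body,
		Signature: base64.StdEncoding.EncodeToString(sig)}
}

// Verify is what the recipient does with the sender's public key. It returns
// true only if the signature was made with the matching private key over
// exactly these From/Subject/Body values.
func Verify(pub ed25519.PublicKey, m SignedMail) bool {
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, canonical(m.From, m.Subject, m.Body), sig)
}

// Demo plays out the cases from the text. It assumes the recipient already
// holds the boss's genuine public key; obtaining that key safely is the part
// of the system the article says most people never get around to.
func Demo() (genuine, relayedOK, forgedOK, tamperedOK bool) {
	bossPub, bossPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	orig := Sign(bossPriv, "Boss@Example.com", "Q2 numbers",
		"Please review the attached spreadsheet.\r\n")

	// Same message after a relay lowercased the address and rewrote line endings.
	relayed := orig
	relayed.From = "boss@example.com"
	relayed.Body = strings.ReplaceAll(orig.Body, "\r\n", "\n")

	// Attacker spoofs the From header but can only sign with their own key.
	spoofed := Sign(attackerPriv, "boss@example.com", "Urgent", "Wire $50,000 today.")

	// Attacker reuses the boss's real signature on a different body.
	altered := orig
	altered.Body = "Wire $50,000 today.\r\n"

	return Verify(bossPub, orig), Verify(bossPub, relayed),
		Verify(bossPub, spoofed), Verify(bossPub, altered)
}

func main() {
	g, r, f, t := Demo()
	fmt.Printf("genuine=%v relayed=%v forged=%v tampered=%v\n", g, r, f, t)
}
```

The first two checks pass and the last two fail. Note what the check does not do: it says nothing about whether the public key you hold for “boss@example.com” is really the boss’s, which is exactly why key distribution, not the math, is where signed email stalls.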

As the challenges of changing behavior one email user at a time have become clearer, some email providers have tried to find more centralized ways to tackle phishing that don’t require them to teach their users about digital signatures (or store those users’ encryption keys). For instance, in 2012, Google, Microsoft, and Yahoo announced, under the name DMARC, that they would filter phishing emails that purported to be sent from the domains of companies including PayPal, Facebook, and LinkedIn. Essentially, those senders published in DNS a list of the servers they use to send email (the mechanism standardized as SPF) along with a policy for what to do with everything else, and any message with a “from” address ending in one of those domains (i.e., @paypal.com or @facebook.com or @linkedin.com) that was not sent from one of those pre-approved servers could then be filtered.
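Here is what the receiving side of that server-list check looks like, as an added example in Go (mine, not the article’s and not any provider’s code). The DNS records, domain names and IP addresses are constructed for the example using reserved example ranges; CheckSPF and Filter are names I chose. It implements the SPF evaluation for the ip4, ip6 and all mechanisms only, then applies the DMARC-style rule that the “from” address the user sees must line up with the domain SPF actually vouched for, since an attacker can pass SPF for their own domain while still displaying @paypal.example to the victim.

```go
package main

import (
	"fmt"
	"net"
	"net/mail"
	"strings"
)

// Result is an SPF outcome, using the names RFC 7208 gives them.
type Result string

const (
	Pass      Result = "pass"
	Fail      Result = "fail"
	SoftFail  Result = "softfail"
	Neutral   Result = "neutral"
	None      Result = "none"
	PermError Result = "permerror"
)

// Verdict is what the receiving server does with the message.
type Verdict string

const (
	Deliver         Verdict = "deliver"
	Quarantine      Verdict = "quarantine"
	Reject          Verdict = "reject"
	Unauthenticated Verdict = "deliver-unauthenticated"
)

// spfRecords is constructed sample data standing in for the DNS TXT records a
// real receiver would look up; domains and addresses are reserved example values.
var spfRecords = map[string]string{
	"paypal.example":   "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 -all",
	"linkedin.example": "v=spf1 ip4:198.51.100.5 ~all",
}

// CheckSPF asks whether ip is one of the servers domain has published for itself.
// Only ip4, ip6 and "all" are handled; real SPF also has a, mx, include, redirect
// and a DNS-lookup limit, all omitted here.
func CheckSPF(domain string, ip net.IP) Result {
	record, ok := spfRecords[strings.ToLower(domain)]
	if !ok {
		return None
	}
	terms := strings.Fields(record)
	if len(terms) == 0 || terms[0] != "v=spf1" {
		return None
	}
	for _, term := range terms[1:] {
		qualifier := byte('+')
		if strings.IndexByte("+-~?", term[0]) >= 0 {
			qualifier, term = term[0], term[1:]
		}
		matched := false
		switch {
		case term == "all":
			matched = true
		case strings.HasPrefix(term, "ip4:"), strings.HasPrefix(term, "ip6:"):
			spec := term[4:]
			if !strings.Contains(spec, "/") { // bare address means a single host
				if term[2] == '4' {
					spec += "/32"
				} else {
					spec += "/128"
				}
			}
			_, network, err := net.ParseCIDR(spec)
			if err != nil {
				return PermError
			}
			matched = network.Contains(ip)
		default:
			return PermError // mechanism this example does not implement
		}
		if matched {
			return map[byte]Result{'+': Pass, '-': Fail, '~': SoftFail, '?': Neutral}[qualifier]
		}
	}
	return Neutral // record ran out without a match
}

func domainOf(addr string) (string, error) {
	parsed, err := mail.ParseAddress(addr)
	if err != nil {
		return "", err
	}
	at := strings.LastIndexByte(parsed.Address, '@')
	if at < 0 {
		return "", fmt.Errorf("no domain in %q", addr)
	}
	return strings.ToLower(parsed.Address[at+1:]), nil
}

// Filter is the receiving server's decision. headerFrom is the address the user
// will see, envelopeFrom the SMTP MAIL FROM that SPF is evaluated against, and
// connectingIP the server that handed the message over. Simplified: strict
// domain alignment only, and one fixed policy for every protected domain.
func Filter(headerFrom, envelopeFrom, connectingIP string) (Verdict, Result) {
	hdrDomain, err1 := domainOf(headerFrom)
	envDomain, err2 := domainOf(envelopeFrom)
	ip := net.ParseIP(connectingIP)
	if err1 != nil || err2 != nil || ip == nil {
		return Reject, PermError
	}
	// A domain that publishes nothing gets no protection: this is the stranger
	// the article says can still reach you, just with no proof of who they are.
	if _, protected := spfRecords[hdrDomain]; !protected {
		return Unauthenticated, None
	}
	result := CheckSPF(envDomain, ip)
	if hdrDomain != envDomain { // SPF vouched for some other domain, not the one shown
		return Reject, result
	}
	switch result {
	case Pass:
		return Deliver, result
	case SoftFail, Neutral:
		return Quarantine, result
	default:
		return Reject, result
	}
}

func main() {
	for _, c := range [][3]string{
		{"PayPal <service@paypal.example>", "service@paypal.example", "203.0.113.7"},
		{"PayPal <service@paypal.example>", "service@paypal.example", "192.0.2.44"},
		{"PayPal <service@paypal.example>", "bounce@attacker.example", "192.0.2.44"},
		{"LinkedIn <jobs@linkedin.example>", "jobs@linkedin.example", "192.0.2.44"},
		{"Prince <prince@unprotected.example>", "prince@unprotected.example", "192.0.2.44"},
	} {
		v, r := Filter(c[0], c[1], c[2])
		fmt.Printf("%-38s spf=%-9s verdict=%s\n", c[0], r, v)
	}
}
```

The first message (listed server, aligned domain) is delivered; the second comes from an unlisted server and hits the domain’s “-all”, so it is rejected; the third passes nothing because the envelope domain is not the one on display; the fourth lands in quarantine because linkedin.example chose the softer “~all”; and the stranger with no record is delivered exactly as email always delivered it, with no authentication at all.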

So there’s been some small progress—catching some common phishing templates on popular email platforms—but overall, email has been surprisingly resistant to security interventions, despite its prominent role in launching so many successful security breaches.

These days, when we talk about addressing phishing, we tend to focus on user education and awareness as the solution. With more people turning to popular webmail services like Gmail that don’t support digital signing by default, signatures are rarely even part of the conversation anymore. Even when it comes to the kinds of email that are most often exploited by attackers—messages containing attachments or website links—we’ve been content to live in a world where we know very little about who is sending us emails.

Education and awareness efforts may help people distinguish the less sophisticated and targeted of these phishing messages, but they can’t change the fact that often opening attachments or clicking on links—even those sent from addresses you recognize—is fundamentally an act of faith. Yes, many of us could get better at recognizing the indicators of suspicious emails—but email could also give us some stronger indicators to rely on. Email remains a way that the Internet opens us up to the world with all its dangers, and yes, we have to learn some new kinds of cleverness, but it’s also helpful to have some technical protections.

So if, someday, we really do succeed at teaching everyone how easy it is to impersonate other people using email, perhaps we’ll all finally be ready to acknowledge that some technical interventions are long overdue. Perhaps we’d even be willing to accept stricter authentication requirements for the messages we receive with attachments and links, whether that authentication is enforced via digital signatures or verification of the servers associated with the sending domain. Total strangers and unauthenticated users could still email you, but they’d be restricted to text, and they’d have a much harder time pretending to be your father or boss or buddy at the State Department.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.