[Cryptography] In the latest unexpected ransomware twist ...

Viktor Dukhovni cryptography at dukhovni.org
Thu Jun 10 20:31:09 EDT 2021


On Thu, Jun 10, 2021 at 05:36:22PM -0400, Phillip Hallam-Baker wrote:

> Email is not fit for purpose when a single mouse click can install malware
> that causes the company to collapse.

It isn't email that's the problem, and certainly not lack of sender
authentication.  Social engineering does not rely on impersonating a
known sender precisely enough for authentication to matter.

The real issue is the ease of installation of executables (or documents
with an embedded scripting language) that can perform unrestricted
actions as the user who opened the document.  We need operating systems
where access control is partitioned by application, and (enterprise)
users cannot raise the access level of an application above a rather low
ceiling that mostly just lets the application play in its own sandbox.

Such an OS would be closer to what Apple delivers with iOS than
Microsoft with Windows or RedHat, et al. with Linux, but much more work
is required to make this work at enterprise scale.

Nothing you do with email will change the fact that the same problem
applies to web browsers, chat systems, ... anything where the user can
download a file from an external source.

-- 
    Viktor.
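The message above locates the hazard in "executables (or documents with an embedded scripting language)" that run with the opening user's full rights. As an added example, not part of Viktor's post or of any project he refers to, the following Python triage routine shows one place a defender can enforce that distinction before anything is opened: it classifies a file as "active" (can run code when opened) or "passive" by content signatures, script-type extensions and, for zip-based Office documents, the presence of a VBA part. The file signatures are public ones; the sample files, the policy table and the function names are constructed for this illustration and are assumptions, not anything from the original thread.

```python
"""Triage files by whether opening them can execute code.

Added example illustrating the argument above; not code from the original
mailing-list post. Signature table, extension policy and sample inputs are
constructed for demonstration.
"""
import io
import zipfile

# Well-known leading bytes of native executables and interpreter scripts.
NATIVE_MAGIC = {
    b"MZ": "PE executable (Windows)",
    b"\x7fELF": "ELF executable (Linux)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit executable (big-endian)",
    b"#!": "script with interpreter line",
}

# Extensions the desktop hands to an interpreter or loader when "opened".
# Constructed policy table; an enterprise would tune this list.
SCRIPT_EXTENSIONS = {
    ".exe", ".com", ".scr", ".msi", ".jar", ".bat", ".cmd",
    ".ps1", ".vbs", ".js", ".wsf", ".hta",
}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.xlsm) and plain zip


def classify(filename: str, data: bytes) -> str:
    """Return 'active' if opening the file can run code, else 'passive'."""
    lower = filename.lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""
    if ext in SCRIPT_EXTENSIONS:
        return "active"
    if any(data.startswith(magic) for magic in NATIVE_MAGIC):
        return "active"
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls can carry VBA; without a full OLE parser treat as active.
        return "active"
    if data.startswith(b"%PDF") and b"/JavaScript" in data:
        # PDF is a document format with an embedded scripting language.
        return "active"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "active"  # malformed archive: do not trust it
        if any(n.endswith("vbaproject.bin") for n in names):
            return "active"  # macro-enabled Office document
        if any(n.endswith(tuple(SCRIPT_EXTENSIONS)) for n in names):
            return "active"  # archive wrapping an executable or script
        return "passive"
    return "passive"


def build_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real files or malware samples).
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n",
    "form.pdf": b"%PDF-1.7\n1 0 obj << /S /JavaScript /JS (app.alert(1)) >>\n",
    "notes.txt": b"plain text, nothing to run",
    "invoice.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "setup": b"#!/bin/sh\necho hello\n",
    "budget.docx": build_zip({"word/document.xml": b"<w:document/>"}),
    "budget.docm": build_zip({"word/document.xml": b"<w:document/>",
                              "word/vbaProject.bin": b"\x00\x01"}),
    "archive.zip": build_zip({"readme.txt": b"x", "tool.exe": b"MZ"}),
}


def triage(samples=SAMPLES) -> dict:
    """Classify every sample; returns {filename: 'active' | 'passive'}."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{verdict:8} {name}")
```

The point of the split is the one the post makes: "passive" files can be handed to a viewer confined to its own sandbox, while "active" ones should never inherit the user's full access level, whatever transport delivered them.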

