[Cryptography] In the latest unexpected ransomware twist ...

Jerry Leichter leichter at lrw.com
Fri Jun 11 18:25:28 EDT 2021


> 
>> Email is not fit for purpose when a single mouse click can install malware
>> that causes the company to collapse.
> 
> It isn't email that's the problem, and certainly not lack of sender
> authentication.  Social engineering does not rely on impersonating a
> known sender precisely enough for authentication to matter.
> 
> The real issue is the ease of installation of executables (or documents
> with an embedded scripting language) that can perform unrestricted
> actions as the user who opened the document.  We need operating systems
> where access control is partitioned by application, and (enterprise)
> users cannot raise the access level of an application above a rather low
> ceiling that mostly just lets the application play in its own sandbox....
Many years back, in the heyday of viruses, you'd always get the question "can an email deliver a virus."  And those of us in the know would always answer:  No, email is just text, it can't be executed.

Well ... initially Microsoft, and eventually everyone else, saw that as a bug and fixed it.  Long live executable attachments.  Long live live links in email.  I find it hilarious that companies regularly do training in which they teach their employees not to click on links in email.  Then they turn around and send emails with embedded links.  I've seen email with embedded links to exactly such courses!  Oh, the courses often warn you not to click on links "from senders you don't know," or to open attachments you aren't expecting ... and then the companies promptly send emails with links to outside vendors of some service you never heard of before, or random emails with attachments.

And then of course you get to the browsers themselves.  What can you actually rely on on a web page?  The answer I've gotten from security guys in the past is "only the contents of the address bar."  Except that I'm not sure even that is reliable any more, with various Javascript techniques to make the address bar "more meaningful" in complex scenarios, not to mention browsers suppressing "irrelevant" information there (though I gather Google is backing off on doing this in Chrome after many complaints).

So the answer seems to be that you can't rely on anything presented to you.  This is a really deep problem, because human beings are evolved to judge the trustworthiness of information based on how it looks and feels and who's presenting it.  It's not as if we're perfect at this - but we're pretty good, and after all, what else *can* we rely on?  So the end result is that we've built an entire ecosystem that seems designed to eliminate the filters that have protected us since we evolved.

Now, agreed, better security mechanisms are important.  If the stuff mail vectored off to were unable to do any harm - either because it was written securely, or had a sandbox enforcement on it, or preferably both; and if the programs that read attachments were similarly safe; we'd be in much better shape.  This would *reduce*, but not eliminate, the problems - which could still arise (as we've seen) from bugs (iOS has had an embarrassing number of bugs in which some sequence of characters causes iMessage to lock up the whole iOS device) and from social engineering, which amounts to attacks against the wetware which no sandbox can protect.

It's a really messy and bad situation, with multiple layers of designs that are, when you look closely, actively hostile to attempts to work securely.

Back in prehistory, DEC terminals had a couple of features that allowed you to configure something on the terminal which would later get sent back to the host in certain circumstances:  E.g., a "Who Are You" field, user-defined keys.  These were designed to require an explicit user interaction to allow the change to be made, which could not be overridden by any command.  People would complain about it as it got in the way of some things they wanted to do - e.g., set up the user defined keys for particular programs.  But it was essential for security, as being able to get an arbitrary string sent back to the host at some point in the future is a major security hole.

Yes, we thought about such things in those days.  Today ... we worry about such things after a ransomware attack.  And then we tear our hair about how we can't fix it without breaking compatibility.
                                                        -- Jerry
