Saturday, January 27, 2007

Terrorism + Phishing + MI5

I recently reviewed the online video of Guy Kawasaki’s 2006 youth forum - the one that brought together college kids and… well, people considerably older than college kids.

There were some priceless moments during the Q&A. Several times, the camera caught the kids looking at some of the older audience members like they were looking at aliens from another planet. The expressions on the audience member faces were equally enjoyable to watch, as they tried to figure out the thoughts moving inside the brains of the seven young people lined up in front of them.

One of the most interesting responses to one of Guy’s questions involved the forum’s use of email. Guy asked each of the young panel members how much time they spent on the medium. Not everyone struggled with the answer, but one guy clearly did. In the end, he admitted that he only used email for “formal communications… like applying for a job or something.”

The audience laughed, then fell into an uneasy silence. But the deed was done: at that moment, email’s future was sealed - for me, at least. In the eyes of this young man, email was barely better than a letter with a stamp on it. In his mind, email was suited only for the *most formal* of communications.

Which brings me to the announcement today from the UK: according to the Washington Post, Britain’s second-most secret spy agency, MI5, has announced that it intends to start issuing terrorism alerts on a subscription basis, via email.

Email terrorism alerts from MI5. Upon hearing this, a kind of sad feeling seeped through my body. MI5? Email? Aren’t these guys supposed to be fitting mini-defibulators into the glove compartments of Aston Martins? Aren’t these guys supposed to be twenty/thirty years ahead of us, when it comes to technology?

Who is going to receive these alerts - my 68 year old auntie? Is her perimeter spam filtering appliance set to allow this to come through, or will it delete the alert because there has been too many false positives, or too many hoaxes? How will my auntie know that the alert that tells her to seal up every crack in her house with duct tape is real, or a college prank? Is she at all aware of how incredibly easily email can be faked?

MI5 guys - terrorist activity email alerts are a *really bad idea*. Not only can they be easily faked by every prankster on the planet, they fail every basic test of security and reliability:

1. The originator cannot be authenticated
2. The message content cannot be authenticated
3. The time and size/content length of the alert cannot be trusted
4. The terrorism alert transmission infrastructure relies on power grid and communication grid survival
5. If the terrorist’s intent is to create terror, what if someone combines phishing + the MI5 brand?

Let’s imagine for a moment that all the terrorist wants to do is “create terror” (cheap), rather than “cause actual mayhem” (expensive).

What better medium could they choose than an email branded by MI5? Email is probably the most ubiquitous and trusted communications system on the planet. Most people remain unaware that not only can the sender’s domain be faked, but literally everything within an email can be faked.

Look at the phishing stats - increasing amounts of people are being fooled by logos and real-looking HTML-based emails. And now, in addition to the banks, we have the MI5 brand: By announcing that their brand has “weight”, MI5 has created a potential terrorism problem, not a potential solution.

Falsely creating and/or manipulating content in the name of MI5 is now easily within the reach of terrorists: creating a message designed to induce panic under an MI5 letterhead, creating a fake originating MI5 domain, creating a fake sender, creating an official-sounding message, and pushing “Send” - all of this could take less than five minutes.

Britain’s MI5 should rethink this approach. By giving their endorsement to email alerts, they are creating an uncontrollable opportunity for misuse of email by pranksters - or worse.

No comments: