E-Mail security breaches: A cautionary tale.

This past week, I heard from a business colleague who heads up a firm that operates in the IT sector. It isn’t a large company, but its business is international in scope and its entire employee workforce would certainly be considered tech-savvy.

Nevertheless, the company suffered a serious security breach affecting its e-mail system, and it took nearly one week of investigation, diagnosis and repair to deal with the fallout. Ultimately, the system was secured, with everything restored and running again, but it took much longer than expected.

What had happened was that an unknown attacker obtained the user ID and password for one of the company’s e-mail accounts, and used those credentials to log on to the mail system as the legitimate user. The attacker then changed the contact (display) name on the account to a fake U.S. telephone number – we’ll call it “+1(4XX) 6XX-9XXX” – and launched a program from a host computer (hosted by Microsoft and located in a different country than the affected user) which sent out thousands of e-mails with the subject “Missed call from +1(4XX) 6XX-9XXX” and an attachment that looked like a harmless audio file containing a voicemail message.

This type of phishing attack is well-known, and opening the attachment would be dangerous (no one at the company attempted to do so). The company’s e-mail server eventually blocked the account because it exceeded the maximum outgoing e-mail limit, but strangely enough the administrator was never notified of this fact. The company only discovered the breach after the user called in to complain about receiving thousands of “failed delivery” (bounce) messages. It took the better part of a full business day just to piece together what was going on, and why.

The attacker also installed a rule on the compromised account which moved all incoming e-mail to an obscure folder. The purpose of such a rule is to keep the legitimate user from seeing the bounces, replies and warnings that a mass mailing generates, so the compromise goes unnoticed for longer. The rule was cleverly disguised, making it easy to overlook and hence more time-consuming to find and remove.

This friend advised that there are a number of “lessons learned” from his company’s experience, which businesses of all sizes, everywhere, should consider implementing:

1. Implement security policies requiring strong passwords (long, unique, hard-to-guess ones) and frequent password changes (once every 90 days or more frequently). In the case of this particular company, its password strength policy was up to snuff but it wasn’t enforcing rotation. That changed immediately after the breach. One caveat a security practitioner would add: current guidance (NIST SP 800-63B) recommends against forced periodic rotation unless there is evidence of compromise, because it tends to produce predictable variations of the old password; length, a password that is not reused on other sites, and screening against lists of known-breached passwords do more to keep an attacker from obtaining a valid credential in the first place.

2. Require multi-factor authentication (MFA). This is where a user doesn’t merely enter a password to log on, but also has to enter a one-time code sent via SMS or generated by a smartphone app, approve a prompt on a registered device, or touch a hardware security key. SMS codes are the weakest of these (they can be intercepted or diverted by a SIM swap), but any second factor would very likely have stopped this attacker, who had only a password. It’s inconvenient, but regrettably it’s the world we live in today. In the case of this particular company, it hadn’t been using MFA. They are now.

3. Be vigilant in reminding users NEVER to click on links or file attachments embedded in received e-mails unless they absolutely trust the sender. Some larger companies run “drills” which broadcast fake phishing e-mails to their employees. Those who click are identified and sent to “dum-dum school” for remedial training.

Failing that, companies should adopt a policy that any employee who receives an e-mail that looks like particularly clever or tempting phishing (the “missed call” voicemail lure used here is a good example) reports it to the company immediately for investigation.

4. Discourage users from logging on to their mail accounts from public locations using unencrypted WiFi. It’s easy to sniff WiFi signals, and on an unencrypted network the data goes over the air as plain text that anyone nearby can read. Typically, if the WiFi connection requires a passphrase to be entered in order to connect, then it’s encrypted WiFi (WPA2 or WPA3); a captive-portal web page that asks for a password does not count, since the network underneath is still open. If not … watch out. The more important control, though, is that the mail connection itself be encrypted with TLS (HTTPS for webmail, IMAPS/SMTPS or STARTTLS for mail clients); with that in place, what the WiFi layer does matters far less.

5. Monitor the e-mail server at least once each day to discover any security breaches or threats, since those servers may not always notify administrators automatically. In this case, any one of several indicators would have exposed the breach within hours: an account hitting its outgoing-mail limit, thousands of near-identical messages from one sender, a new inbox rule that diverts all incoming mail, or a logon from a country where the user wasn’t. The sooner a problem is discovered, the quicker and easier it will be to contain and kill it.

6. Require users to archive messages in their Inbox and Sent Items folders regularly. The moment an attacker is able to access an account, he/she/it can easily retrieve and quickly download all the messages on the server, and those messages could contain confidential or sensitive data. Archiving moves those messages to each user’s device and purges them from the central server. Note that this shifts the risk rather than removing it: the devices holding the archives then need full-disk encryption and backups, and archiving does nothing for mail that arrives after an account is compromised.
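Lessons 5 and the inbox-rule paragraph above describe two things a daily review should catch: an account blasting out near-identical messages, and a disguised rule that hides incoming mail. The script below is an added example written for this article, not the company’s own tooling. It runs over a constructed outbound-mail log and a constructed list of inbox rules; the log line format (timestamp|sender|recipient|subject), the dictionary shape of the rules, and the thresholds are all assumptions, and with a hosted service such as Exchange Online the same data would come from the message-trace and inbox-rule exports rather than a text log.

```python
"""
Daily mail-server review: flag (a) accounts blasting outbound mail and
(b) inbox rules that silently divert, delete or exfiltrate incoming mail.

Constructed, stand-alone example. The log format, rule representation and
thresholds are assumptions, not any real product's interface.
"""
import re
from collections import Counter, defaultdict

# Constructed outbound log, one message per line: "timestamp|sender|recipient|subject".
# Three normal messages from alice, then 250 identical lures from a compromised account.
SAMPLE_LOG = [
    "2024-05-06T08:01:00Z|alice@example.com|bob@example.com|Q2 budget",
    "2024-05-06T08:05:00Z|alice@example.com|carol@partner.example|Re: contract",
    "2024-05-06T08:30:00Z|alice@example.com|dave@example.com|Lunch?",
] + [
    f"2024-05-06T03:{i // 60:02d}:{i % 60:02d}Z|jdoe@example.com"
    f"|target{i}@victim{i % 40}.example|Missed call from +1(4XX) 6XX-9XXX"
    for i in range(250)
]

# Constructed inbox rules in the shape an admin export might use (assumed).
SAMPLE_RULES = [
    {"account": "alice@example.com", "name": "Newsletters",
     "conditions": {"from_contains": "news@"}, "actions": {"move_to": "Newsletters"}},
    # Disguised catch-all rule of the kind described in the article: no conditions, odd folder.
    {"account": "jdoe@example.com", "name": ".",
     "conditions": {}, "actions": {"move_to": "RSS Subscriptions", "mark_read": True}},
    {"account": "jdoe@example.com", "name": "Conversation History",
     "conditions": {"subject_contains": "failed delivery"}, "actions": {"delete": True}},
    {"account": "bob@example.com", "name": "Sync",
     "conditions": {}, "actions": {"forward_to": "bob.personal@webmail.example"}},
]

DISGUISED_NAME = re.compile(r"^[\s.,_\-]*$")  # blank or punctuation-only rule names


def parse_sent_log(lines):
    """Split each line into a record; the subject may contain '|', so split at most 3 times."""
    records = []
    for line in lines:
        ts, sender, rcpt, subject = line.split("|", 3)
        records.append({"ts": ts, "sender": sender.lower(), "rcpt": rcpt.lower(), "subject": subject})
    return records


def flag_mass_senders(records, max_per_day=100, min_subject_share=0.8, min_domains=20):
    """Return {sender: details} for accounts that exceeded the daily limit, or that sent
    one dominant subject to many distinct recipient domains (the shape of a phishing blast)."""
    by_sender = defaultdict(list)
    for rec in records:
        by_sender[rec["sender"]].append(rec)
    flagged = {}
    for sender, recs in by_sender.items():
        subject, top = Counter(r["subject"] for r in recs).most_common(1)[0]
        share = top / len(recs)
        domains = {r["rcpt"].rsplit("@", 1)[-1] for r in recs}
        over_limit = len(recs) > max_per_day
        blast = len(recs) >= 20 and share >= min_subject_share and len(domains) >= min_domains
        if over_limit or blast:
            flagged[sender] = {"count": len(recs), "subject": subject,
                               "share": round(share, 2), "domains": len(domains)}
    return flagged


def flag_suspicious_rules(rules):
    """Return findings for rules that hide, delete or forward mail, or carry a disguised name."""
    findings = []
    for rule in rules:
        conds, acts = rule.get("conditions") or {}, rule.get("actions") or {}
        own_domain = rule["account"].rsplit("@", 1)[-1]
        reasons = []
        if not conds and acts.get("move_to") not in (None, "Inbox"):
            reasons.append(f"catch-all rule moves every message to '{acts['move_to']}'")
        if acts.get("delete"):
            reasons.append("deletes matching mail (can hide bounces and warnings)")
        fwd = acts.get("forward_to")
        if fwd and fwd.rsplit("@", 1)[-1] != own_domain:
            reasons.append(f"forwards mail outside the organization to {fwd}")
        if acts.get("mark_read"):
            reasons.append("marks mail as read, suppressing new-mail indicators")
        if DISGUISED_NAME.match(rule.get("name", "")):
            reasons.append("rule name is blank or punctuation only")
        if reasons:
            findings.append({"account": rule["account"], "name": rule["name"], "reasons": reasons})
    return findings


def daily_review(log_lines, rules):
    """One pass over the day's data; schedule it rather than waiting for a user to call in."""
    return {"mass_senders": flag_mass_senders(parse_sent_log(log_lines)),
            "suspicious_rules": flag_suspicious_rules(rules)}


if __name__ == "__main__":
    report = daily_review(SAMPLE_LOG, SAMPLE_RULES)
    for sender, info in report["mass_senders"].items():
        print(f"MASS SEND  {sender}: {info['count']} msgs to {info['domains']} domains, "
              f"{info['share']:.0%} share of subject {info['subject']!r}")
    for f in report["suspicious_rules"]:
        print(f"RULE       {f['account']} rule {f['name']!r}: " + "; ".join(f["reasons"]))
```

Run as-is, the review flags jdoe@example.com for 250 messages with a single subject to 40 domains, the disguised “.” rule on that account (catch-all move, mark-as-read, punctuation-only name), the rule that deletes “failed delivery” bounces, and bob’s external forward, while alice’s genuine newsletter rule passes. The two checks deliberately key on structure (no conditions, external domain, empty name) rather than on folder names, because the attacker picks the folder.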

I’m thankful that my friend was willing to share his experience and suggestions for how to avoid a similar breach happening at my own company. Based on the “lessons learned,” we performed an audit of our own procedures and made several adjustments to our protocols as a result – small changes with potentially large consequences. I suggest you do the same.

Criptext: When a recall actually looks pretty good.


I doubt there are many of us in business who have never inadvertently sent an e-mail to the wrong person … or sent a message before it was fully complete … or forgot to include an attachment.

In such cases, it would be so nice to be able to recall the e-mail — just like we used to do in the days of postal mail simply by retrieving the letter from the outgoing mail bin.

Recent news reports reveal that this capability is actually a reality now.

In the fast lane? Criptext principals just completed a successful round of investment funding.

A start-up firm called Criptext has just raised a half-million dollars in private investment funds to help it perfect and expand a product that allows any sent e-mail to be recalled — even if the recipient has already opened and read it.

According to a report from Business Insider, Criptext is currently available as a plugin and a browser extension for the popular Outlook and Gmail e-mail services. It operates inside the e-mail itself, enabling the sender to track when, where and by whom messages have been opened and attachments downloaded.

In addition, Criptext also enables the sender to recall emails, and even to set a self-destruct timer to automatically recall emails after a specified length of time.

Viewing a screenshot of how Criptext works (in this case with the Gmail service), things look pretty simple (and pretty cool, too):


I thought it would be only a matter of time before some developer would figure out a way to “unwind” an email communiqué once the “send” button was hit. And now we have it.

Of course, time will tell whether Criptext can live up to its billing … or if it turns out to be more of a nightmare of glitches than a dream come true. Security-minded readers should also note what any recall-after-reading feature implies: a message that can be withdrawn after the recipient has opened it cannot really have been delivered into the recipient’s mailbox as ordinary e-mail, so the content must be held and served by the vendor, and the open/location tracking depends on the recipient’s mail client loading remote content. That makes the vendor a third party who holds your correspondence, which is a trust decision as much as a convenience.

It would be great to hear from anyone who may have first-hand experience with Criptext – or other similar e-mail functionalities. Please share your experiences and perspectives, pro or con, with other readers here.