by Joel Duisman, Senior Technical Consultant & Security Practice Leader at Taos
“Turning the Corner” — an expression denoting new horizons and a chance to move beyond old obstacles.
In the early 1980s, when I was first exposed to email, I initially marveled at the effectiveness and utility of asynchronous communication through computer networks. Before long, my friends and I found additional entertainment in connecting directly to Sendmail and creating messages from fictitious people at humorous locations. Messages from santa@thenorthpole proliferated, and the students in the Computer Science department all enjoyed this wonderful new technology.
Fast-forward three decades: sitting at lunch with an old friend this weekend, I found that members of her team had been let go and she was looking at a grueling work schedule. The culprit? An email sent to a CEO by a fraudster had cost the company dearly, and they were now trying to adjust their balance sheets to compensate for the loss.
Email was originally designed to be highly robust in a world of poor connections and few users. As with most new technologies, the emphasis was on adoption over security: SMTP carries no proof of who actually sent a message, so any sender can put any address in the From field, which is all those santa@thenorthpole messages relied on. Now that we have built empires in the cloud on standards like email, that limitation shows through painfully. Fortunately, a technology is now available that can be simple to deploy and will allow us to “turn the corner” and move towards a world in which a forged message can no longer borrow a legitimate domain’s name.
DomainKeys Identified Mail (DKIM) was first standardized in 2007 (RFC 4871) and revised twice, most recently in 2011 (RFC 6376). Since then, mail software and hosted services have matured to the point where DKIM can be deployed and run smoothly with minimal risk. Widespread adoption, however, is still coming.
DKIM is effective because its aim is simple: it lets the organization sending an email take responsibility for that email. The sending mail server signs every outgoing message with a private key; the signature, carried in a DKIM-Signature header, covers a chosen set of headers (the From header is mandatory) together with a hash of the body. The matching public key is published as a TXT record in the Domain Name System (DNS) the company already operates, at a name of the form <selector>._domainkey.<domain>, so any receiving server can fetch it and check the signature with no prior arrangement between the two parties. A message whose signed headers or body were changed after signing, or that was signed with a key the domain never published, fails that check. This doesn’t prevent people from sending bogus emails, but it stops them trading on the reputation of those who do implement DKIM. One caveat a deployer should know: DKIM by itself says nothing about mail that arrives with no signature at all; telling receivers that unsigned mail claiming your domain should be rejected is the job of the companion DMARC standard, which builds on DKIM and SPF.
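The signing and verification exchange described above, written out as an added example that is not part of the original article: a minimal DKIM signer and verifier in Go using only the standard library, with an in-memory map standing in for public DNS so it runs offline. It uses rsa-sha256 with the RFC 6376 default “simple” canonicalization; the domain example.com, the selector s2024 and the sample message are all constructed for the example. It shows the three things the receiver’s check catches: a body altered after signing, a signed header altered after signing, and a message signed with a key the domain never published.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

type header struct{ Name, Value string }
type fakeDNS map[string]string // stands in for public DNS: "<selector>._domainkey.<domain>" -> TXT record value
var bTag = regexp.MustCompile(`b=[^;]*`) // the b= tag and its value (never matches inside bh=, whose base64 has no "b=")

func dkimRecord(pub *rsa.PublicKey) string { // the TXT record a domain owner publishes at <selector>._domainkey.<domain>
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// simpleBody is "simple" body canonicalization (RFC 6376 3.4.3): drop trailing empty lines, end with one CRLF.
func simpleBody(body string) string { return strings.TrimRight(body, "\r\n") + "\r\n" }

// headerHash hashes each h= header (bottom-most instance, verbatim) then the DKIM-Signature header with b= emptied.
func headerHash(hdrs []header, names []string, sigValue string) []byte {
	var buf strings.Builder
	for _, n := range names {
		for i := len(hdrs) - 1; i >= 0; i-- {
			if strings.EqualFold(hdrs[i].Name, n) {
				buf.WriteString(hdrs[i].Name + ":" + hdrs[i].Value + "\r\n")
				break
			}
		}
	}
	buf.WriteString("DKIM-Signature:" + sigValue) // no trailing CRLF on this one (RFC 6376 3.7)
	sum := sha256.Sum256([]byte(buf.String()))
	return sum[:]
}

// sign is the sending server's side: it returns the DKIM-Signature header to prepend to the message.
func sign(hdrs []header, body, domain, selector string, priv *rsa.PrivateKey) (header, error) {
	bh := sha256.Sum256([]byte(simpleBody(body)))
	noB := fmt.Sprintf("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=from:to:subject; bh=%s; b=", domain, selector, base64.StdEncoding.EncodeToString(bh[:]))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(hdrs, []string{"from", "to", "subject"}, noB))
	if err != nil {
		return header{}, err
	}
	return header{"DKIM-Signature", noB + base64.StdEncoding.EncodeToString(sig)}, nil
}

func parseTags(s string) map[string]string { // "k=v; k=v" lists, used by both the signature header and the DNS record
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[k] = strings.TrimSpace(v)
		}
	}
	return tags
}

// verify is the receiving server's side; nil means the d= domain vouches for the message exactly as received.
func verify(hdrs []header, body string, dns fakeDNS) error {
	sigValue := ""
	for _, h := range hdrs {
		if strings.EqualFold(h.Name, "DKIM-Signature") {
			sigValue = h.Value
		}
	}
	tags := parseTags(sigValue)
	if tags["v"] != "1" || tags["a"] != "rsa-sha256" || tags["c"] != "simple/simple" {
		return fmt.Errorf("unsigned, or signature version/algorithm/canonicalization not supported here")
	}
	rec, found := dns[tags["s"]+"._domainkey."+tags["d"]] // fetch the key where the signature says it lives
	der, _ := base64.StdEncoding.DecodeString(parseTags(rec)["p"])
	pubAny, _ := x509.ParsePKIXPublicKey(der)
	pub, ok := pubAny.(*rsa.PublicKey)
	if !found || !ok {
		return fmt.Errorf("no usable RSA key published at %s._domainkey.%s", tags["s"], tags["d"])
	}
	if bh := sha256.Sum256([]byte(simpleBody(body))); base64.StdEncoding.EncodeToString(bh[:]) != tags["bh"] {
		return fmt.Errorf("body hash mismatch: body altered after signing")
	}
	sig, _ := base64.StdEncoding.DecodeString(tags["b"])
	digest := headerHash(hdrs, strings.Split(tags["h"], ":"), bTag.ReplaceAllString(sigValue, "b="))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig) != nil {
		return fmt.Errorf("signature invalid: signed headers altered, or signed with a key %s never published", tags["d"])
	}
	return nil
}

func main() { // stand-alone demo on a constructed message
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // the domain owner's key pair; only the public half is published
	dns := fakeDNS{"s2024._domainkey.example.com": dkimRecord(&priv.PublicKey)}
	hdrs := []header{{"From", "CEO <ceo@example.com>"}, {"To", "cfo@example.com"}, {"Subject", "Urgent wire"}}
	sig, _ := sign(hdrs, "Please wire the funds today.\r\n", "example.com", "s2024", priv)
	fmt.Println(verify(append([]header{sig}, hdrs...), "Please wire the funds today.\r\n", dns))  // nil: genuine
	fmt.Println(verify(append([]header{sig}, hdrs...), "Please wire to account 12345.\r\n", dns)) // body hash mismatch error
}
```

The part worth noticing is what the verifier trusts: nothing in the message itself, only the key it fetched from DNS at the name the d= and s= tags point to. A fraudster can copy every header, including a plausible-looking DKIM-Signature, but without the private key behind the published record the signature will not verify. Production verifiers also handle the “relaxed” canonicalization that tolerates whitespace changes by relays, folded headers, the l= body-length tag and key records that have been retired; none of that is in this example.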
Companies are now embracing this solution because hosted email providers expose it through a simple console and support rotating keys safely: since the public key is published under a selector, a new key can be published under a new selector and the old one retired once messages signed with it have stopped arriving. In turn, vendors who filter email can write rules that favour messages verifiably signed by trusted partners and, conversely, treat unsigned mail claiming those partners’ domains with suspicion. In the future, whitelisting a partner’s signing domain may be as common as asking them to sign a Non-Disclosure Agreement.
The key to resolving this very old problem is in our hands, but the effectiveness of the solution depends on adoption: a signature only helps when senders sign and receivers check. It is time to close this security hole for good, and for corporations and other institutions to start building their email domain’s reputation today.