1y ago

Why can't we fix email?

The Internet and email is old at this point.

It can be reasonably argued that email links are a significant threat vector right now.

So far, we just keep trying to sandbox links or scan attachments, but it's still not stopping the threat.

My questions for comment:

Would removing anonymity from email reduce or remove this threat? If business blocked all uncertified email senders, would this threat be gone?
Why can't we do PKI well after a few decades?
Does anyone believe PKI could apply to individuals? In the context of identity for email, accounts, etc?

I see services like id.me and others and wonder why we can't get digital identity right and if we could, would it eliminate some of the major threats?

Image credit: https://www.office1.com/blog/topic/email

Edit, post not related to the site or any service, just image credit.

17 comments

E-mail is a lingua franca. It's used not because it's superior, but because you don't have to worry about whether your recipient is using the right software setup to receive your message. It's the lowest common denominator of internet messaging and can only be replaced in that role by a new lowest common denominator.
A company that rejected basic email would necessarily be rejecting some percent of legitimate messages and/or increase their IT costs. While this doesn't mean it's impossible, it would be at least be a painful transition. Users will hate it.
Adding PKI just amplifies the software setup problem because now you have to worry about primitive selection, centralized authorities, key lifecycle management, etc. And there's no way for the sender and recipient to negotiate security parameters, so they have to be agreed on in advance, something basic email doesn't need.
PKI is too finicky and abstract for the average user to understand or care about. We can't reasonably expect them to make good decisions about a subject that even professionals and large organizations struggle to understand. A big reason for email's longevity and success is that the average user doesn't need to understand it at any technical level.

Would you mind pointing me at research that demonstrates that email links are the number one threat vector right now?
- I can say from personal experience that that is the case, but I don't have any empirical evidence.
- As someone who leads a major MDR and IR service, phishing was the root cause of about 7.5% of incidents last year. Exploits are #1 around 47% of incidents, followed by compromised credentials around 30% of incidents.
  This only represents SME and Enterprise. Phishing likely could be #1 for individuals.
- A quick Google search gives tons.
  Introducing Cloudflare's 2023 phishing threats report: This report analyzes global survey responses, simulated phishing exercises and real-world attacks, and reveals a 1,265% increase in phishing emails since the launch of ChatGPT, a generative AI tool that can create convincing fake content¹.
  CISA, NSA, FBI, and MS-ISAC Release Phishing Prevention Guidance: This guide outlines phishing techniques malicious actors commonly use and provides guidance for both network defenders and software manufacturers to reduce the impact of phishing techniques used in obtaining credentials and deploying malware².
  The State of Phishing 2023: This report takes an in-depth look at cybersecurity threat trends with insights into how cybercriminals are swiftly advancing and what is required to stop them. It also highlights how attackers use deceptive links, identity deception, and brand impersonation to trick their victims³.
  2023 'State of the Phish' - Findings Sneak Peek: This study covers more countries and more threat types than ever, and uncovers critical gaps in people’s security knowledge and behavior. It also shows how today’s cyber threats are evolving and how attackers exploit the entities we trust and need to get work done⁴.
  The Biggest Security Threat of 2023? It's Phishing: This article explains how phishing works and why it is still such a threat, and what you can do to keep yourself safe. It also warns about the dangers of spear phishing, HTTPS phishing, email phishing, and vishing⁵.
  These are some of the sources that I found that support the claim that phishing is one of the top cyber security threats and vectors for 2023. I hope you find them useful and informative. 😊
  Source: Conversation with Bing, 12/24/2023 (1) Introducing Cloudflare's 2023 phishing threats report. https://blog.cloudflare.com/2023-phishing-report/. (2) Introducing Cloudflare's 2023 phishing threats report. https://blog.cloudflare.com/2023-phishing-report/. (3) CISA, NSA, FBI, and MS-ISAC Release Phishing Prevention Guidance. https://www.cisa.gov/news-events/alerts/2023/10/18/cisa-nsa-fbi-and-ms-isac-release-phishing-prevention-guidance. (4) CISA, NSA, FBI, and MS-ISAC Release Phishing Prevention Guidance. https://www.cisa.gov/news-events/alerts/2023/10/18/cisa-nsa-fbi-and-ms-isac-release-phishing-prevention-guidance. (5) The State of Phishing 2023 | SlashNext. https://slashnext.com/state-of-phishing-2023/. (6) The State of Phishing 2023 | SlashNext. https://slashnext.com/state-of-phishing-2023/. (7) 2023 'State of the Phish' - Findings Sneak Peek | Proofpoint US. https://www.proofpoint.com/us/blog/security-awareness-training/2023-state-of-the-phish-findings-sneak-peek. (8) 2023 'State of the Phish' - Findings Sneak Peek | Proofpoint US. https://www.proofpoint.com/us/blog/security-awareness-training/2023-state-of-the-phish-findings-sneak-peek. (9) The Biggest Security Threat of 2023? It's Phishing - MUO. https://www.makeuseof.com/biggest-security-threat-2023-phishing/. (10) The Biggest Security Threat of 2023? It's Phishing - MUO. https://www.makeuseof.com/biggest-security-threat-2023-phishing/.
  
  How do these demonstrate that email is the main attack vector?
- Why does it have to be number one?
  
  OP originally said number one and edited their post.

Would removing anonymity from email reduce or remove this threat? If business blocked all uncertified email senders, would this threat be gone?
So as a goober that keeps getting jobs where my employer mandates that I am assigned an email address from their private email system, is told to "practice cyber security awareness" blah blah blah, and then is immediately spammed by internal emails with a shit ton of links (from people who are strangers to me but actually work for the same employer) from inside the org, I don't think removing anonymity would eliminate the threat. I'm being habituated into opening, reading, and encouraged to click links from "strangers" by my employer.
It might make it easier to for an attacker to ID a target though.
- So serious corporate culture issue

I want a government email. I think the usps should run one that allows for official government communiction in an isolated inbox and then another isolated inbox for communication that would require a penny and an individual and a last inbox that allows for companies and such to send to you for a fee and it would be encrypted. I wold keep it separate from normal email but at least you could be sure of who the sender is and it would make government communications easier.
- Interesting. I do wish our government identity extended to online. Instead of signing into a bunch of websites with a Google account, I think a us government or state account would be nice. One account, PKI in your driver's license or some other passkey like device.
  I guess the trade would be protection of that digital ID and the system running it. We already have identity theft. I hope it would be harder if you have to digitally sign a bunch of stuff with you driver's license. Most people probably don't have experience with common access cards or tokens though.
  
  yes and you should never have to worry about losing it do to it being like canceled and you should be able to clear up any support issues at the post office.

There are many ways to be more selective about from whom to accept email. SPF, DKIM, DMARC, and various blacklists are among them. They are supposed to make life harder for spammers. But they have also made running a mail server something that few dare to try anymore. Setup is not easy, but getting blacklisted is, and it causes silent delivery failure, and takes days of work to fix.
As a result, most of the email is run by Microsoft and Google. But that didn't stop phishers. They just go after people at smaller companies where security isn't as tight yet, and then they've got valid Microsoft accounts to send from. Liars and Outliers by Schneier is about this sort of dynamic.
As for PKI: If I may assume you to be, or have been, affiliated with an armed service -- Whose property is your CAC? And why did you use a pseudonym to make this post? (I mean to be pithy, not sarcastic.) I think Liars and Outliers by Schneier is all about this sort of thing - but I didn't get much of it read before it was due back at the library.
- Yeah, my frustration with how we've centralized email on those enterprises is that criminals and spammers can just get accounts, pay marketing fees, malware ads, etc.
  Even PKI is frustrating in that it's both a racket where only a couple can do it for good reasons, they can almost charge whatever they want, and still there's places where you can get certs minted with almost no validation.
  I initially hated token login, but after you realize you never need passwords, to remember accounts, and it works for signing documents.
  I'm not says you shouldn't still have a private selection, but I wish we had a certified solution that could reduce deception. Or at least I would direct all non certified senders to spam.

17 comments