'Utegate' another reason for CIOs to check their e-mail

E-mail is a tool that’s widely used, but also highly abused -- and faking an e-mail message can be as easy as “editing a Word document”

Security experts are warning that CIOs may need to revisit their e-mail security following the recent fracas around the “Utegate” affair.

The affair, which involved a faked e-mail used to discredit the prime minister, opposition leader and treasurer, has highlighted deficiencies in e-mail security, according to Andrew Gordon senior manager enterprise and partner at MessageLabs.

Gordon says CIOs need to first remember that e-mail was originally not written with security in mind and needs to have security actively applied to it.

“When e-mail, and simple mail transfer protocol (SMTP), were created a couple decades ago, it was to promote free communication between academics and within government; it was always ‘simple’ mail transfer, not ‘secure’ mail transfer protocol,” he says.

Eddie Sheehy, CEO at e-discovery software provider Nuix, says from a CIO’s perspective e-mail is a tool that is widely used, but also highly abused.

“When somebody writes an e-mail it is sent from one person, through an e-mail server, and then to another person,” he says. “That e-mail is located in three locations, and possibly more if there is an archiving environments involved. On virtually any one of those locations, the e-mail can be extracted, adapted, then on-sent. The receiver of the adapted e-mail has no reason to know that e-mail has been changed, and anyone can do this.”

Sheehy says CIOs also need to be mindful that once an e-mail has been deleted, it hasn’t ceased to exist -- It just means that the headers of the file have been removed; the contents of the file are still there.

James Turner, an advisor on security at research firm IBRS, says that the catch with e-mail is that is has become an accepted, and even essential, component of many work flows.

“For example, not long ago a medium sized Australian organisation got totally burnt by accepting an e-mail order from overseas [as] the payment was a series of credit cards which turned out to be all stolen,” he says. “For most business people, an order coming from an unknown source, via e-mail, for a sizable order should be raising alarm bells. E-mails are easy to fake -- but only to people who don’t know this.”

While many security technologies now exist to better manage e-mail -- transport layer security (TLS), Secure/Multipurpose Internet Mail Extensions (S/MIME) and send a policy framework (SPF) -- CIOs need to be mindful that faking an e-mail, at least in physical form, can be as easy as editing a Word document, MessageLab’s Gordon says.

“It’s very simple -- all you need to do is cut and paste Internet header information into a word document,” he says. “It’s a representation of an e-mail, but when it is printed out there is no real ability to forensically detect whether it is real or not.”

Back in the electronic domain, there is more CIOs can do, Gordon says. Firstly, CIOs need to be mindful of compliances mandates, such as Sarbines Oxley, which will dictate whether they need to encrypt or authenticate at the server-level all e-mail sent outside the organisation.

Join the CSO newsletter!

Error: Please check your email address.

Tags Utegateemailsecurity

More about etworkIBRSMessageLabsNuix

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Lohman

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place