2008 Woodie Awards
Illini Media
WPGU
buzz
Illio
TechnographDirector of security and privacy offers insight on bogus massmail
By Mike Corn
Posted: 9/5/08 Section: Opinion Columns
As the campus security officer I and the staff of CITES Security see all sorts of troubling activity on the campus network. Literally millions of Internet-based attacks, spam and inappropriate use of the campus network are work-a-day for us. Some of these are nothing more than pranks. Other attacks can have serious consequences for individuals and the entire University.
In light of Labor Day's hoax massmail I've noticed a number of common misconceptions about e-mail in public discussions of the incident and thought that this was a good opportunity to clear them up. So here are few things to remember the next time you scan through your inbox.
1. "From:" means nothing. E-mail was invented in the late 1960s and early 1970s. At that time you could count the number of e-mail users without even taking off your shoes. Nobody was thinking about the security of e-mail. There was no Internet, and the idea that one day there would be billions of messages sent daily was unimaginable.
As a consequence, few, if any, protections were built into e-mail to guarantee the identity of the "From" address. In general, the "From" line that your e-mail client displays is cosmetic. That's why today there are so many bogus messages from 'banks' asking for your login, password or other account information (see Phishing: http://www.cites.uiuc.edu/security/idtheft/phishing/).
2. "To:" means nothing. See No. 1 above. While some legitimate massmail from the University may be sent "To: everybody@uiuc.edu" there is no address or mailing list known as "everybody@uiuc.edu." It's used cosmetically for the purposes of massmail. A mail sent to everybody@uiuc.edu does not mean that it was sent through the massmail system.
So does this mean you can't rely on e-mail at all? Sort of - it really means that you have to read your e-mail carefully. The campus receives millions of spam e-mails every day, not unlike the hoax massmail, and some of them will slip through our spam filters. Many of them are potentially malicious, and spam is a major cause of identity theft and related fraud.
We don't believe that you should give up on e-mail though. In fact, despite this, we strongly encourage you to use your University e-mail address for all school-related activities.
There are benefits to using your University e-mail account instead of a commercial account. When someone e-mails our office from "cutiepie@somewhere.com" we have no way of knowing who cutiepie really is. When e-mail arrives from netid@illinois.edu we can at least look up who they are supposed to be, and if needed, call them to confirm their identity.
If you submit a homework assignment from your Gmail account to another Gmail account and it doesn't show up, we can't help you. If it's from a campus address to a campus address we can check to see if the message was sent and/or delivered, which could save you a world of problems.
3. Many of the official notices you receive from the University will come from the massmail system. Every massmail message can be verified by logging into the massmail archive at http://www.cites.uiuc.edu/services/massmail. Note that not all units religiously use massmail, so if you are in doubt, or the message seems "odd," don't hit "reply" but check through another means with whomever supposedly sent the message.
4. Use common sense. The University or any other legitimate business will never ask for sensitive data, such as your password, to be sent by e-mail. If that happens, complain. Loudly. Examine any unusual e-mail very carefully. CITES can provide services and tips to help protect you, but ultimately, avoiding e-mail scams and hoaxes is up to you using common sense. You, as a thinking, breathing person are the last and best line of defense against all manner of attacks against your computer.
Finally, though this has little to do with e-mail, be sure to secure your home computer network, particularly those nice wireless routers we all use. All of the hoax e-mails we received last weekend came from unsecured wireless networks (off-campus). If your wireless network is not secured then the next round of spam could be sent from your network. We have a small set of starting recommendations available at http://www.cites.uiuc.edu/security/home to help lock down your wireless network.
Mike Corn is the director of Security Services and Information Privacy at the University.
In light of Labor Day's hoax massmail I've noticed a number of common misconceptions about e-mail in public discussions of the incident and thought that this was a good opportunity to clear them up. So here are few things to remember the next time you scan through your inbox.
1. "From:" means nothing. E-mail was invented in the late 1960s and early 1970s. At that time you could count the number of e-mail users without even taking off your shoes. Nobody was thinking about the security of e-mail. There was no Internet, and the idea that one day there would be billions of messages sent daily was unimaginable.
As a consequence, few, if any, protections were built into e-mail to guarantee the identity of the "From" address. In general, the "From" line that your e-mail client displays is cosmetic. That's why today there are so many bogus messages from 'banks' asking for your login, password or other account information (see Phishing: http://www.cites.uiuc.edu/security/idtheft/phishing/).
2. "To:" means nothing. See No. 1 above. While some legitimate massmail from the University may be sent "To: everybody@uiuc.edu" there is no address or mailing list known as "everybody@uiuc.edu." It's used cosmetically for the purposes of massmail. A mail sent to everybody@uiuc.edu does not mean that it was sent through the massmail system.
So does this mean you can't rely on e-mail at all? Sort of - it really means that you have to read your e-mail carefully. The campus receives millions of spam e-mails every day, not unlike the hoax massmail, and some of them will slip through our spam filters. Many of them are potentially malicious, and spam is a major cause of identity theft and related fraud.
We don't believe that you should give up on e-mail though. In fact, despite this, we strongly encourage you to use your University e-mail address for all school-related activities.
There are benefits to using your University e-mail account instead of a commercial account. When someone e-mails our office from "cutiepie@somewhere.com" we have no way of knowing who cutiepie really is. When e-mail arrives from netid@illinois.edu we can at least look up who they are supposed to be, and if needed, call them to confirm their identity.
If you submit a homework assignment from your Gmail account to another Gmail account and it doesn't show up, we can't help you. If it's from a campus address to a campus address we can check to see if the message was sent and/or delivered, which could save you a world of problems.
3. Many of the official notices you receive from the University will come from the massmail system. Every massmail message can be verified by logging into the massmail archive at http://www.cites.uiuc.edu/services/massmail. Note that not all units religiously use massmail, so if you are in doubt, or the message seems "odd," don't hit "reply" but check through another means with whomever supposedly sent the message.
4. Use common sense. The University or any other legitimate business will never ask for sensitive data, such as your password, to be sent by e-mail. If that happens, complain. Loudly. Examine any unusual e-mail very carefully. CITES can provide services and tips to help protect you, but ultimately, avoiding e-mail scams and hoaxes is up to you using common sense. You, as a thinking, breathing person are the last and best line of defense against all manner of attacks against your computer.
Finally, though this has little to do with e-mail, be sure to secure your home computer network, particularly those nice wireless routers we all use. All of the hoax e-mails we received last weekend came from unsecured wireless networks (off-campus). If your wireless network is not secured then the next round of spam could be sent from your network. We have a small set of starting recommendations available at http://www.cites.uiuc.edu/security/home to help lock down your wireless network.
Mike Corn is the director of Security Services and Information Privacy at the University.
The Daily Illini encourages on-topic discussion through article commenting on its articles and blogs. It is our policy not to delete any comments based upon political or ideological point of view. However, we reserve the right to remove comments that are abusive, off-topic or use excessive foul language.
The posting of copyrighted material, including any and all content for which you are not the author, is illegal under Federal intellectual property laws. Such activity will not be tolerated. Comments containing copyrighted material will be removed, and continued violation of copyright law is grounds for being banned completely from commenting on DailyIllini.com.
If you feel any post meets these conditions or merits review, please e-mail our editors at meonline@dailyillini.com.
Be the first to comment on this story