Friday, January 03, 2014

Attachment Harassment

Lately I've been talking to people about opening unexpected attachments. It became clear to me that there is some misunderstanding. They've heard ‘don't open attachments if they seem suspicious’. What I want you to understand is don't open attachments that are unexpected, even from someone you know.

That got an instant reaction from a few folks.

Joe: “You mean, if someone sends me any attachment that I did not expect to get, I should be wary?”
Me: That's right.
Joe: “What should I do, contact them and confirm that they purposely sent me an attachment?”
Me: That's right. By name of the file.
Joe: “You've got to be kidding!”

So that's where I need to explain further. Malware succeeds in getting onto another computer exactly because we trust messages that come from people we know. It's this trust that malware creators are banking on. The added problem is that the name or address you see in the ‘From’ field in a message is easily forged. You read that right. Malware is perfectly capable of putting anyone's name or address in the FROM field before sending it to you. That changes everything.

Joe: “Well, what about innocent attachments like PDF files or pictures? They can't harm me, can they?”

Not under normal circumstances. But by default, a Windows computer is set to NOT show you the extensions in most file names. That means that malware could send you an innocent-looking job report.pdf attachment, but because (real) extensions are being hidden by default, you're not able to see that the file is actually named job report.pdf.exe. That's not a PDF file. That's an executable file in a very clever disguise.

Much of this comes as a surprise to some people.

Joe: “Do I really need to harass people every time I want to send an attachment so that they know it's legitimate?”

No, you don't. The better solution is to stop using email to share files.

Office staff might have access to a network drive that everyone can use. This is a perfect place to store files we wish to share with other colleagues, so long as they are not private and do not contain sensitive content. Send off a quick email telling the recipient(s) where the files are and delete them after a few hours. Or better yet, if you share access to a SharePoint site, put the files there in a special library just for exchanging documents, noting who else has access to that library. Problem solved. Or even better, keep all of the documents ON SharePoint, then you won't have to pass them around, period.

Some people get clever and just put a hyperlink to the document in SharePoint (or a network share). This isn't a great idea (although it is handy), because we've been telling people not to click hyperlinks in their emails either. It's not good practice to suggest that hyperlinks are dangerous, then use hyperlinks in our own email messages. So what to do? Rather than send the link, just tell them where on the SharePoint site (or networked drive) to go to obtain the document. They will navigate manually and find what they need.

If email attachments are the only practical alternative, you could mitigate the risk of using attachments by using a mutually agreed upon security process that malware would have extreme difficulty duplicating. For example, you could tell all of your contacts that if you ever send them an attachment via email, you will always rename the attachment file in a consistent, but recognizable way. For example, job report.pdf might be renamed job report_KP1nov2013.pdf. The ‘KP’ refers to my initials and the date adds another layer of authentication. Tell them never to trust any attachment that doesn't follow this protocol. Even better – come to an agreement and get EVERYONE to follow this protocol. The recipient simply needs to strip the excess characters off of the file name after they receive it and they are good to go.
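The two file-name checks described above (the hidden real extension, and the agreed naming protocol) can be automated on the receiving side. This is an added example, not part of the original post; the function name, the list of executable extensions and the tag pattern (inferred from the single job report_KP1nov2013.pdf example) are assumptions.

```python
import re
from datetime import date

# Extensions Windows runs on double-click (a common subset, not exhaustive).
EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs", ".lnk"}
MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}
# Assumed tag layout, taken from the post's example: _<INITIALS><day><mon><year>
TAG = re.compile(
    r"^(?P<base>.+)_(?P<who>[A-Z]{2,3})(?P<d>\d{1,2})(?P<m>[a-z]{3})(?P<y>\d{4})$")

def check_attachment(filename, known_initials):
    """Return (verdict, original_name_or_None) for one attachment file name."""
    name = filename.strip()
    # Always judge by the text after the LAST dot: that is the real extension,
    # whatever Explorer chooses to display.
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return ("reject: no extension", None)
    ext = "." + ext.lower()
    if ext in EXECUTABLE:
        kind = "disguised executable" if "." in stem else "executable"
        return (f"reject: {kind} ({ext})", None)
    # The agreed protocol: the stem must end in a tag from a known sender.
    m = TAG.match(stem)
    if not m or m["who"] not in known_initials:
        return ("reject: does not follow the agreed naming protocol", None)
    try:
        sent = date(int(m["y"]), MONTHS[m["m"]], int(m["d"]))
    except (KeyError, ValueError):
        return ("reject: tag carries an invalid date", None)
    # Strip the tag to recover the name the sender originally used.
    return (f"ok: tagged by {m['who']} on {sent.isoformat()}", m["base"] + ext)

if __name__ == "__main__":
    # Constructed sample names, based on the file names used in the post.
    for sample in ("job report.pdf.exe", "job report.pdf",
                   "job report_KP1nov2013.pdf", "job report_KP31nov2013.pdf"):
        print(f"{sample!r:32} -> {check_attachment(sample, {'KP'})}")
```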

The bottom line - attachments are now risky business and must be treated with extreme caution.
