Have I Seen the End of E-Mail?

Not that I desire it, but my recent encounters with ransomware make me wonder.

Some people in, say, accounting or HR departments are forced to use e-mail with utmost paranoia. Hackers send alarmingly professional e-mails that look like invoices, job applications, or notifications from postal services. Clicking a link starts the download of malware that will encrypt all your data and ask for ransom.

Theoretically you could still find out if an e-mail was legit by cross-checking with open invoices, job ads, and expected mail. But what if hackers learn about your typical vendors from your business website or if they read your job ads? Then they would send plausible e-mails and might refer to specific codes, like the number of your job ad.

Until recently I figured that only medium or larger companies would be subject to targeted attacks. One major Austrian telco was the victim of a Denial of Service attack and was challenged to pay ransom. (They didn’t, and were able to deal with the attack successfully.)

But then I encountered a new level of ransomware attacks – targeting very small Austrian businesses by sending ‘expected’ job applications via e-mail:

  • The subject line was Job application as [a job that had been advertised weeks ago at a major governmental job service platform]
  • It was written in flawless German, using typical job applicant’s lingo as you learn in trainings.
  • It was addressed to the personal e-mail of the employee dealing with applications, not the public ‘info@’ address of the business
  • There was no attachment – so malware filters could not have found anything suspicious – but only a link to a shared cloud folder (‘…as the attachments are too large…’) – run by a legit European cloud company.
  • If you clicked the link (which you should not do unless you do this on a separate test-for-malware machine in a separate network) you saw a typical applicant’s photo and a second file – whose name translated to JobApplicationPDF.exe.

Suspicious features:

  • The EXE file should have triggered red lights. But it is not impossible that a job applicant creates a self-extracting archive, although I would compare that to wrapping your paper application in a box looking like a fake bomb.
  • Google’s Image Search showed that the photo had been stolen from a German photographer’s website – it was an example of a typical job applicant’s photo.
  • Both cloud and mail service used were less known ones. It has been reported that Dropbox had removed suspicious files so it seemed that attackers turned to alternative services. (Both mail and cloud provider reacted quickly and shut down the suspicious accounts.)
  • The e-mail did not contain a phone number or street address, just the pointer to the cloud store: Possible but weird as an applicant should be eager to encourage communications via all channels. There might be ‘normal’ issues with accessing a cloud store link (e.g. link falsely blocked by corporate firewall) – so the HR department should be able to call the applicant.
  • Googling the body text of the e-mail gave one result only – a new blog entry of an IT professional quoting it at full length. The subject line was personalized to industry sector and a specific job ad – but the bulk of the text was not.
  • The non-public e-mail address of the HR person was googleable as the job ad plus contact data appeared on a job platform in a different language and country, without the small company’s consent of course. So both the e-mail address and the job description could be harvested automatically.
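
Several of the features listed above can be checked mechanically as a first-pass triage before a human looks at the message. The following Python sketch is an added example, not part of the original post; the function names, the extension list, the phone pattern and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Extensions Windows runs directly; heuristic list, extend for your environment.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Words that make a file name look like a document (German and English).
DOC_HINT = re.compile(r"pdf|docx?|cv|lebenslauf|bewerbung|application|resume", re.I)
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)
# Loose phone pattern: optional +/00 prefix, at least 8 digits/separators.
PHONE = re.compile(r"(?:\+|00)?\d[\d\s/().-]{6,}\d")

def disguised_executable(filename):
    """True for names such as JobApplicationPDF.exe or cv.pdf.exe."""
    stem, dot, ext = filename.strip().lower().rpartition(".")
    return bool(dot) and ext in EXECUTABLE_EXT and bool(DOC_HINT.search(stem))

def triage(raw_message, shared_files=()):
    """Return the indicators that apply. shared_files: names an analyst read off
    the linked folder on an isolated machine (assumed input; nothing is fetched)."""
    msg = message_from_string(raw_message)
    attachments, texts = [], []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            texts.append(part.get_payload(decode=True).decode(charset, "replace"))
    body = "\n".join(texts)
    findings = []
    if not attachments and URL.search(body):
        findings.append("link-instead-of-attachment")
    if not PHONE.search(URL.sub(" ", body)):  # ignore digits inside URLs
        findings.append("no-phone-number")
    risky = [f for f in list(attachments) + list(shared_files) if disguised_executable(f)]
    if risky:
        findings.append("disguised-executable: " + ", ".join(risky))
    return findings

# Constructed sample, modelled on the message described above (not a real e-mail).
SAMPLE = """\
From: applicant@mail.example
To: hr.person@smallbusiness.example
Subject: Job application as technician
Content-Type: text/plain; charset=utf-8

Dear Sir or Madam, please find my documents here, as the attachments
are too large: https://cloud.example/s/AbCdEf
"""
```

Calling `triage(SAMPLE, ["photo.jpg", "JobApplicationPDF.exe"])` reports all three indicators. None of them is proof on its own, so the result is a prompt for the manual cross-checks described above, not a verdict.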

I also wonder if my Everything as a Service vision will provide a cure: More and more communication has been moved to messaging on social networks anyway – for convenience and to avoid false negative spam detection. E-Mail – powered by the old SMTP protocol with tacked-on security features, run on decentralized mail servers – is being replaced by messaging happening within a big monolithic block of a system like Facebook messaging. Larger employers already require their applicants to submit their CVs using their web platforms, just as large corporations demand that their suppliers use their billing platform instead of sending invoices per e-mail.

What needs to be avoided is downloading an executable file and executing it in an environment not controlled by security policies. A large cloud provider might have a better chance to enforce security, and viewing or processing an ‘attachment’ could happen in the provider’s environment. As an alternative all ‘our’ devices might actually be part of a service and controlled more tightly by centrally set policies. Disclaimer: Not sure if I like that.

Iconic computer virus - from my very first small business website in 1997. Image credits mine.


Personal Risk Assessment

We all do risk management intuitively – when we decide on uploading our data to the cloud where the NSA may spy on us. Or when we install heating systems that depend on electrical energy. The previous post triggered an interesting discussion about the risk of a power outage.

Is it more risky to pick a heat pump – compared to other systems?

In Austria, nearly all private homes use central heating systems and thus rely on circulation pumps – no matter if you run a natural gas boiler, a wood pellet burner, or a heat pump. Heat is distributed via hot water, powering floor loops or radiators. Heating circuits powered by gravity only are hardly installed today. So a heat pump system does not score worse in case of a power outage. It might hurt even more if you have a cellar full of wood pellets or a tank full of fuel oil – but you cannot get the fuel or the heat to the place where you need it.

You might also compare heaters of the same level of convenience – heat pumps would compete with natural gas boilers that don’t require storage facilities for fuel but access to a grid. I am concerned about gas pipelines traversing countries that make headlines periodically because of the next political gas crisis. But I am less concerned about electrical power – this is the view from our office:

Wind turbines seen from the office

In Austria the average power outage per utility customer and year is less than 1 hour. We had an outage of about half an hour every few years. There are no issues with cable nibbling squirrels, and we worry more about hackers attacking the grid than about breakdowns.

But experts in disaster management tell us that we rely too much on highly available power. This is called the Vulnerability Paradox: The more dependable a service is, the less prepared you are for outages. According to a recent study anarchy will reign a few days after a large-scale blackout in Germany: Police would not be able to refuel their cars as modern gasoline pumps don’t work without power. Sewage systems and toilets would not work.

The impact of ‘just’ not being able to heat might be less dramatic. The lowest average daily ambient temperature here, in Eastern Austrian lowlands, is -12°C. We have encountered it on 4 days in 20 years; the lowest minimum was -17.8°C. If power were cut off for a day in winter, the temperature would fall by a few degrees only. It might irk me more if our internet connection is down for this period of time.

And many Austrian home owners have a backup strategy that blends with aesthetic preferences. Artisanal tiled stoves are popular here:

GrundKachelofen

Local building code required us to have an emergency chimney – so we installed the Free Flow Bullerjan stove shown below. I have now learned from the company history that it had been invented in Vermont and built in Canada before it became a viral hit in Europe. It can heat our 110 m² open space second storey just fine:

Bullerjan stove

Now why not use a traditional stove for each room as the only heating system – to be independent from the grid all the time? If nobody is at home for several days to put wood on the fire the house will cool off. This is not only a risk, but it will happen with 100% probability, e.g. if you travel for business often.

What happens if power is cut off for several days – and we are traveling? I think the probability would be lower than the likelihood of a tractor crashing into the wall of our house – which is actually a risk listed in our home insurance contract.

___________________________________

Statistics:
Heating 2003 to 2012 by fuels used and heating system (in Austria). Less than 15% of (primary) heating systems are stoves, and they have been on a decline in the last decade. (Link got broken, fixed with new link: 2015-06-04)