Your Security Rests With Sites You Don’t Even Own
Posted by Bob Warfield on September 12, 2011
This post is on behalf of the Enterprise CIO Forum and HP.
What if your business could suffer a major security breach even though your own sites were all properly secured and not penetrated? “How can that happen?” you ask.
Welcome to the world of typosquatting. The problem starts when employees send emails containing sensitive information. If they mistype the name of the destination domain slightly, and there is a live mail server at the mistyped destination, your sensitive information just got sent somewhere else. Somewhere not under your control and potentially harmful to your interests. Sites created for this purpose are called “Doppelganger Sites.” Two researchers from Godai Group managed to scoop up 20GB of data over a six month span in over 120,000 emails by creating doppelgänger for several Fortune 500 companies. Data included daily cargo tank reports for a large oil company. Their original paper is available for download.
Technically, this approach provides just one more way to mount a “Man-in-the-middle” attack, where two participants think they’re communicating securely, but there is an unknown man in the middle overhearing and tampering with that communication. Send an email that is intercepted by the doppelgänger and they get not only the information but the ability to reply back, and with a little social engineering, potentially wreak havoc.
Scary? You bet. But what can you do about it?
One solution: policy-based encryption in MS Exchange. Exchange has a facility to transparently encrypt and decrypt email. The recipient has to go through a brief process just once and after that email encryption is transparent. Policies let IT decide when to encrypt. By setting up policies to encrypt email sent to the company’s domain and all likely misspellings, a couple of advantages accrue. First, having the email be encrypted and only decrypted when received by a legitimate recipient makes it that much more secure. Second, anything sent to the typos will arrive encrypted, and those recipients do not have the keys to decrypt.
When using this approach, it pays to be conservative–protect as many misspellings as you can and be clever about it. The researchers who did the study, for example, built their doppelgänger through omissions of the dot between host/subdomain and domain. It’s an easy typo to make and an easy one to miss if you’re staring bleary eyed at hundreds of emails coming and going.
Similar solutions are available for web-based email as well, and don’t forget to deal with your mobile devices.
Godai mentions a variety of other solutions, such as registering the doppelgänger domains, knocking them out of your internal DNS, and several others.
Consider these doppelgänger one more thing to watch out for on your checklist.