National Cyber Security Centre boss: For the love of $DEITY, use 2FA on your emails, peeps

Re: Building those capabilities

"And Aldi is ultimately owned by a company from a country that values well qualified staff."

Exactly.

The best UK employer I had was ultimately German owned. Among other things they weren't scared of paying for top notch training courses.

Re: Building those capabilities

Just curious if you have ever reviewed the public salary postings for what government jobs pay in the US. At least in some areas I wouldn't qualify it as crap. If you are interested you can lookup California ones via transparentcalifornia.com

For 2016 in Riverside County the lowest paid Security Analyst made 94,766 and the highest paid made 151,657. Just to cherry pick a few others, a Security Analyst for the Modesto Irrigation District was paid 119,406 a Information Security engineer for Santa Clara Country 143,119.59 and so on. I'm not sure I would qualify any of these as paying the least having worked at a fortune 500 previously where I made less than all of these people in a security engineering role. And this is without benefits which tend to be better in general. I don't work for a government agency currently, but you can bet I'm not crossing them off the list for the future.

Re: Building those capabilities

> I had an interview at GCHQ - it's a shithole.

Whereas GDS have a shiny new HQ in Whitechapel with a "trendy atrium bar".

Because "users first!!!!".

A/C because I have to work with these fuckers occasionally.

Re: Building those capabilities

Still a government agency so pay grades rule. They could start someone on a higher pay grade, yes, but the best way to earn market rates from a government job is to be a contractor they can't do without.

I read this the other way - that cyber criminals were put off by the rampant criminality evident in the Harvard MBA test. Even criminals have some morals. Well, sometimes.

Why the idea that a Harvard MBA precludes criminality?

A Harvard MBA test precludes criminality. The business plan you submit will be disqualified for blatant criminality.

What the MBA gets up to after they've passed their test, or before it for that matter (provided they can keep it out of the test itself) - that's another matter entirely.

Re: Absolutely missing the point

Well of course Joe average email user doesn't. They just want things to work.

I was talking about the people setting up the service. User error is a given, so you must plan for that and there is a direct correlation between ease of use and diversion from use-as-usual and user mistakes. Adding 2FA is too far a departure from established use for your average end user, especially for what lurks in parliament. Some of those users have barely adapted to the loss of parchment, ink and quills.

Re: Smart Meters - Don't make me laugh

I've been less worried about people hacking the meter than I have been about the energy companies deciding to either cut me off, reduce the amount of juice I can draw, or just simply ramp up the bill without notice.

I'm more worried about unreported measuring errors. They are in charge of ALL the factors that lead to your bill: the meters, their calibration and their reading, and all of that is but a hack away from being adjusted (the mechanical ones would take at l east a physical visit).

If that "adjustment" is in the user's favour you can be sure they'll be on it like a fly on dead meat, but I am not so trusting that they will own up if they have been overcharging people - you'd never find out unless you add your own device in the pipe.

You'd almost need a regular, random audit by an independent entity.

I would have made a claim against the bookkeeper and never used them again myself. My associate was more forgiving and set them up with a mailbox on their mail system, with 2FA enabled of course, and sent them some IT and accountancy best practice reading. I don't know if the money has been recovered but yes, the chances are slim as it's probably better travelled than Alan Whicker and even the most sympathetic of banks would I'm sure resist reimbursing in these circumstances.

2FA would have prevented the thieves from accessing the bookkeeper's e-mail account, which is where the thieves amended the instructions. It is true that a message can be altered in transit but that is not what happened in this case and in any event, altering a message as it passes through mail servers and routers is much harder to do than hacking a poorly configured endpoint account.

Re: Not the point ....

"SMS has been shown to be less than secure"

I think a big issue is that many people use their phone for both web/email, and of course SMS. So get root on that device, probably no longer patched of course, and you are laughing while they are not.

Of course we can all see this approach is then really 1FA (or SFA in some cases).

Re: Not the point ....

It's 2017; you should enable 2FA on any and every system or account that provides it. If your e-mail system doesn't have 2FA you need to move to one that does as a matter of urgency. If it does and you're not using it, you should assume that someone else is accessing your mailbox no matter how strong your password is because without 2FA if someone else logs in you'd never know unless you caught them in the act (or an audit log revealed it) or they made a change that you noticed. Of course e-mail admins, line managers etc could be logging in without your knowledge, even with 2FA enabled.

The days of hackers logging into mailboxes just to send out spam are fading fast. Now they sit and wait for something interesting and then quietly manipulate it.

Re: Not the point ....

"So any attempt to log into a service using your email address and correct password triggers a 2FA call (say SMS, but any number of authentication services are available)"

I don't use webmail.

My various email clients scan the IMAP server for incoming messages every 10 minutes, and whenever I send an email.

Please tell me how 2FA is going to work there.

Re: WTF? / "But if people encrypt their emails then how will GCHQ be able to read them"

DKIM is NOT "encrypting emails" it is simply DIGITALLY SIGNING THEM using a public key.

SPF is (can) say "these servers are allowed to send my emails, everthing else cannot ( -all )

DMARC says "if an email passes SPF and DKIM checks, it's genuine, otherwise do x,y, or z.

The issue with uptake of SPF, DKIM and DMARC is primarily that I.T. people that understand it seem to have difficult explaining it to a layman, or implementing it....

e.g.

www.microsoft.com

not only does your www. lack an SPF record but your DMARC policy at microsoft.com does not contain an "sp=" value, so DOES NOT apply to ANY subdomains of www.microsoft.com

- so you (or a malicious third party) could send emails from any address ending @www.microsoft.com addresses - because they cannot be validated as genuine....

If microsoft added "sp=reject;" to their DMARC record it would fix this. (sp is subdomain policy!)

e.g.2

www.apple.com

is no better - in fact their DMARC record is worse. "p=none;"

(p is "policy - i.e. the primary domain policy - is no policy at all)

e.g.3

www.ubuntu.com is worst.

Letting the side down guys.

With DKIM the emails remain in plain text and the sending server uses a private key to digitally sign the email in such a way that the receiving server can mathematically compare the digital signature against a public key that the sender's domain has published as a TXT record in that domains public DNS records.

If the sending domain also has a strict(ish) SPF record and publishes a DMARC record then those emails can (in some cases) Automatically be validated as genuine.

(DMARC is essentially a policy - published as another TXT record in the sending domain's DNS - that can* provide instructions to the receiving server on how to AUTOMATICALLY handle emails that pass or fail SPF, or DKIM or SPF & DKIM checks. The DMARC policy can also enable a (DMARC compliant) receiving server to report back email successes and failures - i.e. you can find out AUTOMATICALLY if people are spoofing your emails.)

Unlike SPF, DMARC can also apply to a subdomain of the domain at which the DMARC record is stored - as long as the "sp=" modifier is set.

SPF is another matter. If you have a www.something.com A record but DO NOT have an SPF record that matches the name of that subdomain, then there is NO SPF applying to that subdomain and people can spoof your emails..

This is the tip of the iceberg.