Our computer security problems are our own fault

October 26, 2022

Over on Twitter and the Fediverse I said something:

A quiz: you've a normal, ordinary person and you've received an email with a PDF invoice attached (so it says). You click on the invoice in your mail program and it shows you this. What are you seeing and how alarmed should you be?

A blurred invoice in the background with an 'Adobe PDF / Sign in to view invoice payment' dialog on top, asking for your password.

The spoiler is that this is the 'HTML attachment presented as a PDF attachment' phish that I talked about yesterday. This isn't a real PDF that's been encrypted and magically needs your password to unlock; this is a HTML form that will send your password to the phisher if you try to 'sign in' to see the PDF.

(This image is from a browser instead of a mail client. A mail client I tried rendered it somewhat differently, but I don't know how other ones behave. As covered, since spammers do it I have to assume it works in enough environments to be useful.)

We (the computing community) did this to ourselves. We created a situation where a HTML attachment received in email could plausibly look, to ordinary people, like something that would appear from trying to look at an ordinary PDF. There are a whole bunch of individual pieces and steps that got us here, each sensible on their own in some view, but the collective result is that we did this to ourselves. We have no one else to blame when ordinary people fill in their password and hit 'Sign in'.

These steps aren't just displaying HTML attachments and PDF attachments in mail clients in a way that's hard for ordinary people to immediately tell apart if they're not already suspicious. It's also things like creating a world where opening an attachment might plausibly require a password or additional authentication to actually see it. It's a computing world where you can be challenged for authentication at what feels like random times for random reasons and there's enough noise that what's one more roadblock in the way of getting your work done.

(On a larger scale, there's also the issue that we have no general secure file transfer system beyond 'mail people documents that are encrypted in a variety of ways', ranging from 'locked' PDFs to encrypted ZIP archives to more technical options.)

I don't have any solutions. I'm not sure a solution is even possible at this point. Come back in fifty or a hundred years; maybe we'll have figured one out by then. Or everything will have changed so much that the problem is irrelevant.

Written on 26 October 2022.
« An email phish attempt using attachment file type confusion
Scripts and programs should skip having extensions like '.sh' and '.bash' »

Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Wed Oct 26 21:08:26 2022
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.