Can you tell me more about the anti-spoofing work you did?
The paper we submitted to SecDev is a follow-up to a previous project on anti-spoofing published in USENIX. The previous project was to understand how anti-spoofing works and how it will harm users. This paper is mainly about why this problem still exists and why most services don’t adopt secure protocols.
What are the main barriers to adopting secure protocols?
We found out that the most important barrier is the technical defects. All of those protocols have some intrinsic defect that makes them imperfect. For example, let’s say a secure protocol tells you if an email is authenticated or not. Because of some intrinsic defects, some legitimate emails get blocked. There is also the possibility that some spoofing emails can bypass these protocols. Because of this, these protocols can cause problems, block legitimate emails, and cannot block all of the bad emails. Those are the biggest reasons why everyone isn’t adopting these protocols. When these protocols were designed, they already had these problems.
Why have these protocols not been patched?
One of the protocols is called DKIM. When senders send an email, they will use RSA to sign it. The problem is that a mailing list will add a header or footer to the email, breaking the signature. There’s no way they can patch it.
Given that these protocols are difficult to patch, how should users be more vigilant about these types of attacks?
It’s hard because it requires a lot of technical background. You have to manually check the raw format of the email and I don’t think any normal user will do that.
What are the more pernicious risks that these types of attacks present to users?
The biggest threat to email spoofing is using spear-phishing. Normal phishing attempts try to get at your password. Spear phishing targets just you or your company. If I know your boss, I could spoof your boss and it will increase the chance of you getting phished. The biggest fear is that email spoofing is used for spear phishing, making it much more convincing.
What other research projects are you currently working on?
After this project, I am switching from anti-spoofing to IoT research. One of them is on skill squatting in collaboration with the University of Virginia. Squatting is when you want to go to “facebook” but there’s a link that says “facedook”. If there’s a Google skill called “facebook”, you can create a skill called “facedook”. This creates the possibility that the user may be routed to a malicious skill. If that skill has some critical functionality like banking, it could do something serious.