Russian hack targeting senator makes me want to break up with email
Email makes us vulnerable to hackers. Too bad we still need it.
Laura HautalaFormer Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
ExpertiseE-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking.Credentials
2022 Eddie Award for a single article in consumer technology
I used to think of email as a lifeline that let me stay in touch with friends and family regardless of where I went. Then email changed and now my inbox throngs with surveys, coupons and newsletters from any retailer I made the mistake of doing business with online.
McCaskill said the hacking attempt wasn't successful. Still, it was eerily similar to the 2016 hack of John Podesta's email account. Hackers tricked Podesta, who was running Hillary Clinton's presidential campaign, by sending him a fraudulent email that prompted him to enter his password into a fake website that mimicked the Google password reset page. That's the same approach hackers took with McCaskill, only this time they spoofed a Microsoft web page.
This is what has me looking sideways at email right now. The inbox is more than just a growing guilt-pile of unanswered personal messages buried under hundreds of sale offers. It's also an essential tool for hackers who US intelligence officials believe are trying to interfere with US democracy.
A spoof that's not funny
Crappy email is everywhere. Worldwide, more than 281 billion emails are sent every day, according to market research firm Radicati. A large portion of that is spam, the messages that are the most common attack route for malicious software or links to malicious websites, according to cybersecurity firm F-secure. Spam filters and antimalware software can help protect us from the worst of these attacks. But there's still one big trick hackers can use to access our accounts and hack our machines through email.
It's called impersonation. With this approach, hackers use email addresses and websites that look like they come from legitimate companies to get valuable information from victims.
"It turns out impersonation is both the easiest and most common way that people get tricked on email," said Alexander Garcia Tobar, CEO of email security company Valimail.
Hackers have some sneaky tricks for getting people to fall for this, including what's called a "full domain spoof." That lets them send emails that look exactly like they're coming from from a legitimate email address. There's a tool for stopping this that the owner of a web domain can use. It's called DMARC, but it hasn't been adopted by all email providers.
Even if hackers can't send an email that looks fully legitimate, they might be able to send it from a domain that contains a slight misspelling. Or they might use the "Friendly From" field in an email header to pose as someone they're not. For example, Paypal warns customers they could receive an email from someone who appears in their inboxes as "PayPal Services" even though the sender's email address is really something as random as firstname.lastname@example.org.
Targeting the inboxes of political staffers
In the case of the McCaskill attack, hackers tailored a password reset web page for one of McCaskill's staff members. It already had his email address entered in the form. We don't know how hackers sent the staffer the link to that page, but it could have come in an email that relied on more spoofing techniques to look even more legitimate.
Hackers might not have gotten McCaskill this time, but they'll keep trying. Tom Burt, Microsoft's vice president for customer security and trust, said last week at the Aspen Security Forum that the company has identified three candidates for Congress who were targeted with a phishing campaign using a fake Microsoft web page. Even if McCaskill is one of those three, the others might still be susceptible.
Alternatives to email
Candidates for political office -- as well as you and I -- can rely on communication tools other than email. In April, the Democratic National Committee announced it was partnering with encrypted messaging services Wickr and Signal to offer more secure communication tools to candidates.
Wickr CEO Joel Wallenstrom told CNET that his company is providing tools that make messages harder to steal, and allows campaigns to automatically delete messages it won't need after a certain period of time. Users can also recall and delete specific messages immediately. The messages aren't stored on Wickr's server and they're scrambled up with encryption as they travel to their intended recipients.
All of that helps prevent campaigns from creating an easily hacked archive of sensitive information, which is what the email inbox has become.
The process addresses "this concept of keeping everything for 10 years, whether you need it or not," Wallenstrom said.
As part of its partnership with the DNC, Wickr is offering tools it already provides to corporate clients. These allow users to create a chat room with specific people and then set a deadline for when messages in that room will be erased.
The idea is for campaign staffers to have a place where they can talk about plans for a specific event, discuss recent polling numbers, or exchange files related to a specific part of the campaign during the time they need it. Then when those messages aren't needed anymore, they're gone.
There are still reasons to use email
Obviously some messages are important to keep around for the long term. That's not just for convenience -- it can also be legally required.
Many politicians are subject to public records laws, such as the Freedom of Information Act. So when they win and become an elected official, they have to preserve their communications going forward. But that doesn't apply to Congress, so senators like McCaskill can use encrypted messaging apps for a campaign and to communicate with staffers.
And as much as I hate to admit it, email is still essential for modern communication. For campaigns, it's how they reach donors, potential volunteers and members of the media. Campaigns use email because -- unlike instant messaging, which requires the sender and recipient to use the same app -- they have to take into account everyone's tech preferences. Email will go to whatever address you send it to, no matter what email service it is.
"Here's the thing about email," Valimail's Garcia Tobar said. "Nobody owns it." You can't say the same for any other messaging service.
Still, campaign staffers and regular people alike can make a choice to talk about sensitive topics on more secure platforms than email. That was the mistake of Podesta, who appeared to use his email to discuss everything from campaign business to cooking tips, Wickr's Wallenstrom said.
"You should not be talking about national security matters in the same place you talk about risotto recipes," he said.
That's solid advice. For myself, I'll keep talking with my friends on messaging apps and fondly remembering the days when my relationship with email was carefree -- instead of a dangerous chore.
Correction, 9:56 a.m.: This story has been updated to indicate that members of Congress aren't required to preserve their communications.
Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.
Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad services that will change your life.