tric commented on Scammers can exploit email forwarding flaws to impersonate high-profile domains   today.ucsd.edu/story/forw... · Posted by u/sizzle
peanut-walrus · 2 years ago
The attack works for spoofing email from domains that have DMARC configured with reject policy against receiving servers that validate DMARC and act correctly according to policy. Only requirement is that the domain the attacker is spoofing is using O365.

This is not a UX problem. This is a Microsoft problem.

tric · 2 years ago
> Only requirement is that the domain the attacker is spoofing is using O365.

This is not true. The paper mentions multiple service providers using more relaxed validation.

Table 3, section 5 in the paper shows which policies need to be in place on the domain they are piggy-backing on.

They reference Postfix:

"Additionally, we note that mailing list software such as Listserv and Mailman require a backend MTA. In our experiments we used Postfix with DMARC turned on, a configuration which follows good security practice. However, in practice many organizations might not use this configuration because many MTAs (including Postfix) do not enforce DMARC by default. In these cases, the attacker can spoof email from any target domain, regardless of its DMARC policy, much like the attack against Gaggle."

I read this to mean that if you actually enable DMARC in Postfix, piggy-backing on another domain's policies results in rejection.

No mention of results for receiving at ProofPoint, Mimecast, Trellix, or Cisco's email appliance.

> This is not a UX problem.

They are demonstrating a problem with managed providers, and their opinionated configuration. You give up a lot of control as an admin when you use 365 as your front-end. This further proves that.

tric commented on Scammers can exploit email forwarding flaws to impersonate high-profile domains   today.ucsd.edu/story/forw... · Posted by u/sizzle
peanut-walrus · 2 years ago
This works against domains that have DMARC configured properly. First attack works against any domain that is using O365, regardless of their DMARC settings.
tric · 2 years ago
Your domain may have a policy of reject or quarantine, but does the receiving host correctly act on that policy?

I can understand if free email providers are more permissive with narrow authentication scenarios. Users aren't usually able to contact support.

As someone suggested in this thread, this is a UX problem.

Policies need to appease a large number of users. A gov/corp org receiving these messages can be more strict. Even in these orgs, people complain about not receiving an email that was appropriately rejected.

tric commented on Scammers can exploit email forwarding flaws to impersonate high-profile domains   today.ucsd.edu/story/forw... · Posted by u/sizzle
csharpminor · 2 years ago
I completely agree. As an aside, for .gov domains, the DMARC offenders are primarily at the state, county, and local level. I would personally be in favor of extending CISA’s DMARC requirements to anyone with a .gov domain (and revoking domains that are non-compliant).

Another misconception among many CIO/CISOs is that securing your individual subdomain with DMARC is enough. For example, dmv.ca.gov might have DMARC on its subdomain but not on the root, allowing a scammer to make up their own subdomain like “vehicles.ca.gov” and scam people into paying for fake vehicle registration. Of course there are other mechanisms inbox providers use to protect recipients, but without a DMARC policy on the root domain the door is left open.

This is especially prevalent at the state level where no one wants to own DMARC centrally.
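The subdomain misconception described in the comment above, and the earlier question of whether a receiving host actually acts on a published policy, can both be checked in code. The block below is an added illustration, not code from the paper, the thread, or any product; it replaces DNS with an in-memory dict of constructed TXT records, shrinks the public-suffix list to the suffixes the samples need, and applies RFC 7489 policy discovery (own record, else the organizational domain's record with sp= governing subdomains) and identifier alignment from the receiver's side. The ca.gov records, the hardened variant, and the forwarder domain are all made up for the example.

```python
"""DMARC policy discovery and receiver disposition (added illustration).

DNS is replaced by an in-memory dict of constructed TXT records, and the
public-suffix list is reduced to the handful of suffixes the samples need.
"""
from typing import Dict, Optional, Tuple

# Constructed sample records (not real DNS data). The ca.gov root publishes
# p=reject but sp=none, so any unlisted subdomain inherits no enforcement.
SAMPLE_RECORDS: Dict[str, str] = {
    "_dmarc.ca.gov": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@ca.gov.invalid",
    "_dmarc.dmv.ca.gov": "v=DMARC1; p=reject",
}
# Same zone with the fix: the root's sp= tag now covers made-up subdomains too.
HARDENED_RECORDS: Dict[str, str] = {
    "_dmarc.ca.gov": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@ca.gov.invalid",
    "_dmarc.dmv.ca.gov": "v=DMARC1; p=reject",
}
# Stand-in for the public suffix list (assumption; real code should use the PSL).
PUBLIC_SUFFIXES = {"gov", "com", "net", "org"}


def organizational_domain(domain: str) -> str:
    """Organizational domain = one label left of the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Parse 'tag=value; ...' into a dict; None unless it is a usable DMARC1 record."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def lookup_record(domain: str, records: Dict[str, str]
                  ) -> Tuple[Optional[Dict[str, str]], Optional[str]]:
    """RFC 7489 discovery: the domain's own record wins, otherwise the
    organizational domain's record applies. Returns (tags, owner) or (None, None)."""
    domain = domain.lower()
    own = parse_dmarc(records.get(f"_dmarc.{domain}", ""))
    if own:
        return own, domain
    org = organizational_domain(domain)
    if org != domain:
        inherited = parse_dmarc(records.get(f"_dmarc.{org}", ""))
        if inherited:
            return inherited, org
    return None, None


def effective_policy(domain: str, records: Dict[str, str]) -> str:
    """Policy a receiver must apply to mail whose RFC5322.From is this domain."""
    tags, owner = lookup_record(domain, records)
    if tags is None:
        return "none"              # nothing published: nothing to enforce
    if owner != domain.lower() and "sp" in tags:
        return tags["sp"].lower()  # inherited record: sp= governs subdomains
    return tags["p"].lower()


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def disposition(from_domain: str, spf_result: str, spf_domain: Optional[str],
                dkim_result: str, dkim_domain: Optional[str],
                records: Dict[str, str]) -> str:
    """What a DMARC-enforcing receiver does: 'accept', 'quarantine' or 'reject'."""
    tags, _ = lookup_record(from_domain, records)
    if tags is None:
        return "accept"
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(from_domain, spf_domain, tags.get("aspf", "r").lower()))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags.get("adkim", "r").lower()))
    if spf_ok or dkim_ok:
        return "accept"
    policy = effective_policy(from_domain, records)
    return {"quarantine": "quarantine", "reject": "reject"}.get(policy, "accept")


if __name__ == "__main__":
    # Mail From: dmv.ca.gov re-sent by a forwarder: SPF passes only for the
    # forwarder's domain and there is no DKIM, so nothing aligns and p=reject applies.
    print(disposition("dmv.ca.gov", "pass", "forwarder.example.net", "none", None, SAMPLE_RECORDS))
    # An invented subdomain: the root's sp=none leaves it with no enforcement ...
    print(effective_policy("vehicles.ca.gov", SAMPLE_RECORDS))
    # ... until the root publishes sp=reject.
    print(effective_policy("vehicles.ca.gov", HARDENED_RECORDS))
```

The `effective_policy` result for `vehicles.ca.gov` is the whole point of the root-domain argument: the invented subdomain has no record of its own, so whatever the organizational domain says about subdomains (its `sp=` tag, falling back to `p=`) is the policy a receiver applies. The `disposition` function is the receiver-side check the thread keeps coming back to; an MTA that does not run this step (as the quoted paper says of Postfix's default) delivers the message regardless of what the domain owner published.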

tric · 2 years ago
> the DMARC offenders are primarily at the state, county, and local level.

This has been my experience as well. Likely due to their systems being managed by lowest-bidder MSPs.

Someone once shared their own analysis of each state's configuration a few years ago:

https://old.reddit.com/r/sysadmin/comments/cawch1/united_sta...

I wonder how it looks today.

tric commented on Scammers can exploit email forwarding flaws to impersonate high-profile domains   today.ucsd.edu/story/forw... · Posted by u/sizzle
tric · 2 years ago
The diagram demonstrating the attack shows DMARC fails. All they have shown is that everyone should have DMARC configured properly, and use a reject or quarantine policy. This has been best practice for a long time now.

They use the example of state.gov. That domain's policy is currently set to Reject, which is what all Federal government services have been using for years now.

Here's CISA's requirements: https://www.cisa.gov/news-events/directives/bod-18-01-enhanc...

Microsoft also uses their own auth mechanism in addition to DMARC. It's called composite authentication. In my experience, comp-auth is more strict than DMARC alone.

https://learn.microsoft.com/en-us/microsoft-365/security/off...

What am I missing? Why is this noteworthy?

EDIT:

After reading more of the paper, my conclusion is mentioned in a later reply:

"They are demonstrating a problem with managed providers, and their opinionated configuration. You give up a lot of control as an admin when you use 365 as your front-end. This further proves that."

tric commented on Ask HN: Does Instagram suspend accounts just to get their phone numbers?    · Posted by u/gurchik
Kiro · 2 years ago
In my country phone numbers are public information so not really giving up much.
tric · 2 years ago
The problem is with linking the account/activity with your identity.

HN can only use less reliable identifiers (e.g. GeoIP) to link my account to other data. A phone number (potentially) connects me to more data about me.

tric commented on Ask HN: Does Instagram suspend accounts just to get their phone numbers?    · Posted by u/gurchik
tric · 2 years ago
It's always surprising to see how willing people are to give up their phone number to use an app. It's not just Meta products. Telegram & ChatGPT too.

I'm afraid more services will go in this direction.

tric commented on Nvidia announces financial results for second quarter fiscal 2024   nvidianews.nvidia.com/new... · Posted by u/electriclove
xnx · 2 years ago
The good news is that Nvidia's high GPU prices motivate everyone (Intel, AMD, ARM, Google, etc.) to try and tackle the problem by making new chips, making more efficient use of current chips, etc. For all the distributed computing efforts that have existed (prime factorization, SETI@Home, Bitcoin, etc.), I'm surprised there isn't some way for gamers to rent out use of their GPUs when idle. It wouldn't be efficient, but at these prices it could still make sense.
tric · 2 years ago
> I'm surprised there isn't some way for gamers to rent out use of their GPUs when idle.

https://rendernetwork.com/

"The Render Network® Provides Near Unlimited Decentralized GPU Computing Power For Next Generation 3D Content Creation."

"Render Network's system can be broken down into 2 main roles: Creators and Node Operators. Here's a handy guide to figure out where you might fit in on the Render Network:

Maybe you're a hardware enthusiast with GPUs to spare, or maybe you're a cryptocurrency guru with a passing interest in VFX. If you've got GPUs that are sitting idle at any time, you're a potential Node Operator who can use that GPU downtime to earn RNDR."

tric commented on Nvidia announces financial results for second quarter fiscal 2024   nvidianews.nvidia.com/new... · Posted by u/electriclove
issafram · 2 years ago
Not that it's much better, but wouldn't it be a duopoly considering that AMD is also a big player?

Hopefully Intel continues to improve its GPU offerings.

tric · 2 years ago
> wouldn't it be a duopoly considering that AMD is also a big player?

I don't think GPUs are commoditized. You can't swap an Nvidia GPU with an AMD GPU and get the same performance/results.

u/tric · Karma: 545 · Cake day: March 26, 2023