A security story that is kind of disturbing


I've got a story for you. As a security person, it's a little disturbing.

I was driving in the car yesterday with my wife, who works in the health care industry (she's not a doctor). She was telling me that earlier that day she had been trying to email a file to another organization and it wasn't getting there. She explained that they had been looking at something and the file had a weird extension, .paz (or something like that). I don't know what extension that is; it has to be something specific to the health care field that some software or hardware makers recognize but that is not common in the rest of the world.

For example, I don't know how x-ray files are stored (as images?) but suppose they aren't images, but instead are in a format called .xry and can only be opened with certain software. That's what I assume is happening here.

Anyway, she was saying that as an organization, they have to transmit this particular file to another organization, and it wasn't getting there. She would email it, and a while later her contact on the other side would email back and say "Uh, I'm not getting anything."

My wife would send it, and resend it, and nothing would get through. She would send it to her Gmail account, and again nothing was getting through. "What's going on?" she asked. My wife is an ordinary Internet user; my being in the security industry has had almost no influence on her in the years we've been married.

I surmised that her spam/malware filter was silently deleting it and not notifying her. When I told her my theory she said "That's stupid! How am I supposed to know it's not getting through?!?"

Let’s go to the thought bubble.

Thought Bubble

Before continuing with this story, let me interrupt with another story.

A year or two ago, my wife’s place of work switched from using Office 365 to Proofpoint for its spam filtering. Now, I am well aware that Proofpoint is one of our competitors. But as a low-to-mid level engineer, I don’t see it as that fierce a competition. While some senior executives at corporations famously don’t use the products of other companies, people like me aren’t that ideological because we can’t be.

For you see, I have several friends at numerous organizations who work on anti-abuse, Proofpoint among them. We talk to each other at conferences, we sit on panels and discuss strategies for fighting spam and phishing. And really, it’s a fluke I ended up where I am; I could have easily ended up at another company, including Proofpoint. I may end up there yet if (when?) I get fired for writing something I shouldn’t on this blog.

So, I am not ideological about anything.

But even though she had no say in it whatsoever, and there are many reasons why companies switch, when I found out my wife’s place of work switched from Office 365 to Proofpoint… I took that personally.

It was like a punch in the stomach.

Thanks thought bubble.

IT folks will often implement security policies that are designed to reduce risk for organizations. Yet IT and security people (that's you and me, btw) always seem to forget that people are trying to get work done. If IT and security policies are preventing people from doing their work, they will find even less secure ways to get it accomplished.

And that means all of our good intentions have been circumvented.

I asked my wife how she was able to proceed.

Well, first they insert the USB drive holding the file into the computer. Those of you currently having heart attacks can calm down (a little): it's not like they found the drive on the street, they need it to transfer data from the device to the computer.

Next, they open up a personal Gmail account, upload the file that way, and send it on to the final destination. Presto! Problem solved!

Yes, from a functionality standpoint, this worked. But from a security standpoint it failed miserably, and only because, from a usability standpoint, it failed just as hard.

I don't know why the message didn't go through originally, and I know that security teams try to abstract their policies away from users. But users will go around security policies if those policies interfere with the work they are trying to do and they see no alternative.

You may say "Oh! But there are plenty of services that let you upload a file to it, and then send a link to that file!"

Yes, that's a workaround, but not every Internet user knows about it. It's way easier just to send a file as an attachment... that's what "Send a file as an attachment" is for!

I don't have a lot of good advice for spam filters other than to make sure that your security measures actually work. I'm also not picking on Proofpoint, because anyone can nitpick many things even in our own service (Office 365), and for all I know it was a corporate policy, not a service-wide policy, that deleted the message (update on 2016-12-02: it was an organization policy block, not a Proofpoint service block). But in this case, silently deleting a .paz file because it was a security risk (assuming that is what it was) ended up potentially creating an even bigger security risk, because it trains users to look for ways around our security policies.

Let's not make our jobs harder than they already are.
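What an outbound attachment policy looks like when it refuses with an explanation instead of silently dropping the message, as an added illustration (this is not code from the original post, from Office 365 or from Proofpoint). The allowed-extension list, the transfer URL, the contact address and the sample message are all assumptions constructed for the example. The policy function returns a decision; a rejection carries the text of the non-delivery report the sender would receive, naming the policy that blocked the file, a sanctioned alternative and where to request an exception. It also judges every suffix of a double-extension name (report.pdf.exe), since the last suffix is what the receiving system uses to open the file.

```python
"""Outbound attachment policy that explains its rejections instead of dropping mail.

Added illustration, not code from the original post or from any vendor's filter.
The policy table, the message contents and the addresses are all constructed.
"""
from dataclasses import dataclass, field
from email.message import EmailMessage
from pathlib import PurePosixPath

# Hypothetical organization policy: only these attachment types may leave the org.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".png", ".jpg", ".txt", ".csv"}
# Where a user can ask for an exception (assumed address).
POLICY_CONTACT = "security-policy@example.org"
# Sanctioned alternative for file types not on the list (assumed URL).
SECURE_TRANSFER_URL = "https://transfer.example.org"


@dataclass
class Decision:
    action: str  # "deliver" or "reject"
    blocked: list = field(default_factory=list)
    ndr_text: str = ""  # non-delivery report sent back to the user on reject


def attachment_extensions(filename):
    """All suffixes, lower-cased, so 'report.pdf.exe' is judged on '.exe' too."""
    return [s.lower() for s in PurePosixPath(filename).suffixes]


def is_allowed(filename):
    suffixes = attachment_extensions(filename)
    if not suffixes:
        return False  # no extension at all: cannot classify, so not allowed
    # Every suffix in the chain must be permitted; 'invoice.pdf.js' fails on '.js'.
    return all(s in ALLOWED_EXTENSIONS for s in suffixes)


def evaluate_outbound(msg):
    """Apply the policy to one outbound message and return a Decision."""
    blocked = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not is_allowed(name):
            blocked.append(name or "<unnamed attachment>")
    if not blocked:
        return Decision(action="deliver")
    # The NDR states (a) which policy was breached, (b) the sanctioned
    # alternative and (c) where to request an exception. Never a silent drop.
    ndr = (
        f"Your message to {msg['To']} with subject '{msg['Subject']}' was not sent.\n"
        f"Attachments not permitted by the outbound attachment policy: "
        f"{', '.join(blocked)}.\n"
        f"Permitted types: {', '.join(sorted(ALLOWED_EXTENSIONS))}.\n"
        f"To send other file types, upload them at {SECURE_TRANSFER_URL} "
        f"and email the link instead.\n"
        f"To request an exception for this file type, contact {POLICY_CONTACT}."
    )
    return Decision(action="reject", blocked=blocked, ndr_text=ndr)


def build_message(attachment_name):
    """Construct a sample outbound message with one attachment (constructed input)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@partner.example.net"
    msg["Subject"] = "Scan for review"
    msg.set_content("Attached is the file we discussed.")
    msg.add_attachment(b"\x00\x01binary data", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


if __name__ == "__main__":
    for name in ("scan.paz", "scan.pdf", "invoice.pdf.exe"):
        decision = evaluate_outbound(build_message(name))
        print(name, "->", decision.action)
        if decision.ndr_text:
            print(decision.ndr_text)
```

The point of the design is the `ndr_text`: whether the list of permitted types is right for a given organization is a policy question, but a user who receives that report knows the mail was stopped, knows why, and has a sanctioned path to take, so the USB-stick-to-personal-Gmail route never looks like the only option.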


Comments (2)

  1. This one's a no-brainer: handling outbound policy controls ("no unknown file types") is very different to keeping abuse out. In the latter case, silent discard is a reasonable response; however, for outbound mail the goal is to adjust user behaviour, for which silent discard is never appropriate. What is needed is a bounce (a) explaining what policy was breached, (b) what the chosen alternative approach is, and (c) where to direct feedback or request variations.

    Any "security" practitioner who isn't addressing the needs of the organisation isn't actually practising security, they're just tinkering with filter software.

  2. Jonathan Knopp says:

    "IT and security people (that’s you and me, btw) seem to always forget that people are trying to get work done. If IT and security policies are preventing people from doing their work, they will find even less secure ways to get it accomplished."
    Thanks for posting this point. IME it is one that very sorely needs spreading. The same basic point exists between IT people as well. I've run into way too much "it fits what I believe in, so I don't care how it affects you" attitude working with fellow administrators over the years.
