Here at Hackaday we cover news and interesting features for the hacker community, with an emphasis more on the hardware side. Nevertheless we also cover stories from time to time from the broader world of security. These usually involve vulnerabilities discovered through the patient work of software or hardware researchers, and are certainly what we’d call hacking. But what about those information security breaches that aren’t hacks like that at all? What happens when the person being breached simply gives you the information?
I’ve got one, and while it’s Not A Hack, it’s definitely something that we and those outside our community need to talk about. I’m talking about the depressingly common occurrence of organisations who should know better, gifting their letterhead to all and sundry in the form of freely editable Word documents.
A Bit Of Paper That Unlocks So Many Doors
A letterhead may seem to those of us on the cutting edge of technology as though it hails from a bygone era, but in legal and trust terms it’s still in so many circumstances the key that unlocks the door. If you turn up with an official-looking letter on the right letterhead, it’s taken at face value. In my time I’ve had to supply just that for medical, financial, and legal transactions. Thus the letterhead, and the ability to use it, is a key piece of an organisation’s security. We can poke holes in this outdated convention as much as we like, but anything printed on a letterhead carries that organisation’s trust and reputation with it.
In my time I’ve received Word document letters from numerous organisations that should know better, and using the letterhead is as simple as rewriting the letter in my word processor. These include my bank, my university, the BBC, more than one major publishing house, a specialist National Health Service clinic, and even in a particularly funny episode, the solicitors hired by some nasty people who were trying to harass me.
If I were a criminal I could have tried several lucrative financial frauds using those letter headings. I could have used the NHS one with my local doctor to be prescribed interesting pharmaceuticals, and I could probably have used the professional and university ones to secure work I’m unqualified for. Such is the value attributed to these documents. Sadly I haven’t kept a rogue’s gallery for you to leaf through, but instead in each case I’ve politely informed them of their security breach and deleted the document unless it was one of importance that I needed to hang on to. I’m uncertain of the legality behind it all, but I am guessing the crime isn’t in possessing a freely given electronic letterhead but in using it for nefarious purposes.
As if the above list of random big names who were kind enough to gift me their letterhead wasn’t enough, when researching this piece I was astounded to find large organisations in the public and private sectors who even make them available for download. I have declined to put up any links, but, in some cases letters for public consumption can be found online as Word documents, and there are even organisations that publish communication design and style guides containing the blank letterheadings ready for use. You really couldn’t make this up!
Basic Security Left To The Lowest Paid
At fault of course is partly a lack of understanding of just what an electronic version of a document really means. The task of drafting and sending out is left to the lowest paid workers at the bottom of the ladder, and they evidently have no idea that there is a security risk involved; to them the document simply is what’s spat out by Word. If ever a fraud is traced back to a letterheading in a Word document you can be certain it’s those lowly minions who will be for the chop, but the real culprits lie higher up the food chain for not instituting appropriate policies and training. What needs to happen is for letterhead to be considered as important a part of organisational security as any other electronic asset.
Documents still need to be sent out, so how should they be doing it? The obvious first choice is to use PDF, as a readily accepted electronic document format. They’re by no means perfect as a proprietary format, and some of the advanced PDF features need Adobe’s own reader which isn’t available on all platforms, but they are at least well understood and ubiquitous. PDFs can of course still be edited, but the barrier to entry for the miscreant is immediately higher. Alternatively there are various secure online delivery platforms, for example my accountant makes his documents available through a portal for which I have to supply a secured login. If there’s a credible open-source equivalent to either of these options, we’d love to hear it.
While my parody letter headings in the header image should be easy enough to spot, the same can’t be said for the real thing. I’m preaching to the infosec choir in a Hackaday piece so you’ll probably be with me on most of these points, but what’s to be done? As always, the comments await.