British Home Secretary Amber Rudd has been duped into sharing her personal email address with a prankster who has previously embarrassed the likes of Bank of England governor Mark Carney and Barclays boss Jes Staley, as well as Donald Trump Jr and various White House officials. Rudd, who recently courted controversy in the security industry by suggesting that "real people" weren't interested in secure communications, found herself targeted by a mischief-maker who created a free webmail account in the name of Robbie Gibb, the British prime minister's communications chief. The prankster, who calls himself "Sinon Reborn", sent a message posing as Gibb to the unsuspecting Home Secretary, at her email address publicly listed on the British parliament's website.
Now, I have no doubt that MPs and government ministers receive no end of unsolicited or cranky emails, especially as all have their official email addresses listed on the web. But Amber Rudd made a mistake not only in replying to the email (without checking that it came from the real Robbie Gibb), but also in responding from her own personal email account. In short, the Home Secretary had just told a complete stranger her private email address, and believed she was speaking to a colleague.

That's a serious error to make - and one which could potentially have been exploited to dupe Amber Rudd into clicking on a malicious link or poisoned attachment, or into divulging personal information or passwords.

If I were being cynical I might suggest that Amber Rudd has just proven that she's not that interested in secure communications...

The truth is that ordinary people need cryptography. It not only protects your communications from criminals and prying eyes, it can also help reassure you that you're communicating with the person you think you are speaking to.

Sinon Reborn admits that his email pranks are not sophisticated - he simply emails high profile figures from webmail accounts he has created in the names of their colleagues and associates - but simple social engineering tricks appear to keep outwitting high profile figures, at least until the conversations become too ridiculous or out-of-character.

Fortunately, these pranks appear to be more about amusing the perpetrator than designed with malice in mind. But the same tricks could so easily be used by someone targeting a particular company or individual with more than just the intention to embarrass.

We all need to be more careful when it comes to email. We should not automatically trust communications that arrive from unusual email addresses, or that use language or show behaviour which is out of character for the correspondent's normal style.
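The advice above boils down to a check anyone's mail gateway or client can make: does the display name match a known colleague while the address does not? The following is an added example, not code from the original article; the organisation domain, the internal directory and the two sample messages are constructed for illustration.

```python
"""Tag a message whose From: header looks like a colleague but comes from outside.

Added example (not from the original article). The domain, directory and sample
messages are constructed; only the Python standard library is used.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.gov.uk"  # assumed internal domain (placeholder)
# Assumed internal directory: lower-cased display name -> official address.
DIRECTORY = {"robbie gibb": "robbie.gibb@example.gov.uk"}
# Free webmail providers a prankster can register a look-alike name with.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}


def classify_sender(raw_message: str) -> list[str]:
    """Return warning tags derived from the From: and Reply-To: headers."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    tags = []
    if domain != ORG_DOMAIN:
        tags.append("EXTERNAL")  # what a gateway banner would warn about
    if domain in FREE_WEBMAIL:
        tags.append("FREE_WEBMAIL")
    official = DIRECTORY.get(display_name.strip().lower())
    if official and official.lower() != address.lower():
        # A colleague's name on an address that is not the colleague's: the
        # pattern used in the prank described in the article.
        tags.append("DISPLAY_NAME_MATCHES_COLLEAGUE")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != address.lower():
        tags.append("REPLY_TO_MISMATCH")  # replies would go somewhere else
    return tags


# Constructed sample messages.
PRANK = """From: Robbie Gibb <robbie.gibb.no10@gmail.com>
To: minister@example.gov.uk
Subject: Quick question

Can you send me your personal address?
"""
GENUINE = """From: Robbie Gibb <robbie.gibb@example.gov.uk>
To: minister@example.gov.uk
Subject: Quick question

Same question, from the official account.
"""

if __name__ == "__main__":
    for label, raw in (("prank", PRANK), ("genuine", GENUINE)):
        print(label, classify_sender(raw) or ["no warnings"])
```

A gateway would use the returned tags to prepend the visual warning the article describes, rather than silently delivering the message.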
Some companies may even be wise to put functionality at the email gateway which displays a visual warning if a message has arrived from outside the organisation, requesting that a higher level of caution is exercised.

I'm not worried about Sinon Reborn's future pranks. I have no doubt he'll continue for as long as he finds his activities amusing. What worries me much more is the serious problem he has shone a spotlight on: just how reckless people can be with their email communications, and the very real possibility that real villains will adopt their own bogus email disguises to perpetrate future crimes.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.