Government emails can be easily forged
Folks who use messaging services based on Microsoft Exchange will be familiar with Outlook Web Access, in short called OWA.
While I don't mind companies using the default options, I strongly believe default options aren't wise for the Government (^^,) ... Yup! The highly secured infrastructure that is supposed to guard our biometric data actually has a plain OWA without Captcha login & I guess no mechanism to detect multiple login attempts.
Oh wait! It doesn't stop here. I was invited for a talk yesterday at the Rajiv Gandhi Science Centre. The speakers present highlighted the various legal implications & violation of civil liberties that surround the collection and storage of biometric data. On my turn I talked about the current IT infrastructure of the Mauritian Government. To give a glimpse to the public I demo'ed something about email forgery and warned people on phishing scams. That's the usual security awareness that we do. My demo focused on the poor security mechanisms around the Government Portal and that nothing has been implemented to prevent email forgery.
I ran a mail server in a Linux virtual machine & used it to send myself a fake email with the address firstname.lastname@example.org. Contrary to what you'd expect, the email lands in my inbox. Watch the screencast.
If anyone thinks I should have alerted the authorities of this security flaw, well, this isn't something unknown to the IT Community of Mauritius. Most engineers are well aware of this.
Still in my letter to the ICT Minister & the MNIS Project Manager, I did highlight this issue. A copy of the letter is available on hacklog.in.
Currently, mail.gov.mu isn’t equiped with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) which are mechanisms that help in fighting email forgery. To say, someone can easily send out a forged email with @mail.gov.mu extension, the email is delivered to the victim’s inbox & the latter is presented a beautifully crafted email talking of “reforms etc”. The person is then tempted to click on a colorful download button, asked to log in (page which resides on a similar to gov-mu.org domain) & yes a PDF is downloaded. Everything looks innocent. Everyone is happy! The poor victim gets a PDF that talks of “reforms” & the attacker gets the victim’s “login credentials”. DNSSEC is important for gov.mu, SPF & DKIM are good practices to fight email forgery and govmu.org is very bad for the government’s health.