Government emails can be easily forged

July 9, 2014

Folks who use messaging services based on Microsoft Exchange will be familiar with Outlook Web Access, in short called OWA.

While I don’t mind companies using the default options, I strongly believe default options aren’t wise for the Government (^^,) … Yup! The highly secured infrastructure that is supposed to guard our biometric data actually has a plain OWA without Captcha login & I guess no mechanism to detect multiple login attempts.

gov-mu-owa

Oh wait! It doesn’t stop here. I was invited for a talk yesterday at the Rajiv Gandhi Science Centre. The speakers present highlighted the various legal implications & violation of civil liberties that surround the collection and storage of biometric data. On my turn I talked about the current IT infrastructure of the Mauritian Government. To give a glimpse to the public I demo’ed something about email forgery and warned people on phishing scams. That’s the usual security awareness that we do. My demo focused on the poor security mechanisms around the Government Portal and that nothing has been implemented to prevent email forgery.

talk-rajiv-gandhi-science-research-centre

Photo, courtesy of IAM ( :

I ran a mail server in a Linux virtual machine & used it to send myself a fake email with the address security@mail.gov.mu. Contrary to what you’d expect, the email lands in my inbox. Watch the screencast.

As a citizen of the country whose fingerprints & biometric photo are being demanded to be stored on a Government owned infrastructure where poor security abounds, I feel my civil rights being violated. I do not trust the infrastructure & I have strong reasons to do so.

If anyone thinks I should have alerted the authorities of this security flaw, well, this isn’t something unknown to the IT Community of Mauritius. Most engineers are well aware of this.

Still in my letter to the ICT Minister & the MNIS Project Manager, I did highlight this issue. A copy of the letter is available on legacy.hacklog.in.

Extract of the letter

Currently, mail.gov.mu isn’t equiped with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) which are mechanisms that help in fighting email forgery. To say, someone can easily send out a forged email with @mail.gov.mu extension, the email is delivered to the victim’s inbox & the latter is presented a beautifully crafted email talking of “reforms etc”. The person is then tempted to click on a colorful download button, asked to log in (page which resides on a similar to gov-mu.org domain) & yes a PDF is downloaded. Everything looks innocent. Everyone is happy! The poor victim gets a PDF that talks of “reforms” & the attacker gets the victim’s “login credentials”. DNSSEC is important for gov.mu, SPF & DKIM are good practices to fight email forgery and govmu.org is very bad for the government’s health.

Some local banks as well suffer from this email forgery issue. Be on guard when receiving suspicious emails from your bank & never provide login credentials via emailed links.