First things first.

先說正事。

Check your e-mail.

檢查你的電子郵件。

I got one.

我有一個。

Fake Dylan at W.H.O.

W.H.O.的假迪倫。

This is the WHO's real domain, right?

這是WHO的真正領域吧？

W.H.O. dot I.N.T.

W.H.O. dot I.N.T.

So Fake Dylan is a internet security researcher that I worked with to send all of our emails

所以，假迪倫是一個互聯網安全研究人員，我的工作，以發送我們所有的電子郵件。

a bunch of fake messages.

一堆假消息。

And he was able to send these messages from the real W.H.O. domain.

而他能夠從真正的W.H.O.域發送這些資訊。

I'm going to say I'm coming to you from my new job in the World Health Organization.

我要說的是，我是從世界衛生組織的新工作中來找你的。

I spent all my money moving to Geneva, Switzerland.

我把所有的錢都花在了瑞士的日內瓦。

Please, send me some bitcoin to tide me over?

求你了，給我寄點比特幣，讓我渡過難關？

It might say “this is a joke” in our example here, but the more serious ones would be like,

在我們這裡的例子中，可能會說 "這是一個笑話"，但比較嚴肅的會是這樣的。

“there's an urgent new coronavirus warning from the W.H.O.”

"W. H. O. 有一個緊急的新冠狀病毒警告"

As the number of coronavirus cases increases, so too do Internet scams and hoaxes.

隨著冠狀病毒病例的增多，網絡詐騙和騙局也越來越多。

Real-looking emails supposedly from the World Health Organization and CDC asking for money.

看似真實的郵件，據說是世界衛生組織和疾控中心要錢的。

These agencies do not ask for direct donations by e-mail.

這些機構不要求通過電子郵件直接捐款。

If you click on a link or download an attachment from those e-mails, you could be giving hackers

如果你點擊這些郵件中的鏈接或下載附件，你可能會向黑客提供以下資訊

your personal information.

您的個人信息。

So what we're looking at here is domain spoofing and we're seeing it a lot with respect to

所以，我們在這裡看到的是域名欺騙，我們看到了很多關於。

the coronavirus in particular.

特別是冠狀病毒。

So this really has been totally unprecedented.

所以，這真的已經完全是前所未有的了。

The teams have never seen anything like this in terms of a single lure, uniting all different

隊伍從來沒有見過這樣的事情，在一個單一的誘餌，團結所有不同的。

types of actors behind a single real pretext for people to do all kinds of things, whether

類型的行為者，在一個單一的真實藉口背後，讓人們做各種事情，無論是。

it's actually just steal their password, what we call credential phishing, whether it's

它實際上只是竊取他們的密碼， 我們稱之為憑證釣魚，無論是

install malware.

安裝惡意軟件。

So this is just one example sent from what looks like the W.H.O. e-mail address, just

所以這只是一個例子，從W.H.O.的電子郵件地址發出的，只是...

like the one that came to you.

就像那個來找你的人一樣。

Clearly it's trying to get you to download a specific file that they have sent.

很明顯，它是想讓你下載他們發送的特定文件。

And researchers at IBM found that that file contains malware that captures screenshots

而IBM的研究人員發現，該文件中含有捕捉截圖的惡意軟件

and logs your keystrokes and steals usernames and passwords.

並記錄你的擊鍵和竊取用戶名和密碼。

Huh, “beware of criminals pretending to be W.H.O.”

哼，"小心那些冒充W. H. O. 的罪犯"

The W.H.O. has actually published guidance on this and they are aware that this is happening.

事實上，W.H.O.已經公佈了這方面的指導意見，他們知道這種情況正在發生。

But its top advice, its number one advice, is: “Verify the sender by checking their

但它的首要建議，它的首要建議是："通過檢查發件人

email address.”

電子郵件地址。"

We know that that's pretty easy to fake at this point.

我們知道，這一點上很容易造假。

Wow.

哇哦

I'm surprised they don't point that out because people might think that if it has a W.H.O.

我很驚訝他們沒有指出這一點，因為人們可能會認為，如果它有一個W. H. O.

dot I.N.T address, that means it's legitimate.

點I. N. T地址，這意味著它是合法的。

But really, it's a necessary but not sufficient condition.

但其實，這是一個必要但不充分的條件。

Correct.

好吧，我知道了

Yeah.

是啊。

What I found super interesting was that we tried spoofing a bunch of domains, and only

我發現超級有趣的是，我們嘗試欺騙了一堆域名，而只有

some of them went through to the inbox.

其中一些人去通過收件箱。

The CDC and Vox emails didn't, but WHO and Whitehouse.gov emails did.

CDC和Vox的郵件沒有，但WHO和Whitehouse.gov的郵件有。

And I should say, it was only the Yahoo emails that we set up.

而且應該說，我們設置的只是雅虎郵箱。

The Gmail and Outlook emails both put them in spam.

Gmail和Outlook的郵件都把它們放到了垃圾郵件中。

So I've been looking into this and it seems like the greater context around this is that

所以我一直在研究這個問題，似乎圍繞這個問題的更大背景是

when email was created back in the eighties, no one bothered to make any way to verify

當電子郵件在80年代被創建時，沒有人費心去做任何驗證的方法。

that the sender is who they say they are.

發件人是誰，他們說他們是。

Really it is the foundational technologies of the Internet being built with no security

真的是在沒有任何安全保障的情況下，構建了互聯網的基礎技術

in mind and no central database of who is who that gives rise to this problem.

銘記在心，而沒有中央數據庫，誰是誰，這就產生了這個問題。

And since then, there've been lots of attempts to sort of build this sort of verification

從那時起，已經有很多嘗試來建立這種驗證的排序

system.

體系。

The problem is just that the participation is not as high as it should be.

問題只是參與度沒有那麼高。

So of make sense of this, it might help to think about another type of verification problem,

是以，為了理解這個問題，我們可以考慮另一種類型的驗證問題。

which is that society doesn't want teenagers to get into bars to buy alcohol.

這就是社會不希望青少年進入酒吧買酒。

To prevent that from happening, we need two things: We need a way to verify ages, which

為了防止這種情況發生，我們需要兩件事。我們需要一種方法來驗證年齡，這

is our ID system, and we need businesses to then check for IDs.

是我們的身份證系統，我們需要企業然後查驗身份證。

Now, imagine if that ID system was voluntary.

現在，想象一下，如果這個身份證系統是自願的。

So you have a bunch of adults who might not bother to go get an ID.

所以，你有一群成年人可能不屑於去辦身份證。

Then when they come to the bar, the business basically has a decision to make.

那麼當他們來到酒吧的時候，企業基本上就會有一個決定。

Either they require IDs knowing full well that plenty of legitimate adults don't have

要不就是明知很多合法的成年人沒有身份證，還要求他們出示身份證

one.

一。

Or, to avoid pissing people off, they just let them in and maybe they end up letting

或者，為了避免惹惱別人，他們只是讓他們進來，也許他們最終會讓。

in some kids too.

在一些孩子也。

And probably every bar is going to make a slightly different decision.

而可能每個酒吧都會做出稍微不同的決定。

That's kind of where we're at.

這就是我們現在的情況。

With email authentication right now.

與電子郵件認證，現在。

We have an I.D. system.

我們有一個身份識別系統。

It's called DMARC, but it's voluntary.

它叫DMARC，但它是自願的。

So if an e-mail comes in with my email address, joss@vox.com, the email service, whether that's

是以，如果一封帶有我的電子郵件地址的電子郵件進來，[email protected]，電子郵件服務，不管是

Yahoo! or Outlook or G-mail, is going to check if that domain, Vox.com, has a DMARC record.

雅虎或Outlook或G-mail，要檢查該域名Vox.com是否有DMARC記錄。

And we do!

我們也是！

Thankfully, Vox took the time to set up a DMARC record, which basically does three things:

值得慶幸的是，Vox花時間建立了一個DMARC記錄，它基本上做了三件事。

First, it says that the email has to come from a certain set of IP addresses that Vox

首先，它說，電子郵件必須來自特定的IP地址集，Vox

trusts.

信託；

Second, it says that the email has to carry a unique signature that only Vox can create.

其次，它說郵件必須帶有唯一的簽名，只有Vox才能創建。

And third, it says that if the email fails either of those two tests, then the email

第三，它說，如果郵件沒有通過這兩個測試中的任何一個，那麼該郵件

service receiving the email should reject it, should just throw it away so that it never

接收郵件的服務應該拒絕它，應該把它扔掉，這樣它永遠不會

reaches anybody's inbox.

達到任何人的收件箱。

Because of that, my Vox e-mail address, your Vox e-mail address, we can't be easily impersonated.

正因為如此，我的Vox郵箱地址，你的Vox郵箱地址，我們不能輕易被人冒充。

OK, so say an e-mail comes in from a domain that doesn't have a DMARC record or has set

好的，比如說，一封郵件從一個沒有DMARC記錄的域名發來，或者是設置了

their DMARC policy to something other than “reject,” that e-mail is going to have

拒絕 "以外的其他政策，該郵件將有。

a higher chance of getting through.

通過的機會較多。

Now, the e-mail providers all have spam filters.

現在，電子郵件提供商都有垃圾郵件過濾器。

They have these algorithms that are looking through these emails to check and see if anything's

他們有這些算法，正在尋找通過這些電子郵件檢查，看看是否有什麼是。

fishy.

腥。

But obviously that didn't stop Dylan's fake e-mail from getting into my Yahoo! inbox.

但顯然，這並不能阻止迪倫的假郵件進入我的雅虎郵箱。

I would guess that the W.H.O. does not have a strong DMARC policy set up, if they have

我猜測W.H.O.並沒有制定強有力的DMARC政策，如果他們有的話。

one at all.

一個在所有。

OK, there's actually a way that we can double check this.

好了，其實有一個辦法，我們可以仔細檢查一下。

Oh, nice.

哦，不錯。

It has this nice little green box that comes up.

它有這個漂亮的綠色小盒子，上來。

But this is the actual DMARC record.

但這是實際的DMARC記錄。

V equals DMARC1, P equals reject.

V等於DMARC1，P等於拒絕。

So this is telling us that our policy is, “reject this e-mail.”

所以，這是在告訴我們，我們的政策是，"拒絕這封郵件"。

And this is true, I think, of… yeah, the CDC as well.

這是真的，我想，... 是的，疾控中心也是如此。

What about the White House?

那白宮呢？

Yeah.

是啊。

Let me try the White House…

讓我試試白宮...

Huh.

咦。

OK.

好的

So the White House has published a DMARC record, but if you look at it, P equals none, meaning

所以白宮公佈了DMARC的記錄，但如果你看一下，P等於無，也就是說

that they are not telling email providers to reject e-mails that come from other IP

他們沒有告訴電子郵件提供商拒絕來自其他IP的電子郵件。

addresses or that generally are not from their approved domain senders.

地址，或者一般不是來自他們準許的域名發送者。

The weird thing about that…

奇怪的是...

So this is their guidance on what all federal agencies are supposed to do.

所以這是他們對所有聯邦機構應該做的指導。

“All agencies are required to, within one year after issuance of this directive, set

"所有機構都必須在本指令發佈後一年內，制定：

a DMARC policy of reject for all second level domains and mail-sending hosts.”

a DMARC政策對所有二級域名和郵件發送主機的拒絕。"

Wow.

哇哦

So the White House is violating its own policy.

所以白宮違反了自己的政策。

At the very least, they're acknowledging that a DMARC policy of reject is the strongest

至少，他們承認DMARC的拒絕政策是最強有力的。

protection.

保護。

And it is very clear that they are not using that protection.

而且很明顯，他們沒有使用這種保護措施。

So now let's try the W.H.O.

那麼現在讓我們試試W. H. O.

“Not protected against impersonation attacks!”

"不防冒充攻擊！"

They have not published a DMARC record at all.

他們根本沒有公佈DMARC的記錄。

And I can understand.

我也能理解

Like the W.H.O. has a lot on their hands right now.

就像W.H.O.現在有很多事情要做。

They're basically leading the global effort against this giant pandemic.

他們基本上是上司著全球對抗這種巨大的流行病的努力。

But damn, it really seems like they should have done this.

但該死的，他們似乎真的應該這樣做。

Yeah.

是啊。

And to be fair, it's not like the WHO is alone in this.

平心而論，這並不是世衛組織一個人的事。

There's a report by ValiMail, that shows that less than 15 percent of domains with

ValiMail的一份報告顯示，只有不到15％的域名帶有

DMARC have actually set their policy to reject spoofed emails or send them to spam.

DMARC實際上已經制定了他們的政策，拒絕接受欺騙的電子郵件，或者將它們發送到垃圾郵件。

There's kind of an incentive issue at play, which is that you publish the record to protect

有一種激勵問題在起作用， 這是，你發佈的記錄，以保護。

other people from being phished.

其他的人，以免被釣魚。

And the tradeoff there is that if you don't configure it properly, and it does take some

如果你不正確地配置它，它確實需要一些權衡。

work to set up correctly, you risk some of your e-mails not being delivered.

如果您的工作設置正確，您就會有一些郵件無法送達的風險。

I think that the W.H.O. is in a tough spot right now because it is incredibly important

我認為，W.H.O.現在正處於一個艱難的境地，因為它是非常重要的。

in this moment that their e-mails get through.

在這一刻，他們的電子郵件得到通過。

And also there's an increase in the risk that it's coming from a fake domain and that, you

也有一個增加的風險 它來自一個假的域名和，你。

know, maybe they have some more responsibility than they might have before in terms of protecting

知道，也許他們有一些更多的責任 比他們可能有在保護方面的前

people from fake e-mails.

人從假郵件。

Hey, do it for us, because we're all, you know, vulnerable out here on the internet

嘿，為我們做的，因為我們都，你知道， 脆弱的在這裡在互聯網上。

looking for information.

尋找資訊。

Yeah.

是啊。

It is the sort of thing that every good citizen of the internet should do.

這是每一個網絡好公民應該做的事情。

But, you know, like eating your vegetables and working out every day, it's not something

但是，你知道，就像吃你的蔬菜和工作 每天，它不是什麼東西。

that every organization does.

每個組織都會做的。