Computer Security: The Higgs does not... send mail!


“The Higgs boson does not exist!” stated an e-mail recently sent to many of our colleagues within CERN as well as to our global research community. We could certainly enter into a technical discussion about the physics results produced by the LHC, but that is not the point here. As many recipients noticed, this e-mail appeared to have been sent from the e-mail address “Fabiola.Gianotti [at] cern.ch”, i.e. the address of our Director General. However, no worries! The mail was not sent by her, and her account has not been compromised. Rather, the issue lies in the way the e-mail protocol technically works and, as in this case, can be abused…

Technically, e-mails are delivered like normal “snail mail” letters. In a normal letter, you can put whatever contents or opinions you want: love letters or threats, true statements or fake news. And you can put any sender on its envelope, as well as any purported sending address, not necessarily yours but that of someone else, like that of our DG… Finally, and rather obviously, e-mails can be sent to any valid (or invalid) e-mail address. Due to our open and academic nature, CERN e-mail addresses are published through the CERN phonebook and are available on many other webpages: conference participation lists, experiment memberships, service manager lists, on-line/shifter duty lists...

Therefore, there is no good technical measure* that generally prevents such e-mails, sent from a fake (“spoofed”) e-mail address, anywhere in the world. Even locally, protecting CERN mailboxes is not that easy. While the SPAM filter tries to catch such fake e-mails, the attacker repeatedly modified the messages in order to bypass those filters (the attacker even expressed his frustration with our filtering by sending a few mails with the subject “[….] you Service Desk”). Thanks to our e-mail service managers, who engaged in that cat-and-mouse game… mostly with success, but with some mails still getting through. Apologies for that.

*For the technical people: yes, “SPF”, “DMARC” and “DKIM” might theoretically help, but all those methods come with drawbacks resulting in delivery or compatibility problems, especially with standard mailing lists (see the experience Yahoo! made in 2014). This might get better in the future as, for example, mailing list software is adapting (see http://wiki.list.org/DEV/DMARC).
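To illustrate the alignment idea behind DMARC mentioned in the footnote, here is an added example (written for this page, not CERN's mail filtering): it parses constructed messages whose From header claims cern.ch and accepts them only when the SPF or DKIM verdict recorded by the receiving server is a pass for the same organizational domain. The Authentication-Results values, host names and addresses are constructed samples.

```python
"""Relaxed DMARC alignment check over constructed sample messages."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header From claims cern.ch, but the envelope
# sender (smtp.mailfrom) is elsewhere and the receiving MTA recorded SPF failure.
SPOOFED = """\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bounce@mail.example.net; dkim=none
From: "Fabiola Gianotti" <Fabiola.Gianotti@cern.ch>
To: someone@cern.ch
Subject: The Higgs boson does not exist!

(body omitted)
"""

# Constructed sample: SPF passed, but for a domain unrelated to the From
# header, so it does not count under DMARC alignment.
MISALIGNED = SPOOFED.replace("spf=fail", "spf=pass")

# Constructed sample: envelope and header domains agree and SPF passed.
LEGIT = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=Fabiola.Gianotti@cern.ch; dkim=pass header.d=cern.ch
From: "Fabiola Gianotti" <Fabiola.Gianotti@cern.ch>
To: someone@cern.ch
Subject: Real message

(body omitted)
"""

def org_domain(name: str) -> str:
    """Organizational domain as the last two labels (mail.example.net -> example.net).
    Real DMARC consults the Public Suffix List; this shortcut is enough here."""
    return ".".join(name.lower().split("@")[-1].split(".")[-2:])

def dmarc_aligned(raw: str) -> bool:
    """True only if the RFC5322.From domain is backed by an SPF or DKIM pass
    whose authenticated domain shares the same organizational domain."""
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1])
    ar = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(\S+?);?(?:\s|$)", ar)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=(\S+?);?(?:\s|$)", ar)
    spf_ok = spf is not None and spf.group(1) == "pass" and org_domain(spf.group(2)) == from_dom
    dkim_ok = dkim is not None and dkim.group(1) == "pass" and org_domain(dkim.group(2)) == from_dom
    return spf_ok or dkim_ok

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("misaligned", MISALIGNED), ("legit", LEGIT)]:
        print(f"{name:10s} aligned={dmarc_aligned(raw)}")
```

A mail whose From header does not align is exactly what a DMARC policy of quarantine or reject would act on; mailing lists that rewrite messages break this alignment, which is the compatibility problem the footnote refers to.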


Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, visit our website or contact us at Computer.Security@cern.ch.