Brown email addresses can be impersonated by any user inside or outside of the Brown network through email spoofing websites, evidenced by an email supposedly sent from Brown Concert Agency Publicity Chair Raillan Brooks ’13 to multiple press outlets Tuesday with a false Spring Weekend lineup.
“(Email spoofing) is an inherent insecurity in the Internet,” said Chief Information Security Officer David Sherry, one that is “inherent in all email servers” and not just Brown’s.
The email’s source code revealed the message was a hoax sent from a third-party service that allows any user to modify an email’s “from:” field and impersonate another address. If done cleverly enough, the email will appear at first glance to have actually been sent by that user.
Sherry said trying to crack down further on these sorts of spoofing attempts “would be a losing battle” and would “cause issues for all emails.”
“I did know that it was possible to impersonate other email addresses, but I had never seen it happen,” said Kareem Osman ’14.
“This was obviously a lighthearted example,” he added. “But you can obviously think of ways that it would be bad” — emails to which a user might respond with sensitive information, Osman said.
At 9:53 a.m. yesterday, The Herald and BlogDailyHerald received an email from Brooks that stated the Spring Weekend lineup announcement was forthcoming. At 10:32 a.m., The Herald posted a brief article online attributing the information to Brooks.
Ten minutes later, BlogDailyHerald received an email claiming to be from Brooks’ email account, with subject “Lineup.” The body read: “Friday: The Sounds of Capitalism, Toro Y Moi. Saturday: The Postal Service, Grouper. More acts to be announced in March.”
The Sounds of Capitalism and Grouper are not real bands, Brooks said, and The Postal Service is currently booked to perform at Coachella Valley Music and Arts Festival the Saturday of Spring Weekend. But, BlogDailyHerald editors said, because Brooks was their source for the previous Spring Weekend information, they published the lineup reported in the email.
“That’s usually what we do when we receive an email from BCA,” said BlogDailyHerald Editor-in-Chief Meredith Bilski ’14. “We put (the information) up on the Blog.”
Though Brown’s security filter flagged the message as suspicious, the system marked it as a “soft fail,” allowing the email through with the fraudulent “from:” address intact.
Brooks and Bilski both said no one from their respective organizations sent the fraudulent email.
“The people on BCA understand the consequences of leaks,” Brooks said. “I trust them as my friends and as people who are professionally invested in this to not do something like that.”
“People on our staff are ethical, and they would not do this on purpose,” Bilksi said. “We were anticipating a Spring Weekend lineup from them, and we wouldn’t have made one up on our own.”
-With additional reporting by Rachel Margolis