From rgferrell at direcway.com  Fri Nov  5 11:39:30 2004
From: rgferrell at direcway.com (Robert G. Ferrell)
Date: Fri Nov  5 11:48:56 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To: <5.0.0.25.2.20040329112950.03888238@pop3.direcway.com>
References: <5.0.0.25.2.20040329112950.03888238@pop3.direcway.com>
Message-ID: <6.0.0.22.2.20041105101242.0443b008@pop3.direcway.com>

It's been over 6 months since I posted to GovSec; many of you probably forgot you were even subscribed. I originally founded this list with the hope of fostering meaningful discussion concerning the unique issues facing those entrusted with securing information systems in the public sector. Such dialogue has, unfortunately, largely failed to materialize, for whatever reason, so I've decided to change my tack a bit. I'm going to use this list to post items of interest to the government infosec community, about which you are, of course, free to comment. I expect it will still be a very low volume list, but hopefully what little traffic you do receive will be of more use and interest.

****************************************

As most of you are no doubt already aware, Wednesday was the 16th anniversary of the release of the Morris worm. I expect many of us can remember exactly where we were and what we were doing when it hit--I was working in a medical research lab at a university in Texas.

Worms have become commonplace in this day and age, but I wonder if people who have entered the infosec field since that November day in 1988 really understand what fundamental changes took place in the collective attitudes of those using the Internet. Security was a personal affair back then-- true anonymity was rare, and there simply weren't enough nodes to rely on some convoluted path for obscurity. The bang path of your email messages was pretty much a roadmap back to you, for example--a sort of electronic manifestation of what biologists call the principle of "ontogeny recapitulating phylogeny."

Security since those days has morphed into a multi-billion dollar industry and a major employer within the IT field, but I can't help but be curious how many of the newly-certificated experts out there understand the fundamental history of their chosen vocation. One very important aspect of being a professional soldier is a thorough knowledge of military history. Every general who has come before you has contributed to the common pool of knowledge in the art and science of warfare. If you aren't intimately familiar with their success and failures, you doom yourself, needlessly, to making their same mistakes.

Today is a good day to take it upon yourselves to study the brief but rich history of infosec, and thereby to learn the lessons of the past--so that they won't become the all too familiar news stories of the future.

Cheers,

RGF


From jericho at attrition.org  Fri Nov  5 12:03:32 2004
From: jericho at attrition.org (security curmudgeon)
Date: Fri Nov  5 12:03:35 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To: <6.0.0.22.2.20041105101242.0443b008@pop3.direcway.com>
References: <5.0.0.25.2.20040329112950.03888238@pop3.direcway.com>
	<6.0.0.22.2.20041105101242.0443b008@pop3.direcway.com>
Message-ID:

: As most of you are no doubt already aware, Wednesday was the 16th
: anniversary of the release of the Morris worm. I expect many of us can
: remember exactly where we were and what we were doing when it hit--I was
: working in a medical research lab at a university in Texas.
:
: Worms have become commonplace in this day and age, but I wonder if
: people who have entered the infosec field since that November day in
: 1988 really understand what fundamental changes took place in the
: collective attitudes of those using the Internet. Security was a
: personal affair back then-- true anonymity was rare, and there simply
: weren't enough nodes to rely on some convoluted path for obscurity.
: The bang path of your email messages was pretty much a roadmap back to
: you, for example--a sort of electronic manifestation of what biologists
: call the principle of "ontogeny recapitulating phylogeny."

Mmm.. the good old days of UUCP style routed e-mail and Racketeer showing how to route a piece of mail around the globe in Phrack 41!

With regards to the Morris worm, this is from a response to the incident borrowed from the Infowarrior list. Rich Kulawiec brought up an excellent point, something that is lost on just about everyone these days.

--

From: Rich Kulawiec

[..]

It's a little too early in the day for me to wax philosophical, but I will observe that one thing that has changed -- much for the worse -- in the interim is that many people knowingly permit their networks to be enormous sources of abuse (spam, viruses, worms, DoS attacks, proxy probes, etc.) on an ongoing basis.

I find this astonishing: on November 3, 1988, some people *ran* to their data centers to unplug themselves, not because they were trying to avoid infection, but because they believed they already were and were trying to spare everyone else.

What a pity that this ethic has gone by the wayside. And what an enormous cost that loss has imposed on all of us.

[..]


From blitz at macronet.net  Fri Nov  5 12:20:29 2004
From: blitz at macronet.net (blitz)
Date: Fri Nov  5 12:38:14 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To: <6.0.0.22.2.20041105101242.0443b008@pop3.direcway.com>
References: <5.0.0.25.2.20040329112950.03888238@pop3.direcway.com>
	<6.0.0.22.2.20041105101242.0443b008@pop3.direcway.com>
Message-ID: <6.1.2.0.2.20041105122021.0363e488@mail.macronet.net>

Great idea!

At 11:39 11/5/2004, you wrote:
>It's been over 6 months since I posted to GovSec;
>many of you probably forgot you were even subscribed.
>I originally founded this list with the hope of fostering
>meaningful discussion concerning the unique issues
>facing those entrusted with securing information
>systems in the public sector. Such dialogue has, unfortunately,
>largely failed to materialize, for whatever reason, so
>I've decided to change my tack a bit. I'm going to
>use this list to post items of interest to the
>government infosec community, about which you are,
>of course, free to comment. I expect it will still be a very
>low volume list, but hopefully what little traffic you
>do receive will be of more use and interest.
>
>****************************************
>
>As most of you are no doubt already aware, Wednesday was the
>16th anniversary of the release of the Morris worm. I expect
>many of us can remember exactly where we were and what we
>were doing when it hit--I was working in a medical research
>lab at a university in Texas.
>
>Worms have become commonplace in this day and age, but I wonder
>if people who have entered the infosec field since that
>November day in 1988 really understand what fundamental
>changes took place in the collective attitudes of those using
>the Internet. Security was a personal affair back then--
>true anonymity was rare, and there simply weren't enough nodes
>to rely on some convoluted path for obscurity. The bang path
>of your email messages was pretty much a roadmap back to
>you, for example--a sort of electronic manifestation of what
>biologists call the principle of "ontogeny recapitulating
>phylogeny."
>
>Security since those days has morphed into a multi-billion dollar
>industry and a major employer within the IT field, but I can't
>help but be curious how many of the newly-certificated experts
>out there understand the fundamental history of their
>chosen vocation. One very important aspect of being a professional
>soldier is a thorough knowledge of military history. Every
>general who has come before you has contributed to the common
>pool of knowledge in the art and science of warfare. If you
>aren't intimately familiar with their success and failures,
>you doom yourself, needlessly, to making their same mistakes.
>
>Today is a good day to take it upon yourselves to study the
>brief but rich history of infosec, and thereby to learn the
>lessons of the past--so that they won't become the all too
>familiar news stories of the future.
>
>Cheers,
>
>RGF
>
>
>_______________________________________________
>govsec mailing list
>govsec@attrition.org
>http://www.attrition.org/mailman/listinfo/govsec


From jmetz at intac.com  Fri Nov  5 13:51:36 2004
From: jmetz at intac.com (jmetz@intac.com)
Date: Fri Nov  5 14:59:05 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To: <6.1.2.0.2.20041105122021.0363e488@mail.macronet.net>
References: <5.0.0.25.2.20040329112950.03888238@pop3.direcway.com>
	<6.0.0.22.2.20041105101242.0443b008@pop3.direcway.com>
	<6.1.2.0.2.20041105122021.0363e488@mail.macronet.net>
Message-ID: <2611.24.228.0.116.1099680696.intacweb140@webmail.intac.com>

One question bothers me: in almost every situation, all mail (to any governmental officer) is considered either questionable or often non-deliverable to the intended recipient; mostly this has been because of the potential of virus/worm delivery.

Yet in all the years of email no one has ever considered mail conversion prior to delivery.

Why has no one ever set up a system of conversion to PDF in the mail system? This would be one way to ensure that real information would be transferred no matter how it was sent.

A stand-alone mail gateway which automatically strips all mail, HTML or plain text (or even pre-existing PDF), converting it to PDF and then transporting it to the intended recipient, would prevent most worms/viruses from ever getting through.
This would ensure that public officials would receive direct communication while the mailbox/gateway would perform the function of vetting the mail in the conversion process. A dedicated system in this fashion would be considered sacrificial.

While the concept may not be perfect, it might create a relatively short-term security concept by processing both incoming and outgoing mail no matter what or how the senders or receivers composed the original. It would also ensure that the security would be enhanced in the most vulnerable pathway.

Yours,
John Metzger

> At 11:39 11/5/2004, you wrote:
>>It's been over 6 months since I posted to GovSec;
>>many of you probably forgot you were even subscribed.
>>I originally founded this list with the hope of fostering
>>meaningful discussion concerning the unique issues
>>facing those entrusted with securing information
>>systems in the public sector. Such dialogue has, unfortunately,
>>largely failed to materialize, for whatever reason, so
>>I've decided to change my tack a bit. I'm going to
>>use this list to post items of interest to the
>>government infosec community, about which you are,
>>of course, free to comment. I expect it will still be a very
>>low volume list, but hopefully what little traffic you
>>do receive will be of more use and interest.
>>
>>****************************************
>>
>>As most of you are no doubt already aware, Wednesday was the
>>16th anniversary of the release of the Morris worm. I expect
>>many of us can remember exactly where we were and what we
>>were doing when it hit--I was working in a medical research
>>lab at a university in Texas.
>>
>>Worms have become commonplace in this day and age, but I wonder
>>if people who have entered the infosec field since that
>>November day in 1988 really understand what fundamental
>>changes took place in the collective attitudes of those using
>>the Internet. Security was a personal affair back then--
>>true anonymity was rare, and there simply weren't enough nodes
>>to rely on some convoluted path for obscurity. The bang path
>>of your email messages was pretty much a roadmap back to
>>you, for example--a sort of electronic manifestation of what
>>biologists call the principle of "ontogeny recapitulating
>>phylogeny."
>>
>>Security since those days has morphed into a multi-billion dollar
>>industry and a major employer within the IT field, but I can't
>>help but be curious how many of the newly-certificated experts
>>out there understand the fundamental history of their
>>chosen vocation. One very important aspect of being a professional
>>soldier is a thorough knowledge of military history. Every
>>general who has come before you has contributed to the common
>>pool of knowledge in the art and science of warfare. If you
>>aren't intimately familiar with their success and failures,
>>you doom yourself, needlessly, to making their same mistakes.
>>
>>Today is a good day to take it upon yourselves to study the
>>brief but rich history of infosec, and thereby to learn the
>>lessons of the past--so that they won't become the all too
>>familiar news stories of the future.
>>
>>Cheers,
>>
>>RGF


From boklm at mars-attacks.org  Fri Nov  5 15:52:24 2004
From: boklm at mars-attacks.org (nicolas vigier)
Date: Fri Nov  5 16:01:05 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To: <2611.24.228.0.116.1099680696.intacweb140@webmail.intac.com>
References: <6.1.2.0.2.20041105122021.0363e488@mail.macronet.net>
	<2611.24.228.0.116.1099680696.intacweb140@webmail.intac.com>
Message-ID: <20041105205224.GL17351@mars-attacks.org>

On Fri, 05 Nov 2004, jmetz@intac.com wrote:

> One question bothers me: in almost every situation, all mail (to any
> governmental officer) is considered either questionable or often
> non-deliverable to the intended recipient; mostly this has been because of
> the potential of virus/worm delivery.
>
> Yet in all the years of email no one has ever considered mail conversion
> prior to delivery.
>
> Why has no one ever set up a system of conversion to PDF in the mail system?
> This would be one way to ensure that real information would be transferred
> no matter how it was sent.
>
> A stand-alone mail gateway which automatically strips all mail, HTML or plain
> text (or even pre-existing PDF), converting it to PDF and then transporting
> it to the intended recipient, would prevent most worms/viruses from ever
> getting through.

I don't see how it can be a solution. People who use a bogus email client like Outlook Express to display HTML mails will maybe use a bogus PDF viewer. The problem is not with HTML or PDF, it's with people who use vulnerable programs, and in a good email client an HTML message is not supposed to be able to run a program.
--
gpg fp: 8a7e 9719 b38d 97c6 6af0 d345 12a0 3708 2c8c 3c11
http://boklm.mars-attacks.org/


From jmetz at intac.com  Fri Nov  5 17:29:14 2004
From: jmetz at intac.com (jmetz@intac.com)
Date: Fri Nov  5 19:29:03 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To: <20041105205224.GL17351@mars-attacks.org>
References: <6.1.2.0.2.20041105122021.0363e488@mail.macronet.net>
	<2611.24.228.0.116.1099680696.intacweb140@webmail.intac.com>
	<20041105205224.GL17351@mars-attacks.org>
Message-ID: <2689.24.228.0.116.1099693754.intacweb140@webmail.intac.com>

You are looking at the situation as an individual user; I was suggesting that the mail server do the conversion. The user and sender become irrelevant to the process.

The user would only see the end product, the message. In the conversion the sender's method is or would be of no consequence because it would be stopped and converted to a safe message prior to delivery.

As I stated before, the mail server would be considered a sacrificial lamb, with an appropriate amount of redundancy so that nothing would be lost.

The idea of security is to prevent the user from being able to place themselves in a vulnerable position; that would mean that officials would only be allowed to use the .gov mail system. Web mail, Yahoo, Google and the like would not be allowed for officialdom or any contractors while on the job. You simply bar the door from the web mail or personal mail servers so that the IPs are not accessible while on or near government property. Anyone who violates that basic security should be terminated. The same thing with instant messengers: the portals should be blocked while on federal property or on any governmental computer.

If the ports are blocked properly then the intruders can't get in to wreak havoc. If the user has no way to violate security then the systems are kept secure.

It always comes down to what price security.

> On Fri, 05 Nov 2004, jmetz@intac.com wrote:
>
>> One question bothers me: in almost every situation, all mail (to any
>> governmental officer) is considered either questionable or often
>> non-deliverable to the intended recipient; mostly this has been because of
>> the potential of virus/worm delivery.
>>
>> Yet in all the years of email no one has ever considered mail conversion
>> prior to delivery.
>>
>> Why has no one ever set up a system of conversion to PDF in the mail
>> system? This would be one way to ensure that real information would be
>> transferred no matter how it was sent.
>>
>> A stand-alone mail gateway which automatically strips all mail, HTML or
>> plain text (or even pre-existing PDF), converting it to PDF and then
>> transporting it to the intended recipient, would prevent most worms/viruses
>> from ever getting through.
>
> I don't see how it can be a solution. People who use a bogus email client
> like Outlook Express to display HTML mails will maybe use a bogus PDF
> viewer. The problem is not with HTML or PDF, it's with people who use
> vulnerable programs, and in a good email client an HTML message is not
> supposed to be able to run a program.
>
> --
> gpg fp: 8a7e 9719 b38d 97c6 6af0 d345 12a0 3708 2c8c 3c11
> http://boklm.mars-attacks.org/


From pjcljc at yahoo.com  Fri Nov  5 20:14:53 2004
From: pjcljc at yahoo.com (Peter Churchyard)
Date: Fri Nov  5 20:24:01 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To: <2689.24.228.0.116.1099693754.intacweb140@webmail.intac.com>
Message-ID: <20041106011453.35071.qmail@web60705.mail.yahoo.com>

There are SIMPLE mail clients that do not support anything other than plain text and are not vulnerable to the problems that plague the complicated, over-featured software most users use. Less is more! (More security, that is.)

Lori

jmetz@intac.com wrote:

> You are looking at the situation as an individual user; I was suggesting that the mail server do the conversion. The user and sender become irrelevant to the process.
>
> The user would only see the end product, the message. In the conversion the sender's method is or would be of no consequence because it would be stopped and converted to a safe message prior to delivery.
>
> As I stated before, the mail server would be considered a sacrificial lamb, with an appropriate amount of redundancy so that nothing would be lost.
>
> The idea of security is to prevent the user from being able to place themselves in a vulnerable position; that would mean that officials would only be allowed to use the .gov mail system. Web mail, Yahoo, Google and the like would not be allowed for officialdom or any contractors while on the job. You simply bar the door from the web mail or personal mail servers so that the IPs are not accessible while on or near government property. Anyone who violates that basic security should be terminated. The same thing with instant messengers: the portals should be blocked while on federal property or on any governmental computer.
>
> If the ports are blocked properly then the intruders can't get in to wreak havoc. If the user has no way to violate security then the systems are kept secure.
>
> It always comes down to what price security.
>
>> On Fri, 05 Nov 2004, jmetz@intac.com wrote:
>>
>>> One question bothers me: in almost every situation, all mail (to any
>>> governmental officer) is considered either questionable or often
>>> non-deliverable to the intended recipient; mostly this has been because of
>>> the potential of virus/worm delivery.
>>>
>>> Yet in all the years of email no one has ever considered mail conversion
>>> prior to delivery.
>>>
>>> Why has no one ever set up a system of conversion to PDF in the mail
>>> system? This would be one way to ensure that real information would be
>>> transferred no matter how it was sent.
>>>
>>> A stand-alone mail gateway which automatically strips all mail, HTML or
>>> plain text (or even pre-existing PDF), converting it to PDF and then
>>> transporting it to the intended recipient, would prevent most worms/viruses
>>> from ever getting through.
>>
>> I don't see how it can be a solution. People who use a bogus email client
>> like Outlook Express to display HTML mails will maybe use a bogus PDF
>> viewer. The problem is not with HTML or PDF, it's with people who use
>> vulnerable programs, and in a good email client an HTML message is not
>> supposed to be able to run a program.
>>
>> --
>> gpg fp: 8a7e 9719 b38d 97c6 6af0 d345 12a0 3708 2c8c 3c11
>> http://boklm.mars-attacks.org/


From boklm at mars-attacks.org  Fri Nov  5 20:19:45 2004
From: boklm at mars-attacks.org (nicolas vigier)
Date: Fri Nov  5 20:28:30 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To: <2689.24.228.0.116.1099693754.intacweb140@webmail.intac.com>
References: <20041105205224.GL17351@mars-attacks.org>
	<2689.24.228.0.116.1099693754.intacweb140@webmail.intac.com>
Message-ID: <20041106011945.GN17351@mars-attacks.org>

On Fri, 05 Nov 2004, jmetz@intac.com wrote:

> You are looking at the situation as an individual user; I was suggesting
> that the mail server do the conversion. The user and sender become
> irrelevant to the process.
>
> The user would only see the end product, the message. In the conversion the
> sender's method is or would be of no consequence because it would be
> stopped and converted to a safe message prior to delivery.

Yes, but why do you want to use PDF for that? Plain text would be safer in my opinion.
--
gpg fp: 8a7e 9719 b38d 97c6 6af0 d345 12a0 3708 2c8c 3c11
http://boklm.mars-attacks.org/


From jmetz at intac.com  Fri Nov  5 21:32:48 2004
From: jmetz at intac.com (jmetz@intac.com)
Date: Fri Nov  5 22:03:48 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To: <20041106011945.GN17351@mars-attacks.org>
References: <20041105205224.GL17351@mars-attacks.org>
	<2689.24.228.0.116.1099693754.intacweb140@webmail.intac.com>
	<20041106011945.GN17351@mars-attacks.org>
Message-ID: <3971.24.228.0.116.1099708368.intacweb140@webmail.intac.com>

Plain text does not convey all the needed information in any form other than a verbal statement. Charts, photos, personal data all need images to convey information for the user (recipient) to comprehend. Stripping everything down to plain text removes far too much in data transmission.

Plain text would be totally unusable in conveying a description of an individual on a watch list going through customs. Show me a way to communicate financial trends without a well-defined pie chart, or the communications network of suspect individuals without a dream-catcher chart. The too-simple solution to government communications leads to more problems than it is worth.

PDFs as a document form can strip away extraneous information and print exactly what was written, as it was written originally (signatures, authorizations etc.). Email, even text email, can still have code buried in it within the header or the links, which would be needed to see the visual information that might be needed to gain the information that a PDF can include in process.

The in-house mail transport (mail server) allows internal and external communications as are needed. It is most important to have this be the appropriate place to stop potential intrusions, and it should be the focus point of intrusion and malware detection.

John Metzger

> On Fri, 05 Nov 2004, jmetz@intac.com wrote:
>
>> You are looking at the situation as an individual user; I was suggesting
>> that the mail server do the conversion. The user and sender become
>> irrelevant to the process.
>>
>> The user would only see the end product, the message. In the conversion
>> the sender's method is or would be of no consequence because it would be
>> stopped and converted to a safe message prior to delivery.
>
> Yes, but why do you want to use PDF for that?
> Plain text would be safer in my opinion.
>
> --
> gpg fp: 8a7e 9719 b38d 97c6 6af0 d345 12a0 3708 2c8c 3c11
> http://boklm.mars-attacks.org/


From jericho at attrition.org  Sat Nov  6 04:28:39 2004
From: jericho at attrition.org (security curmudgeon)
Date: Sat Nov  6 04:28:42 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To: <20041106011453.35071.qmail@web60705.mail.yahoo.com>
References: <20041106011453.35071.qmail@web60705.mail.yahoo.com>
Message-ID:

: There are SIMPLE mail clients that do not support anything other than
: plain text and are not vulnerable to the problems that plague the
: complicated, over-featured software most users use. Less is more! (More
: security, that is.)
: Lori

Really? For the sake of argument, could you provide such examples? =)

I think it would be more appropriate to say there are simple mail clients that do not suffer from *as many* or *as serious* vulnerabilities as Outlook and some of the other more popular and widely deployed mail clients.
From pjcljc at yahoo.com  Sat Nov  6 09:49:12 2004
From: pjcljc at yahoo.com (Peter Churchyard)
Date: Sat Nov  6 09:58:23 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To:
Message-ID: <20041106144912.12513.qmail@web60707.mail.yahoo.com>

elm, pine ...

Lori.

security curmudgeon wrote:

> : There are SIMPLE mail clients that do not support anything other than
> : plain text and are not vulnerable to the problems that plague the
> : complicated, over-featured software most users use. Less is more! (More
> : security, that is.)
> : Lori
>
> Really? For the sake of argument, could you provide such examples? =)
>
> I think it would be more appropriate to say there are simple mail clients
> that do not suffer from *as many* or *as serious* vulnerabilities as
> Outlook and some of the other more popular and widely deployed mail
> clients.


From boklm at mars-attacks.org  Sat Nov  6 10:03:11 2004
From: boklm at mars-attacks.org (nicolas vigier)
Date: Sat Nov  6 10:12:01 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To: <20041106144912.12513.qmail@web60707.mail.yahoo.com>
References: <20041106144912.12513.qmail@web60707.mail.yahoo.com>
Message-ID: <20041106150311.GP17351@mars-attacks.org>

On Sat, 06 Nov 2004, Peter Churchyard wrote:

> elm, pine ...

http://www.securityfocus.com/bid/8589
http://www.securityfocus.com/bid/8588
http://www.securityfocus.com/bid/6120
...

That's not as much as Outlook Express, but there is still something.

--
gpg fp: 8a7e 9719 b38d 97c6 6af0 d345 12a0 3708 2c8c 3c11
http://boklm.mars-attacks.org/


From pjcljc at yahoo.com  Sat Nov  6 10:02:41 2004
From: pjcljc at yahoo.com (Peter Churchyard)
Date: Sat Nov  6 10:12:24 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To: <20041106144912.12513.qmail@web60707.mail.yahoo.com>
Message-ID: <20041106150241.80526.qmail@web60704.mail.yahoo.com>

Translating content into what should be equivalent content in another form is used. Some of the problems recently seen with image formats containing exploits just show that there are few safe data formats. jpeg <-> gif <-> jpeg as an example could be done at the gateway to clean up images and remove steganography. Likewise mp3 <-> wma <-> mp3 could be used to do the same.

What are the requirements, since they will define acceptable security?

Lori


From jmetz at intac.com  Sat Nov  6 11:01:33 2004
From: jmetz at intac.com (jmetz@intac.com)
Date: Sat Nov  6 11:32:42 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To: <20041106150241.80526.qmail@web60704.mail.yahoo.com>
References: <20041106144912.12513.qmail@web60707.mail.yahoo.com>
	<20041106150241.80526.qmail@web60704.mail.yahoo.com>
Message-ID: <2529.24.228.0.116.1099756893.intacweb140@webmail.intac.com>

Acknowledged, this is not a simple answer, but it is a needed direction. Content variabilities and steganography have to be stripped from the content and tagged at the mail server, in order that the security IT can follow it back to the source and process it accordingly.
I offered a direction for new evaluation based on existing capabilities of software that can still deliver content. All the other concepts, including the different mail clients, still leave problems that a binary or trianiary attack can utilize to bypass internal security (the links to additional data are part of the problem).

Government and industrial security needs are even higher than the civilian population as a whole. The basic problem is people management; social engineering is still the most successful way to attack a system, by getting the user to do something that violates the procedure and opens the door to the attacker.

My suggestion for solving the problem is one method that limits the user's ability to link through to an outside site and still lets the important, necessary information get to the users in a usable form. Can anyone else address a solution that can do the same when dealing with 10, 100 or 1000 users?

I understand that to properly implement (the concept) one would need to install many additional mail servers/gateways all the way down to work group levels, but considering the cost, it is small when compared to the man-weeks needed to resolve an infestation after it takes place. My opinion is that the price is cheap.

john metzger

>
> Translating content into what should be equivalent content in another form
> is used. Some of the problems recently seen with image formats containing
> exploits just show that there are few safe data formats. jpeg <-> gif <->
> jpeg as an example could be done at the gateway to clean up images and
> remove steganography. Likewise mp3 <-> wma <-> mp3 could be used to do the
> same.
>
> What are the requirements, since they will define acceptable security?
>
> Lori


From jericho at attrition.org  Sat Nov  6 11:46:54 2004
From: jericho at attrition.org (security curmudgeon)
Date: Sat Nov  6 11:46:55 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To: <20041106144912.12513.qmail@web60707.mail.yahoo.com>
References: <20041106144912.12513.qmail@web60707.mail.yahoo.com>
Message-ID:

: elm, pine ...

osvdb.org:

5451 Elm Message-ID Header Remote Overflow
3530 Elm frm Command Overflow
6328 Elm save_embedded_address() Remote Overflow
5825 Elm Symlink Privilege Escalation
6329 Elm get_filter_rules() Command Line Overflow
2198 FreeBSD Korean Elm Port Local Overflow
5404 Pine 4.43 URL Handling DoS
2536 Pine Message Parsing Buffer Overflow
9003 Pine display_parameters() Function Overflow
4531 pgp4pine stack overflow
6948 Pine Malformed From: Header DoS
1352 Pine index.html Arbitrary Command Execution
1142 Pine Environment Variable Expansion in URLS
1560 Pine Malformed Header DoS
1567 Pine From Field Overflow

: I think it would be more appropriate to say there are simple mail
: clients that do not suffer from *as many* or *as serious*
: vulnerabilities as Outlook and some of the other more popular and widely
: deployed mail clients.


From jholleran at comcast.net  Sat Nov  6 14:07:46 2004
From: jholleran at comcast.net (Jack Holleran)
Date: Sat Nov  6 14:16:11 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To: <20041106150241.80526.qmail@web60704.mail.yahoo.com>
Message-ID:

Based on the description below, this seems to be a method that might remove copyright protections as well, since a change is/has occurred and any digital signature could not be the same. So possibly a protection on one hand might also be a requirement breaker on the other hand.
Jack Holleran

-----Original Message-----
From: govsec-bounces@attrition.org [mailto:govsec-bounces@attrition.org] On Behalf Of Peter Churchyard
Sent: Saturday, November 06, 2004 10:03 AM
To: govsec@attrition.org
Subject: Re: [govsec] Morris Worm and a Change in Direction

Translating content into what should be equivalent content in another form is used. Some of the problems recently seen with image formats containing exploits just shows that there are few safe data formats. jpeg <-> gif <-> jpeg as an example could be done at the gateway to clean up images and remove steganography. Likewise mp3 <-> wma <-> mp3 could be used to do the same.

what are the requirements since they will define acceptable security.

Lori

From jericho at attrition.org Sat Nov 6 14:24:43 2004
From: jericho at attrition.org (security curmudgeon)
Date: Sat Nov 6 14:24:45 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To:
References:
Message-ID:

: Translating content into what should be equivalent content in
: another form is used. Some of the problems recently seen with image
: formats containing exploits just shows that there are few safe data
: formats.

It isn't just that the format isn't secure that we need to worry about. You propose that a system be implemented to scan and convert between MIME/file types. Historically, these implementations are just as insecure as anything else. How many vulnerabilities are there related to e-mail scanning systems (virus, content, etc)?

: jpeg <-> gif <-> jpeg as an example could be done at the gateway to
: clean up images and remove steganography. Likewise mp3 <-> wma <-> mp3
: could be used to do the same.

This still poses a risk.
Instead of a gif or jpg being used to execute arbitrary code when rendered in a browser, it could just as well be designed to execute when processed by the engine that converts.

From jmetz at intac.com Sat Nov 6 14:26:13 2004
From: jmetz at intac.com (jmetz@intac.com)
Date: Sat Nov 6 14:57:26 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To:
References:
Message-ID: <3088.24.228.0.116.1099769173.intacweb140@webmail.intac.com>

True, but with a sacrificial lamb, the mail server, and the redundancy of a secondary backup server in line, this is a literally minor problem. Communications don't go down if the system is locked so that nothing can be changed in the registry and NO programs are allowed to be executed; then the problem ceases to exist. Remember we are discussing something that is for a system's security. The failure to implement adequate security affected the state of New Jersey last week on every system that the State had.

Postini does a similar job by pre-screening all mail on their own site: http://postini.com

There are other commercial systems in operation but they can be far too effective, screening out desired mail (something all the services admit does happen more often than not.)

The reality is that Government can not afford to contract out mail services. Too many whistle blowers would never make contact if they were aware that third or fourth parties could read or discuss their knowledge with the people they are reporting.

So let's see, are there any other suggestions that might work in controlling Governmental services and securing both hardware and data so that the attackers have no way in to the servers, mail, web and ftp?

Proactive response to the threats while maintaining open communication with the public is the need of the Governmental public INTERNET connection; otherwise we are going to end up in something entirely different, that is not a democracy, not a republic.
john

From jericho at attrition.org Sat Nov 6 15:07:21 2004
From: jericho at attrition.org (security curmudgeon)
Date: Sat Nov 6 15:07:23 2004
Subject: [govsec] Morris Worm and a Change in Direction
In-Reply-To: <3088.24.228.0.116.1099769173.intacweb140@webmail.intac.com>
References: <3088.24.228.0.116.1099769173.intacweb140@webmail.intac.com>
Message-ID:

: True but with a sacrificial lamb, the mail server, and the redundancy of
: a secondary backup server in line this is a literally minor problem

Tell that to the administrator of any system that has had a box compromised due to a remote vulnerability in their MTA. You are talking about a service that is exposed to the world, can't block traffic to it 99% of the time, and must receive all incoming mail before it is processed. That is a set up for a serious vector of attack.
Even if you make an external mail server a 'sacrificial lamb', it would need a small trust relationship to pass mail to the second mail server and still presents one route from the big bad internet to the soft chewy center of a corporate network.

: The reality is that Government can not afford to contract out mail
: services.
:
: Too many whistle blowers would never make contact if they were aware
: that third or fourth parties could read or discuss their knowledge with
: the people they are reporting.

Third, fourth, fifth and eighteenth parties can read the mail usually. Not only do you have administrators of the various systems the mail is sent from and ends up on. Then factor in how many hostile parties could be sniffing traffic at various points of the net.

From jmetz at intac.com Sat Nov 6 17:04:40 2004
From: jmetz at intac.com (jmetz@intac.com)
Date: Sat Nov 6 17:35:51 2004
Subject: [govsec] and one more Change in Direction
In-Reply-To:
References: <3088.24.228.0.116.1099769173.intacweb140@webmail.intac.com>
Message-ID: <3819.24.228.0.116.1099778680.intacweb140@webmail.intac.com>

and now this is evident

http://story.news.yahoo.com/news?tmpl=story&cid=581&ncid=581&e=12&u=/nm/20041103/tc_nm/crime_internet_phishing_dc

Net Banking Fraudsters Step Up the 'Phishing' Scam
Wed Nov 3, 1:29 PM ET
By Bernhard Warner, European Internet Correspondent

LONDON (Reuters) - Fraudsters have developed a potent new computer program that steals Internet banking customers' details by duping them into opening up a bogus e-mail, a British security firm said Wednesday.

Security technicians at MessageLabs fear it could become a favorite tool for "phishing" fraudsters, who lure computer users to a fake Web site and steal their banking and credit card details.

In the past, a phishing victim would have had to go through a relatively cumbersome procedure of opening the bogus e-mail and then clicking on a file attachment or Web site address located within the message to be conned.
Now, the trick starts the moment the victim opens the seemingly innocuous e-mail.

The program has been circulating on the Internet for the past week, but in relatively small numbers, said MessageLabs. The company added that the e-mails target three Brazilian banks -- Caixa, Unibanco, and Bradesco -- but the fear is it could easily be re-engineered to target almost any online bank.

"We've only seen about 30 copies. In volume terms, it's small. But people should be on the look-out as this could be the next stage in the phishing problem," a MessageLabs spokeswoman said.

MessageLabs said that once a person opens the fraudulent e-mail, a tiny computer program known as a "script" immediately begins running. It embeds itself on the victim's computer and overwrites bookmarked Web addresses or automatically redirects the victim from the intended banking site to an authentic-looking fake site that captures banking details.

Phishing frauds have become more and more prevalent over the past 18 months as more consumers do their personal banking on the Internet. British police recently estimated phishing scams cost UK banks an estimated 60 million pounds last year.

"Most banks have advised their customers to be wary of any e-mail asking for personal banking details, but in this case all they have to do is open an apparently innocent e-mail and their bank details could be silently sabotaged," said Alex Shipp, senior anti-virus technologist at MessageLabs.

The company said that if the computer user deactivates the Windows scripting host program on the PC, they run less of a risk of falling prey to the scam.

From Spiess at TAFTLAW.com Mon Nov 8 08:06:47 2004
From: Spiess at TAFTLAW.com (Spiess, David M., Jr.)
Date: Mon Nov 8 08:16:10 2004
Subject: [govsec] and one more Change in Direction
Message-ID: <7245D55219CA7F4F93A4624CB2521A520452A837@cincy-mx3.cincy.us.taftlaw.com>

Does anyone else miss the days of PINE? No problems of viruses getting to the users then....
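The gateway discussion earlier in the thread (Churchyard's convert-at-the-gateway proposal and jericho's reply that the converter itself is exposed to whatever it is fed), as an added example that is not code from the original thread: a Python check a mail gateway could run before any attachment reaches a converter, combining an allow-list of declared types, magic-byte agreement, and a walk of the JPEG segment table so that a file whose declared segment lengths do not fit its bytes is quarantined rather than parsed. The allow-list, the sample message, and the attachment data are constructed for this example.

```python
import email.message
from email import policy

MAGIC = {"image/jpeg": b"\xff\xd8\xff", "image/gif": b"GIF8", "image/png": b"\x89PNG\r\n\x1a\n"}  # allow-list

def jpeg_segments_consistent(data: bytes) -> bool:
    """Walk the JPEG marker table; every declared segment length must fit inside the data."""
    pos = 2  # skip SOI (already checked via MAGIC)
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS: the marker table ends here
            return True
        if marker == 0xFF or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 1 if marker == 0xFF else 2  # fill byte, or a standalone marker with no length field
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # a short slice near EOF yields a small value
        if length < 2 or pos + 2 + length > len(data):  # over-long or truncated segment
            return False
        pos += 2 + length
    return False  # ran off the end without reaching EOI or SOS

def classify(ctype: str, data: bytes) -> str:
    """Verdict for one attachment: ok, type-mismatch, malformed or blocked."""
    if ctype not in MAGIC:
        return "blocked"  # not on the allow-list
    if not data.startswith(MAGIC[ctype]):
        return "type-mismatch"  # declared type does not match the bytes
    if ctype == "image/jpeg" and not jpeg_segments_consistent(data):
        return "malformed"  # never hand this to a converter
    return "ok"

def check_message(raw: bytes) -> list:
    """(filename, verdict) for every attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename() or "(unnamed)", classify(p.get_content_type(), p.get_content()))
            for p in msg.iter_attachments()]

def build_sample() -> bytes:  # constructed sample message, not a real capture
    good_jpeg = b"\xff\xd8\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + b"\x00" * 9 + b"\xff\xd9"
    bad_jpeg = b"\xff\xd8\xff\xe0\xff\xff" + b"JFIF\x00"  # APP0 claims 65535 bytes that are not there
    msg = email.message.EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.org", "gateway@example.org", "policy test"
    msg.set_content("Cover text.")
    msg.add_attachment(good_jpeg, maintype="image", subtype="jpeg", filename="ok.jpg")
    msg.add_attachment(bad_jpeg, maintype="image", subtype="jpeg", filename="oversized.jpg")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 12, maintype="image", subtype="gif", filename="fake.gif")
    msg.add_attachment(b"#!/bin/sh\necho hi\n", maintype="application", subtype="x-sh", filename="run.sh")
    return msg.as_bytes()
```

The structural walk is deliberately a rejection filter, not a parser: it decides whether a converter may see the file at all, which is the only control that addresses the converter-as-target objection raised above.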