lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 4 Feb 2004 21:04:41 +0100 (CET)
From: Georg Schwarz <geos@...st.de>
To: Gadi Evron <ge@...uxbox.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: getting rid of outbreaks and spam (junk) [WAS: Re: RFC: virus handling]


> 2. In a broader view, notifications ARE currently the problem rather 
> than a solution.

agreed, for the following reason: it is absolutely trivial to automatically
detect any MS Windows/DOS executable or script in an attachment to an
email (that is what a large number of virii are made of). Simply deleting all
such mail greatly reduces the number of of unwanted emails in times of
new virus outbreaks (and we are definitely to see quite a few of them in
the months ahead... it is apparently so easy to fool many people into
executing such programs on their PCs). I find it hard to think of a legitimate
reason to have such attachments anyway, so throwing away such mail will not
be a loss to many if not most users (your milage my vary of course).

This however leaves open three types of virus-related emails:

- bounces of virus-sent emails that used your email address as a fake sender
address. 

- notifications of email scanners as a result of virii using your email address
either as a sender or as a recipient address.

- virus-infected (or rather -generated) email which on some intermediate host
was scanned and stripped of the viral attachment (so the above-mentioned
detection no longer catches it). Such mail has become "harmless" but annoying
spam.

I do not know whether there is anything in general to do about the first type
of mails.
For the second one it is clear that nowadays notifications do much
more harm that good, so I hope email scanning software authors and users
will disable that feature (probably most people that employ such software are
unaware or ignorant about the effects of that feature :-(). You can start
filtering such messages, but it is hard because there is not a really simple
criterion to automatically detect them. Any suggestions?
For the third type of emails more or less the same is true. Such filters that
remove the virus but let pass the remaining "spam" body parts also do more
harm than good. Today it is save to assume that virus-infected mail is
virus-generated mail and thus can and should be killed off altogether.

Since I am pesimistic regarding a change in email scanners' behavior I
would welcome any suggestion for better filtering these types of unwanted
emails.

> 
> The AV industry is built on reaction rather than prevention. Adding new 
> signatures is still the #1 tool in the fight against malware.

yes, and it is a loosing battle (for the user, not for that industry that
is, of course).


> With spam and mass mailers clogging the tubes, causing us all to waste 
> money on bigger tubes, as well as our time dealing with the annoyance 
> (more money), shouldn't the problem be solved there (at the main tubes 
> themselves) rather than at the end user's desktop?

since the problem after all is at the end user's desktop desktop, I think
it is only there where it can be solved. Anything else is just mitigating the
symptoms (which can of course improve the situation).

> 
> If backbones filtered the top-10 current outbreaks, with non-intrusive 
> means such as for example running MD5 checksum checks against 
> attachments, or whatever other way - wouldn't it be better? True, it may 
> cause a cry of "the government spies on us, but with the current 
> economic troubles outbreaks cause, can we really use that excuse 
> anymore? Doesn't the police regulate speeding?

the true problem is that malware authors apparently are able to execute
arbitary code on (many) other people's systems and can thus use that for
all kind of criminal business. Filtering, whether done on servers or in
backbones, will not stop that. Such filters will easily be circumvented.
I am sure once such scanners are out clever programmers will find a way
to produce viral code that passes them undetected. Just as with today's
scanners they can only react to known incidents. So I think it would not
make a real difference where scanning occurs.

> - Make ISP's care (enforcing new laws?).

I would rather say: make users care. I know it is a rather weak analogon,
but if anyone commits a crime using your car, your weapon, your whatsover
and it turns out that you have made this possible by grossly neglecting
secure deposit of that device I am sure that in many coutries you can be
held liable to some degree. This should put pressure from consumers on
device (PC) vendors to take security of their products more serious.

> We are reaching a place where 80-90% of the traffic is junk, it may be 
> economic but do we really want to stay there?

since it in fact is an economic problem only economic (monetary) meassures
will lead to a solution, which here means being held liable for damage
caused by hooking up (or one step further, selling) systems that grossly
undermine network security.
Computer virii are no god-given thing (although the mere term might make
many people think so), they are a result of neglected security in a networked
world both with respect to device/software design and user behavior.


-- 
Georg Schwarz    http://home.pages.de/~schwarz/
 geos@...st.de     +49 177 8811442

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ