lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 18 Jun 2004 10:57:58 -1000
From: Jason Coombs <jasonc@...ence.org>
To: Joel Eriksson <je-secfocus@...nux.com>
Cc: R Armiento <rar_bt@...iento.se>, bugtraq@...urityfocus.com
Subject: Re: Is predictable spam filtering a vulnerability?


> On Wed, Jun 16, 2004 at 01:26:28PM +0200, R Armiento wrote:
>>For example: attacker 'A' sends 'B' a social engineering request
>>for "the secret plans"
...
>>spam filter silently drops the email. 'A' forges a reply

Joel Eriksson wrote:
> it's not a "real" vulnerability that gives remote root to
> the attacker, I think it's beautiful though. :)

More likely I will ask your boss to approve payment of an invoice and 
then send my own forged authorization.

This is a widespread vulnerability in the way that organizations 
improperly trust computer communications.

The only solution is to implement some type of authentication for 
important electronic communications, and we all know that new 
vulnerabilities are exposed once there is an authentication mechanism.

To presume that electronic communications and stored communications are 
trustworthy, the way that the parties to civil litigation generally do, 
and the way that criminal courts nearly always do, creates endless 
potential for very bad things to happen. We must always doubt by default 
anything that is in electronic form.

With that in mind, remember that the attacker in the scenario presented 
will only succeed once per target and then the target will adapt and 
defend. In practice that is an acceptable risk, and the natural 
condition of our exposure to computer vulnerabilities.

Where we really see harm come from improper computing practices on a 
large scale is in court. As a society we will never be capable of 
adapting to threats because there will always be new people who have not 
previously suffered the consequences of each mode of attack.

Sincerely,

Jason Coombs

Director of Forensic Services
PivX Solutions, Inc.
http://www.pivx.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ