Email Clients and digital signatures

Neil Williams linux@codehelp.co.uk
Sun Jul 6 10:59:02 2003



On Sunday 06 Jul 2003 5:22 am, CL Gilbert wrote:
> Well I have been away from the scripting for a while so I will say that
> what you say makes no sense if that is true.

Your ignorance of the risk is threatening sites that I rely on. Do something
about it.
http://www.codehelp.co.uk/html/winemail.html
http://www.codehelp.co.uk/html/winprotect.html

> I know Java could Never do anything like that, even though the program
> can run automatically when you visit a web page or download an email.
>
> Same with javascript.  It just does not have access to these things.

Java does have a good sandbox, that's why I recommend OpenOffice later to
replace MSOrifice. Javascript does have some problems on Windows platforms
but the security implications are not massive. Javascript is nothing to do
with Java.

HOWEVER:
I was talking of ActiveX/VBScript not Javascript. ActiveX can access your
system registry directly, no express permission is required by default
although nearly all the mechanisms can be locked down if the admin is VERY
security minded and oblivious to user complaints. Internet Explorer runs
VBScript or ActiveX within the Explorer environment, i.e. your desktop!

> and we are all the way to XP and windows is doing something stupid as that.

Hate to disappoint you but many business users are not at XP (nor ever will if
MS keep up their licensing fiasco). Many still run Win95, some have updated
to Win98 but that's your lot. I have no direct experience of XP but the
principle and the vulnerability still exist in XP. (See the Windows Security
sites for more info, XP is still getting security alerts for HTML rendering
vulnerabilities.)

> also the default action is NOT to allow arbitrary code to execute.  It
> depends on the certificate of the code or website.

Not true. A site does not need a certificate to execute ActiveX elements. Nor
does it need to be on a website - as the quote showed, it is easier to
execute from an HTML email where certificates have no impact.

> If this is so, why do I still get malicious emails that require me to
> run a program.  why don't I get sent ones that just run automatically??

You probably have. If it runs automatically, why would you ever know that it
did run? I hate to repeat myself, so here's the answer:

From my email:
OT Off-topic Was:Email Clients and digital signatures
Today 12:30:42 am
==============
It really is that easy - the reason [low-level formatting of your C: drive]
isn't happening all the time is that the potential perpetrators have lost
interest in trashing individual systems. That's left to those who have a
personal reason for targeted revenge (usually targeted at the backup server).
The interest is in distributed attacks - keeping your machine running their
nice Trojan. You keep going, oblivious to the chaos your infected machine is
creating across the rest of the network.
(A DDoS, distributed denial of service).
===============

So what is the point of alerting you that your lovely machine is running a
cutesy little Trojan??? The whole point of the Trojan method is that the
trojan runs when the intruder wants it to run, does what the intruder wants
it to do and is completely invisible to all interventions from the user.
There is often no need for the Trojan to reveal itself - it's more of a cold
war mole. If your system is set to display HTML email unaltered, there is no
reliable method of assuring that you have a clean system. Trojans can hide
from anti-virus routines by using the same techniques as the 'Tracker'
programs employed by companies to pretend to stop laptop theft. (Tip: use
Linux to format your entire hard drive and your trojan (or indeed Tracker) is
no more. Windows format won't.)

A DDoS can bring down any site on the internet if it is allowed to get big
enough. The sights are set higher now too, the targets become whole subnets
or large company sites with multiple sub-domains. Unless people stop
believing the kinds of things you have been quoting at me, the situation can
only get worse.

It really is stupidly easy to protect yourself AND OTHERS from your own
bravado.
There are tips available to bolster Windows' poor security, including on my own
site:
http://www.codehelp.co.uk/html/winemail.html
http://www.codehelp.co.uk/html/winprotect.html

If you must use HTML email - or just allow it to be read as HTML - you are
being irresponsible NOT to prevent it from affecting others when the solution
has been staring you in the face since Win98 was released. You still won't be
protected from Word macros (uninstall MSOffice and use OpenOffice to do that)
but it would be something.

-- 

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://www.wewantbroadband.co.uk/

