gnupg encrypted mail and malware/spam

Neil Williams linux@codehelp.co.uk
Sun May 11 15:30:03 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 11 May 2003 12:28 pm, Thomas Scheffczyk wrote:
> Perhaps I'm too pessimistic, but I do not share the opinion that it would
> be too much work for spammers to encrypt (not sign) their messages. I can
> imagine that the success ratio of an encrypted spam would be remarkably
> higher compared with an unencrypted and often filtered message :-(

When the spam filters can still operate on the decrypted message, I can't see 
that it would succeed. Encrypted does not have to mean unfiltered. It just 
changes the location from server to user. With an open source email client, 
you could even adjust the program source code to do this without intervention 
- - in between decryption and display.

Your basic problem is user training. You seem frightened that if the server 
filters are bypassed that users will open any attachment, run any program and 
visit any site listed inside the email. If this is the case, your only real 
recourse is training. Alternatively, move to a more secure filesystem like 
Unix/Linux where the root and system files are simply not visible to users, 
so limiting any possible damage to user files. Even then, users will still 
have to be taught the consequences of casual and irresponsible behaviour.

You cannot protect the users from themselves and IMHO GnuPG should not be 
twisted into a means to protect the careless from their own mistakes / 
incompetence.

> I guess that my question was a little misleading and too spam centric. A
> graphical firewall and a gateway for checked files would be a possible
> solution. Another solution would be to accept encrypted messages only
> for functional (i.e. non personal) mail to avoid any kind of key escrow
> for personal keys.

Just how are you going to implement that??? Bounce every message until you get 
a valid account?? There are personal spam firewalls out there that can work 
that way but these can prove unpopular.

> 'I do not fear 'ordinary' viruses or other malware. What I really fear
> is a sophisticated attacker that sends at a very slow rate backdoors to
> single users in my network. I cannot guarantee that really no user will
> start the program. If it is started, it's easy to create a backchannel
> over allowed traffic like http.'

You mean a Trojan? Or a root-kit? Then use an intrusion detection system; you 
simply cannot cover every possibility that someone may use to deliberately 
install something like this any other way. Email is not the only way to get 
rooted - I wouldn't even think it was the most common.

> Does nobody fear this, too? I'm very surprised that this threat was
> never discussed in the context of public key infrastructures. I know a

The threat is nothing to do with GnuPG. You seem to be talking about a general 
network security issue that is more related to keeping the OS up to date with 
patches and general system maintenance. You are in danger of blaming the 
messenger. Have you excluded all other routes? Instant Messaging? IRC? 
Deliberate introduction by users? Known exploits? 

'A sophisticated attacker' will not want to rely on a method that, in turn, 
relies totally on a user decrypting a message and launching the attachment. 
There would need to be some kind of inside knowledge that a specific user 
would be likely to ignore all the basic security rules and willfully 
compromise their own system. An attacker willing to put in that much work is 
not going to stop if that method fails. Other attackers wouldn't even bother 
with the encrypted route; there are far easier targets on a system.

> couple of big institutions (please apologize that I don't list the
> institutions right here) that do allow personal use of encryption, but

Probably because they don't understand it and / or are anxious to read all 
outgoing mail. (Note lack of smiley - some companies would love to filter all 
outgoing mail and probably already do.)

> only one (a health insurance company) was aware of this problem. (Their
> solution is to allow cryptography only for special messages like data
> exchange with universities ;-)

Then it sounds like they don't understand the issue. Personal encryption can 
be as much about prevention of identity fraud as 'subterfuge'. I sign emails 
because I don't want anyone else to be able to pose as me. I encrypt personal 
data so that it cannot be used to allow an attack to proceed beyond the 
compromised machine. (There may be other ways for an attacker to get to the 
next machine but it won't be by finding copies of passwords etc. lying around 
on the system.) Encryption can be part of your security and can be used to 
halt an incursion that has been made using other methods. If all users 
encrypted their passwords and other personal ID data with their own personal 
keys, it could be made much harder for attackers to move from one compromised 
machine to the next. (Assuming of course, that the original passwords are 
half-way decent in the first place and not going to be cracked with a simple 
dictionary attack.)

No one program or principle can give you security - the point is to target the 
weakest link. Only worry about encrypted emails when all other targets are 
removed. In the meantime, get an intrusion detection program.

- -- 

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://www.wewantbroadband.co.uk/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+vlCQiAEJSii8s+MRAgE+AKDHncX2NZGEURR5CT+aiQKOPONBYgCgsLgP
GqoXeMY6kYDYKrFv4YKJ5h0=
=6Di6
-----END PGP SIGNATURE-----
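
The client-side step described in the reply above (filtering "in between decryption and display"), as an added example that is not part of the original post or of any mail client. The function names, the extension list and the sample messages are constructed for illustration, and `gpg_decrypt` assumes a local `gpg` binary holding the recipient's key.

```python
import subprocess
from email import message_from_bytes, policy

RISKY_EXT = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs")  # illustrative policy
ARMOR = b"-----BEGIN PGP MESSAGE-----"

def gpg_decrypt(ciphertext: bytes) -> bytes:
    """Decrypt on the recipient's machine with the local gpg binary and keyring."""
    return subprocess.run(["gpg", "--batch", "--quiet", "--decrypt"],
                          input=ciphertext, capture_output=True, check=True).stdout

def ciphertext_of(msg):
    """OpenPGP data of a top-level PGP/MIME (RFC 3156) or inline message, else None."""
    if msg.get_content_type() == "multipart/encrypted":
        parts = list(msg.iter_parts())
        return parts[1].get_payload(decode=True) if len(parts) == 2 else None
    if not msg.is_multipart():
        body = msg.get_payload(decode=True) or b""
        return body[body.index(ARMOR):] if ARMOR in body else None
    return None

def findings_in(entity):
    """Checks a server-side filter would have run, applied to the cleartext."""
    names = [(p.get_filename() or "").lower() for p in entity.walk()]
    return [f"executable attachment: {n}" for n in names if n.endswith(RISKY_EXT)]

def filter_before_display(raw: bytes, decrypt=gpg_decrypt):
    """Return (verdict, findings); runs between decryption and display."""
    msg = message_from_bytes(raw, policy=policy.default)
    blob = ciphertext_of(msg)
    if blob is not None:
        try:
            msg = message_from_bytes(decrypt(blob), policy=policy.default)
        except (OSError, subprocess.CalledProcessError):
            return "quarantine", ["could not decrypt, so could not scan"]
    found = findings_in(msg)
    return ("quarantine" if found else "display"), found

# Constructed sample: a PGP/MIME envelope and the cleartext it would decrypt to.
SAMPLE_INNER = (b'Content-Type: multipart/mixed; boundary="in"\r\n\r\n'
                b'--in\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n'
                b'--in\r\nContent-Type: application/octet-stream\r\n'
                b'Content-Disposition: attachment; filename="Invoice.EXE"\r\n\r\nMZ\r\n--in--\r\n')
SAMPLE_OUTER = (b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="out"\r\n\r\n'
                b'--out\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n'
                b'--out\r\nContent-Type: application/octet-stream\r\n\r\n'
                b'-----BEGIN PGP MESSAGE-----\r\n(placeholder)\r\n-----END PGP MESSAGE-----\r\n--out--\r\n')

if __name__ == "__main__":  # stand-in decryptor, so no keyring is needed
    print(filter_before_display(SAMPLE_OUTER, decrypt=lambda blob: SAMPLE_INNER))
```

A message that cannot be decrypted is quarantined rather than displayed, since nothing downstream has been able to inspect it.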