gnupg encrypted mail and malware/spam

Thomas Scheffczyk thomas.scheffczyk@verwaltung.uni-mainz.de
Sun May 11 22:10:03 2003



Neil Williams wrote:

>>Perhaps I'm too pessimistic, but I do not share the opinion that it would
>>be too much work for spammers to encrypt (not sign) their messages. I can
>>imagine that the success ratio of an encrypted spam would be remarkably
>>higher compared with an unencrypted and often filtered message :-(
> 
> When the spam filters can still operate on the decrypted message, I can't see 
> that it would succeed. Encrypted does not have to mean unfiltered. It just 
> changes the location from server to user. With an open source email client, 
> you could even adjust the program source code to do this without intervention 
> - in between decryption and display.

Hello Neil,

you are right, security will definitively change from being 
border/network to host centric. If there is no other solution it's the 
way I have to go.

> Your basic problem is user training. You seem frightened that if the server 
> filters are bypassed that users will open any attachment, run any program and 
> visit any site listed inside the email. If this is the case, your only real 
> recourse is training. 

Do you have the resources to train all users to a sophisticated level? I 
would like to have, but I don't have.

> Alternatively, move to a more secure filesystem like 
> Unix/Linux where the root and system files are simply not visible to users, 
> so limiting any possible damage to user files. 

This is also possible with WinNT/2000/XP: you don't use IE and Outlook, 
restrict rights, etc. That's fine against malware that's not targeted 
especially against your system.

> Even then, users will still 
> have to be taught the consequences of casual and irresponsible behaviour.

Sorry, I cannot agree with your conclusion, especially because your first 
statement is right. It's all user training. But see this from the 
other side. There are people that have to do their job to earn money. 
They don't want to use a computer, they have to. We (at least I) give 
them tools they roughly can use but don't really understand. Who is to 
blame if an error occurs? I think in most cases it's the administration 
and not the user.

> You cannot protect the users from themselves and IMHO GnuPG should not be 
> twisted into a means to protect the careless from their own mistakes / 
> incompetence.

Big words. Just an issue where GnuPG can be involved that will explain 
my concerns: I'm not sure about the legal consequences that a GnuPG 
signed mail can have. Who is responsible if within this mail 5000 litres 
of milk (harmless example) is ordered? Who has to pay if the user denies 
his/her responsibility? Does the user have to prove his innocence, 
because 'it's a digitally signed message and gnupg is secure'? Think of 
automatic teller machine frauds in Great Britain and how long the banks 
were able to deny any responsibility. Did every user of these machines 
know the risks and the fact that the banks were lying about the security 
of their systems (see http://axion.physics.ubc.ca/atm.html or the book 
'Security Engineering' by Ross Anderson for more details)?
Another example from Germany: I was really surprised that I 'have to 
serve' a mail account if I publish the mail address. If I don't, it 
can have negative consequences like missed time limits that started when 
a message arrived in my postbox.
So if I don't know the legal consequences of my (technical) acts, 
how should an average user know the technical consequences of theirs?

>>I guess that my question was a little misleading and too spam centric. A
>>graphical firewall and a gateway for checked files would be a possible
>>solution. Another solution would be to accept encrypted messages only
>>for functional (i.e. non personal) mail to avoid any kind of key escrow
>>for personal keys.
> 
> Just how are you going to implement that??? Bounce every message until you get 
> a valid account?? There are personal spam firewalls out there that can work 
> that way but these can prove unpopular.
> 

Graphical firewall:
The concept of a graphical firewall and experiences with an 
implementation can be found at:
https://www.dfn-cert.de/dfn/berichte/db093/maczkowsky-vnc.pdf
It's called 'Graphical' firewall, because only the 'picture' of a mail 
client or a browser is displayed on the workstation of a user. The 
programs run on a server in a different network. Attached files have to 
be saved on a gateway and will be transferred to the inner network after 
being checked. Files that have to be transferred to external addresses 
go the same way in the opposite direction.
From the user's point of view, the additional transfer is the biggest 
difference. Messages without attachments are handled like in a local 
program. In this environment the use of GnuPG is a real security 
enhancement without a drawback.

Functional mail accounts:
Each group of an organisation gets its own mail account that is not 
associated with a real person. The GnuPG key for this account is known 
by all members of this group and by the mail gateway. On the gateway 
it's not loaded automatically at startup. The necessary passwords are 
stored only in non-swappable memory and the system is specially hardened 
(i.e. rsbac). Incoming messages are decrypted on this system. This kind 
of use is published with the keys.

Central encryption/decryption:
See http://www.gnupg.org/aegypten/index.html for this.

>>'I do not fear 'ordinary' viruses or other malware. What I really fear
>>is a sophisticated attacker that sends at a very slow rate backdoors to
>>single users in my network. I can not guarantee that really no user will
>>start the program. If it is started, it's easy to create a backchannel
>>over allowed traffic like http.'
> 
> 
> You mean a Trojan? Or a root-kit? Then use an intrusion detection system, you 
> simply cannot cover every possibility that someone may use, to deliberately 
> install something like this, any other way. Email is not the only way to get 
> rooted - I wouldn't even think it was the most common.
> 

Perhaps not the most common, but a possible one. Would you open a 
security hole without asking if there are ways to avoid the risk? Do you 
remember how the source code of Windows was stolen? It started with an 
unsecured private computer and a tunneling program that was inserted 
inside the Microsoft network in this way.

>>Does nobody fear this, too? I'm very surprised that this threat was
>>never discussed in the context of public key infrastructures. I know a

> The threat is nothing to do with GnuPG. You seem to be talking about a general 
> network security issue that is more related to keeping the OS up to date with 
> patches and general system maintenance. 

In my opinion it is connected with making cryptography available on 
workstations in a secured network.

> You are in danger of blaming the messenger. 

Please apologise, I never wanted to blame GnuPG (the messenger) for 
anything. It's a great program. I use it in my private environment for 
various tasks and would like it at work, too. Because of this I asked 
for advice on this mailing list.

> Have you excluded all other routes? Instant Messaging? IRC? 
> Deliberate introduction by users? Known exploits? 

I'm happy that I'm allowed to have a quite restrictive security policy. 
Nothing perfect, but not too bad at all.

> 
> 'A sophisticated attacker' will not want to rely on a method that, in turn, 
> relies totally on a user decrypting a message and launching the attachment. 
> There would need to be some kind of inside knowledge that a specific user 
> would be likely to ignore all the basic security rules and willfully 
> compromise their own system. An attacker willing to put in that much work is 
> not going to stop if that method fails. Other attackers wouldn't even bother 
> with the encrypted route, there are far easier targets on a system.
> 

I would go this way :-( It's so easy to forge mail messages. And it's 
also very easy to create an interesting program like a screensaver or 
some kind of 'christmas fred' that at least one user will try out.

>>couple of big institutions (please apologize that I don't list the
>>institutions right here) that do allow personal use of encryption, but
> 
> Probably because they don't understand it and / or are anxious to read all 
> outgoing mail. (Note lack of smiley - some companies would love to filter all 
> outgoing mail and probably already do.)

Also no smiley here: I don't want to filter mail, I really want to 
respect the privacy of the users in my network. If the price for the use 
of GnuPG would be a general key escrow I would not introduce GnuPG.

>>only one (a health insurance company) was aware of this problem. (Their
>>solution is to allow cryptography only for special messages like data
>>exchange with universities ;-)
> 
> Then it sounds like they don't understand the issue. Personal encryption can 
> be as much about prevention of identity fraud as 'subterfuge'. I sign emails 
> because I don't want anyone else to be able to pose as me. I encrypt personal 
> data so that it cannot be used to allow an attack to proceed beyond the 
> compromised machine. (There may be other ways for an attacker to get to the 
> next machine but it won't be by finding copies of passwords etc. lying around 
> on the system.) Encryption can be part of your security and can be used to 
> halt an incursion that has been made using other methods. If all users 
> encrypted their passwords and other personal ID data with their own personal 
> keys, it could be made much harder for attackers to move from one compromised 
> machine to the next. 

I agree.

> (Assuming of course, that the original passwords are 
> half-way decent in the first place and not going to be cracked with a simple 
> dictionary attack.)

Just a remark: If a password is just composed of upper and lowercase 
alphabetic characters and digits it has an 'entropy' of about 70/255, with 
all directly accessible characters about 90/255. So an 'average' 8 
character long password is comparable with a 16 to 24 bit symmetric key. 
Knowing this, even a brute force attack can be amazingly successful 
against 'real' passwords. But this leads to a new question that I would 
like to ask in a new thread: user chosen or generated passwords - what 
is more secure?

> No one program or principle can give you security - the point is to target the 
> weakest link. Only worry about encrypted emails when all other targets are 
> removed. In the meantime, get an intrusion detection program.

Who told you that I'm only worried about encrypted mail messages ;-)

Thanks for your answer,


Thomas


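The gateway policy proposed in the message above (accept encrypted mail only for functional accounts, decrypt it there, and keep scanning everything readable) can be sketched as a classifier over RFC 3156 content types and inline armor. This is an added example, not part of the original post; the addresses, action names and sample messages are constructed, and it reads the To header where a real gateway would use the SMTP envelope recipients.

```python
import email
from email import policy

# Hypothetical group addresses whose key the gateway also holds (constructed).
FUNCTIONAL = {"orders@example.org", "helpdesk@example.org"}
ARMOR = "-----BEGIN PGP MESSAGE-----"

def pgp_kind(msg):
    """Classify a parsed message as 'encrypted', 'signed' or 'plain'."""
    ctype = msg.get_content_type()
    proto = (msg.get_param("protocol") or "").lower()
    # RFC 3156 PGP/MIME encryption is declared in the top-level Content-Type.
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return "encrypted"
    # Inline (non-MIME) armor hides in an ordinary text part.
    for part in msg.walk():
        if part.get_content_maintype() == "text" and ARMOR in part.get_content():
            return "encrypted"
    if ctype == "multipart/signed" and proto == "application/pgp-signature":
        return "signed"
    return "plain"

def route(raw):
    """Return the gateway action for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    to = msg["To"]
    rcpts = {a.addr_spec.lower() for a in to.addresses} if to else set()
    if pgp_kind(msg) != "encrypted":
        return "scan-at-gateway"            # signed or plain: content is readable
    if rcpts and rcpts <= FUNCTIONAL:
        return "decrypt-at-gateway-then-scan"
    return "reject-encrypted-personal"      # no key escrow for personal keys

def sample(to, ctype, body):
    """Build a constructed test message (not real traffic)."""
    return (f"From: sender@example.net\nTo: {to}\nMIME-Version: 1.0\n"
            f"Content-Type: {ctype}\n\n{body}\n")

PGP_MIME = sample("orders@example.org",
    'multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"',
    "--b\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    f"--b\nContent-Type: application/octet-stream\n\n{ARMOR}\n(constructed)\n--b--")
INLINE = sample("alice@example.org", "text/plain; charset=us-ascii",
                f"{ARMOR}\n(constructed)")
SIGNED = sample("alice@example.org",
    'multipart/signed; protocol="application/pgp-signature"; boundary="b"',
    "--b\nContent-Type: text/plain\n\nhello\n--b\n"
    "Content-Type: application/pgp-signature\n\n(constructed)\n--b--")
```

A message addressed to both a functional and a personal account is rejected, because the gateway can only open what was encrypted to the functional key.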