<<< Date Index >>>     <<< Thread Index >>>

Re: Is predictable spam filtering a vulnerability?



On Wed, Jun 16, 2004 at 01:26:28PM +0200, R Armiento wrote:
For example: attacker 'A' sends 'B' a social engineering request
for "the secret plans"
...
spam filter silently drops the email. 'A' forges a reply

Joel Eriksson wrote:
it's not a "real" vulnerability that gives remote root to
the attacker, I think it's beautiful though. :)

More likely I will ask your boss to approve payment of an invoice and then send my own forged authorization.

This is a widespread vulnerability in the way that organizations improperly trust computer communications.

The only solution is to implement some type of authentication for important electronic communications, and we all know that new vulnerabilities are exposed once there is an authentication mechanism.

To presume that electronic communications and stored communications are trustworthy, the way that the parties to civil litigation generally do, and the way that criminal courts nearly always do, creates endless potential for very bad things to happen. We must always doubt by default anything that is in electronic form.

With that in mind, remember that the attacker in the scenario presented will only succeed once per target and then the target will adapt and defend. In practice that is an acceptable risk, and the natural condition of our exposure to computer vulnerabilities.

Where we really see harm come from improper computing practices on a large scale is in court. As a society we will never be capable of adapting to threats because there will always be new people who have not previously suffered the consequences of each mode of attack.

Sincerely,

Jason Coombs

Director of Forensic Services
PivX Solutions, Inc.
http://www.pivx.com