Bugtraq mailing list archives
Re: Is predictable spam filtering a vulnerability?
From: Jason Coombs <jasonc () science org>
Date: Fri, 18 Jun 2004 10:57:58 -1000
On Wed, Jun 16, 2004 at 01:26:28PM +0200, R Armiento wrote:For example: attacker 'A' sends 'B' a social engineering request for "the secret plans"
...
spam filter silently drops the email. 'A' forges a reply
Joel Eriksson wrote:
it's not a "real" vulnerability that gives remote root to the attacker, I think it's beautiful though. :)
More likely I will ask your boss to approve payment of an invoice and then send my own forged authorization.
This is a widespread vulnerability in the way that organizations improperly trust computer communications.
The only solution is to implement some type of authentication for important electronic communications, and we all know that new vulnerabilities are exposed once there is an authentication mechanism.
To presume that electronic communications and stored communications are trustworthy, the way that the parties to civil litigation generally do, and the way that criminal courts nearly always do, creates endless potential for very bad things to happen. We must always doubt by default anything that is in electronic form.
With that in mind, remember that the attacker in the scenario presented will only succeed once per target and then the target will adapt and defend. In practice that is an acceptable risk, and the natural condition of our exposure to computer vulnerabilities.
Where we really see harm come from improper computing practices on a large scale is in court. As a society we will never be capable of adapting to threats because there will always be new people who have not previously suffered the consequences of each mode of attack.
Sincerely, Jason Coombs Director of Forensic Services PivX Solutions, Inc. http://www.pivx.com
Current thread:
- Is predictable spam filtering a vulnerability? R Armiento (Jun 16)
- Re: Is predictable spam filtering a vulnerability? Joel Eriksson (Jun 18)
- Re: Is predictable spam filtering a vulnerability? Jason Coombs (Jun 19)
- Re: Is predictable spam filtering a vulnerability? Bill Burge (Jun 19)
- Re: Is predictable spam filtering a vulnerability? Sean Straw / PSE (Jun 19)
- RE: Is predictable spam filtering a vulnerability? Aaron Cake (Jun 18)
- Re: Is predictable spam filtering a vulnerability? Chris Brown (Jun 21)
- RE: Is predictable spam filtering a vulnerability? Hamlesh Motah (Jun 18)
- Re: Is predictable spam filtering a vulnerability? David F. Skoll (Jun 18)
- Re: Is predictable spam filtering a vulnerability? Jon Fiedler (Jun 19)
- Re: Is predictable spam filtering a vulnerability? David F. Skoll (Jun 19)
- Re: Is predictable spam filtering a vulnerability? Kyle Wheeler (Jun 21)
- Re: Is predictable spam filtering a vulnerability? (silently dropping messages) Martin Mačok (Jun 22)
- Re: Is predictable spam filtering a vulnerability? Jon Fiedler (Jun 19)
(Thread continues...)
- Re: Is predictable spam filtering a vulnerability? Joel Eriksson (Jun 18)