Re: Is predictable spam filtering a vulnerability?

[Jason Coombs <jasonc () science org>]

> On Wed, Jun 16, 2004 at 01:26:28PM +0200, R Armiento wrote:
> > For example: attacker 'A' sends 'B' a social engineering request
> > for "the secret plans"
...
> > spam filter silently drops the email. 'A' forges a reply

Joel Eriksson wrote:
> it's not a "real" vulnerability that gives remote root to
> the attacker, I think it's beautiful though. :)

More likely I will ask your boss to approve payment of an invoice and 
then send my own forged authorization.

This is a widespread vulnerability in the way that organizations 
improperly trust computer communications.

The only solution is to implement some type of authentication for 
important electronic communications, and we all know that new 
vulnerabilities are exposed once there is an authentication mechanism.

To presume that electronic communications and stored communications are 
trustworthy, the way that the parties to civil litigation generally do, 
and the way that criminal courts nearly always do, creates endless 
potential for very bad things to happen. We must always doubt by default 
anything that is in electronic form.

With that in mind, remember that the attacker in the scenario presented 
will only succeed once per target and then the target will adapt and 
defend. In practice that is an acceptable risk, and the natural 
condition of our exposure to computer vulnerabilities.

Where we really see harm come from improper computing practices on a 
large scale is in court. As a society we will never be capable of 
adapting to threats because there will always be new people who have not 
previously suffered the consequences of each mode of attack.

Sincerely,

Jason Coombs

Director of Forensic Services
PivX Solutions, Inc.
http://www.pivx.com