Full Disclosure mailing list archives
Re: Re: E-Mail viruses
From: "docco" <docco () zeelandnet nl>
Date: Sat, 6 Mar 2004 10:36:06 +0100
I still think teaching users to handle attachments correctly would be by far easier, as this would be a one_time_lesson, while otherwise you would have to expect all users to keep all_the_time up to date to the last extension used.

What would happen if some forget their current (now old) extension is not valid any more? How would those attachments be handled? Would you have to allow for a reasonable (??) period of time two different "supersecret" extensions? The more I think about it, the scarier it gets ...

(And two more ... make 4 cents)

Regards,
Nacho Pobes

----- Original Message -----
From: "MacDougall, Shane" <smacdougall () idanalytics com>
To: "docco" <docco () zeelandnet nl>; <full-disclosure () lists netsys com>
Sent: Saturday, March 06, 2004 10:12 AM
Subject: Re: [Full-disclosure] Re: E-Mail viruses

Curt's idea could be more effective in a client/server environment that used extensions that changed periodically (fast enough to thwart virus attacks, etc). The extension transformations could be length/format. How this updated extension exchange would be implemented would be another kettle of fish...

Just a thought.

Shane

-----Original Message-----
From: docco
Sent: Sat Mar 06 00:58:09 2004
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Re: E-Mail viruses

Hi all,

"The nice thing about this approach is that it completely eliminates the need for any anti-virus on the mail server since all virus attachments are automatically dropped without the need for scanning [...]"

What Curt Purdy is saying looks to me like a great_pain_in_the_ass_solution. In case the "supersecret" extension would get leaked or compromised, which I believe would be absolutely not hard to achieve (by means of social engineering, sniffing or just brute force - combinations of three letters, wow, that IS hard to guess) you should:

- Change your whole strategy. As the extension has been compromised you could not trust ANY attachment anymore from that moment on, losing probably good and valid attachments.
- Inform all users about the "supersecret" extension being compromised and ask them to use the new "supersecret" extension.

Then, and I'm playing Devil's Advocate, suppose the new "supersecret" extension gets compromised again in the time users are getting used to this new second one, and that you, again, have to inform everybody to change once more the way they send attachments ... Well I'm guessing, but I'm almost sure some of your users would just quit their jobs and go insane.

You Can't Judge a Book By Looking At The Cover (Willie Dixon)
You Can't Judge a File By Looking At The Extension (Common Sense)

Just my two cents.

Regards,
Nacho Pobes

PS.- I have followed the list for a while with great interest and it's a good learning experience. Thanks to everybody who participates.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html