Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Filtering email headers generated from internal network (Sensible?)

From: Sebastian Garcia <sgarcia () citefa gov ar>
Date: Fri, 13 May 2005 03:55:20 -0800
I hope this was what you were looking for.

In 2002, www.trustmatta.com consultants analysed CIA PoP (Points of
Presence) on the Internet. 

Their quote:

"...Through entirely using open sources (primarily Internet search
engines, WHOIS servers & DNS requests), Matta has undertaken the task of
performing Internetbased counterintelligence against the Central
Intelligence Agency (CIA), with some surprising results. It should be
clearly noted that, at no point did we port scan or directly probe any
CIA Internetbased networks, as all of our intelligence was gathered
using open sources. This counterintelligence was undertaken entirely
within English and American
law regarding computer misuse and control of data. If Matta had been
authorised to launch a determined attack (encompassing network scanning
and aggressive probing of the CIA<A1><C7>s infrastructure) more
information would have been gleaned. In the interests of Matta retaining
professionalism, entirely open sources were used in-line with the law."

It's worth noting that the information they gatter from emails was
minimal. And they didn't found interal ip address in emails.
I think this was the "urban legend" part.

http://www.trustmatta.com/downloads/Matta_Counterintelligence.pdf
http://www.trustmatta.com/services/docs/cia-map.jpg


Sebas


On Thu, 2005-05-12 at 09:45 +1200, Brendan Murray wrote:

A few years, maybe 2, back I heard that someone in Germany (?) had
mapped the internal CIA (NSA?) network using the mail header
information. Unfortunately that might be urban legend since I could
never find the article - but if it is true then it would suggest 
obfuscating the headers would be a good thing, in the right
circumstances.

Now if anyone could fid me a pointer to that story I'd be very appreciative. 

On 5/10/05, anyluser <anyluser () yahoo com> wrote:


IMO there's a balance between sec through obscurity
(STO) and flat out information leakage.  Just as most
things in security, this as much a balance as any
other.

Generally speaking sec through obscurity implies (to
me) that you're relying on the obfuscation for more
then it's really worth.  If you think it'll keep you
safe, you're using STO.  If you're realistic about
your expectations then do a CBA (cost/benefit
analysis) and make your decision as to whether or not
it's worthwhile.

IMO if there's a mail routing infrastructure behind
your borders then you should obscure it to the
outside, if you have the time.  That'

Granted it wont make you secure but it'll least keep
your infrastructure details relatively private, which
being the paranoid lot we probably are is a good
thing.  :)


-----Original Message-----
From: Bipin Gautam [mailto:visitbipin () hotmail com]
Sent: Monday, May 09, 2005 10:36 AM
To: pen-test () securityfocus com
Subject: Filtering email headers generated from
internal network (Sensible?)

Is it sensible to filter extra email headers in the
gateway generated from your internal network before it
leaves your server, so that Information like...
User-Agent:, X-Virus-Scanned:,  and those EXTRA hopps
of  Received from: (headers........)     won't leak
out, which could be a valuable information for a
potential intruder. Moreover the trouble multiplies if
a software exploit is realesed before patch. It is
kinda Security by obscurity. But if it buys you some
extra time to act isn't is sensible to impliment or
just too paranoid?

drop your views,
Bipin Gautam
http://bipin.sosvulnerable.net/

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com


-- 
Sebastian Garcia
Si6 - Laboratorio de Seguridad Informatica
CITEFA
San Juan B. de La Salle 4397 
B1603ALO Villa Martelli - Pcia. Bs. As.
Tel: (54-11) 4709-8289 
e-mail: sgarcia () citefa gov ar - www.citefa.gov.ar/si6/
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x4305E810
Previous By Date Next
Previous By Thread Next

Current thread: