Malware Triangle

  • Thread starter: Richard S. Westmoreland
Leythos said:
Malware is something that you don't intend or know you've installed.
Flawed products like IE/OE are no more malware than the C++ IDE or
DreamWeaver MX product. Flawed applications would be listed under
applications, not malware.

Malware is something that does some bad thing to your system, and
IE/OE do not directly do anything bad to your computer. As an
application, they can pose a threat only due to poorly coded
functions.
So it's not IE or OE that is the malware; and it's not the HTML in the
web-page or email message that is the malware; so how was your system
attacked?

Duh.
 
But HTML isn't even why I put Spam on the triangle. Even 100% harmless (in
content) spam, is still a threat to Availability, which is 1 of the three
pillars of Security.

Let's look at spam this way: it's normal email, normal traffic, and
permitted traffic. Sure none of us want it, me less than most, but to
say that spam is a threat to availability is not something I totally
agree with 100%.

Sure, spam can clog an email box, sure it can use valuable resources, and
it even costs each of us money to fight it.

I do not consider spam to be a security threat, it's a resource threat.
Spam is no different than any other form of email, in content and
processing, so it's not any more/less of a threat. It is a large
resource abuse, and that's where I would leave it.
 
Jack said:
I imagine that there is some conceivable vulnerability that could be
exploited by a textfile (although I'm not aware of one); I have however
cited to you two exploits currently in the wild, to which current
versions of IE are vulnerable, that rely on nothing more than HTML. No
scripting, no CSS, no embedded objects.

In one way or another.

http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=7300

Plain text is just a conduit into exploiting something else.

But HTML isn't even why I put Spam on the triangle. Even 100% harmless (in
content) spam, is still a threat to Availability, which is 1 of the three
pillars of Security.

Rick
 
Leythos said:
The RBL list blocks about 28000 email a month, and the spam filters hit
about 850 per day, but we're a small org. I have a couple clients that
have their own email servers using the Symantec Mail Security 4.5
version, it's catching most, and they have a higher volume than we do.

That's still a decent number. If you were to turn off those filters, that
would definitely cause a problem to your system.

What RBLs are you using? I found this list to be the most accurate:

http://www.antisource.com/article.php/20040629005840948

Although because of an odd intermittent issue with spamcop, I had to disable
that RBL. Spamhaus' SBL-XBL is invaluable. Lookups to 127.0.0.2, 4, and 6
collectively have blocked 780972 emails since June 22nd. Our antispam also
uses RFC Compliance checks and Reverse DNS lookups but I don't have stats on
those - and all that before it gets to the spam signatures and manual
content filters.
 
That's still a decent number. If you were to turn off those filters, that
would definitely cause a problem to your system.

Nah, it's a nice server, Dual Xeon, 2GB RAM, mirrored 250GB Drives, 2000
server and Exchange 2000, all service packs and updates. Has run for
over a year without anything except for reboots due to service pack
updates. I'm in the process of moving to 2003 in Dec, it's free with our
MS Agreement, so I thought I would try it.
What RBLs are you using? I found this list to be the most accurate:
I'm using the following:
sbl.spamhaus.org,blackholes.mail-abuse.org,relays.ordb.org
http://www.antisource.com/article.php/20040629005840948

Although because of an odd intermittent issue with spamcop, I had to disable
that RBL. Spamhaus' SBL-XBL is invaluable. Lookups to 127.0.0.2, 4, and 6
collectively have blocked 780972 emails since June 22nd. Our antispam also
uses RFC Compliance checks and Reverse DNS lookups but I don't have stats on
those - and all that before it gets to the spam signatures and manual
content filters.

I'm happy with SMSE 4.0 and now 4.5, 4.5 added email spam grading in an
automated manner to the manual lists/words/subject/body filters I had
before, so far it's doing better than my manual settings :)
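A worked DNSBL (RBL) lookup of the kind discussed in the two posts above, added here as an illustration and not code from any poster or from the products named: it builds the reversed-octet query name, maps the 127.0.0.x return codes quoted in the thread (127.0.0.2 for SBL, 127.0.0.4 and 127.0.0.6 for XBL) to a listing reason, and treats an answer outside 127.0.0.0/8 as a broken zone rather than a listing. The zone names are the ones given in the thread; the return-code table is an assumption for illustration, and the DNS answers are constructed so the code runs offline.

```python
import ipaddress
from typing import Callable, Dict, List

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

# Meaning of the A record a zone returns. The sbl-xbl codes follow the thread
# (127.0.0.2 = SBL, 127.0.0.4/6 = XBL); unknown zones/codes read as "listed".
RETURN_CODES: Dict[str, Dict[str, str]] = {
    "sbl-xbl.spamhaus.org": {
        "127.0.0.2": "SBL: verified spam source",
        "127.0.0.4": "XBL: exploited host / open proxy",
        "127.0.0.6": "XBL: exploited host / open proxy",
    },
}
# Zones named in the thread; assumed to be plain reversed-octet IPv4 DNSBLs
# (several of them have since been shut down).
ZONES = ["sbl-xbl.spamhaus.org", "blackholes.mail-abuse.org", "relays.ordb.org"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """192.0.2.10 in zone Z becomes 10.2.0.192.Z (octets reversed)."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything but an IPv4 literal
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_sender(ip: str, zones: List[str],
                 resolve: Callable[[str], List[str]]) -> dict:
    """Query every zone for ip. resolve(name) returns the A records for name,
    [] meaning NXDOMAIN (not listed). An answer outside 127.0.0.0/8 is NOT a
    listing: it is the classic sign of a dead zone whose domain now wildcards,
    and honouring it would reject all inbound mail."""
    reasons, warnings = [], []
    for zone in zones:
        for rec in resolve(dnsbl_query_name(ip, zone)):
            if ipaddress.IPv4Address(rec) not in LOOPBACK:
                warnings.append(f"{zone} answered {rec} (not 127/8): ignored")
                continue
            reasons.append(RETURN_CODES.get(zone, {}).get(rec, f"{zone}: listed ({rec})"))
    return {"ip": ip, "listed": bool(reasons), "reasons": reasons, "warnings": warnings}


# Constructed stand-in for live DNS so the example runs offline.
SAMPLE_DNS = {
    "10.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.4"],        # exploited host
    "20.2.0.192.relays.ordb.org": ["127.0.0.2"],             # open relay
    "30.2.0.192.blackholes.mail-abuse.org": ["192.0.2.99"],  # wildcarded zone
}


def mock_resolve(name: str) -> List[str]:
    return SAMPLE_DNS.get(name, [])
```

Against live DNS, pass a resolver such as `socket.gethostbyname_ex(name)[2]` wrapped to return `[]` on `socket.gaierror`; the warnings list is what to alert on before a dead zone silently starts rejecting all mail.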
 
So script viruses cannot be called malware, because malware is malicious
software, which must execute.

I believe that any "script" that you can code can also be malicious if
you want it to be. A script can do many things; where HTML can't access
your hard drive, a script can. Same as a macro, it can access your hard
drive, and that makes it a program. Scripting and macros by nature have
to be permitted access to system resources, in general, or they don't do
us much good. HTML doesn't need more than buffer space in memory in
order for the HTML parser to render the images.
 
Leythos said:
No, I classify it as an Exploit.


VBS is a programming language that does not take advantage of an
Exploit; it can run on the OS without exploiting anything.

Sorry I meant a vbs script virus.

Based on what a few others are saying, a VBS Script would not be a program
because it is just data that is being interpreted by another program - after
all they are just ASCII text files. But we can agree that it is not a data
file, not an image or anything, but it is a script. But a script cannot
also be called a program, because only programs are software.

So script viruses cannot be called malware, because malware is malicious
software, which must execute.

(I don't believe that)

Rick
 
Is DoS (regardless if it was intentional) a security threat or a resource
threat?

Are you yanking my chain here? DoS (Denial of Service) attacks are a
threat; I've only seen one type of DoS that was unintentional, and it
was caused by a malfunctioning network adapter. DoS is a threat if it
makes it inside the network or attempts to compromise the firewall; if it
only abuses the connection speed/ability to respond, then it's a
resource threat.
If my server goes down because of a power failure, is that a security threat
or a resource threat?

That's a lack of planning :) Since the power didn't "threaten your
network" it's a resource threat - meaning lack of resources to maintain
the network services.

This is almost fun, if I respond, and your server sees the message, is
that a threat or a utilization of resources?
 
Leythos said:
I do not consider spam to be a security threat, it's a resource threat.
Spam is no different than any other form of email, in content and
processing, so it's not any more/less of a threat. It is a large
resource abuse, and that's where I would leave it.

Is DoS (regardless if it was intentional) a security threat or a resource
threat?

If my server goes down because of a power failure, is that a security threat
or a resource threat?

Rick
 
Leythos said:
I've been working/programming since 76 and never experienced a
compromised system or virus on any computers/networks I've maintained,
so I don't have any idea why you are asking me about attacked?

I see what's going on here. On one side we have Systems Administrators
that deal with these malware/exploits/threats on a regular basis, arguing
that Spam is indeed malware (or at least a threat). Then on the other side
we have Programmers and Developers that deal with the code on a regular
basis (hopefully not writing viruses!). So it's basically "real world
experience" fighting against "text book education" (only in reference to
dealing with the systems part first hand - programmers have just as much
real world experience just at a different level).

See, it's just a matter of perspective.

Rick
 
Leythos said:
In the way that I view it, you are mixing two things and not just
looking at one.

I don't like HTML email because of the exploits that are available in
the application that some users choose to use. This does not make
HTML itself malicious, only the scripting embedded in it, and the
intent. If the exploit was not available, the embedded script would
be of no consequence.

You still aren't reading the posts that you are replying to. HTML can be
used to knock your machine over, without any script being involved.
Actually, you can configure XP to open an HTML file in any
application you want, Word, NotePad, DreamWeaver, IE, FireFox, VS.Net
IDE, etc...

Big deal, it sounds as if you've discovered the XP equivalent of the
"File Types" taskbar tab from earlier versions of Windows. The question
was: Does your OS, however you have it configured, launch HTML in a
vulnerable application, or in a text-editor?
look at it from this angle, since the Exploit we're talking about is
something that impacts Outlook/OE and IE, do you see MS sending out
service patches for HTML to the world? No, they are patching
exploits in the applications.

And are they patching Notepad? Answer: not to my knowledge. They are
expecting the HTML vulnerabilities to be a bit more problematic for
people who open HTML documents with an HTML renderer.
You could click on a link on the web that takes you directly to the
script,

What ****ing script? I gave you two links to current vulnerabilities,
with exploits in the field, that rely on nothing more than HTML/1.0 - no
script, no executables. You have ignored them; you appear to be arguing
with yourself, so why are you posting your comments as replies to my posts?

I think I'm being trolled, and I guess I'm going to have to do the
appropriate thing.
without ANY HTML IN THE LINK, and it would run the script if you
didn't have a secure browser. Now, take the script out of the HTML,
try the same thing, nothing to worry about. HTML is only what gets
blamed, it's the script and the exploit in the browser. In the case
of an IFRAME exploit, again, it's an exploit, not a flaw in HTML.

Damn, you're sharp! How did you figure out that an exploit is an exploit?

The question is, does the exploit target your email client, your
text-viewer, or the HTML renderer that the email client relies on to
render HTML-formatted messages?

BTW: I've never said there was a 'flaw' in HTML. But I take the view
that HTML in email is unnecessary and stupid; and sending a multipart
MIME email message with just one part - text/html - is rude, spammy and
not acceptable here, since my email client is set to not render HTML.

(Kiddies, that means something like "MrDemeanour has left the chatroom")
 
Leythos said:
Are you yanking my chain here? DoS (Denial of Service) attacks are a
threat; I've only seen one type of DoS that was unintentional, and it
was caused by a malfunctioning network adapter. DoS is a threat if it
makes it inside the network or attempts to compromise the firewall; if it
only abuses the connection speed/ability to respond, then it's a
resource threat.

No yanking, just preparing for a point. :-)
That's a lack of planning :) Since the power didn't "threaten your
network" it's a resource threat - meaning lack of resources to maintain
the network services.

Ahah. The industry standard for network security does state this scenario
as a security threat. This disrupts Availability which is a primary concern
in Security. The other two primary concerns are Confidentiality and
Integrity. You wouldn't think that a T1 going down and preventing my
employees from connecting to the central office would be a security threat,
but it really is and that is being taught in all of the security
certifications. If an unauthorized person looks at my data, that is bad.
If my data gets corrupted or tampered with, that is bad. If I can't even
get to my data, that is also bad.
This is almost fun, if I respond, and your server sees the message, is
that a threat or a utilization of resources?

That depends if your response contains vulgarity! (and some malicious
html... j/k)

Rick
 
I see what's going on here. On one side we have Systems Administrators
that deal with these malware/exploits/threats on a regular basis, arguing
that Spam is indeed malware (or at least a threat). Then on the other side
we have Programmers and Developers that deal with the code on a regular
basis (hopefully not writing viruses!).

Sort of - I design networks, security plans, server farms, etc... I also
install and maintain them. At the same time I have strong roots in
programming for industrial applications. So, I'm looking at it from both
sides.
 
I need to plonk you.

Please do, it won't bother me. Since I've read your replies and
completely disagree with parts of them, we're not going to resolve the
difference in opinions. I would rather leave it at We agree to have
differences than plonking, as either of us is trolling or being foul.
 
Now I don't plan on budging from
my position that Spam can be called Malware, because I accept the definition
that non-executable data is software. For the sake of the critique, let's
all pretend that Spam is both Malware and a Threat (security or resource).
Accepting that, would you agree with the way the Triangle is laid out? Do
you think this triangle can be useful in any way?

One can only answer the last question if they agree with your ideals.

You are asking us to do something I see instructors do all the time -
they provide an explanation, show them how to do it the wrong way, and
tell the students to never do it this way in the real world - what do
the students remember, they remember how to do it the wrong way :)
 
I think everyone needs to take a step back, breathe in deeply, and exhale
slowly. Close your eyes and count to ten.

Now...

I appreciate the contributions of comments from BOTH of you. Both of you
make good points. None of this stuff is set in stone after all, by the very
nature of the computing industry. A 0 is false and 1 is true, beyond that
everything is open for interpretation and a little customization. I suppose
you could declare all of this philosophical.

The original thread is about the Malware Threats Triangle that I propose.
Questions, comments and opinions are all welcome. I won't agree with some
of them, but I will consider most of them. Now I don't plan on budging from
my position that Spam can be called Malware, because I accept the definition
that non-executable data is software. For the sake of the critique, let's
all pretend that Spam is both Malware and a Threat (security or resource).
Accepting that, would you agree with the way the Triangle is laid out? Do
you think this triangle can be useful in any way?

Thanks,
 
Leythos said:
One can only answer the last question if they agree with your ideals.

You are asking us to do something I see instructors do all the time -
they provide an explanation, show them how to do it the wrong way, and
tell the students to never do it this way in the real world - what do
the students remember, they remember how to do it the wrong way :)

LOL, yes you are right. But on the flipside, how are we going to accomplish
anything in this thread if nobody changes their mind anyway and everyone
continues to argue the same points?

Let's just look at it this way, the basic level. Spam is just email that is
used in a way to do some kind of damage mostly to Availability. Viruses are
just executables that can be used in a way to do some kind of damage mostly
to Integrity. Spyware are just executables that can be used in a way to do
some kind of damage mostly to Confidentiality.

We'll call that the "Stuff That Does Some Kind of Damage Mostly to One of
the 3 Pillars of Security" (tm).

:-)

Rick
 
Leythos said:
Sort of - I design networks, security plans, server farms, etc... I also
install and maintain them. At the same time I have strong roots in
programming for industrial applications. So, I'm looking at it from both
sides.

That is a good perspective. Mind if we chat via email?

Rick
 