Email security

Steve steve at advocate.net
Tue Dec 29 09:21:09 PST 1998


x-no-archive: yes


The Looming E-Mail Disaster

John C. Dvorak
PC Magazine 1/5/99


While Y2K issues are grabbing all the headlines, a bigger and more
looming threat to the Internet and to the worldwide business
community is the security holes in the Internet, specifically in the
e-mail architecture. These problems are so enormous that the system
may fail completely in the next few years.

Already, numerous e-mail attacks that do all sorts of damage have
been unleashed on the public. Various denial-of-service gambits and
e-mail bombs are launched by jokers all over the world for cheap
laughs.

Unfortunately, it's getting easier to create these problems. Any
offense whatsoever from a friend or enemy can clog your e-mail box
with junk. Even filtering doesn't help, because the junk is so
voluminous that the server can be overloaded. Filtering only cleans
up the e-mail; it doesn't keep messages from coming in. Aardvark
(www.aardvark.co.nz), a New Zealand online publication, describes how
easy an e-mail attack is:

"The hole is exploited by malevolent Net users when they sign up for
a free e-mail account with USA.net then subscribe to the many free
e-mail information services offered on the very next page. They can
also subscribe to any number of mailing lists and respond to the
requests for confirmation before setting up the account to forward all
the received e-mail to the mailbox of whomever they choose as their
victim."

In other words, you set up an e-mail account using a fake name, load
up with various junk subscriptions, and then forward all the e-mail
to somebody's real mailbox. This is called an "e-mail bomb attack."
The POP mail-forwarding feature for free e-mail should be abolished.
People would be less likely to pull a stunt like this if it actually
cost money. The problem is that these Web-based e-mail systems have
to compete on features to keep people coming.

Though these issues seem benign now, there's no evidence that they're
going to lessen. When you bring this topic up with Net superstars
(a.k.a. hackers/security experts), they go into the "Hackers' Ethic"
nonsense. Real hackers, they say, are not malevolent, nor are they
"crackers." (The terms hacker and cracker have become intertwined,
much to the dismay of real hackers.) They go on to say how a real
hacker would never pull these pranks, which are considered lame.
"Lame" is the worst thing you can call something or someone in this
milieu.

Superstar computer types who can sneak into any system and trash
machines will not do so, out of a regard for a higher ethic. Big
deal. It's all the other people who will do the damage. Anyone can
e-mail-bomb a boss or ex-girlfriend. But if someone wants to go on
the Web to find more elaborate schemes, it takes no more than a few
clicks to discover how to do chain bombs, error message bombs, covert
distribution, and so-called mail exploder exploitation.

All Internet-based mail uses SMTP, usually in combination with a mail
transfer agent (MTA). Any weakness in such systems can be exploited.
The mail system was not established to protect users, because the
Internet had always been a network of trustworthy academics and good
folks. No protection was needed. Efficiency was the key. Sendmail,
the de facto standard MTA program, is at the heart of Internet mail;
elaborate e-mail attacks can be orchestrated using scripts (available
on the Net) that exploit the weaknesses of the Internet e-mail system
and Sendmail in particular.

Besides clogging your mailbox, hackers can easily slander you or your
business by using the covert distribution channel technique, whereby
a letter under your name and possibly even routed out of your server
can be sent to millions of people. The true source of the message is
completely hidden if this is done properly. This is more than
"spoofing," where you merely change the name on the "From:" line
using Eudora. I'm surprised that political dirty-tricksters haven't
exploited this technique to create channels of misinformation. (Or
maybe they have!)

The best document I've seen outlining the emerging worldwide e-mail
problem is "E-Mail Bombs and Countermeasures: Cyber Attacks on
Availability and Brand Integrity," by Tim Bass et al.
(www.silkroad.com/papers/html/bomb). The future of e-mail will be
grim, according to the authors, unless the entire system is
completely reengineered. Y2K has more priority, but this situation is
more dangerous. Y2K will get all the attention while this situation
deteriorates. Public-key encryption will help a little in the short
term, but this problem is going to worsen if something isn't done
immediately. It may already be too late.

Copyright (c) 1998 ZDNet




