
Re: [Fsfe-uk] Amusing but potentially worrying


From: Simon Waters
Subject: Re: [Fsfe-uk] Amusing but potentially worrying
Date: Mon, 09 Jun 2003 14:31:06 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021130

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul wrote:
>
> Just had an email from address@hidden containing a nasty
> payload (Bugbear II). Okay, doesn't worry me in the least and knowing
> that virii enjoy making up email addresses, doesn't really concern me.

They are "viruses" not "virii", see the archive of uk.comp.os.linux for
the (almost) definitive discussion. Well, I was convinced enough to drop
virii, YMMV.

Most email addresses used by viruses are not "made up" but are scavenged
from the PC it is on.

Often viruses will find a bunch of emails, and send themselves to the
sender of email N+1 in a mail allegedly from the sender of email N, or a
similar simple algorithm. One time I got loads of Win32 viruses apparently from a
fellow GNU/Linux user in Sweden, I eventually figured out he'd posted a
message to gnu.announce that was immediately before mine.

> That is until I found 2 things out. address@hidden is a valid
> email address and westminister.gov.uk has more open ports than I've ever
> come across - it's not just open windows, it's backdoors, front doors,
> air bricks and skylights!
>
> Isn't it good to know that the UK govt have decided to become more open
> ;-p Mind you, it wouldn't hurt if they had decent AV software running...

The MX record for westminster.gov.uk hits a Checkpoint firewall,
sometimes not everything is as bad as it first appears. Any bets you are
now well and truly logged?! Port scanning random boxes is bad
netiquette, even those that (apparently) scan you.

Similarly it is more likely that the virus is from someone mailed by
address@hidden

However, given the recent proliferation of new (variants) email-borne
viruses, we can fairly safely conclude that antivirus software itself is
not enough, as it is rapidly out of date.

Last time I had to work around this issue we went with SMTP proxy
attachment type whitelisting. Although rather generously we did allow
Office file formats through, bit of a pain for users, but better than
leaving corporate documents at the mercy of the most gullible (or
unlucky) user.

I know at least one person who emailed a supplier for an Excel document,
and got a virus (apparently from the supplier) with an "apparent" Excel
attachment next time they collected their email. These are caught by the
proxies because to be run they must have an executable extension, even if
the presented name looks like a spreadsheet. So users don't have to be
gullible to run viruses, unlucky will do, the solution must take away
reliance on the human element as much as possible.

Not that I want to breed complacency, I personally think anyone still
running Outlook family mail clients needs their head examined, but I
routinely receive emails from "sensitive" organisations which happily
use it for email.

Much as I like free software, free software is not an unalloyed
benefit for security. It certainly makes it easier to secure software,
but it also makes it easier to find and exploit weaknesses. I suspect
the net effect is better security, but proving it is another matter.

Certainly any organisation serious about security can audit free
software to their own standards.
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+5IwWGFXfHI9FVgYRAh8GAJ9dybDW5T4MCDb+On/G0pC/Z4HQ4QCg0QSv
xaivrU5Hp/uk7JhucDI5r7k=
=DzGO
-----END PGP SIGNATURE-----
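
The attachment-type whitelisting described in the message above, sketched as an added example that is not part of the original post and not the code of any particular SMTP proxy. The whitelist contents, the addresses and the attachment names are assumptions constructed for illustration; the check judges each attachment by its final extension, so a file presented as a spreadsheet is still blocked when the extension that would actually run it is executable.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed whitelist: the post says only that Office formats were let through.
ALLOWED_EXTENSIONS = {"doc", "xls", "ppt", "rtf", "txt", "pdf"}

def effective_extension(filename):
    """Return the last extension, which is the one the desktop acts on."""
    # Trailing dots and spaces are dropped by Windows, so normalise first.
    name = filename.strip().rstrip(". ").lower()
    return name.rsplit(".", 1)[1] if "." in name else ""

def screen_message(raw_bytes):
    """Parse a wire-format message; return [(filename, verdict), ...]."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or filename is None:
            continue  # containers and the plain body carry no file name
        # The declared Content-Type is ignored on purpose: the sender picks it.
        allowed = effective_extension(filename) in ALLOWED_EXTENSIONS
        results.append((filename, "pass" if allowed else "block"))
    return results

def build_sample():
    """Constructed sample: one ordinary sheet and two disguised files."""
    msg = EmailMessage()
    msg["From"] = "supplier@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Price list"
    msg.set_content("The spreadsheet you asked for is attached.")
    for name in ("prices.xls", "prices.xls.pif", "summary.doc.scr."):
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application", subtype="vnd.ms-excel",
                           filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, verdict in screen_message(build_sample()):
        print(f"{verdict:5}  {filename}")
```

Because the policy is a whitelist, a name with no extension at all is blocked as well, which is the behaviour that removes the reliance on the user's judgement.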



