Fwd: non-disclosed info in Outlook can lead to potential serious Social Attack.

From: Intel Nop (0x90at_private)
Date: Wed Jul 17 2002 - 13:19:18 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    (can I resubmit this, signed by the key for this email instead of the other 
    key I signed it with, thnx).
    
    See below...
    
    I don't know if this has been discussed on bugtraq before, but I just thought
    it might be important to bring up. Noting Outlook Express specifically, even
    6, is vulnerable to certain Social Attacks and interception/redirection of
    mail rather trivially, caused by non-disclosed header/email information in
    the From: address box. Outlook 2000 and previous versions all have the same
    problem if viewed specifically from the preview pane only (I don't know the
    stats on how many view specifically from the preview pane, but at my place of
    employment, it turns out to be plenty). I'm not a Microsoft Outlook expert,
    nor have I had the time or effort to go and look for the cure, other than
    recommending to enforce some openPGP or other form of digital signature
    system for the business environment as to identify and confirm who you
    received mail from. This attack is very simple, as someone can easily go get
    a free web-based e-mail account and just know the name of the person they
    intend to masquerade and send the email to the unknowing user to socially
    engineer pertinent and possibly confidential information from the unknowing
    user, as I notice, when hitting reply to user, it still does not disclose the
    email address unless investigated further to the properties of the user name.
    Not to mention, it is also rather trivial to forge email addresses, and still
    contain a reply-address to the masquerading user who initiated the attack as
    well. This is probably widely known, but maybe not taken as seriously as it
    should be, and the use of One-way hash signatures for email authentication
    would be highly recommended in general to the public, as they do have certain
    software freely available that is quite trivial to use and requires little
    knowledge to operate. The possibilities of this attack are endless, and
    combined with a little social engineering, the level of confidential
    information that could be obtained is alarming. We need to have an RFC for
    Digital Trust on the Internet. Any takers to help establish one?
    
    Anyway, my two cents for the day.
    
    0x90
    http://www.invisiblenet.net
    
    
    - - --
    People will do tomorrow what they did today because that is what they
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org
    
    iEYEARECAAYFAj010UsACgkQN6nb5Smw0U2OUQCgwwOLDSdonkFArBEqTYG40uMp
    EKEAoPjv+Sf2oVlo3/RJV6vs3KeGsZpG
    =wzat
    -----END PGP SIGNATURE-----
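
A gateway-side check for the two cases the message above describes (a familiar display name on an unrelated address, and a forged From: whose Reply-To points elsewhere), as an added example that is not part of the original post. The names, addresses and the `KNOWN_SENDERS` directory are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display name -> the address that person really uses.
KNOWN_SENDERS = {"alice manager": "alice.manager@corp.example"}

def domain(addr):
    return addr.rpartition("@")[2].lower()

def audit_headers(raw):
    """Return findings for one raw message, based only on From:/Reply-To:."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # Case 1: a familiar name on an address that is not that person's.
    expected = KNOWN_SENDERS.get(" ".join(name.lower().split()))
    if expected and from_addr.lower() != expected:
        findings.append("display-name-mismatch")
    # Case 2: From: looks right, but replies go to a different domain.
    if reply_addr and domain(reply_addr) != domain(from_addr):
        findings.append("reply-to-diverges")
    return findings

# Constructed sample messages (headers only, no real addresses).
MSG_LOOKALIKE = (
    'From: "Alice Manager" <alice.manager.1971@freemail.example>\n'
    "To: bob@corp.example\nSubject: Q3 figures\n\nPlease send them today.\n"
)
MSG_FORGED = (
    'From: "Alice Manager" <alice.manager@corp.example>\n'
    "Reply-To: alice.manager.1971@freemail.example\n"
    "To: bob@corp.example\nSubject: Q3 figures\n\nPlease send them today.\n"
)
MSG_GENUINE = (
    'From: "Alice Manager" <alice.manager@corp.example>\n'
    "To: bob@corp.example\nSubject: Q3 figures\n\nPlease send them today.\n"
)

if __name__ == "__main__":
    for label, raw in [("lookalike", MSG_LOOKALIKE), ("forged", MSG_FORGED),
                       ("genuine", MSG_GENUINE)]:
        print(label, audit_headers(raw))
```

A finding here is a reason to show the full address to the recipient or tag the message, not proof of forgery; a signature check of the kind the post recommends is still what confirms the sender.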
    



    This archive was generated by hypermail 2b30 : Thu Jul 18 2002 - 10:48:52 PDT