EMail risks

EMail risks

Post by A » Wed, 15 Jun 1994 03:50:10



My company (a bank) is about to add internet email.  What are some of the
risks involved with "just" email on the internet?  Are there ways to hack
into our system?  I know very little and would appreciate any help.

:-)apb

 
 
 

EMail risks

Post by Mike O'Conn » Wed, 15 Jun 1994 05:36:04


:My company (a bank) is about to add internet email.  What are some of the
:risks involved with "just" email on the internet?  Are there ways to hack
:into our system?  I know very little and would appreciate any help.

Details are needed before an answer can be composed which makes any
sense.  A good place to start would be by describing the general
interface that you're going have to plug into the Internet for email
(and of course, providing too many details on the Usenet can lead to
breakins which would not otherwise occur -- take your chances).  

                                                ...Mike

--

 Ford Motor Company, OPEO      |  UUCP:      ...!fmsrl7!opeo!mjo
 20000 Rotunda, Bldg. 1-3001   |  Phone:     +1 (313) 248-1260
 Dearborn, MI  48121           |  Fax:       +1 (313) 323-6277

 
 
 

EMail risks

Post by Nick Maclar » Wed, 15 Jun 1994 06:30:26



>My company (a bank) is about to add internet email.  What are some of the
>risks involved with "just" email on the internet?  Are there ways to hack
>into our system?  I know very little and would appreciate any help.

Theoretically, the only risk is people filling up your disk with junk
messages, and you can limit the damage that causes by restricting the
size of the incoming mail spool.  In practice, there are two really
* causes of loopholes:

    1) Ones caused by the method of Internet connexion, often due to
improper or careless installation of your networking software.

    2) Bugs and other imbecilities in the mail software that you are
inflicted with.  The "Internet Worm" is a classic example.

In summary then, don't think of Email as the risk - look at your whole
system (vendor, configuration and especially networking).  Any other
approach is asking for trouble.  And, given that banks are high-risk
targets, I would advise paying a competent security consultant to look
over the details.

Nick Maclaren,
University of Cambridge Computer Laboratory,
New Museums Site, Pembroke Street, Cambridge CB2 3QG, England.

Tel.:  +44 223 334761    Fax:  +44 223 334679

 
 
 

EMail risks

Post by Ben Ellist » Wed, 15 Jun 1994 14:50:13


: My company (a bank) is about to add internet email. What are some of the
: risks involved with "just" email on the internet? Are there ways to hack
: into our system? I know very little and would appreciate any help.

Your only real risks are:

- The reliability of the sendmail daemon that you run which talks to the
world .. make sure it's one of the later versions, (I'd suggest AGAINST
vendor provided versions) and has all patches applied. Take, for example,
the bugs in sendmail which allowed text to be e-mailed to programs on the
mail host. This is essentially how the Internet worm worked its way around.

- The risks associated with people recieving encoded binary files within their
e-mail. One organisation with which I am familiar STILL has not installed
e-mail for the simple reason that they're afraid people will be e-mailed
trojan horses and that they will decode them back into binary form and run
them.

Hope this helps. These are the only major points that crop to mind.

--
Ben Elliston

Fax: +61-6-255-1074

 
 
 

EMail risks

Post by Hildo den Breej » Wed, 15 Jun 1994 16:53:03



>My company (a bank) is about to add internet email.  What are some of the
>risks involved with "just" email on the internet?  Are there ways to hack
>into our system?  I know very little and would appreciate any help.
>:-)apb

If you only want e-mail, why not consider a Uucp link to an e-mail
backbone somewhere?
--

Ideta b.v., Frankemaheerd 6, 1102 AN Amsterdam, the Netherlands
My opinions are my own, not necessarily my boss's
----------------------------------------------------------------------------
 
 
 

EMail risks

Post by John Shardl » Wed, 15 Jun 1994 23:01:04


|> My company (a bank) is about to add internet email.  What are some of the
|> risks involved with "just" email on the internet?  Are there ways to hack
|> into our system?  I know very little and would appreciate any help.
|>
|>
|> :-)apb
|>

If you use UUCP to send and receive e-mail then you are fairly safe.

If you use a real IP link to connect to your service provider then you
are open to many more method of attack. Of course these can be
guarded against but its a lot more complex.

John

--
+----------------------------------+
| John Shardlow                    |  


+----------------------------------+
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3a

mQCNAi3vWtsAAAEEAKJ0em25+3pxU8h700vmlqMlKJMc8nsy3hBZq87bONHLCDzY
+O+tBmSI9bj+sUFS/Y/hmHer1QTlISg6w/ao8E+aHqXEn5c1JmPM0CvlKr0NjxD2
do+z6jQcNBey08njDEYG950IyZkE8m8wd9UumIx10fObDRvaDOOVRBJD8x49AAUR
tDNKb2huIEouIFNoYXJkbG93IDxqc2hhcmRsb3dAbG9uZG9uLm1pY3JvZ25vc2lz
LmNvbT4=
=1R1I
-----END PGP PUBLIC KEY BLOCK-----

 
 
 

EMail risks

Post by Mikolaj Habr » Thu, 16 Jun 1994 17:59:34



>My company (a bank) is about to add internet email.  What are some of the
>risks involved with "just" email on the internet?  Are there ways to hack
>into our system?  I know very little and would appreciate any help.

        This really depends on what kind of system you are running at
your bank. There are various nifty things that crackers can do to you via
mail. For example, you can make file requests by mail (metamail i think,
but i am uncertain on that point), but hopefully you do not have
sensitive info lying around unprotected. However, there ws a security
hole reported a while ago about some mailers not checking for read
permissions before seizing the files and mailing them back to you...

        Also, i had a quite unpleasnt surprise the other day... I
received a piece of mail from cypherpunks (or firewalls - one or the
other), and Elm, with it's very broken handling of metamail, sat there for
a moment before showing the message. That wasn't at all bizarre. What was
bizarre was what was printed up before the message was displayed.

/bin/sh: Unable to execute.
/bin/sh: Unable to execute.
/bin/sh: Unable to execute.

        I thought that that was just a tad suspicious. Looking around, i
saw that a file had been created named "dk | tr A-Z a-z". Now, i don't
know whether that is a natural function of elm or what, but it does
present some interestin trojan possibilities. Incidentally, what is dk?
How does one send commands in metamail - how are they inserted in the
message. I checked the mail spool, and the file looked absolutely normal.

--
*       *       Mikolaj J. Habryn

    *           "I'm just another sniper on the information super-highway."
                PGP Public key available by finger
    *           #include <standard-disclaimer.h>

 
 
 

1. Security risk posed by email forwarding?

I'm trying to verify if having a deactivated account on a UNIX machine
(e.g., SunOS), while forwarding the user's email with a .forward file,
poses a security risk.

My impression that if there is a '*' in /etc/passwd, forwarding of email
to an address stored in that account's .forward file poses no risks of
security compromise.

Comments?

Scot Silverstein, MD

2. Quota for >=1.1.45

3. E-Mail E-Mail E-Mail

4. KDE1 decoration, window title centered?

5. extract email from text file and send an email to the email address

6. Remote X Display

7. Active email and news (was Mozilla droppings in email...)

8. HELP: recovering half done 2.5.1->2.6 upgrade

9. How to enable SMTP socket to send email to other email system

10. Email Problems: Null's before the header of emails

11. Samba/E-Mail server w/E-mail arrival messages. How?

12. whoops forgot to put my e-mail to previous e-mail

13. ANNOUNCE - Beta available - DirectChoice - WWW & Email with no junk email