
SANS ISC: Greetings awareness - Awareness greetings ? - Internet Security | DShield SANS ISC InfoSec Forums


Greetings awareness - Awareness greetings ?
It is the seasonal greetings time of year again, and with the migration from traditional postal cards to short text messages, e-mails and e-cards, it's time to warn users of the dangers associated with e-mails and e-cards.

E-mails

Plain text messages obviously pose little risk and don't need warnings. It gets worse when attachments are involved. Some of these attachments will not be just a simple picture. Many will include executable programs. Those attachments might contain gifts you just do not want to receive. The best policy is to ignore wishes from people you do not know to start with, and to be extremely careful with e-mail attachments even from people you do know. Let's face it: many of those attachments are not created from scratch by the well-wisher; they contain foreign components whose creator you might have no reason to trust.

Also set a good example and just send plain old text messages to your contacts. It's a matter of leading by example. We'll come back to this ...

E-cards

E-cards are a different story. From a sender's perspective, there are a number of companies trying to offer a responsible service but how do you recognize them? If you use one of the services you give the company behind it the list of e-mail addresses of your friends. If the company is trustworthy that should cause little concern, but how can you be sure?

On the receiving end it gets worse: sometimes it says who tried to send you something, sometimes it doesn't. Sometimes you know the company sending you the e-card, sometimes you've never heard of them. You do know that the sender sometimes gets confirmation that you went and read the card.
If you read this regularly, you might even be aware of possible cross-site scripting issues that could be exploited somehow.

So what to do?

Start your own chain of secure greetings this year

Send out your e-mail greetings early this year to your contacts. Keep them plain text and ask your contacts to please not send you e-cards, as you will not read them this year for security reasons.

If enough people do that, there will hopefully be fewer incidents of people getting infected with all sorts of malware and losing their privacy.

--
Swa Frantzen