New Fake MS security updates circulate
[link|http://news.zdnet.com/2100-1009_22-5660042.html?tag=nl.e589|http://news.zdnet.co....html?tag=nl.e589]

An e-mail campaign designed to lure people to a bogus Microsoft Web site is making the rounds as part of an attempt to install a Trojan horse, antivirus company Sophos said Friday.

Attackers are sending out fake e-mails that claim to come from Microsoft's Windows Update. People who click on the link in the message are steered to a site that looks like Microsoft's security update site, where they are urged to download fake patches.

But should unsuspecting users download the bogus patches, they will infect their computers with the Troj/DSNX-05 Trojan horse, according to Sophos. That, in turn, will let the attackers remotely take control of the infected PC.
-----
This is a twist on phishing and is rapidly becoming an area that requires a solution.

What I'm trying to understand is, why don't email companies improve support for digital signatures in their email clients and why don't companies begin to adopt digital signing of their messages as a matter of course? Seems like that would eliminate the problem in fairly short order.

Right now, in order to get support for digital signatures/certs, there's a whole fiddly keygen/extension installation mess. It's not easy for the casual user to take advantage of this stuff. I think that, were the email clients to give it a little priority, we could get this problem licked.

Or am I missing something?



"Whenever you find you are on the side of the majority, it is time to pause and reflect"   --Mark Twain

"The significant problems we face cannot be solved at the same level of thinking we were at when we created them."   --Albert Einstein

"This is still a dangerous world. It's a world of madmen and uncertainty and potential mental losses."   --George W. Bush
New I think you have the right idea

We'd have to deal a bit with key management, but companies like Red Hat seem to have that licked. (Downloads through up2date are all signed and Red Hat's key is automatically installed at setup time.)

Tom Sinclair

"This is a lovely party," said the Bursar to a chair, "I wish I was here."
-- The Bursar is a man under a *lot* of stress
(Terry Pratchett, Lords and Ladies)
New Security is Hard.
Microsoft have known this for years (though for the wrong reasons) and thus only implemented it when practically bullied into it. The actual hurdle for handling signed emails et al is that J Random User has to learn the rudimentaries of it. That's the difficult bit. Microsoft could make this a lot easier, but their long entrenched attitude towards security is preventing them from doing this.

Wade.

Is it enough to love
Is it enough to breathe
Somebody rip my heart out
And leave me here to bleed
 
Is it enough to die
Somebody save my life
I'd rather be Anything but Ordinary
Please

-- "Anything but Ordinary" by Avril Lavigne.

New Doesn't need to be that hard and it's not just MS
"The actual hurdle for handling signed emails et al is that J Random User has to learn the rudimentaries of it."

Disagree. It's much worse than that.

For instance, in order to get certs into my mail client I had to go here: [link|http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html|http://www.sente.ch/...proj/GPGMail.html]

And then get this: [link|http://www.gnupg.org/|http://www.gnupg.org/]

And follow this arcane little guide: [link|http://webber.dewinter.com/gnupg_howto/english/GPGMiniHowto.html|http://webber.dewint...GPGMiniHowto.html]

Overall, to get signed email working I spent about 3 hours downloading and following instructions. I am experienced at installing all sorts of software and I found it daunting.

How is Joe AOL going to deal with this?



"Whenever you find you are on the side of the majority, it is time to pause and reflect"   --Mark Twain

"The significant problems we face cannot be solved at the same level of thinking we were at when we created them."   --Albert Einstein

"This is still a dangerous world. It's a world of madmen and uncertainty and potential mental losses."   --George W. Bush
New That's my point.
Although what I technically meant by the line you quoted was said in the light of my experience in managing corporate encryption services. If you deal with keys, you have to understand the basics (the idea of a Key Encrypting Key is bizarre to a lot of people, for instance). Otherwise it won't make sense and you'll do it wrong.

The proliferation of programs to do all the bits is the part where someone like Microsoft could help. Unless the majority of other email client makers get together and do it.

Wade.

Is it enough to love
Is it enough to breathe
Somebody rip my heart out
And leave me here to bleed
 
Is it enough to die
Somebody save my life
I'd rather be Anything but Ordinary
Please

-- "Anything but Ordinary" by Avril Lavigne.

New Don't need GNUPG for that on Winders
Outlook and TBird support the Windows certs just fine, and they're somewhat less arduous.

Quel surprise, however, that on OS X the GNUPG plugin for Mail and GPG Keychain Access applications make being a GPG user as easy as falling off a log.


Peter
[link|http://www.ubuntulinux.org|Ubuntu Linux]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
New Then why do you think more people don't do it then?
I think it's because there is still a learning hurdle.

Wade.

Is it enough to love
Is it enough to breathe
Somebody rip my heart out
And leave me here to bleed
 
Is it enough to die
Somebody save my life
I'd rather be Anything but Ordinary
Please

-- "Anything but Ordinary" by Avril Lavigne.

New Well, yes.
90% of users don't even know that they CAN encrypt their mail.


Peter
[link|http://www.ubuntulinux.org|Ubuntu Linux]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
New Oh, I know that I can...
I just don't know that most of the people I send email to would be able to figure out how to read it.

Cheers,
Ben
I have come to believe that idealism without discipline is a quick road to disaster, while discipline without idealism is pointless. -- Aaron Ward (my brother)
New You're *so* not in the 90%
:-)


Peter
[link|http://www.ubuntulinux.org|Ubuntu Linux]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
New That was part of my point
Even those that can, have incentives not to bother.

Cheers,
Ben
I have come to believe that idealism without discipline is a quick road to disaster, while discipline without idealism is pointless. -- Aaron Ward (my brother)
New I'm not so sure...

I've gotten GPG-encrypted mail from you that had issues.

--
You cooin' with my bird?
[link|http://www.shtuff.us/|shtuff]
New That was an S/MIME issue...
...and we need to revisit it. I need to know if it's just you or if I have a problem. Other people have communicated with me encryptowise without difficulty.


Peter
[link|http://www.ubuntulinux.org|Ubuntu Linux]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
New Re: That was an S/MIME issue...

Every other PGP/GPG-encrypted message I've ever received marked the encrypted portion with the content-type 'application/pgp-encrypted', and the signature 'application/pgp-signature'.

Yours appears to have done neither. Perhaps some clients sniff for the 'BEGIN PGP MESSAGE' line, and Evolution doesn't?

Saving the message and decrypting on the command line worked OK.

--
You cooin' with my bird?
[link|http://www.shtuff.us/|shtuff]
Edited by ubernostrum April 13, 2005, 01:50:58 AM EDT
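
The difference described in the post above, as an added example that is not part of the original thread: a message can declare its PGP content through MIME types (PGP/MIME, RFC 3156) or carry ASCII armor inline in a plain text body, which a client only finds by sniffing. The function name `classify_pgp` and the sample messages are constructed for illustration.

```python
import email
import re
from email import policy

# Armor header at the start of a line marks inline (non-MIME) PGP content.
ARMOR = re.compile(r"^-----BEGIN PGP (SIGNED )?MESSAGE-----", re.MULTILINE)

def classify_pgp(raw: str) -> str:
    """Return how a message carries PGP data: by MIME type or inline armor."""
    msg = email.message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    protocol = (msg.get_param("protocol") or "").lower()
    # RFC 3156 containers declare the PGP role in the top-level Content-Type.
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "pgp-mime-encrypted"
    if ctype == "multipart/signed" and protocol == "application/pgp-signature":
        return "pgp-mime-signed"
    # Otherwise a client has to sniff text bodies for the armor line.
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if ARMOR.search(body):
                return "inline-pgp"
    return "none"

# Constructed sample messages (placeholders, not real ciphertext).
HEAD = "From: a@example.org\nTo: b@example.org\nSubject: test\nMIME-Version: 1.0\n"
PGP_MIME = HEAD + (
    'Content-Type: multipart/encrypted;\n'
    ' protocol="application/pgp-encrypted"; boundary="b1"\n\n'
    "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
    "--b1\nContent-Type: application/octet-stream\n\n"
    "-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----\n"
    "--b1--\n"
)
INLINE = HEAD + (
    "Content-Type: text/plain; charset=us-ascii\n\n"
    "-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----\n"
)
PLAIN = HEAD + "Content-Type: text/plain\n\nNo PGP content here.\n"

if __name__ == "__main__":
    for name, raw in (("PGP/MIME", PGP_MIME), ("inline", INLINE), ("plain", PLAIN)):
        print(f"{name}: {classify_pgp(raw)}")
```

A client that only honours the MIME types treats the `inline-pgp` case as ordinary text, which is why the sender's choice of format matters for interoperability.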
New Fixx0r3d, and a note for Mail/GPG users on OS X
The GPG plugin thing for Mail has a preference panel with an option to always use OpenPGP/MIME.

Enabling this resolved the problem.


Peter
[link|http://www.ubuntulinux.org|Ubuntu Linux]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
New Recently, GNOME has made great strides in that.
Gnome has the little app called seahorse.

It is a central point for all of your keys. Evo supports it out of the box. Evo 2.2.1.1 (which I run now) even has support for managing certs as well, for things like signed keys and so on.

I dunno, I would have to say that if someone can just walk people through it, easily...

Well, we wouldn't have to be in this situation.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey

[link|http://it.slashdot.org/comments.pl?sid=134485&cid=11233230|"Microsoft Security" is an even better oxymoron than "Military Intelligence"]
No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
New Yes and we have the keychain on OS X
but getting the keys generated and registered - that's still ugly.



"Whenever you find you are on the side of the majority, it is time to pause and reflect"   --Mark Twain

"The significant problems we face cannot be solved at the same level of thinking we were at when we created them."   --Albert Einstein

"This is still a dangerous world. It's a world of madmen and uncertainty and potential mental losses."   --George W. Bush
     Fake MS security updates circulate - (tuberculosis) - (16)
         I think you have the right idea - (tjsinclair)
         Security is Hard. - (static) - (14)
             Doesn't need to be that hard and it's not just MS - (tuberculosis) - (13)
                 That's my point. - (static)
                 Don't need GNUPG for that on Winders - (pwhysall) - (9)
                     Then why do you think more people don't do it then? - (static) - (4)
                         Well, yes. - (pwhysall) - (3)
                             Oh, I know that I can... - (ben_tilly) - (2)
                                 You're *so* not in the 90% - (pwhysall) - (1)
                                     That was part of my point - (ben_tilly)
                     I'm not so sure... - (ubernostrum) - (3)
                         That was an S/MIME issue... - (pwhysall) - (2)
                             Re: That was an S/MIME issue... - (ubernostrum) - (1)
                                 Fixx0r3d, and a note for Mail/GPG users on OS X - (pwhysall)
                 Recently, GNOME has made great strides in that. - (folkert) - (1)
                     Yes and we have the keychain on OS X - (tuberculosis)
