Information Security News mailing list archives

Re: they should have used crypto...


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Mon, 13 Dec 1999 06:25:24 -0700

Reply From: lbridwell () icsa net

From: Dan Schrader <Dan_Schrader () trendmicro com>


> A few random thoughts:
>
> Actually, routine use of cryptography will result in huge
> security problems.

Would this alleged gaping security problem be larger than lack of
confidentiality?

> Why?  Because the best place to stop computer viruses, trojans and other
> malicious code is at the email server - and you can't scan encrypted
> mail.

Actually for me the best place is at the desktop, the sender's desktop that
is:-)

> What about desktop virus protection?
> 1.  It has demonstrably failed - see damages mentioned above

A pretty bold statement and I disagree.  By and large the same technology
is used for servers and gateways as it is for desktops.  If the desktop
doesn't catch the virus why would you expect the e-mail gateway to catch
it?  In fact, in our labs we have found gateway products (if not
installed, configured, and updated properly) are sometimes more prone to
detection failure.  Please note I said sometimes.

In fact, while I agree that there needs to be redundancy in AV protection
(desktop, server, & gateway), you can't blame the desktop av product for
all the above mentioned costs.  Some of those systems which were
compromised by Melissa had gateway or e-mail server protection up and
running, but it got through anyway (both you and I could name several I am
sure).  Why?  Because the virus was not known and there was no signature
available and until the signature was available it was not detected.  When
the signature became available it was for both desktop and server,
therefore, either would have detected it.  Now, I will grant you the point
that at the server it would only have needed to be caught once, but either
would have detected.  So I think your logic that desktop protection has
"demonstrably failed" is inaccurate.  A more cynical soul who doesn't know
you as well might even be apt to say it is more marketing statement than
point in fact.

> 2.  It relies on end user compliance

If by end user you mean humans, you are right.  Of course the server or
gateway product does too.  I have heard some system administrators argue
that if the AV companies who continue to create more products would just
create a better administrative console, provide better centralized
management, and automate the updates (daily, weekly, whenever) there would
be less need or concern for gateways, servers, or encrypted e-mail.  Let's
face it, if you are using an operating system, application, or e-mail
clients which are prone to viruses, they all (viruses) either begin or end
up on a desktop.  Why not fix it there?  It is a legitimate argument.

> 3.  We never will be able to update 100's of millions of desktops fast
> enough to stop the next Melissa virus.

And as long as we use known signature scanning we won't stop it at the
gateway either.  At least the initial outbreak.  After all, it has to
infect before you have a sample to create the string form :-).  Again, I
am not arguing against multiple layers of protection.  Just that your
logic NOT to use crypto is flawed.

> Finally, ISPs such as US West and Sprint have started adding virus
> protection as a part of their internet access offerings - which will be a
> very effective way to contain virus outbreaks - but only if email is not
> routinely encrypted.

I am glad this is the case, but end users should still use encryption when
they feel it is necessary.  After all, if the AV industry provides timely,
automated updates for those users who need virus protection and users run
products in real-time mode, they will still be protected.

> Lesson:  - Encrypt selectively

I should think the Lesson here is to:  select your AV protection
carefully;  make sure the company is committed to timely updates; the
product has good, easy to use centralized management; a corporate history
of customer support;  and then encrypt as you deem necessary to do
business and protect your privacy.

Larry Bridwell
______________________________________
Technology Program Manager, ICSA Labs
1200 Walnut Bottom Road, Carlisle, PA 17013-7635
pgp fingerprint:  DC26 351B 0D73 9091  5B4A 83B7 FD50 FDC4
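The exchange above turns on two mechanics: a gateway scanner cannot inspect an encrypted body, and a signature scanner at any layer is blind to a sample until its signature has been published. The following toy model, added here as an illustration and not code from either poster or from ICSA Labs, walks a constructed message through three stages (gateway scan, desktop decryption, desktop real-time scan) with a signature database that records when each signature became available. The signature patterns, the key, and the XOR "cipher" are all constructed stand-ins for the example; the XOR routine is not real cryptography, it only makes the ciphertext opaque to the gateway the way real encryption would.

```python
"""Toy model of where signature-based mail scanning can and cannot act.

Added example, not part of the original thread. Signatures, messages and
the key are constructed; the XOR routine is a stand-in for real encryption.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed signature database: byte pattern -> time it was published.
# The first entry stands in for a Melissa-like macro sample whose signature
# only appears at t=3, i.e. after the initial outbreak has begun.
SIGNATURE_DB = {
    b"X-Macro:AutoOpen;SendMail(50)": 3,
    b"THIS-IS-A-KNOWN-TROJAN": 0,
}

KEY = b"not-a-real-key"  # constructed; shared by sender and recipient desktop


def scan(payload: bytes, now: int) -> Optional[str]:
    """Return the matching signature if one published by `now` is found."""
    for pattern, published_at in SIGNATURE_DB.items():
        if published_at <= now and pattern in payload:
            return pattern.decode()
    return None


def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: opaque to substring matching, NOT secure."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plaintext))


toy_decrypt = toy_encrypt  # XOR is its own inverse


@dataclass
class Message:
    body: bytes        # what crosses the wire (ciphertext if encrypted)
    encrypted: bool
    arrived_at: int    # time the gateway sees it


@dataclass
class Outcome:
    blocked_at: Optional[str]   # "gateway", "desktop" or None
    stored_on_desktop: bool


def deliver(msg: Message, key: bytes, realtime_desktop_av: bool) -> Outcome:
    """Push one message through gateway scan, decryption, desktop scan."""
    # Layer 1: the gateway can only match against the bytes on the wire.
    if scan(msg.body, msg.arrived_at):
        return Outcome("gateway", False)
    # Layer 2: the desktop holds the key, so it sees the real content.
    plaintext = toy_decrypt(msg.body, key) if msg.encrypted else msg.body
    # Layer 3: real-time desktop AV scans the decrypted content on open.
    if realtime_desktop_av and scan(plaintext, msg.arrived_at):
        return Outcome("desktop", False)
    return Outcome(None, True)


def scenario_known_plaintext() -> Outcome:
    """Known trojan, sent in the clear: the gateway stops it."""
    body = b"hello\n" + b"THIS-IS-A-KNOWN-TROJAN" + b"\n"
    return deliver(Message(body, False, arrived_at=1), KEY, True)


def scenario_known_encrypted() -> Outcome:
    """Same trojan, encrypted: gateway is blind, desktop catches it."""
    body = toy_encrypt(b"hello\n" + b"THIS-IS-A-KNOWN-TROJAN" + b"\n", KEY)
    return deliver(Message(body, True, arrived_at=1), KEY, True)


def scenario_unknown_then_updated() -> Tuple[Outcome, Optional[str]]:
    """Sample arrives before its signature exists: every layer misses it.

    Once the signature is published (t=3) a desktop on-access rescan of the
    stored file finds it; the gateway had no second chance.
    """
    plaintext = b"Important Message From a Friend\n" \
                b"X-Macro:AutoOpen;SendMail(50)\n"
    outcome = deliver(Message(plaintext, False, arrived_at=1), KEY, True)
    stored = plaintext if outcome.stored_on_desktop else b""
    later_hit = scan(stored, now=5)
    return outcome, later_hit


if __name__ == "__main__":
    print("known, plaintext  :", scenario_known_plaintext())
    print("known, encrypted  :", scenario_known_encrypted())
    print("unknown, then upd.:", scenario_unknown_then_updated())
```

The third scenario is the one both posters agree on: with signature scanning, neither gateway nor desktop stops the first wave, and the layer that still matters afterwards is whichever one gets the new signature and rescans what it already holds. Encryption in the second scenario moves detection from the gateway to the desktop rather than removing it, provided the desktop product is running in real-time mode and is up to date.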

ISN is sponsored by Security-Focus.COM
