Information Security News mailing list archives
Re: they should have used crypto...
From: mea culpa <jericho () DIMENSIONAL COM>
Date: Mon, 13 Dec 1999 06:25:24 -0700
Reply From: lbridwell () icsa net
From: Dan Schrader <Dan_Schrader () trendmicro com>
A few random thoughts:
Actually, routine use of cryptography will result in huge security problems.
Would this alleged gaping security problem be larger than lack of confidentiality?
Why? Because the best place to stop computer viruses, trojans and other malicious code is at the email server - and you can't scan encrypted mail.
Actually for me the best place is at the desktop, the sender's desktop that is :-)
What about desktop virus protection? 1. It has demonstrably failed - see damages mentioned above
A pretty bold statement and I disagree. By and large the same technology is used for servers and gateways as it is for desktops. If the desktop doesn't catch the virus why would you expect the e-mail gateway to catch it? In fact, in our labs we have found gateway products (if not installed, configured, and updated properly) are sometimes more prone to detection failure. Please note I said sometimes. In fact, while I agree that there needs to be redundancy in AV protection (desktop, server, & gateway), you can't blame the desktop av product for all the above mentioned costs. Some of those systems which were compromised by Melissa had gateway or e-mail server protection up and running, but it got through anyway (both you and I could name several I am sure). Why? Because the virus was not known and there was no signature available and until the signature was available it was not detected. When the signature became available it was for both desktop and server, therefore, either would have detected it. Now, I will grant you the point that at the server it would only have needed to be caught once, but either would have detected. So I think your logic that desktop protection has "demonstrably failed" is inaccurate. A more cynical soul who doesn't know you as well might even be apt to say it is more marketing statement than point in fact.
2. It relies on end user compliance
If by end user you mean humans, you are right. Of course the server or gateway product does too. I have heard some system administrators argue that if the AV companies who continue to create more products would just create a better administrative console, provide better centralized management, and automate the updates (daily, weekly, whenever) there would be less need or concern for gateways, servers, or encrypted e-mail. Let's face it, if you are using an operating system, application, or e-mail clients which are prone to viruses, they all (viruses) either begin or end up on a desktop. Why not fix it there? It is a legitimate argument.
3. We never will be able to update 100's of millions of desktops fast enough to stop the next Melissa virus.
And as long as we use known signature scanning we won't stop it at the gateway either. At least the initial outbreak. After all, it has to infect before you have a sample to create the string from :-). Again, I am not arguing against multiple layers of protection. Just that your logic NOT to use crypto is flawed.
Finally, ISPs such as US West and Sprint have started adding virus protection as part of their internet access offerings - which will be a very effective way to contain virus outbreaks - but only if email is not routinely encrypted.
I am glad this is the case, but end users should still use encryption when they feel it is necessary. After all, if the AV industry provides timely, automated updates for those users who need virus protection and users run products in real-time mode, they will still be protected.
Lesson: - Encrypt selectively
I should think the Lesson here is to: select your AV protection carefully; make sure the company is committed to timely updates; the product has good, easy to use centralized management; a corporate history of customer support; and then encrypt as you deem necessary to do business and protect your privacy.

Larry Bridwell
______________________________________
Technology Program Manager, ICSA Labs
1200 Walnut Bottom Road, Carlisle, PA 17013-7635
pgp fingerprint: DC26 351B 0D73 9091 5B4A 83B7 FD50 FDC4

ISN is sponsored by Security-Focus.COM