[extropy-chat] Virus problem inquiry

Eugen Leitl eugen at leitl.org
Sun Mar 7 13:15:18 UTC 2004


On Sat, Mar 06, 2004 at 02:39:43PM -0800, Jeff Davis wrote:

> Now if I get a junk email, with or without attachment,
> I send it straight to the trash, of course. 

It is interesting that by now we can tell it's spam, because the fitness
function has changed through advent of spam filters. By now the bulk of spam
has become almost unintelligible.

> Occasionally I'll open the mail, but never the
> attachment.  In this case however, there was a

I open all attachments. I don't execute them, though.

I might execute an attachment, provided it's provably from a trusted person,
and executing it actually fulfills a useful purpose (right now I can't think of
any such purpose, though).

> problem: it looked like it might--though I doubted it,
> since "eleitl at leitl.org" isn't Gene's usual email
> address as I'm familiar with it--come from Gene Leitl.

I sign almost all my outgoing mail with a digital signature. The only way to
prove the message's from me (or from somebody who cracked my machine, and
snarfed the passphrase) is to check the digital signature. You can completely
disregard most of what's in the headers; it's perfectly forgeable, and
frequently forged.

>  I was suspicious, so I scanned the attachment using
> yahoo's virus scan function.  Bingo, red flag, it was
> a virus.

Notice that this variant uses social engineering to get the user to execute
it. They zip the payload, and use a password protected zipfile, so the virus
scanners can't look inside.
 
> How did this happen?  How did I get an email
> configured to look like something from Gene?  Is my

Easy as pi: http://www.opus1.com/www/presentations/emailproto/sld012.htm

The issues of trust and authentication are not that obvious, btw. It's clear
enough by biological properties and my government-issued ID never issued the
picture -- you built a model from a history of post, and linked it to
whatever appeared on the To: headers.

If that information is forgeable (and it is), clearly one has to turn to
something else to authenticate. Public key cryptography allows us to use the
laws of mathematics to verify that this email came from somebody in possession
of a secret (the private part of the public/private key pair). I have an
incentive to not circulate that secret widely, so just download a PGP/GPG
plugin for your MUA.

> machine infected with something that helped to make
> this possible?  (My Norton anti-virus is up to date,
> and reports as of yesterday that I'm clean.) Is it an

This is not absolute security, btw. You can get hit by a new virus before
your virus scanner has updated its knowledge base.

> infection associated with the list, or one or more
> members of the list?  Gene's IT savvy is so advanced
> that I can rarely make heads or tails of the

Uh, sorry about that. Does this email make more sense than the previous ones?

> discussion when Gene goes there, so I think it least
> likely that his machine is infected, but who knows.

It is possible, but unlikely.
 
> I submit this in detail because it may be of concern
> to others with more serious security concerns.

-- Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net
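The point made above, that the From: header is worthless and only the signature proves who sent a message, as an added example in Go (not code from the list or its author). It assumes an in-memory keyring and a constructed X-Signature header standing in for a PGP/MIME signature part; the trust logic is the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// Keyring maps a trusted correspondent's name to the public key obtained
// out of band. Assumption: stands in for a real PGP keyring.
type Keyring map[string]ed25519.PublicKey

// Sign builds a message whose body is signed with the sender's private key.
// The signature rides in a constructed X-Signature header (assumption).
func Sign(from, body string, priv ed25519.PrivateKey) string {
	sig := ed25519.Sign(priv, []byte(body))
	return fmt.Sprintf("From: %s\r\nX-Signature: %s\r\n\r\n%s",
		from, base64.StdEncoding.EncodeToString(sig), body)
}

// Authenticate ignores the From: header entirely and returns the keyring
// entry whose key verifies the body, or "" when no trusted key does.
func Authenticate(raw string, ring Keyring) string {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return ""
	}
	sig, err := base64.StdEncoding.DecodeString(msg.Header.Get("X-Signature"))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return ""
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return ""
	}
	for name, pub := range ring {
		if ed25519.Verify(pub, body, sig) {
			return name
		}
	}
	return ""
}

// Demo: Gene's genuine mail verifies; a worm that only forges the From:
// header (signed, if at all, with a key nobody trusts) does not.
func Demo() (genuineFrom, forgedFrom string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ring := Keyring{"Gene": pub}
	genuine := Sign("eugen@leitl.org", "Signed, see body.\r\n", priv)
	_, wormKey, _ := ed25519.GenerateKey(rand.Reader)
	forged := Sign("eleitl@leitl.org", "See attached.\r\n", wormKey)
	return Authenticate(genuine, ring), Authenticate(forged, ring)
}

func main() {
	g, f := Demo()
	fmt.Printf("genuine verified as %q, forged verified as %q\n", g, f)
}
```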