Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Gateways Identifying/Defending E-Mail Attacks A. Padgett Peterson, P.E., CISSP Corporate Information Protection Lockheed Martin Corporation Orlando,

Published byCortez Gladden Modified over 9 years ago

Similar presentations

Presentation on theme: "Securing Gateways Identifying/Defending E-Mail Attacks A. Padgett Peterson, P.E., CISSP Corporate Information Protection Lockheed Martin Corporation Orlando,"— Presentation transcript:

1 Securing Gateways Identifying/Defending E-Mail Attacks A. Padgett Peterson, P.E., CISSP Corporate Information Protection Lockheed Martin Corporation Orlando, Florida Las Vegas, 26 July, 2000

2 26 July 2000appbh002 The Problem In recent months the most serious problems have been from the “Mass Mailer” viruses May take many forms –Word Documents: Melissa –Excel spreadsheets: Papa –VBS files: Loveletter –Script files: KAK All have common roots Are other vectors but less common

3 26 July 2000appbh003 What makes MassMailers easy

4 26 July 2000appbh004 Mass Mailers From a corporate/agency standpoint, the really disruptive mechanism are those which broadcast using global address lists (GAL) –potential for thousands of messages –50,000 Melissa seen –200,000 LoveLetter

5 26 July 2000appbh005 Mass Mailers Thusfar.EXE files are constrained to local access e.g. PrettyPark uses.WAB - has no access to GAL All attacks using GAL are VB based (VBA/VBS/ActiveX)

6 26 July 2000appbh006 Mass Mailing http://msdn.microsoft.com/library/devprods/vs6/vc++/vccore/_core_mapi.2c_.enabling_your_program_for_mail.3a_.overview.htm

7 26 July 2000appbh007 Looking Sdrawkcab Early 1998 - vendor told that inclusion of CreateObject in VBS was not a good idea Ignored as usual Russian New Year attack demonstrated capability of embedded scripting Patch issued for RNY WORD/EXCEL. Required 32 Mb download. Ignored PowerPoint.

8 26 July 2000appbh008 Looking Sdrawkcab - Dec 1997 Outlook added HTML capability –discovering exactly which HTML was like pulling teeth

9 26 July 2000appbh009 Whazzat ? Image is on remote site Experiment #17, HTML generation test This is a test of HTML response capability If you see more than this message text please let me know Padgett

10 26 July 2000appbh0010 July 00 - Surprise http://www.microsoft.com/technet/security/bulletin/fq00 -049.asp The Office HTML Script vulnerability, allows malicious script code on a web page to reference an Excel 2000 or PowerPoint file in such a way as to cause a remotely hosted file to be saved to a visiting user's hard drive.

11 26 July 2000appbh0011 Since Then W97M/Alina.A@MM W97M/Antisocial.E@MM W97M/Bench.E@mm W97M/Buffer.A@MM W97M/MadCow@MM, WM97/Melissa-D@MM (over 50 Melissas now) W97M/Cobra.F@MM W97M/Evolution.E@MM W97M/Jany.B@MM W97M/Lucia.A@MM W97M/Nail.B@MM W97M/Ping.B@MM W97M/Prilissa.A@MM etc, etc, etc

12 26 July 2000appbh0012 What is the common factor ? ALL use CreateObject Are other possible constructs –GetObject (must preexist) –CreateTextObject (using executable ASCII) –GetTextObject –and one more we’ll mention later but not many

13 26 July 2000appbh0013 Gateway Factor “Block all Scripting” –something about a baby and a bath ? “Block all executables” –care to be a bit more specific: ??_ AD? ASP BAS BAT BIN CDR CHM CMD COM CPL CRT CSC DEV DL? DO? EXE GMS GZ? HLP HT? IM? INI INS ISP JS? MD? MPP MPT MS? OBD OBT OCX OLE OV? PCD POT PP? RTF SCR SCT SHS SMM SYSVB? VS? VXD WBK WPD WS? XL? XML XTP

14 26 July 2000appbh0014 More Appropriate Allow only permitted extensions Block anything with fab four This re-establishes sandbox –but allows “safe” scripting & VBS

15 26 July 2000appbh0015 At Desktop Vendor has 8 Mb patch (2 Mb 2000) Affects many elements http://support.microsoft.com/support/kb/articles/Q262/6/18.asp Does seem to work well with today’s problems, but what about tomorrow ? –Executable written to TEMP directory prior to screen popup exploit already being discussed

16 26 July 2000appbh0016 At Desktop Best answer probably Integrity Manager/Behavior blocker –no updates required unless new mechanism discovered doesn’t happen very often If network application tries to write to disk, or execute local file, ask first. –Mail, Browser, FTP,...

17 26 July 2000appbh0017 That other construct CLSID –essentially a call to an internal element –generally one marked “safe for scripting” –and shouldn’t be –may allow creation/writes without “CreateObject” –method used by BubbleBoy/KAK –shouldn’t be in a script anyway

18 26 July 2000appbh0018 Conclusions Gateways –filters need to be developed that are both specific and granular –need to be able to apply/reconfigure immediately (vendors often lag by several hours) library of special filters needs to be developed commitment from gateway for immediate action specific line of authority to direct filters consided “approved” attachments rather than bad

19 26 July 2000appbh0019 Conclusions II Gateways –can use multiple products - is a good idea re: scanners –choose defensible points and ones that can be reconfigured quickly. Desktop –Integrity Management/Behavior Blockers may be more appropriate slow updates very large numbers

20 26 July 2000appbh0020 Thank you Questions ? A. Padgett Peterson, P.E., CISSP padgett.peterson@lmco.com

Download ppt "Securing Gateways Identifying/Defending E-Mail Attacks A. Padgett Peterson, P.E., CISSP Corporate Information Protection Lockheed Martin Corporation Orlando,"

Similar presentations

Patch Management Patch Management in a Windows based environment

Patch Management Patch Management in a Windows based environment
Drybridge Consulting Party Identification Directory Installing the Microsoft Research Service IDEAlliance and Drybridge Consulting – collaborating to deliver.

Drybridge Consulting Party Identification Directory Installing the Microsoft Research Service IDEAlliance and Drybridge Consulting – collaborating to deliver.
The Web Wizards Guide to Freeware/Shareware Chapter Four Essential Tools for Web Page Authors.

The Web Wizards Guide to Freeware/Shareware Chapter Four Essential Tools for Web Page Authors.
NIMAC 2.0: The Accessible Media Producer Portal NIMAC 2.0 for AMPs.

NIMAC 2.0: The Accessible Media Producer Portal NIMAC 2.0 for AMPs.
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Microsoft Windows XP SP2 Urs P. Küderli Strategic Security Advisor Microsoft Schweiz GmbH.

Microsoft Windows XP SP2 Urs P. Küderli Strategic Security Advisor Microsoft Schweiz GmbH.
INTERNET INFORMATION ACCESS How to avoid and eliminate common problems confronting usage of modern resources to access the Internet.

INTERNET INFORMATION ACCESS How to avoid and eliminate common problems confronting usage of modern resources to access the Internet.
Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.

Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.
Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.

Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.
Information for Developers Windows XP Service Pack 2 Information for Developers.

Information for Developers Windows XP Service Pack 2 Information for Developers.
Worms By: Aaron Stahler. Difference Between a Worm and A Virus Viruses are computer programs that are designed to spread themselves from one file to another.

Worms By: Aaron Stahler. Difference Between a Worm and A Virus Viruses are computer programs that are designed to spread themselves from one file to another.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
CSE331: Introduction to Networks and Security Lecture 31 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 31 Fall 2002.
Mgt 240 Lecture Website Construction: Software and Language Alternatives March 29, 2005.

Mgt 240 Lecture Website Construction: Software and Language Alternatives March 29, 2005.
E-mail-I CS-3505 Wb_e-mail-I.ppt. Email 4 The most useful feature of the internet 4 Lots of different email programs, but most of them can talk to each.

-I CS-3505 Wb_ -I.ppt. 4 The most useful feature of the internet 4 Lots of different programs, but most of them can talk to each.
Chapter 10 Publishing and Maintaining Your Web Site.

Chapter 10 Publishing and Maintaining Your Web Site.
Lesson 46: Using Information From the Web copy and paste information from a Web site print a Web page download information from a Web site customize Web.

Lesson 46: Using Information From the Web copy and paste information from a Web site print a Web page download information from a Web site customize Web.
Lesson 46: Using Information From the Web copy and paste information from a Web site print a Web page download information from a Web site customize Web.

Lesson 46: Using Information From the Web copy and paste information from a Web site print a Web page download information from a Web site customize Web.
Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,

Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,

Similar presentations

Ads by Google