web application security lab

Email Risks

There’s an interesting link over at Network Blog talking about a survey done of a number of office workers who were completely unaware of the risks involved with email security. Namely most of the users interviewed were happy to open any email they got and even worse click on links regardless of who sent it.

They then link to an article at Application Security Blog that discusses how webbugs work in the context of emails. Email clients are becoming more and more resistant to this trick nowadays because they now ask whether users would like to download images. Of course there are ways to circumvent those security measures (consumers prefer convenience and will turn almost any security measure off if they can, if they don’t understand how it’s protecting them).

As we’ve seen, malware is pretty prevalent these days (at least 1/10th of the spam I get has .zip or .src or other horrible attachments). Of course this goes beyond the realm of Outlook, Lotus and Thunderbird to the realm of Yahoo Mail, Hotmail and Gmail. Scanning attachments for viruses is one free service that a lot of these webmail clients offer, but it certainly doesn’t offer security from zero-day exploits, so one-off targeted attacks will always be possible. And of course there are phishing aspects, or simply links that lead to malicious websites with all sorts of consequences (like the unsubscribe link and the JavaScript port scanner).
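To make the two risks above concrete (webbugs hidden in HTML mail, and risky attachment types that a webmail scanner may or may not catch), here is a small mail-triage script. It is an added example, not code from the original post or from the blogs it links to. The sample message is constructed, the list of "risky" extensions is an illustrative assumption, and the webbug heuristic (a remote image that is 1x1 or carries a per-recipient query string) is a simplification of what the Application Security Blog article describes.

```python
"""Flag remote-image webbugs and risky attachments in an email message.

Added example for this post; not the original author's code. The sample
message and the extension list below are constructed assumptions.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short illustrative list of attachment types worth flagging.
RISKY_EXTENSIONS = {".zip", ".scr", ".exe", ".pif", ".bat", ".js", ".vbs"}


class RemoteImageFinder(HTMLParser):
    """Collects <img> tags whose src points to a remote http(s) host."""

    def __init__(self):
        super().__init__()
        self.remote_images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            return  # cid:/data: images do not phone home when rendered
        # Heuristic: a 0x0/1x1 image with a query string is the classic webbug.
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        tracked = bool(parsed.query)
        self.remote_images.append({"src": src, "tiny": tiny, "tracked": tracked})


def find_web_bugs(html):
    """Return every remote <img> in the HTML with its webbug indicators."""
    finder = RemoteImageFinder()
    finder.feed(html)
    return finder.remote_images


def risky_attachments(msg):
    """Return attachment filenames whose extension is in RISKY_EXTENSIONS."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            names.append(name)
    return names


def assess(raw_message):
    """Parse an RFC 5322 message and report webbugs and risky attachments."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = {"web_bugs": [], "risky_attachments": risky_attachments(msg)}
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        findings["web_bugs"] = find_web_bugs(html_part.get_content())
    return findings


# Constructed sample: newsletter with a tracking pixel, an inline logo,
# and a zip attachment. The domains and ids are made up.
SAMPLE = """\
From: sender@example.com
To: user@example.com
Subject: Monthly newsletter
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello!</p>
<img src="http://tracker.example.net/open.gif?uid=12345" width="1" height="1">
<img src="cid:logo@example.com" width="200" height="60">
</body></html>
--BOUND
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--BOUND--
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Only the http(s) image is reported; the `cid:` logo is embedded in the message and does not tell the sender anything when rendered. A real mail gateway would go further (rewrite or block the remote URLs rather than just report them), but the parse-then-flag shape is the same.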

Email is a pretty scary medium these days. Part of the problem is that email clients and web browsers are becoming more full featured as user demands on functionality rise. These issues are only partially under control at the moment, but the interaction between software is becoming more and more complex and it is only allowing more and more vectors as a result. The fact that email can call the web is an issue, but there are tons of other applications that are starting to do the same (even things as obscure as online games). It will be interesting to watch these vectors morph as user interest in the mediums shift. Instant messaging is a great example as it gradually overtakes email in popularity and as it becomes more and more feature rich.
