DoD Bans Web Based Email - Outlook Web Access
Jeremiah sent me a link today about how the DoD has now completely banned the use of web-based email, like Outlook Web Access. Jeremiah asked the very scary question, “did we cause this?” Is our hubris out of control, or are people listening? Unfortunately the wording was so vague that it’s tough to tell for sure, but this quote is pretty telling:
“The JTF-GNO mandated use of plain text e-mail because HTML messages pose a threat to DOD because HTML text can be infected with spyware and, in some cases, executable code that could enable intruders to gain access to DOD networks, the JTF-GNO spokesman said.”
At first I thought that this could be just about anything, including spyware or some sort of Trojan that gives access to the internal network, but that is not specific to HTML emails. That means that the government has seen what we are doing and is now taking precautions to protect themselves from XSS malware. Good for them! It’s about time we start seeing people take this threat seriously. The impact is pretty massive for approximately 4300 troops who rely on web-based email, but allowing your intranet to be compromised through JavaScript malware is completely unacceptable.
I for one am impressed! Not just that they took the precaution but that people are now really getting it. Clearly they know the value of security and take it seriously. This is a great gauge of how dangerous an issue DHTML malware really is.
December 29th, 2006 at 2:33 pm
Interesting reading relating to the use of CAC Smart Cards and related protocol for accessing such DoD networks using Outlook Web Access:
http://images.google.com/imgres?imgurl=http://www.mfr.usmc.mil/4thmaw/MAG42/NMCI/MAG42_NMCI_OWA_Smart_Pack_files/image034.jpg&imgrefurl=http://www.mfr.usmc.mil/4thmaw/MAG42/NMCI/MAG42_NMCI_OWA_Smart_Pack.htm&h=359&w=484&sz=62&hl=en&start=3&tbnid=ql9cLHrG4w9smM:&tbnh=96&tbnw=129&prev=/images%3Fq%3Doutlook%2Bfor%2Bweb%2Bdod%26svnum%3D10%26hl%3Den%26lr%3D%26client%3Dfirefox-a%26rls%3Dorg.mozilla:en-US:official%26sa%3DG
December 29th, 2006 at 3:13 pm
So now, we could be waiting for the gov. policy on their web application security… this is big stuff that is still missing.
December 29th, 2006 at 3:20 pm
You beat me to it. This is the slant I was about to take on this.
I think the decision was based on a lot of factors. I’m sure this site was one of the factors. Your logs are probably like ours and show daily visits from various .mil domains that are involved with IT security (cert.mil, dss.mil, disa.mil, jcs.mil, etc.). A lot of .mil sites that were at one time public are now closed except to authorized personnel only. I think they finally concluded that the possibility that these security measures could be easily circumvented through malware and XSS just wasn’t acceptable.
I wouldn’t worry too much about the troops. The military always maintains completely isolated networks for various purposes. They’ll just set aside computers for webmail that are never used for official purposes. This is probably already being done at most locations.
But those mid-level officers and NCOs will raise hell. Unless they’re authorized BlackBerrys they probably won’t be able to check email from home and hotels. At many locations people can’t carry cell phones, USB drives, iPods, etc. Years ago they tried to restrict PowerPoint (http://news.zdnet.com/2100-9595_22-502314.html) and now it’s HTML messages and web mail. They’re taking away all their toys!
But maybe this will help keep our secrets secret. They’ll just have to go back to playing cards at work and going down to the hotel bar while on travel. Hopefully this doesn’t lead to more Tailhook scandals! (just kidding guys)
John @ NIST.org
December 30th, 2006 at 3:11 am
I think you have mistaken the intention behind the terms “plain text e-mail” and “HTML messages” in the excerpt. Rather than the email application’s platform, this refers to the content type header of an email message.
It has been a personal policy of mine to deal only in plain text messages and “stop the buck” on all HTML messages I receive, forwarding or replying as plain-text only.
Whether your email application is web-based or otherwise, it must employ the core technology of a web browser to display HTML messages. Thunderbird acts like Firefox when a message has a content type header indicating HTML; Outlook acts like Internet Explorer. Using a non-web-based email client does not protect you from HTML messages.
The least you must do to remove the threat from HTML email is display the message in its raw format, disregarding content type header and all forms of markup or attachment. The next obvious step is to strip tags to improve the readability.
Email clients should be easily switched into this mode of operation. Unfortunately this is not an option in all email clients. This is probably the cause for the ban on Outlook web-based email.
I think a better solution would be to enforce the use of email gateways that strip markup and downgrade content type headers from HTML to plain text. In this way, the threat would be stopped before the message ever reached the recipient. The client’s DHTML rendering habits would thus become irrelevant.
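One way to build the gateway step proposed in the comment above, which also does the tag stripping the comment recommends for clients (an added example, not the commenter’s or any product’s code): parse a MIME message, replace every text/html part with a tag-stripped text/plain part, and leave everything else alone. The sample message is constructed for the example and its URL is a placeholder.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample: multipart/alternative mail whose HTML half carries
# markup, a script block and a link (the URL is a placeholder).
SAMPLE_HTML_MAIL = """\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the report.
--b1
Content-Type: text/html; charset="utf-8"

<p>Please <b>review</b> the report.</p>
<script>document.title = "changed"</script>
<a href="http://example.invalid/report">link</a>
--b1--
"""


class _TagStripper(HTMLParser):
    """Keeps text nodes only; drops tags and script/style bodies."""
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def strip_tags(html: str) -> str:
    p = _TagStripper()
    p.feed(html)
    p.close()
    return " ".join("".join(p.chunks).split())

def downgrade_html(raw: str):
    """Gateway step: rewrite every text/html part as tag-stripped text/plain."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # set_content() drops the old body and Content-* headers and
            # re-labels the part text/plain, so the client never sees HTML.
            part.set_content(strip_tags(part.get_content()))
    return msg
```

Script and style bodies are dropped rather than kept as text, so a downgraded message carries neither markup nor the code that sat inside it.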
December 30th, 2006 at 9:23 am
“Using a non-web-based email client does not protect you from HTML messages.” While that is true if in fact they are allowed to render at all, that is not true in the simple fact that outlook web access _is_ HTML. Given the fact that there may be XSS vulnerabilities in OWA itself that Outlook and Thunderbird would ignore (as they don’t allow JavaScript to run) this could very well be the reason they no longer want to allow HTML email. Stripping it of HTML may or may not be helpful, depending on the payload and how the XSS vulnerability is instantiated (it could be a completely different part of the header, for instance).