[unisog] Phishing targeting University Admissions

dan.jones at colorado.edu Dan.Jones at colorado.edu
Wed Jun 16 12:48:33 GMT 2004


Regarding your "pipe dream", our student file system will eventually
allow students to send a unique URL.  The URL can be limited to
specific users, anyone with the URL (i.e., anonymous), or provide just
a single download.  The system uses Xythos.  My plan is to modify our
security awareness campaign to highlight this as an alternative to
attachments.

We do not as a rule block all .zip attachments but have reserved (and
exercised) the right to block on demand as needed.  We do block some
types of extensions, for example .jsp and .vbs scripts.  So, I think
there is a balance to be found.

On Wed, Jun 16, 2004 at 12:30:39AM -0500, Keith Schoenefeld wrote:
> Seriously, why wouldn't people accept zip files?  If you don't allow zip 
> files, but still allow attachments, what compression program do you use, 
> rar?  If so, then what happens when viruses start getting spread via rar 
> (they already are)? If we continually decrease the level of service we 
> provide, we start changing the usability of the services we provide.  If 
> we dramatically change the usability of our services, then the virus 
> writers win.  It is far better to teach users how to properly handle 
> attachments than to block attachments of certain types.  By blocking zip 
> files, we are using a technical solution to solve a user knowledge 
> problem.  It's bound to fail.  We don't need more technology, we need 
> better trained users.
> 
> Obviously, I'm totally against the whole idea of "Viruses are possible 
> in files with extension '.xxx' so we'd better block them".  Just like 
> the recent viruses said "type in this password and open the zip file", 
> untrained users are going to receive an email message that says "rename 
> this blah.zi_ to blah.zip and open it" and they will do it.  Again, the 
> proper solution in my opinion is user training, not band-aid technical 
> solutions.
> 
> I suppose using my same logic, one could argue that we shouldn't block 
> any virus email.  I would argue that blocking viruses using definitive 
> signatures is a good spam blocking and mail server saving measure, but 
> that end users should be trained to handle the viruses that do get through.
> 
> All that said, there are all sorts of arguments as to whether one should 
> really support attachments at all.  I personally would rather have some 
> sort of automated repository where all outgoing and incoming attachments 
> are stored on a server and unique http:// links are sent in place of the 
> attachments.  Maybe using something like hardlink periodically to save 
> space.  I believe such a product is a pipe dream at the moment... maybe 
> someone can correct me?
> 
> -- KS
> 
> 
> Sergent, Phil wrote:
> 
> >You still accept .zip files!?
> >
> > 
> >Phil Sergent                                      MU 
> >Systems Programmer
> >Marshall University
> >Computing Services/Systems Group
> >Drinko Library 422a
> >Huntington, WV  25755-5320
> >304/696-3689 (Desk) 304/696-3601 (FAX)
> >Email: sergent at marshall.edu
> >It's not who you are that holds you back, it's who you think you're not.
> > 
> > 
> >
> >-----Original Message-----
> >From: unisog-bounces at lists.sans.org
> >[mailto:unisog-bounces at lists.sans.org] On Behalf Of Joseph Brennan
> >Sent: Monday, June 14, 2004 8:19 AM
> >To: UNIversity Security Operations Group
> >Subject: Re: [unisog] Phishing targeting University Admissions
> >
> >
> >
> >--On Monday, June 14, 2004 8:46 AM -0400 Michael Holstein 
> ><michael.holstein at csuohio.edu> wrote:
> >
> >
> >>Greetings,
> >>
> >>Late last week we saw a "phishing" attack targeting our students using
> >>the enticement of a research assistantship (and a student visa). The
> >>messages are written such that they appear to be from a legitimate
> >>University International Admissions contact, and contain an
> >>as-yet-unidentified "mailer.zip" attachment.
> >
> >
> >
> >Do you have the header portion?  I assume it claimed to be from an
> >address at your school but really came from somewhere else.  Some
> >general rule might be made to filter out such mail.
> >
> >Joseph Brennan
> >Academic Technologies Group, Academic Information Systems (AcIS)
> >Columbia University in the City of New York
> >
> >
> >_______________________________________________
> >unisog mailing list
> >unisog at lists.sans.org
> >http://www.dshield.org/mailman/listinfo/unisog
Dan Jones
Campus IT Security Coordinator - ITS
University of Colorado
303.735.6637 Phone


