[unisog] Phishing targeting University Admissions

Guy Reisenauer greisen at mail.prosser.wsu.edu
Wed Jun 16 16:25:23 GMT 2004


There is another solution to outright banning "data" extended files such
as zips, rtf, etc.  Anomy-sanitizer and other server level software can
"defang" them by renaming the file.  The advantage is the user actually
gets the file.  They have to take steps to open the program and the
data file as opposed to having it done automatically for them.
Either rename the file to open, or open the appropriate program and locate
the file.  The user takes the explicit action.


Guy Reisenauer
IT Systems Coordinator
IAREC Prosser
Washington State University
Ph:  (509) 786-9282
FAX: (509) 786-9370
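An added example of the "defang by renaming" approach described above, written for this page and not taken from Anomy-sanitizer or anyone in the thread: attachments with risky data-file extensions are renamed (mailer.zip becomes mailer.zi_) and relabelled as opaque bytes, so the recipient still gets the file but must explicitly rename it or open it from the right program. The extension list, the addresses and the zip bytes are constructed here and the policy is hypothetical.

```python
import email
from email.message import EmailMessage, Message

# Hypothetical local policy: data-file extensions whose associated program
# would launch on a double-click (the thread names zip and rtf).
DEFANG_EXTENSIONS = {"zip", "rtf", "exe", "scr", "pif"}


def defanged_name(filename: str) -> str:
    """Turn blah.zip into blah.zi_ so no application is associated with it."""
    base, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in DEFANG_EXTENSIONS:
        return f"{base}.{ext[:-1]}_"
    return filename


def defang_message(raw: bytes) -> tuple[Message, list[str]]:
    """Rename risky attachments; return the message and an 'old -> new' log."""
    msg = email.message_from_bytes(raw)
    renames = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename()
        if not name or defanged_name(name) == name:
            continue
        new = defanged_name(name).replace('"', "'")  # keep the header well-formed
        # Reset both headers a mail client may consult when picking a handler;
        # the transfer-encoded payload itself is left untouched.
        del part["Content-Disposition"]
        part["Content-Disposition"] = f'attachment; filename="{new}"'
        del part["Content-Type"]
        part["Content-Type"] = f'application/octet-stream; name="{new}"'
        renames.append(f"{name} -> {new}")
    return msg, renames


def build_sample() -> tuple[bytes, bytes]:
    """Constructed lure message with a zip attachment (not a real sample)."""
    zip_bytes = b"PK\x03\x04 constructed, not a real archive"
    m = EmailMessage()
    m["From"] = "admissions@example.edu"
    m["Subject"] = "Research assistantship"
    m.set_content("Please open the attached application form.")
    m.add_attachment(zip_bytes, maintype="application", subtype="zip",
                     filename="mailer.zip")
    m.add_attachment("Harmless notes.", filename="notes.txt")
    return m.as_bytes(), zip_bytes


if __name__ == "__main__":
    print("\n".join(defang_message(build_sample()[0])[1]))
```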


On Wed, 16 Jun 2004, Keith Schoenefeld wrote:

> Seriously, why wouldn't people accept zip files?  If you don't allow zip
> files, but still allow attachments, what compression program do you use,
> rar?  If so, then what happens when viruses start getting spread via rar
> (they already are)? If we continually decrease the level of service we
> provide, we start changing the usability of the services we provide.  If
> we dramatically change the usability of our services, then the virus
> writers win.  It is far better to teach users how to properly handle
> attachments than to block attachments of certain types.  By blocking zip
> files, we are using a technical solution to solve a user knowledge
> problem.  It's bound to fail.  We don't need more technology, we need
> better trained users.
>
> Obviously, I'm totally against the whole idea of "Viruses are possible
> in files with extension '.xxx' so we'd better block them".  Just like
> the recent viruses said "type in this password and open the zip file",
> untrained users are going to receive an email message that says "rename
> this blah.zi_ to blah.zip and open it" and they will do it.  Again, the
> proper solution in my opinion is user training, not band-aid technical
> solutions.
>
> I suppose using my same logic, one could argue that we shouldn't block
> any virus email.  I would argue that blocking viruses using definitive
> signatures is a good spam blocking and mail server saving measure, but
> that end users should be trained to handle the viruses that do get through.
>
> All that said, there are all sorts of arguments as to whether one should
> really support attachments at all.  I personally would rather have some
> sort of automated repository where all outgoing and incoming attachments
> are stored on a server and unique http:// links are sent in place of the
> attachments.  Maybe using something like hardlink periodically to save
> space.  I believe such a product is a pipe dream at the moment... maybe
> someone can correct me?
>
> -- KS
>
>
> Sergent, Phil wrote:
>
> > You still accept .zip files!?
> >
> >
> > Phil Sergent                                      MU
> > Systems Programmer
> > Marshall University
> > Computing Services/Systems Group
> > Drinko Library 422a
> > Huntington, WV  25755-5320
> > 304/696-3689 (Desk) 304/696-3601 (FAX)
> > Email: sergent at marshall.edu
> > It's not who you are that holds you back, it's who you think you're not.
> >
> >
> >
> > -----Original Message-----
> > From: unisog-bounces at lists.sans.org
> > [mailto:unisog-bounces at lists.sans.org] On Behalf Of Joseph Brennan
> > Sent: Monday, June 14, 2004 8:19 AM
> > To: UNIversity Security Operations Group
> > Subject: Re: [unisog] Phishing targeting University Admissions
> >
> >
> >
> > --On Monday, June 14, 2004 8:46 AM -0400 Michael Holstein
> > <michael.holstein at csuohio.edu> wrote:
> >
> >
> >>Greetings,
> >>
> >>Late last week we saw a "phishing" attack targeting our students using
> >>the enticement of a research assistantship (and a student visa). The
> >>messages are written such that they appear to be from a legitimate
> >>University International Admissions contact, and contain an
> >>as-yet-unidentified "mailer.zip" attachment.
> >
> >
> >
> > Do you have the header portion?  I assume it claimed to be from an
> > address at your school but really came from somewhere else.  Some
> > general rule might be made to filter out such mail.
> >
> > Joseph Brennan
> > Academic Technologies Group, Academic Information Systems (AcIS)
> > Columbia University in the City of New York
> >
> >
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/unisog
> >
>