[unisog] When you really need to blast email

John C. A. Bambenek, GCIH, CISSP bambenek.infosec at gmail.com
Fri Mar 14 16:31:25 GMT 2008


I have a paper coming out on this, but this is the basic gist.  If you use
emergency e-mail, and more importantly, emergency texting as a life-saving
system, at best, you will fail, at worst, you give an easy way for hostile
entities to lead people TO a threat, instead of away from one.

First, the delay involved in such systems means people will not get
notifications until an overwhelming majority of events are over.  Think
NIU, the threat was over before the first call to 9/11 hit.

Second, by marketing such systems in the way they are being marketed, you
are almost legally obligating your institution to overuse the system in
cases where more prudence should be the norm.  Think Va. Tech.  Police
responded to the first threat which by every indication seemed like a
domestic issue.  There was no information available to the police before the
second shooting took place to indicate that such an event was bound to
happen.  As such, this means almost every act of violence where the
perpetrator isn't immediately caught will spawn a lockdown. No one will want
to be accused of a "Pre. Va. Tech mentality" so they will err on the side of
caution. Even questionable cases, say students setting off M-80s on campus,
will have to be treated with an overwhelming amount of caution.

Third, and most importantly, by using an insecure and insecurable system for
emergency messages that is trivial to spoof and forge, you create a
psychological point of entry for hostile entities to manipulate innocent
populations.  It should be common knowledge in this group that it is trivial
to forge a "From:" address, especially so with text messaging (SMS).  People
will know the format of the messages and will immediately take the message
seriously and follow instructions.  Imagine a message that says, "Active
threat on campus, take shelter in X auditorium".  People will do it and not
think twice. They won't call 9/11 to verify.  Because of the delay, even if
authorities got word of the false threat instantly (and they won't), they
will not be able to send an immediate cancel notification or countermand the
instruction.  A hostile entity could lead people TO a threat to dramatically
increase casualty count.  This has been a tactic employed before in
terrorist attacks (see Omagh bombing, I don't buy that it was an
"accident").

This is possible with other emergency notifications except e-mail / text
messaging allows a hostile entity to send forged messages trivially and need
not be even physically connected to the campus.  A PA system requires
someone to take overt action to hack into it.  It's trivial for someone to
mailbomb a campus from Pakistan.

In a rush to prevent the last tragedy, campuses are adopting a system that
creates a huge window of opportunity for a hostile entity to increase their
body count in an attack.

On Tue, Mar 11, 2008 at 1:02 PM, Michael Holstein <
michael.holstein at csuohio.edu> wrote:

> Our safety folks are working a campus-wide "emergency notice" system,
> where one option will be email (the logic behind that is outside the
> scope of this technical question).
>
> Yahoo (and others) like to rate-limit email, and we've tried to no avail
> to remedy this .. usually we get a "421 try again later" (Yahoo). For
> things like our campus mail digest or notices of a snow day, a 15 minute
> delay isn't a problem. For something more serious like "stay inside and
> away from the window", it is.
>
> My first thought was to configure a box with multiple virtual IPs
> (possibly on different subnets) and blast them out in parallel with
> hopes of staying underneath the "radar" .. by doing multipath routing
> with Netfilter, for example (since I apparently can't do this with
> sendmail directly).
>
> Is there a better approach than this brute-force hack?
>
> Thanks,
>
> Michael Holstein
> Cleveland State University
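The forged "From:" problem raised above, illustrated as a defender-side check added here (this is example code, not from the original post or the unisog list): a recipient can only trust an alert that carries a message authentication tag over its sender, issue time and body, which a spoofed From: header alone cannot supply, and a freshness window limits how long a captured genuine alert stays usable. ALERT_KEY, the X-Alert-* headers, the addresses and the alert text are all constructed for the demo.

```python
import hashlib
import hmac
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed demo key shared by the alert sender and every verifier (hypothetical).
ALERT_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 300  # alerts older than five minutes are treated as stale


def alert_tag(sender: str, issued: int, body: str) -> str:
    """HMAC-SHA256 over the fields a recipient must be able to trust."""
    canon = f"{sender}\n{issued}\n{body.strip()}".encode()
    return hmac.new(ALERT_KEY, canon, hashlib.sha256).hexdigest()


def build_alert(sender: str, body: str, issued: int) -> str:
    """Produce a genuine alert as the raw RFC 5322 text that would be mailed."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "Campus alert"
    msg["X-Alert-Issued"] = str(issued)  # constructed header carrying the issue time
    msg["X-Alert-Tag"] = alert_tag(sender, issued, body)  # constructed header
    msg.set_content(body)
    return msg.as_string()


def verify_alert(raw: str, now: int) -> bool:
    """True only when the tag matches and the alert is fresh.

    A message with the right From: address and the familiar format but no
    valid tag, a tampered body, or an old issue time is rejected.
    """
    msg = message_from_string(raw, policy=policy.default)
    issued_hdr = msg.get("X-Alert-Issued")
    tag = msg.get("X-Alert-Tag", "")
    if issued_hdr is None or not str(issued_hdr).isdigit():
        return False
    issued = int(issued_hdr)
    if not 0 <= now - issued <= MAX_AGE_SECONDS:
        return False
    expected = alert_tag(str(msg.get("From", "")), issued, msg.get_content())
    return hmac.compare_digest(expected, str(tag))
```

The tag does not shorten the delivery delay the post complains about; it only stops a forged message from being mistaken for a genuine one.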