With all the cryptoware being delivered by "smart" file types, will E-mail attachment files devolve down to "dumb" bitmaps?

  • OriginalGriff

    My printer / scanner unit can double as a fax, apparently. Never tried, or wanted to - last time I saw a fax was around the start of the century! :laugh:

    Bad command or file name. Bad, bad command! Sit! Stay! Staaaay... AntiTwitter: @DalekDave is now a follower!

    Lost User wrote (post #5):

    Fax is still very common in international business in lesser developed parts of Asia / Africa, South America, it's not that they don't have email, it's just not that reliable (and let's face it less secure) - fax being analog can handle transmission errors (black dots/streaks) better, and don't come with viruses. And of course you all know billions trillions of dollars of inter-bank fund transfers are ordered/confirmed using Telex, even with banks right next to each other they will not accept the business any other way including hand delivered.

    • Lost User

      Or in general a dumbing down of formats. Many of the attack vectors are in Weird Features that no one uses, so disable them by default.

      Richard Deeming wrote (post #6):

      Especially when a seemingly-innocuous file format was designed to allow embedded code to run as soon as the file is opened! :doh: Windows Metafile vulnerability - Wikipedia


      "These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer

      • swampwiz

        I was reading yet again about another cryptoware outbreak being delivered by a DOC file with the subject being "Invoice". Now businesses run on invoices being conveyed & paid all the time, and so I can say how easy it can be for a payment clerk to click on yet another message that says "Invoice" with a DOC file. I think I've read that PDF files can be hacked as well. And I've been noticing that customer businesses I deal with (i.e., with myself as the customer) don't allow me to send a PDF file of whatever documentation they demand, but rather only a stupid fax through Ma Bell, causing me to use a service like GotFreeFax to send my PDF file. :mad: And this makes me wonder if this will cause all these "smart" file types like DOC or PDF to become obsolete for regular business, with them using a "stupid" file type like BMP to transmit a static document. (I presume that BMP is impossible to hack ...)

        charlieg wrote (post #7):

        I recall long ago when email was text and only text and the understanding was that you could not get a virus by reading an email. For you youngsters, I'm going well back into the 90s. I work with a guy that is about my age - all I get from him are plain text emails. It just occurs to me why. And then Microsoft opened up the content under the explanation "We've determined our customers wanted a more interactive email experience." Harold, you say "Or in general a dumbing down of formats. Many of the attack vectors are in Weird Features that no one uses, so disable them by default." I hope you are referring to application providers, not users. How many times does Adobe, Microsoft, etc. change a default setting and not tell anyone? For that matter, if they apply to weird features that no one uses, it makes you wonder why they exist in the first place. I still contend that if you want to make software more secure, hold software makers liable. Want banks to protect your accounts? Liable. Equifax collecting your data and selling it as their own? Make them liable. Microsoft, want to enable "interactive features" by default? Hehehe....

        Charlie Gilley Stuck in a dysfunctional matrix from which I must escape... "Where liberty dwells, there is my country." B. Franklin, 1783 “They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” BF, 1759

        • Mycroft Holmes

          Ah that shines a light on an issue I had recently, I needed to fill a PDF form for a bank recently and the only way they would accept it was via fax. I was quite annoyed that they were so old fashioned, attack vectors were not considered. I refused to send my banking details via a free fax service, hunting down a real fax machine was a challenge.

          Never underestimate the power of human stupidity RAH

          swampwiz wrote (post #8):

          Mycroft Holmes wrote:

          Ah that shines a light on an issue I had recently, I needed to fill a PDF form for a bank recently and the only way they would accept it was via fax. I was quite annoyed that they were so old fashioned, attack vectors were not considered. I refused to send my banking details via a free fax service, hunting down a real fax machine was a challenge.

          I think businesses are in essence forcing the technology to be dumb by only working with a fax, which on their side simply gets saved as a bitmap anyway. What they need to do is to let folks send a fax by E-mail, which would be in a FAX type of format (which TIFF seems to be). The E-mail client could check that the attachment is such a file in that format, and it should be no problem.

            Lost User wrote (post #9):

            Yes I meant that applications should start to interpret only the "dumb subset" of fancy formats by default. For example, PDFs can "launch" files. That should produce a warning screen, but that is far from safe, of course users are going to click "do it anyway #YOLO", that's how users are. Just block that whole feature by default, approximately 0% of the non-malicious PDFs *actually* need to launch a file so this is not a big deal. It might be nice for all 0 users that are affected by this to have an "enable launching files" deep in the settings.

              Lost User wrote (post #10):

              It *shouldn't* be a problem, but it may easily be. libtiff has a decent number of CVEs: [Libtiff Libtiff : CVE security vulnerabilities, versions and detailed reports](http://www.cvedetails.com/product/3881/Libtiff-Libtiff.html?vendor_id=2224)
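
The attachment check discussed in posts #8 to #10, as an added example that is not part of the original thread and not any mail client's own code: it classifies a file by its leading bytes rather than its name, accepts only static raster formats, and lists the active-content names found in a PDF. The policy (`ALLOWED`), the function names and the sample byte strings are assumptions made for illustration.

```python
import re

# File signatures for the formats named in the thread.
SIGNATURES = {
    "bmp": (b"BM",),
    "tiff": (b"II*\x00", b"MM\x00*"),
    "pdf": (b"%PDF-",),
    "rtf": (b"{\\rtf",),
    "ole-doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
}
EXT_KIND = {"bmp": "bmp", "tif": "tiff", "tiff": "tiff",
            "pdf": "pdf", "rtf": "rtf", "doc": "ole-doc"}
ALLOWED = {"bmp", "tiff"}  # assumed policy: static raster images only

# PDF names that make a viewer act on open. Names hidden by hex escapes or
# compressed object streams are not seen, so an empty result proves nothing.
ACTIVE_PDF_NAMES = re.compile(rb"/(Launch|JavaScript|JS|OpenAction|AA|EmbeddedFile)\b")

def sniff(data: bytes) -> str:
    """Classify by leading bytes, never by filename."""
    for kind, magics in SIGNATURES.items():
        if data.startswith(magics):
            return kind
    return "unknown"

def triage(filename: str, data: bytes) -> dict:
    kind = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mismatch = EXT_KIND.get(ext) != kind  # name claims one type, bytes say another
    findings = []
    if kind == "pdf":
        findings = sorted({m.decode() for m in ACTIVE_PDF_NAMES.findall(data)})
    # Passing the gate only says "this is the claimed image type"; the decoder
    # that parses it afterwards still needs patching and sandboxing (post #10).
    verdict = "accept" if kind in ALLOWED and not mismatch else "quarantine"
    return {"kind": kind, "mismatch": mismatch, "findings": findings, "verdict": verdict}

# Constructed sample inputs (headers only, not real documents).
TIFF = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 16
PDF = b"%PDF-1.4\n1 0 obj\n<< /OpenAction << /S /Launch /F (constructed-sample) >> >>\nendobj\n"
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("scan.tif", TIFF), ("invoice.pdf", PDF), ("invoice.bmp", OLE)]:
        print(name, triage(name, blob))
```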

                Vikram A Punathambekar wrote (post #11):

                OriginalGriff wrote:

                last time I saw a fax was around the start of the century!

                Last time I saw a fax was... never :doh:

                Cheers, विक्रम "We have already been through this, I am not going to repeat myself." - fat_boy, in a global warming thread :doh:

                  JamesStewarts wrote (post #12):

                  I usually send attachments in RTF. I thought that was perfectly safe, opened by nearly everything and WYSIWYG. Was I wrong? Have a nice day, all.

                    Joe Woodbury wrote (post #13):

                    If email treats all content as read-only, it's not an issue.

                      patbob wrote (post #14):

                      It's a least common denominator -- everybody can usually figure out how to send a FAX. Amusingly, many of those places don't actually have FAX machines themselves or deal with the physical paper -- they have a FAX-receiving service that turns it into a PDF.

                      I live in Oregon, and I'm an engineer.

                        Brady Kelly wrote (post #15):

                        We still have some shops where you can pay a good price to send a fax. Haven't needed a fax in some two years now, on my PC or anywhere.

                        "'Do what thou wilt...' is to bid Stars to shine, Vines to bear grapes, Water to seek its level; man is the only being in Nature that has striven to set himself at odds with himself." —Aleister Crowley
