-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(Can I resubmit this, signed by the key for this email instead of the other key I signed it with? Thanks.) See below...

I don't know if this has been discussed on bugtraq before, but I just thought it might be important to bring up.

Note that Outlook Express specifically, even 6, is vulnerable to certain social attacks and interception/redirection of mail rather trivially, caused by non-disclosed header/email information in the From: address box. Outlook 2000 and previous versions all have the same problem if viewed specifically from the preview pane only. (I don't know the stats on how many view specifically from the preview pane, but at my place of employment, it turns out to be plenty.)

I'm not a Microsoft Outlook expert, nor have I had the time or effort to go and look for the cure, other than recommending enforcing OpenPGP or another form of digital signature system for the business environment so as to identify and confirm who you received mail from.

This attack is very simple: someone can easily go get a free web-based e-mail account, just knowing the name of the person they intend to masquerade as, and send the email to the unknowing user to socially engineer pertinent and possibly confidential information from them. As I notice, when hitting reply to the user, it still does not disclose the email address unless investigated further in the properties of the user name. Not to mention, it is also rather trivial to forge email addresses and still contain a reply address to the masquerading user who initiated the attack as well.

This is probably widely known, but maybe not taken as seriously as it should be, and the use of one-way hash signatures for email authentication would be highly recommended in general to the public, as there is certain software freely available that is quite trivial to use and requires little knowledge to operate.

The possibilities of this attack are endless, and combined with a little social engineering, the level of confidential information that could be obtained is alarming. We need to have an RFC for Digital Trust on the Internet. Any takers to help establish one?

Anyway, my two cents for the day.

0x90
http://www.invisiblenet.net

-- 
People will do tomorrow what they did today because that is what they

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj010UsACgkQN6nb5Smw0U2OUQCgwwOLDSdonkFArBEqTYG40uMp
EKEAoPjv+Sf2oVlo3/RJV6vs3KeGsZpG
=wzat
-----END PGP SIGNATURE-----
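The two patterns the post describes (a trusted display name in front of a free-webmail address, and a forged From: address with a Reply-To: pointing elsewhere) are both visible in the raw headers that the preview pane hides. The following is an added example, not code from the post, of a mail-gateway check that flags them; the internal domain, the directory names and the sample messages are all constructed assumptions.

```python
import email
from email.utils import parseaddr

# Assumptions (not from the original post): our own mail domain and the
# display names in the company directory that an attacker might borrow.
INTERNAL_DOMAIN = "corp.example"
DIRECTORY_NAMES = {"jane doe", "bob smith"}

# Constructed sample: the free-webmail pattern from the post, a directory
# name in front of an outside address that the preview pane never shows.
SPOOFED_NAME = """From: Jane Doe <jane.doe1234@webmail.example.net>
To: bob@corp.example
Subject: quick favour

Bob, can you send me the Q3 figures? - Jane
"""

# Constructed sample: the second pattern, where the From: address itself is
# forged to look internal but Reply-To: routes the answer back outside.
FORGED_ADDR = """From: Jane Doe <jane.doe@corp.example>
Reply-To: <jane.doe1234@webmail.example.net>
To: bob@corp.example
Subject: quick favour

Bob, can you send me the Q3 figures? - Jane
"""

def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def check_sender(raw: str) -> list:
    """Return a list of findings for the From:/Reply-To: headers of one message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    # Finding 1: a directory name is displayed, but the hidden address is external.
    if name.strip().lower() in DIRECTORY_NAMES and _domain(addr) != INTERNAL_DOMAIN:
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")
    # Finding 2: replies would go to a domain other than the apparent sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(addr):
        findings.append(f"reply redirection: From {addr} but Reply-To {reply_addr}")
    return findings

if __name__ == "__main__":
    for label, raw in (("spoofed name", SPOOFED_NAME), ("forged address", FORGED_ADDR)):
        print(label, check_sender(raw))
```

A signature check (OpenPGP, as the post recommends) answers the question these heuristics only approximate: whether the message really came from the person the display name claims.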