E-mail flaws threaten Net security

Simple-to-create files could take down corporate e-mail servers, network security expert claims.
Written by Robert Lemos, Contributor
Crashing an e-mail server is as easy as sending an e-mail. Literally.

That was the point brought home to anti-virus software makers when a crusading security expert demonstrated e-mail security flaws with a variation of the so-called Ping of Death attack.

"You have all these programs looking at e-mails to detect viruses, bad words, whatever. Those programs make assumptions that can cause major, major problems," said Rob Rosenberger, network security analyst and Webmaster of the Computer Virus Myths Web site.

Rosenberger created numerous files to demonstrate the techniques to anti-virus software makers and other security companies two months ago. Each file exploits an assumption programmers have made about what an incoming e-mail looks like, and taken together, the 20MB cacophony of files can crash most e-mail scanners, Rosenberger claimed.

Ping of Death
The anti-virus industry critic likened the attacks to the Ping of Death -- a simple yet effective server-crashing method that surfaced in 1996. "The Ping of Death is an unanticipated ping. This is an unanticipated e-mail," he said.

Pings are used to test whether a host at an Internet address is reachable. Attackers who appended enough bytes to the data to make the ping overlong could cause many servers to crash, earning the technique the name Ping of Death.

Likewise, Rosenberger created files that violate established formats: COM files of zero length, Zip archives with no content, and other techniques. To the mail server itself, such files are harmless, but many anti-virus and content scanners freeze when they try to scan them.

The problem: When the scanners die, they take the servers with them. Two weeks ago, he presented the techniques to a group of security experts. ZDNN has chosen not to publish the specifics of the techniques.
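The failure mode described above, a scanner that assumes every attachment is well-formed and takes the mail server down when that assumption breaks, can be shown side by side with a hardened handler. The following is an added example written for this page; it is not code from the article, from Rosenberger, or from any vendor's product. The scanner functions, the "deliver"/"quarantine" dispositions, the 10MB size limit and the sample attachments (an empty COM file, an empty file named .zip, a structurally valid archive with no members, and a good archive) are all assumptions constructed here to illustrate the point.

```python
import io
import zipfile
from dataclasses import dataclass

# Assumed policy value for this example: attachments larger than this are refused.
MAX_ATTACHMENT = 10 * 1024 * 1024


@dataclass
class ScanResult:
    verdict: str  # "clean", "malformed" or "error"
    reason: str = ""


def naive_scan(filename: str, data: bytes) -> ScanResult:
    """Scanner that assumes every attachment is well-formed (the assumption
    the article says the malformed files exploit)."""
    name = filename.lower()
    if name.endswith(".com"):
        header = data[0]  # IndexError on a zero-length COM file
        return ScanResult("clean", f"COM header byte {header:#x}")
    if name.endswith(".zip"):
        # zipfile.BadZipFile on a zero-length or otherwise invalid archive
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return ScanResult("clean", f"{len(zf.namelist())} entries")
    return ScanResult("clean")


def hardened_scan(filename: str, data: bytes) -> ScanResult:
    """Scanner that treats unanticipated input as a verdict, not a crash."""
    name = filename.lower()
    if len(data) == 0:
        return ScanResult("malformed", "zero-length attachment")
    if len(data) > MAX_ATTACHMENT:
        return ScanResult("malformed", "attachment exceeds size limit")
    if name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.infolist()
                if not members:
                    return ScanResult("malformed", "archive contains no entries")
                if sum(m.file_size for m in members) > MAX_ATTACHMENT:
                    return ScanResult("malformed", "uncompressed size exceeds limit")
        except zipfile.BadZipFile as exc:
            return ScanResult("malformed", f"not a valid zip: {exc}")
    return ScanResult("clean")


def process_message(attachments, scanner):
    """Mail-server side: scan every attachment, and turn a scanner failure into a
    quarantine of this one message rather than a crash of the whole server."""
    dispositions = {}
    for name, data in attachments:
        try:
            result = scanner(name, data)
        except Exception as exc:  # scanner bug triggered by unanticipated input
            result = ScanResult("error", f"scanner failed: {type(exc).__name__}")
        dispositions[name] = result
    if any(r.verdict != "clean" for r in dispositions.values()):
        return "quarantine", dispositions
    return "deliver", dispositions


def scanner_survives(scanner, filename: str, data: bytes) -> bool:
    """True if the scanner returns a verdict instead of raising."""
    try:
        scanner(filename, data)
        return True
    except Exception:
        return False


def _build_zip(entries):
    # Constructed sample archive built in memory for this example.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


GOOD_ARCHIVE = _build_zip([("readme.txt", b"hello")])
EMPTY_ARCHIVE = _build_zip([])  # structurally valid, zero members
SAMPLE_ATTACHMENTS = [  # constructed inputs, not files from the article
    ("empty.com", b""),
    ("empty.zip", b""),
    ("noentries.zip", EMPTY_ARCHIVE),
    ("ok.zip", GOOD_ARCHIVE),
]

if __name__ == "__main__":
    for scanner in (naive_scan, hardened_scan):
        action, details = process_message(SAMPLE_ATTACHMENTS, scanner)
        print(scanner.__name__, "->", action)
        for name, res in details.items():
            print(f"  {name}: {res.verdict} ({res.reason})")
```

The two points worth noticing: `hardened_scan` never raises on the zero-length or empty-archive inputs, it classifies them, and `process_message` still survives `naive_scan` because the server isolates the scanner's failure to the single message being handled. Either layer alone would have avoided the "scanner dies, server dies" outcome the article describes; both together are the defensive posture.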

'Legitimate problems'
"These are legitimate problems," said Dan Schrader, vice president of new technology for anti-virus software maker Trend-Micro Inc. "They are potential denial of service attacks."

Trend is working on patching its software to close the security holes.

Still, while admitting the effectiveness of the exploits, Schrader dismissed their importance. "This problem is going to go away (when we complete the fixes)," he said, adding that while the techniques were "amusing (in their cleverness) … there are other denial of service attacks -- there are lots of ways to crash people's systems."

Another anti-virus firm, Network Associates Inc. (Nasdaq:NETA), has already patched a hole in its product that the files exploited. Still, the company stressed its disapproval of publicizing the fact that such holes exist.

"Maybe we fixed our product, but what other products are out there (that haven't been fixed)?" asked Sal Viveros, group product manager for NAI. "Typically, in security you don't go out and announce a flaw unless you know companies are no longer vulnerable."

A rethink needed
Rosenberger denounced the so-called "security through obscurity" policy, stressing that the Internet e-mail infrastructure needs to be fixed before these or similar attacks are used to crash electronic communications.

"We need to rethink the e-mail infrastructure," he said. "The NSA rainbow books (on security) say that we should go back to the design level and fix it. We should."
