Re: MS-Mail Security
On Thu, 27 Jun 1996 [email protected] wrote:
> In> I would like to gather information on whether the MS-Mail server
> In> is secure or not. Has anyone heard of somebody, say, disguising themselves
> In> as another user or reading another user's e-mail?
>
> I'd also like to know how secure the MS-Mail files are (*.mmf). They are
> password protected and should be encrypted but does anybody know how
> secure?
We have worked extensively with MS Mail and on providing integrated crypto
features for the product. The native security on the files is provided in
two ways: 1) The usually poor MS "scrambling" (it's not really crypto),
and 2) The discretionary access controls (DAC) of the OS. Since only NT
has decent DAC (which only works at a C2 level of trust when it's not on a
network), my opinion of the risk level would be "VERY HIGH" against
threats of repudiation, loss of confidentiality, loss of availability, and
loss of integrity.
Further, the I&A mechanisms in everything other than a stand-alone NT
environment are inadequate for any real proof of identity. They most
certainly can't offer anything close to a real non-repudiation solution.
Forging a "from" header into the database is, I would contend, fairly
simple. Reading someone else's mail is a bit harder, but not incredibly
difficult. If traditional hacking doesn't work, building a hacking tool
using MAPI (a widely available API to the mail subsystem) would be fairly
straightforward (Hmmmmm - Summer vacation programming project???).
-------------------------------------------------------------------------
|Just as the strength of the Internet is |Mark Aldrich |
|chaos, so the strength of our liberty |GRCI INFOSEC Engineering |
|depends upon the chaos and cacophony of |[email protected] |
|the unfettered speech the First Amendment|[email protected] |
|Protects - Federal Judges on the CDA | |
|_______________________________________________________________________|
|The author is PGP Empowered. Public key at: finger [email protected] |
| The opinions expressed herein are strictly those of the author |
| and my employer gets no credit for them whatsoever. |
-------------------------------------------------------------------------