The InfoSec Blog

Security awareness: another reason to avoid HTML mail

Posted by Anton Aylward

On the face of it, this looks like a perfectly reasonable message with a perfectly reasonable URL from a perfectly reasonable address:

Dear Workopolis member,

Workopolis Technical Department requests you to complete Online Employer
This procedure is obligatory for all clients of Workopolis.
Please select the hyperlink and visit the address listed to access
Online Employer Form.

These instructions are to be sent to all Workopolis members.
Copyright � 2007 All Rights Reserved.

In reality, its HTML mail that is used to hide the real URL.
What I've shown in plain text above reads like this in HTML:

Please select the hyperlink and visit the address listed to access
Online Employer Form.

What's really there is

As you see, what you see and what you get aren't the same.

My spam detector, spamassassin, is smart enough to spot this.
Its really crude spam!

X-Spam-Report: * 1.7 HOST_EQ_D_D_D_D HOST_EQ_D_D_D_D
  * 2.9 RM_hm_EmtyMsgid Message ID is empty, or just spaces - probable spamsign
  * 0.1 SPOOF_OURI URI: URI has items in odd places
  * 2.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
  * 3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist [URIs:]
  * 1.0 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts

But the really important thing is that a HTML message can hide reality.

Why do I mention this? For most of us its obvious.

Well at a recent ISSA meeting I spoke with another CISSP, a security manager with a local organization that has an operating budget of over 200 Million dollars. All their internal mail is "HTML" - he says that's the standard, so the MUAs read mail as HTML by default. Mail from his is in proper MIME format, the text part as well as the HTML part. I pointed out that this means his organization is paying extra for storage and that it gets multiplied when mail is cc'd. He just said "well its the corporate standard".

Now the corporation may not care that its paying extra for all that storage, after all, storage is cheap.

But humans have always been the weak link. Someone might get mail like this and click on the URL. We've been telling users for years not to open unsolicited attachments, but they still do. Why would we think they won't click on URLs in mail messages.

The reasons my colleague at the ISSA offered included "HTML offers formatting options that our users require. Plain Text does not." But that was with no explanation of why they might need those options.

Personally I think that's a specious answer. For EVERY message? We do fine here with plain text.

HTML mail represents a risk. User's need to be educated to realize that. A baseline policy of "all mail should be html" also means all readers default to html and so can hide what's really in the message. Not least of all, there have been bugs in the html rendering code in the past that have led to exploits. Does anyone really think that users won't click on the URLs in mail from the outside?

Perhaps you also need a front-end 'sanitizer' like
or which is the one I recommend.

Perhaps you need to be wary about MIME e-mail in general, both HTML mail and attachments.

“Who ya gonna call?” Certainly not qualified experts!

Posted by Anton Aylward

This from a Friend in Australia:

The Australian Government is wasting over $100 million on "free" "Internet content filtering" software for home computers (, and in the latest move, the opposition - which stands a very good chance of becoming the government after Saturday's election - is now taking advice from a 16-year-old kid on its Internet policy (see

Security theater of the highest order. Words fail me.

"Security theater"? That's one of Bruce Schneier's lines. I'm surprised he hasn't mentioned this at his blog.

Technorati Tags: , , , ,

The falling price of graphics cards and RAM will be the death of the 32-bit OS

Posted by Anton Aylward

Indeed. But not yet.

You can run 64-bit Linux or Windows but many drivers aer not there yet. If we are talking about servers then its probably not a problem, and if your server has 64-bit hardware then you should be running a 64-bit OS; but for the desktop thinks like Adobe Flash and man video and audio codecs aren't here yet.

While on the whole I'm happy with my 17" Compaq X6050 (I wish it were lighter, though!) it and my tower server both have this limit on the number of slots for RAM. The thing here is that I want a large screen and disk, this is a 'desktop replacement'. Yes, there are plenty of small and light machines out there. The Asus EEE PC come in at under a kilogram but it has 7" TFT LCD with LED backlight @ 800×480. It is is a subnotebook, about the size of a hardback book. That's great, as a 'pocket book', if you work that way. But I'll stick with paper and pen or my trusty old Newton. When I want a computer I want a proper computer, and that means a proper display. Perhaps one day we will have display that are 'smart paper' and can unfold.
This limit on memory represents some serous brain damage on the part of the designers.

As this article points out, RAM is cheap and getting cheaper. Tiger Direct in the USA have been selling 512 megabyte DDR2 for US$9.99 recently. Even here in the Great White North where prices are marked up astronomically and
retailers don't care that the loonie is stronger than the greenback I can get a 1 gigabyte DDR2 for C$29.99 on the high-street with no shopping around. The same for my laptop is a little over twice the price at the same outlet. If I got down to the Computer Strip at College and Spadina in Toronto I can find 512M DDR2 for C$12.
When memory and address space was expensive we had to be parsimonious and ended up with virtual memory (and other) systems. We also had the phrase "virtual memory means virtual performance".

The "56k limit" of DOS running on an 8088 (or a Z-80 if you remember CP/M) and roll-in-roll out memory management fitted in with the economics back then. Even if you were willing to shell out for more memory the hardware wouldn't support it, the chips simply couldn't address it.

So what has changed? Well the chips can address it, but if I were to shell out for 16 gigabytes of memory ... the hardware won't support it. The motherboards don't have enough slots.

Well, sort of. In one sense motherbaords are just another commodity, but that also means most of the are clustered in capability and performacne. Oh, there are exceptions! Here's a "monster truck" that supports 16Gbytes of RAM. And you can add to that whatever memory is on the video card.

Great for your server; great for your desktop. But what about the laptop? And lets not forget that more and more individuals and corporations are moving to laptops. The lure of mobility, of wireless networking, of telecomuting and much else is very strong.
I suppose this might be yet another example of the "failure of imagination" syndrome that has always beset this and other industries, the designers and policy wonks simply can't imagine why anyone would want to do "THAT!" It seems only time and a slow evolution of the marketplace brings about change.

But what we have here is, as this article describes, an economic force. I can easily afford to buy large disks and large amounts of memory, more than my cabinet and motherboard can cope with. While I can always run a SCSI cable to another chassis, there is really no simple way I can add more memory than the motherboard has slots for. And with the laptop I am even more constrained.
More and more applications are using large memory spaces. Perhaps applications will drive development of hardware. Consider these statistics. Half of the machines are 2G or more. When the hardware developers will be able to tout more slots as a way to sell more gear, it will happen.
Even so, it may well be an iterative a re-run of the old 1950s attitude towards automobiles:- planned obsolescence. Many people think so, but items that last tend to become cultural icons - classic automobiles and of course the Newton.

Filed under: Social No Comments