Security FAQs
Questions:
(1) If I receive an email with an attachment that looks like it has a .DOC, .JPG, .PDF or some other innocuous suffix, does that mean it is safe to open? In other words, can someone "hide" a .EXE file in an attachment and make it look like a .DOC file, etc?
(2) I have heard that it is always safe to open an email message as long as I don't open an attachment. Is that true?
(3) Is it possible to archive GroupWise email on a memory stick (thumb drive)? How about on my "I drive"? Since I work with several different computers (my academic office, research office, home), I have kept lots of email in my GroupWise account but I'm getting close to the max. Of course if I archive emails on one computer's hard drive I won't be able to access them from my other computers.
(1) If I receive an email with an attachment that looks like it has a .DOC, .JPG, .PDF or some other innocuous suffix, does that mean it is safe to open? In other words, can someone "hide" a .EXE file in an attachment and make it look like a .DOC file, etc?
The short answer is that the file is not necessarily safe to open. Here are possible scenarios and how to detect them (and this is not an exhaustive list of possibilities):
- The file might really have a different extension (the characters after the "dot" in the name; there could be more than one "dot") than the one that appears. Due to various "tricks" to conceal the full name of a file, the name shown may not be the entire name.
Make sure your operating system (OS) is set to display the full file name (on Windows, when you then browse to a file in Explorer, the entire file name will appear, including the extension).
Once you are sure the OS is displaying the full file name, you can save the attachment (without opening it) to a folder on your computer and then look at the file name in the folder. If you see, for example, word.doc.bat instead of word.doc, you will know that something is up and that the file should be deleted.
- For file extensions that are more generic and "open" (that is, not tied to a specific originating program), it is generally (but not 100%) safe to open these files if your operating system is up to date with security patches. If your system is not up to date with these patches, a compromise is possible.
For example, hackers developed a way to embed corrupting information in "normal" .jpg files so that, when these were opened, a buffer overflow resulted which caused a security exposure on the machine and potentially led to the machine being taken over. Here is what Microsoft said about that:
"A buffer overflow vulnerability exists in the GDI+ component included in several Microsoft products. Systems affected are those that provide an operating system version of the GDI component that is vulnerable to this issue. This vulnerability is triggered by a malformed JPEG image file.
An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs, viewing, changing or deleting data; or creating new accounts with full privileges. The vulnerability has been publicly exploited."
More information is at Microsoft Security Bulletin MS04-028 (http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx)
- For file extensions associated with a specific application (.doc with MS Word, .pdf with Adobe Acrobat, etc.) there have been cases where the features or weaknesses of these programs have been exploited to cause a security compromise.
The best bet here is to make sure you have installed any application security patches available. Opening these documents in other applications can also minimize the risk. For example, a "Word viewer" application does not have the capabilities of the MS Word program and is not likely to be vulnerable to a Word document exploit.
In summary, an attachment is not necessarily what it seems. The best defense is to have all OS and applications up to date with security patches and to not open unsolicited attachments.
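The file-name check described above (save the attachment without opening it, then look at its full name) can be scripted. The following is an added example, not part of the original FAQ; the extension sets are illustrative subsets chosen here, and the check for the "MZ" header that Windows executables start with goes one step beyond the name check in the text.

```python
import os
import tempfile

# Illustrative subsets chosen for this example, not complete lists.
EXECUTABLE_EXTS = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs"}
DOCUMENT_EXTS = {".doc", ".jpg", ".jpeg", ".pdf", ".txt", ".xls"}


def check_attachment(path):
    """Inspect a saved (unopened) attachment and return a list of warnings."""
    warnings = []
    # 'word.doc.bat' -> ['.doc', '.bat']; the last entry is what the OS acts on.
    parts = os.path.basename(path).lower().split(".")
    exts = ["." + p for p in parts[1:] if p]
    final = exts[-1] if exts else ""

    if final in EXECUTABLE_EXTS:
        warnings.append("final extension is executable: " + final)
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            warnings.append("document extension precedes the real one")

    # Read only the first two bytes; the file is never handed to an application.
    with open(path, "rb") as fh:
        header = fh.read(2)
    if header == b"MZ" and final not in EXECUTABLE_EXTS:
        warnings.append("content starts with the Windows executable header 'MZ'")
    return warnings


def demo():
    """Write three constructed sample files to a temp folder and check each."""
    samples = {
        "word.doc": b"\xd0\xcf\x11\xe0 constructed document bytes",
        "word.doc.bat": b"@echo off\r\n",
        "photo.jpg": b"MZ constructed stub, not a real program",
    }
    results = {}
    with tempfile.TemporaryDirectory() as folder:
        for name, content in samples.items():
            path = os.path.join(folder, name)
            with open(path, "wb") as fh:
                fh.write(content)
            results[name] = check_attachment(path)
    return results


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, "->", found or "no warnings")
```

A file that passes both checks can still carry an exploit for the program that opens it, which is why the patching advice above still applies.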
(2) I have heard that it is always safe to open an email message as long as I don't open an attachment. Is that true?
Unfortunately, this is not true in general. It is true only if your email program is set to open email as "text only". If your email program will display html formatted email (or uses another program, for example MS Word, as the "display engine" for the email), it is possible for a process to be kicked off from the html just as if you had visited a hostile web site.
The best protection against this possibility is to have your email displayed as text only. If this is unacceptable, then make sure your OS and applications have all security patches installed and configure your default html web browsing program for high safety so that processes will not start merely from opening an email (or visiting a bad web page).
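What "text only" display means in practice, as an added example that is not part of the original FAQ: the function below prefers the message's text/plain part and, when only html is present, collects the visible text without interpreting any tag, so script content is dropped and remote images are never fetched. The sample message and the names `TextOnly` and `text_only_view` are constructed for this illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser


class TextOnly(HTMLParser):
    """Collect visible text from html; tags are parsed but never acted on."""
    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__()
        self.chunks = []
        self.skipping = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self.skipping += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self.skipping:
            self.skipping -= 1

    def handle_data(self, data):
        if not self.skipping and data.strip():
            self.chunks.append(data.strip())


def text_only_view(raw_message):
    """Return the message body as plain text, preferring the text/plain part."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        return body.get_content().strip()
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return ""
    parser = TextOnly()
    parser.feed(body.get_content())
    parser.close()
    return "\n".join(parser.chunks)


# Constructed sample: an html-only message with a script and a remote image.
SAMPLE = (
    "Subject: Constructed sample\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><body><p>Quarterly report attached.</p>"
    "<script>runSomething()</script>"
    '<img src="http://example.com/pixel.gif"></body></html>\n'
)
```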
(3) Is it possible to archive GroupWise email on a memory stick (thumb drive)? How about on my "I drive"? Since I work with several different computers (my academic office, research office, home), I have kept lots of email in my GroupWise account but I'm getting close to the max. Of course if I archive emails on one computer's hard drive I won't be able to access them from my other computers.
Yes, this is possible. Any device that shows up as a drive letter (preferably the same drive letter each time) on your computers can be used for the archive. This includes the "I drive" or removable media such as a "thumb drive".
The GroupWise archive is encrypted and requires the GroupWise client as well as the user ID and password to open the archive. Therefore, it is a fairly secure storage format for email, regardless of storage location.
A key consideration is ensuring that enough space is available on the device or network drive of choice.
If you will have access to the UofL network from all of the computers you use, the Information Security Office preference, in order of desirability, would be:
- "H" Drive - Since this is your personal network drive space, it would be hard for someone to get to the data if a GroupWise hacking tool is developed, without also compromising the network security. The "H Drive" is also part of IT's back-up and DR plan.
- "I Drive" - Since this is a department's network drive space, it requires more network management so that the file is not available for copying by others with access to the folder. This would only really be a problem if a GroupWise hacking tool is developed. Also part of IT's back-up and DR plan.
- "Thumbdrive" - Actually a very good option, but it would not be advisable to resort to only using a thumb drive because if the thumb drive is lost, so is the archive (have a back-up on your "H" drive). Very secure location for data if not lost, very portable but somewhat fragile, so always keep a back-up. If lost, as discussed above, the GroupWise archive format is pretty secure so not too much chance of data exposure. Also, some thumb drives have their own encryption and password options, making two layers of protection possible.
