Re: [Full-disclosure] virus in email RTF message MS OE almost disabled

On 23/11/2010 15:03, Mikhail A. Utin wrote:
> This is my final reply.
> For those still interested:
> - it happened on my home PC
> - immediately disconnected (for a few interested people I can forward the email to taste this thing after receiving appropriate paperwork)
> - it is beyond MS released SPs for Office and Windows
> - using this list is OK as we discuss vulnerabilities
> - using corporate email is not prohibited to discuss professional topics
> - public emails, chats/IM, social sites are prohibited by policies
>
> Sorry, I was looking for a few short ideas and mostly for known cases, not lecturing. I'll fix it, not a big deal. Expect others to have some knowledge as well and do not waste time. BTW, certifications help in all covered matters, believe me. Even in understanding that others may know something and do have certain experience.
>
> If you know such cases, please reply. Otherwise do not waste your and your computer's energy.
>
> Thank you
>
> Mikhail A. Utin, CISSP
> Information Security Analyst
> Commonwealth Care Alliance
> 30 Winter St.
> Boston, MA
> TEL: (617) 426-0600 x.288
> FAX: (617) 249-2114


With a CISSP I expect you would have the skill to set up a VM, replicate the scenario and monitor system activity... Analysis. A Scroogle/Google on some of your results should provide the answers you need. I'm sorry but I fail to understand how someone with a CISSP would require help in dealing with this.

My limited experience leads me to believe that like any security analyst, a CISSP should have a lab of some description at home. Doubly so for a CISSP who is a security analyst. Your initial post did you no favours and casts doubt on your abilities to live up to the standards required by your qualification and position. The only time to leak information about security practice to this list is when you want a free pentest from some of the less scrupulous members of FD.

Using plain text for emails shuts down a whole lot of attack vectors in OE, as it does in any email client. But you are a CISSP, you don't need me telling you this.

Don't take my comments or the comments of others too hard and certainly not personally. This is a tough room, with some exacting professionals.

Dave something
Information Security Noob.
--
Mankind's systems are white sticks tapping walls.
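The "read mail as plain text" mitigation mentioned above, shown as an added example that is not code from the thread, from Outlook Express, or from any of the posters: a small Python reader policy built only on the standard library's email parser. It renders just the text/plain part of a message and lists every rich part (HTML, RTF, attachments) it held back instead of opening. The two messages below are constructed for the illustration; the RICH_TYPES set and the function names are this example's own choices, not a real client's configuration.

```python
"""Plain-text-only reading policy for a MIME message (added illustration).

Assumes a raw RFC 822 message as a string. The samples below are constructed
for this example and are not the message discussed in the thread.
"""
from email import message_from_string, policy

# MIME types a plain-text-only reader refuses to render inline.
# (Assumed list for this example; a real client's list would differ.)
RICH_TYPES = {
    "text/html",
    "text/enriched",
    "text/rtf",
    "application/rtf",
    "application/msword",
}

# Constructed sample: multipart/alternative (plain + HTML) plus an RTF
# attachment. The HTML part carries a script tag to show what gets skipped.
SAMPLE = """\
From: sender@example.invalid
To: reader@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="us-ascii"

Hello, this is the plain text body.
--inner
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hello, <b>rich</b> body.</p><script>evil()</script></body></html>
--inner--
--outer
Content-Type: application/rtf; name="note.rtf"
Content-Disposition: attachment; filename="note.rtf"
Content-Transfer-Encoding: base64

e1xydGYxIGhlbGxvfQ==
--outer--
"""

# Constructed edge case: an HTML-only message with no text/plain alternative.
SAMPLE_HTML_ONLY = """\
From: sender@example.invalid
Subject: html only
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Only a rich body here.</p></body></html>
"""


def read_plain_only(raw: str) -> dict:
    """Return what a plain-text-only reader shows for a raw message.

    'body' is the first non-attachment text/plain part, or None when the
    message has none (an HTML-only mail renders as nothing, by design).
    'suppressed' lists every rich part or attachment that was NOT rendered,
    with its type, filename and decoded size, so the reader sees what was
    held back instead of having it opened automatically.
    """
    msg = message_from_string(raw, policy=policy.default)
    body = None
    suppressed = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        is_attachment = part.get_content_disposition() == "attachment"
        if ctype == "text/plain" and not is_attachment and body is None:
            body = part.get_content()
        elif ctype in RICH_TYPES or is_attachment:
            suppressed.append({
                "type": ctype,
                "filename": part.get_filename(),
                "bytes": len(part.get_payload(decode=True) or b""),
            })
    return {"body": body, "suppressed": suppressed}


def render(raw: str) -> str:
    """Text a plain-text-only reader would actually display for the message."""
    result = read_plain_only(raw)
    lines = [result["body"].rstrip() if result["body"] else "(no plain-text body)"]
    for part in result["suppressed"]:
        name = part["filename"] or "(inline)"
        lines.append(f"[held back: {part['type']} {name}, {part['bytes']} bytes]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE))
    print("---")
    print(render(SAMPLE_HTML_ONLY))
```

Run as a script it prints the plain body followed by one "held back" line each for the HTML alternative and the RTF attachment, and for the HTML-only message it shows nothing rendered at all. That is the whole point of the setting: the HTML (script included) and the RTF never reach a renderer, they are only reported, and the behaviour does not depend on which client is doing the reading.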


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -
