Department of Defense Now Blocking HTML Email 262
oKAMi-InfoSec writes "The Department of Defense (DoD) has taken the step of blocking HTML-based email. They are also banning the use of Outlook Web Access email clients. The DoD is making this move because HTML messages can easily be infected with spyware and executable lines of code that enable hackers to access DoD networks, according to an article in Federal Computer Week by Bob Brewin . A spokesman for the Joint Task Force for Global Network Operations (JTF-GNO) claims that this is a response to an increased network threat condition. The network threat condition has risen from Information Condition 5 to Information Condition 4 (also called Infocon 4). InfoCon 5 is normal operating conditions and Infocon 4 comes as a result of 'continuing and sophisticated threats' against DoD Networks. The change to Infocon 4 came in mid-November, after the Naval War College suffered devastating attacks that required their entire system be taken offline, but the JTF-GNO spokesman claims there is no connection."
Stupid (Score:3, Interesting)
Still ways to get email from outside the network (Score:5, Interesting)
So instead of just plain old OWA sitting out there waiting for anyone to type in a username and password, they've upped the security a little bit. Yes, it's making us jump through hoops a little (for myself, need to stand up an ASA5510 as a VPN concentrator to receive outside connections), but it's not impossible.
Besides... not being able to check your work email from home can only be a good thing, no?? I know, I know, it's for people on travel, leave, etc. too...
As for the "blocking" of HTML email, can't say that I've seen that at all. Maybe it's only for emails that originate from outside of the network since we use HTML email all the time from within Outlook (formatting is useful in this case).
---John Holmes...
Temporary? (Score:5, Interesting)
If the Infocon levels work anything like the other readiness levels in the DoD, then a shift to Infocon 4 requires a change (temporary) in policy. So it seems that a shift back to level 5 would mean HTML e-mail is no longer blocked.
It's like after 9-11, when all DoD installations had much stricter physical access rules and extra guards at the gates.
Which is a shame, because saying goodbye to html email entirely would be fine by me.
Re:As They Should (Score:5, Interesting)
Personally I'd miss the formatting features of HTML. Bold, Italic, etc. I'm a little surprised there hasn't been a middle ground estbalished at some point. You know... pretty text, no exploits. Well, I can dream. In the mean time, gotta give kudos to GMail. One of my favorite features is that it disables images until you turn them on. That's a feature Outlook 2000 could have used.
Re:Blocking? Looked to me they were just convertin (Score:1, Interesting)
Re:As They Should (Score:3, Interesting)
Doesn't that break digital signing? (Score:5, Interesting)
Or is the DoD just skipping the concept of digitally signing email?
And the problem with this is? (Score:2, Interesting)
I block html email myself simply because it is annoying and 90+% is spam anyway. Why is this a problem?
NMCI goes even further (Score:5, Interesting)
A NMCI laptop takes over 10 minutes to boot and load the dozens of background processes and roving preferences. Once booted the machine is near useless performance wise.
Most, including middle management, refer to NMCI as No More Computing In-house.
In order to get idea just how bad things are, upper management conducted "customer satisfaction surveys". Even though the NMCI program office controlled the content, distribution, and analysis of the survey the results indicated overwhelming dissatisfaction. The NMCI program office has declined to release the raw data from the survey, instead issuing a release about the results. Rear Admiral J. B. Godwin III said releasing the results would challenge the "integrity of our data." Hmmm....
Most Navy labs that are under the burden of the NMCI contract maintain two networks, the legacy and the NMCI - the one to get work done on an the other to read email. This leads to double the costs and double the vulnerability exposure, and halves the resources to concentrate on security and usability.
Worst I hear that the Navy just extended the contract to 2010. Your tax dollars at work.
Re:Good call (Score:3, Interesting)
I also wonder when other organizations will follow suit.
Re:As They Should (Score:3, Interesting)
LOL. If the OP wants bold and underlining in his emails, I'd suggest he starts with reading
T^HTh^Hhe^He M^HMu^Hut^Htt^Ht E^HE-^H-M^HMa^Hai^Hil^Hl^HCl^Hli^Hie^Hen^Hnt^Ht
Personally, I'd find that annoying, like every other attempt to be interesting, or creative or otherwise expressive. Look folks, many of us read hundreds of emails per day. Subscribing to few mailing lists and we're looking at thousands.
Do we really need or want anything other than standard messages? The content of an average message is just a few sentences. What people send out, on the other hand, is somewhere between unecessary and absurd. And all of it (at least in a corporate setting) gets stored and archived.
Re:Stupid (Score:3, Interesting)
Re:Good call (Score:5, Interesting)
If you are DOD and you want to get Commercial Off the Shelf (COTS) products to resolve your problems without hiring the massively expensive solutions of 1 off stuff built to design, you must be able to accept attachments such as .zip and html mail. Sorry but the commercial guys cannot even tell you what they are doing anymore without this stuff. DOD costs just got higher!
I worked one DOD site where we had to email files of code. The volume of the attachments was beyond the Email limits so we had to zip the files. The filters blocked .zip. So we renamed the files .aaa or something like that. Then the filters didn't catch the files. That way we could get the emails. We had to break our own security just to do our job. This stuff is a real problem.
The US DOD needs to can Microsoft. If they were to run Linux or Apple systems and then to sandbox all emails and web browser stuff under the OS a lot could be done and things would be much more secure. The basic problem is a Microsoft logical design construct. Microsoft thought that they should own your computer and you should rent it from them. Under these conditions they wanted "their" computers to be remotely controlled by various means. The means they designed into their constructs also leave sucking security holes which hackers and other malware designers just walk right through.
There is a real reason most DOD people stick like glue to Microsoft. For Network security people in the DOD they are as worried that some subordinate might actually control his machine as they are of having foreign control. (Foreign to their system) As such they must keep central control. This is the Microsoft construct at a second level. The DOD system I worked on had an entire base having one root password that didn't change folks because of this demand. Linux etc doesn't conform to this as naturally as MS systems. Another level of this sticking like glue to MS systems comes from the fact that most of the people who program (contractors etc) for the Government like to keep their jobs. MS systems do not support legacy software well. As such they are continually "re-inventing the wheel" so to speak and it makes for lots of jobs that last a lifetime. It holds the DOD hostage to continually hiring the same contractor because his software is proprietary and cannot be easily "reverse engineered" without risk of software copyright violations. In the end this synergy of profits and control leaves the US DOD bleeding money, never able to do its job as effectively and wedded to MS systems.
If the taxpayers get involved they will ban such OS like Microsoft because this is completely contrary to the interest of the taxpayers. It however; requires the US DOD to recognize that its only true security lies in the loyalty of its people. In doing so it will have to retract from foreign (non-USA) suppliers and contractors. It will have to seriously look into who it is hiring and it will have to weed out those it has on payroll who are being more selfish than loyal. Let me assure you that if this situation is dealt with properly it will be a top to bottom 10 on the Richter Scale earthquake in US Government operations. Imagine if you will actually not being able to have the management read every document in someones computer without them knowing. Imagine having someone who works for you who you actually have to be able to trust! Imagine real government security! (WOW!)