Stopping Malicious Attachments

[00:00:00]
>> Mike North: Now, the defenses against this kinda thing is be restrictive on file upload types, right? So don't just allow users to upload arbitrary things. Put due consideration as you add new file types. Don't trust extensions.
>> Mike North: Don't really trust advertise mime types either. And the more you let your users share files, the more it becomes just a dumping ground for people to drop traps for other users.

[00:00:31]
I mean, there are certain sites that allow just arbitrary uploads. And photo sites have turned into this in some cases, where they're not restrictive at all, and it just becomes a total wasteland of cross-site scripting hell.
>> Mike North: For images, the thing you wanna do is actually pretty simple, and it's already a best practice.

[00:00:52]
You just wanna compress images, right? Anything that will attempt to reduce images in size, it's generally going to start by dropping online visible data. That's the easiest thing to do first. I mean, and a great tool to use is Image Magic, if you use that. It is available, ports to a variety of different programming languages.

[00:01:13]
But anything that tries to shrink these things down, before it does all this sophisticated work figure out like is this color palate a little bit too specific and can we drop some colors, that is the fifth or sixth level of optimization after it looks like there is some stuff that doesn't have anything to do with pixels show on the screen.

[00:01:33]
Get rid of it.
>> Mike North: And also, as you add more attachment types, make sure you research capabilities thoroughly. PDFs are one that people often overlook because it seems like a document, right? Most of the things we receive are documents. And we have system viewers like Mac ships with a PDF viewer, but you can embed dynamic code into a PDF.

[00:01:58]
It's rare to see these, but if you download the slides and click this link, it'll take you to Adobe's documentation for JavaScript that can run inside a PDF. So you load it, it runs it. And this can, for some browsers, depending on how permissions are set, it can just start running right away.

[00:02:16]
And remember, if you're already depending on this technology, say that you use this for your application, you want to give people maybe reports where they can open the PDF and it's like an animated graph or something. That sounds great, but at this point now, users have set their permissions for your domain saying all right, now you can run dynamic stuff in a PDF.

[00:02:36]
And that is now a vector for someone to do nasty stuff.