Posts tagged ‘eMail’

Epsilon Breach will Lead to Phishing Season Security Companies Predict

Over the weekend, email marketing firm Epsilon revealed that it had been hacked and that some of their client customer lists had been stolen.

Names and email addresses were stolen.  With the link between your email address and the particular client of Epsilon, it is now much easier to create a targeted phishing email.

Phishing emails are a type of spam that pose as emails from legitimate institutions such as your bank or phone company.  When you receive an email regarding issues with your account at “TCF Credit Union” you hit delete.  You know it is spam because you don’t have an account there.  When the attacker knows you have an existing relationship, they can create an email that is much more likely to get past your skepticism.

Source: Much of this article is taken from the Barracuda Labs Internet Security Blog.

Epsilon Customers Include:

  • 1800-Flowers
  • Abe Books
  • American Express
  • Ameriprise Financial
  • Barclays Bank of Delaware
  • Bebe Stores Inc.
  • Benefit Cosmetics
  • BestBuy
  • Brookstone
  • Capital One
  • Citibank
  • City Market
  • The College Board
  • Dillons
  • Disney Vacations
  • Eddie Bauer
  • Food 4 Less
  • Fred Meyer
  • Fry’s
  • Hilton Honors
  • The Home Shopping Network
  • Jay C
  • JP Morgan Chase
  • King Soopers
  • Kroger
  • LL Bean
  • Marriott Rewards
  • McKinsey Quarterly
  • New York & Co.
  • QFC
  • Ralphs
  • Red Roof Inns Inc.
  • Ritz Carlton
  • Robert Half
  • Smith Brands
  • Target
  • TIAA CREF
  • TD Ameritrade
  • TiVo
  • US Bank
  • Walgreens

Epsilon customer list compiled by Brian Krebs

To protect yourself from phishing attacks
1.  Have a good spam filter in place.   Either you or your ISP should have a spam filter.
2.  Enable your browser-based phishing filter.  This is available in most major browsers.
3.  Use other URL filters.  BlueCoat K9 is a free, effective URL filter.
4.  Be aware of how your bank will contact you.  Banks will generally not be asking you to log in from an email link.
5.  Only use known links and phone numbers.  Consider links and phone numbers in email to be very suspicious.
6.  If you use Google Mail, enable the “authentication icon for verified senders” Lab.
7.  Consider installing Iconix Phishing Protection (for personal computers).
8.  Think.
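Point 5 above (treat links in email as suspicious) is something a mail filter can partly check for you. The script below is an added example, not code from the original post: it parses the HTML body of a message and flags anchors whose visible text shows one domain while the href points at another, or whose href is a bare IP address, the two classic tells of a phishing link. The sample message and the domain names in it are constructed (reserved documentation and `.test` names), and the “registered domain” helper is a deliberate simplification that a real filter would replace with the Public Suffix List.

```python
"""Flag links in an HTML email whose visible text and href point at
different places (or whose href is a bare IP address).
Added example, not from the original post; the message below is
constructed and the domains are reserved documentation/test names."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: link 1 shows the bank's URL but points elsewhere,
# link 2 is consistent, link 3 points at a raw IP address.
SAMPLE_HTML = """
<p>Dear customer, please review your account:</p>
<a href="http://login.example-bank.com.evil.test/verify">https://www.example-bank.com/login</a>
<a href="https://www.example-bank.com/help">Help center</a>
<a href="http://203.0.113.7/secure">www.example-bank.com</a>
"""


def host_of(text):
    """Hostname from a URL or a bare domain such as www.example.com."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registered_domain(host):
    """Crude registered domain: the last two labels. Good enough for the
    demonstration; a real filter would consult the Public Suffix List."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_url(text):
    """Does the visible link text itself read like a URL or domain?"""
    t = text.strip().lower()
    return t.startswith(("http://", "https://", "www.")) or ("/" in t and "." in t)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return (href, visible text, reason) for every link worth flagging."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        href_host = host_of(href)
        if not href_host:
            continue
        try:
            ipaddress.ip_address(href_host)
            flagged.append((href, text, "href uses a bare IP address"))
            continue
        except ValueError:
            pass  # a hostname, not an IP literal
        if looks_like_url(text) and registered_domain(host_of(text)) != registered_domain(href_host):
            flagged.append((href, text, "visible URL and href domains differ"))
    return flagged


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_HTML):
        print(f"{reason}: text={text!r} href={href!r}")
```

A link whose visible text is ordinary prose (“Help center”) is not flagged by this check; the point is the mismatch between what the reader sees and where the click goes, which is why the post’s advice to use known links and bookmarks rather than email links holds regardless of the wording.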

Magazine Publisher Phished for Millions

Magazine publisher Conde Nast received an email from a company with a name similar to their regular printer’s, asking them to update their payment information.   Conde Nast dutifully began sending their monthly payments electronically to a bank account in Houston, Texas.

$8 million was collected before the printers contacted the publisher to ask why they hadn’t been paid.  Surprisingly, the money was still in the account.  No word on whether the person who opened the account was a money mule or the perpetrator.

Source: Reuters

Opportunistic TLS and MessageLabs

Back in February 2008, I suggested to the Sendmail admins that we look into opportunistic TLS.   Like all encryption there is a performance hit.   Unlike S/MIME or PGP, the encryption only applies in transit between links, not to the message itself.   Additionally there is no guarantee that all links will be encrypted.   Hence the word opportunistic.   While you don’t want to get a false sense of security from it, I don’t see a reason not to implement it on a system that has the performance capacity.

The Sendmail admins added opportunistic TLS to outbound email pretty quickly.   However they found that to add it for inbound email required recompiling Sendmail.   As a result, this was put on the shelf for a while.   Here we are 2.5 years later, and as part of moving Sendmail to a Solaris blade server, they added opportunistic TLS for inbound email.  

There’s always a but…

We use MessageLabs as our secure email gateway.   I assumed that because I could connect to them on port 25 and issue the STARTTLS command, that meant they supported opportunistic TLS.   The exact phrase I used in Feb 2008 was “I suspect messagelabs would then send our inbound email across a SSL session making our email slightly more secure.”   It turns out my assumptions were incorrect.

Symantec MessageLabs does not support opportunistic TLS (Solution ID: DA_116296).   Solution ID DA_136900 claims that opportunistic TLS is a security threat rather than a security feature.   Because it only encrypts a connection when it can, unencrypted email can be sent.   This is of course true.   But at a minimum, I would know that the connection from my servers to MessageLabs was encrypted.   Final secure delivery would depend on the configuration of the recipient servers.

It seems to me that Symantec MessageLabs is trying to force customers to purchase their Boundary Encryption product.

I have been informed via the comments that if MessageLabs receives the message via SMTP/TLS they will attempt to preserve that level of security on delivery to the next hop.   That makes sense.   In most cases adding encryption merely for the last hop is pointless.   Sweetness.  

So the onus is back on other mail providers.   I saw a great rant recently on Gmail not providing opportunistic TLS.   
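The mistake described above (seeing STARTTLS accepted and concluding the other side does opportunistic TLS) is easy to make, so here is the check made explicit. This is an added example, not code from the post or from Sendmail or MessageLabs: it parses a server’s EHLO reply for the STARTTLS extension, and `probe()` wraps the standard library’s `smtplib` to run the same check live against a host you operate. The two EHLO replies are constructed.

```python
"""Tell whether an SMTP hop advertises STARTTLS, the precondition for
opportunistic TLS. Added example, not from the original post; the EHLO
replies below are constructed, and the live probe() is a convenience
wrapper around the standard library's smtplib."""
import smtplib

# Constructed EHLO reply from a server that offers STARTTLS.
EHLO_WITH_TLS = b"""250-mx.example.test Hello client.example.test
250-SIZE 52428800
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES"""

# Constructed EHLO reply from a gateway that does not.
EHLO_WITHOUT_TLS = b"""250-gateway.example.test
250-SIZE 52428800
250 8BITMIME"""


def parse_ehlo(reply):
    """Extension keywords from a multi-line 250 reply. Every line but the
    last reads '250-KEYWORD [params]'; the last reads '250 KEYWORD'. The
    first line carries the server name, not an extension."""
    extensions = set()
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        if not line.startswith("250") or len(line) < 4 or line[3] not in "- ":
            raise ValueError("malformed EHLO line: %r" % line)
        keyword = line[4:].strip().split(" ", 1)[0].upper()
        if keyword:
            extensions.add(keyword)
    return extensions


def offers_starttls(reply):
    """True when the EHLO reply lists STARTTLS."""
    return "STARTTLS" in parse_ehlo(reply)


def probe(host, port=25, timeout=10):
    """Live check against a real MTA: EHLO and ask whether STARTTLS is
    offered. Returns None if the host cannot be reached. Offered is not
    the same as required: a hop that offers STARTTLS still accepts plain
    text, which is exactly the 'opportunistic' caveat in the post."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            return smtp.has_extn("starttls")
    except (OSError, smtplib.SMTPException):
        return None


if __name__ == "__main__":
    print("sample 1 offers STARTTLS:", offers_starttls(EHLO_WITH_TLS))
    print("sample 2 offers STARTTLS:", offers_starttls(EHLO_WITHOUT_TLS))
```

Two caveats the check does not cover: a hop advertising STARTTLS says nothing about whether it will relay onward over TLS (the MessageLabs question above), and “may” is not “must”. If you want the link to your gateway to fail rather than fall back to clear text, that is a policy setting on the sending MTA (for example Postfix’s `smtp_tls_security_level = encrypt` for that destination, or an `ENCR:` requirement in Sendmail’s access map), which is the line between opportunistic and mandatory TLS.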

Webmail Account Compromises

A couple of my friends had their webmail accounts compromised and I got pharma spam from them over the weekend.   One had a Hotmail account and another a Yahoo account.   I’m not sure whether they should be mocked more for using accounts at those domains or for getting compromised.

Restoring Access
If this happens to you and you’re really fortunate, you’ll be able to log into your webmail account, change your passwords, and change the security questions used to reset the password.  

If you can’t gain access because the bad guy changed the passwords, try using the lost password button.   If you can’t reclaim your account that way, you’re going to have to contact Google, Hotmail, Yahoo, or whoever the website owner is.   Good luck with that.

Cleaning Up
Review all your settings.   In Google Mail check your Filters and your mail forwarding.   Mail from your bank could now be forwarded to the bad guy.

Maybe it’s paranoia talking, but I would search my mailbox for “password” to see whether the bad guy could have learned the credentials for any other accounts from a plain-text password sitting in your inbox.

Prevention
People always want to know how this happened to them.   Often they jump first to blaming their webmail provider.   While that’s possible, it’s not something you can really control.   It’s better to start looking at simpler explanations that you can do something about.

Was your computer hacked?   Did a keystroke logger gather your webmail credentials?   That is certainly possible.   And it doesn’t hurt to check out the computer.   I would have to wonder why the spammer would gain your credentials and then use another computer to send the spam.   Some webmail providers give full mail headers including the PC used to send the email.   For the spam I received I could see it wasn’t the same country as the sender.

Were you phished or tabnapped?   Attackers manipulate victims into providing valid authentication credentials at fake sites.   The best defense against this is to use bookmarks to avoid typos, and to go directly to https sites where possible.

Did you use the account from an insecure computer or network?    It’s so tempting to hop on an open access point at the coffee shop.    It’s tempting to use the ‘guest kiosk’ at the hotel while on vacation.   You don’t know the hygiene of that computer.    You don’t know who is snooping on that coffee bar network.

Is your password really weak?   I don’t think webmail providers would allow a lengthy brute-force attack without locking out the account.   But if your password is incredibly bad, this could still be a cause.

Was your password used on another service?   While blaming the host isn’t my first thought, hosts do get compromised every now and again.   There are multiple account/password lists available from server compromises.   If you’ve been on a system that was compromised and its password list stolen, and you reuse the same credentials, then you have a problem.

Unfortunately the causes for account compromise aren’t any clearer than the ways to get your mailbox back.   Hopefully this gives some food for thought.

That’s Not from the Copier

A lot of copiers now have the ability to scan documents and email the result as a PDF. I’ve never quite understood why people don’t take the time to change the default subject line (on a Xerox it is something like “Scan from a Xerox WorkCentre”) to something a bit more descriptive. Worse yet, I’ve seen people here send directly from the copier to their external contact instead of sending the PDF to themselves, formatting the email a bit more and then forwarding it on.

We must not be the only ones with this habit. The bad guys are using it too. I just saw some virus alerts on our inbound email.

Subject: Scan from a Xerox WorkCentre Pro $3609550
Virus: Packed.Generic.306
From the Symantec website: “Packed.Generic.306 is a heuristic detection for files that may have been obfuscated or encrypted in order to conceal them from anti-virus software.”

No file name was listed in the virus alert, so I thought this might be a false positive. Since I don’t have access to release quarantined messages to myself, I checked the source IP. The IPs I checked were from Guatemala. Between that and the fake-looking source email address, I’d say this is definitely malicious.
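Checking the source IP, as done here and in the webmail post above (where the spam’s origin country did not match the sender), means reading the Received: chain rather than the From: line, since From: is whatever the sender typed. The script below is an added example, not code from the post or from any product it mentions: it walks the Received: headers, trusts only the hops written by your own MTAs, and applies one rule built from this post, namely that a message whose subject claims to be a copier scan but which entered from outside the internal network deserves a look. The message, the MTA names, the address ranges and the subject’s trailing number are all constructed.

```python
"""Find the hop at which a message entered the organisation by walking its
Received: headers, then apply a simple rule: a subject that claims to be a
copier scan, arriving from outside the internal network, is suspicious.
Added example, not from the original post; the message, host names,
addresses and network ranges below are constructed."""
import email
import ipaddress
import re

# Constructed: the address space a genuine scan-to-email copier would use.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed: MTAs we operate. Only Received: lines they wrote are trusted;
# anything the remote side added below them can be forged.
OUR_MTAS = ("mx.corp.example", "mail.corp.example")

# Default subject the copiers use (see the post above).
COPIER_SUBJECT = re.compile(r"^\s*Scan from a Xerox WorkCentre", re.IGNORECASE)

# IPv4 literal in square brackets, as MTAs write it in Received: headers,
# and the 'by <host>' clause naming the MTA that wrote the line.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([\w.-]+)")

# Constructed message: 198.51.100.0/24 is reserved documentation space.
FAKE_SCAN = b"""Received: from mail.corp.example (mail.corp.example [10.1.2.3])
\tby mx.corp.example with ESMTP id abc123; Wed, 06 Oct 2010 08:00:00 -0500
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail.corp.example with SMTP; Wed, 06 Oct 2010 07:59:50 -0500
From: xerox@corp.example
To: someone@corp.example
Subject: Scan from a Xerox WorkCentre Pro #0000000

Please see attached.
"""

# Same message as it would look coming from a copier on the LAN.
GENUINE_SCAN = FAKE_SCAN.replace(b"198.51.100.23", b"10.5.6.7")


def origin_ip(msg):
    """Peer address recorded by the last of our own MTAs in the chain.
    Received: headers are newest-first, so walk down while the 'by' host is
    ours and stop at the first line written by somebody else."""
    origin = None
    for value in msg.get_all("Received", []):
        by = BY_HOST.search(value)
        peer = IP_IN_BRACKETS.search(value)
        if not by or by.group(1).lower() not in OUR_MTAS:
            break
        if peer:
            origin = ipaddress.ip_address(peer.group(1))
    return origin


def origin_of(raw):
    """String form of the origin IP of a raw message, or None."""
    ip = origin_ip(email.message_from_bytes(raw))
    return str(ip) if ip else None


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def fake_copier_scan(raw):
    """True when the subject claims a copier scan but the origin is external."""
    msg = email.message_from_bytes(raw)
    origin = origin_ip(msg)
    if origin is None or not COPIER_SUBJECT.match(msg.get("Subject", "")):
        return False
    return not is_internal(origin)


if __name__ == "__main__":
    for name, raw in (("fake", FAKE_SCAN), ("genuine", GENUINE_SCAN)):
        print(name, origin_of(raw), "suspicious" if fake_copier_scan(raw) else "ok")
```

The origin address is what you would then look up for country or reputation; the rule itself is deliberately narrow (one subject pattern, one network boundary) and is the shape of the check a gateway filter would carry rather than a complete one.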

Update: Here’s a link to a Barracuda blog post on the subject.

PDF Virus spammed

We’re seeing emails with the subjects “phone calls” and “setting for your mailbox are changed” getting detected as Bloodhound.Exploit.290.  That’s a generic detection for an Adobe Reader PDF exploit.

Out of Office

Are out of office (OOF) messages a security risk or a useful tool?   (Microsoft uses the acronym OOF for Out of Facility.   I’ll be using that rather than OoO for out of office.)

I’ve felt that the anti-OOF forces are the kind of Luddite people who still agitate for a return to text-only email.  Rather than dismissing it out of hand, let’s examine some of the objections to OOF.

Out of office messages could inadvertently disclose information.  “I’m out of the office, check with Joe at 555-12324.”   Now the bad guy has another contact name.   In this era of LinkedIn, I’m not sure how big a disclosure this would be.  You decide for your environment.

OOF messages could verify your email address to spammers.
Your spam product and mail server should be blocking directory harvest attacks at the gateway. I wonder if it’s still true that “verified” email addresses are more valuable to attackers. Either way, my spam filter prevents spam from reaching my inbox anyway.

OOF messages could help an attacker engage in social engineering.
Now that the bad guy knows Joe is the backup, they know he may not know procedure as well. “Roger let me do that.” Personally I think that is a problem with training, not OOF.

OOF messages could alert an attacker that it’s time to break into your home.
While there are stories about burglaries when someone posted their vacation schedule on Twitter, that is often neighborhood kids and people you know. Not using an OOF doesn’t exactly help there.

Now that we’ve gone through some OOF FUD, how can you OOF safely?
1.  If you’re running Exchange 2007 or later you have the ability to use a different message for internal senders and contacts versus external senders.  You can also send OOF replies only to people in your contacts.

2.  Sign off of any mailing lists or set them to “no mail” where possible. You don’t need to be annoying the list with your out of office notes.   I think this is the real root of the anti-OOF forces, annoyance with mailing list OOF backscatter.

3.  The less said the better.

At work, you kind of need to let people know you won’t be getting back to them for a while.   There may be a few businesses (e.g. financial) where the risk does outweigh the courtesy.   For most of us I think an OOF on the work email account isn’t the end of the world.

“Best Practices” are for people who cannot perform a risk analysis.   You’ll need to consider the risk environment and decide whether OOF is appropriate.

Email Message Size Limits – The Update

The Microsoft Exchange team wrote a blog post back in 2006 summarizing the need for email message size limits.
Email size limits help protect you against denial of service attacks. Intentional or not, internal sender or external, a large message can consume all available resources. The problem can be aggravated by antivirus for Exchange. It only has so many processes, and a traffic jam can occur while it’s trying to deal with this massive file.

Outbound messages may not even reach their destination. The public mail servers like Yahoo, Gmail and Hotmail limit their message size to 10-25 MB. Many companies protect themselves by putting these limits in place as well.
I don’t think it’s too old-school to say it’s bad netiquette to send large email messages.

Alternative methods like file servers and SharePoint are good internally. Externally, companies need to be providing easy-to-use file transfer services. Otherwise users will end up using potentially insecure third-party transfer websites like YouSendIt or, god forbid, P2P.

When I wrote about message limits in October of 2006, I was hoping that we would end up with a 50 MB message limit at the mail gateway but guessed that we would end up with a 100 MB limit. Instead we ended up with a ludicrous 500 MB limit. As Microsoft says an outrageously large limit (to quiet the restless natives) is the same as the lack of mailbox and message size limits.

The high limits (and no limit internally) have caused multiple performance issues affecting availability this year. Management is now willing to put a (still really high) 50 MB limit on messages sent via Outlook, but they are not willing to put a better limit on incoming email. We’ve produced statistics showing the low number of messages that would be blocked. At a certain point you just document that management has accepted this risk.
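The statistics mentioned above come straight out of the mail log, since every MTA records a size for each accepted message. The script below is an added example, not code from the post: it pulls the `size=` field from log lines and counts, for each candidate limit, how many messages would have been rejected. The log lines are constructed in the shape of Sendmail’s `from=` record (Postfix writes a comparable `size=` field, so the same expression applies); the candidate limits are the figures the post discusses.

```python
"""Count how many logged messages each candidate size limit would have
rejected, the figure you bring to management when arguing for a limit.
Added example, not from the original post; the log lines below are
constructed in the shape of Sendmail's 'from=' log line (Postfix writes a
similar size= field, so the same regex applies)."""
import re

MB = 1024 * 1024
CANDIDATE_LIMITS_MB = (10, 25, 50, 100, 500)

# Constructed log lines; sizes are in bytes. Lines without size= (delivery
# records such as the 'to=' line) are ignored.
SAMPLE_LOG = """\
Oct  6 08:01:02 mx sendmail[1001]: o96D12ab001001: from=<a@example.test>, size=48213, class=0, nrcpts=1
Oct  6 08:02:10 mx sendmail[1002]: o96D2Aab001002: from=<b@example.test>, size=2097152, class=0, nrcpts=1
Oct  6 08:03:41 mx sendmail[1003]: o96D3fab001003: from=<c@example.test>, size=512000, class=0, nrcpts=1
Oct  6 08:04:05 mx sendmail[1004]: o96D45ab001004: from=<d@example.test>, size=1048576, class=0, nrcpts=3
Oct  6 08:05:33 mx sendmail[1005]: o96D5Xab001005: from=<e@example.test>, size=31457280, class=0, nrcpts=2
Oct  6 08:09:47 mx sendmail[1006]: o96D9lab001006: from=<f@example.test>, size=78643200, class=0, nrcpts=1
Oct  6 08:15:00 mx sendmail[1007]: o96DF0ab001007: to=<x@example.test>, delay=00:00:01, stat=Sent
Oct  6 08:16:12 mx sendmail[1008]: o96DGCab001008: from=<g@example.test>, size=3145728, class=0, nrcpts=1
Oct  6 08:20:21 mx sendmail[1009]: o96DKLab001009: from=<h@example.test>, size=157286400, class=0, nrcpts=1
"""

SIZE_FIELD = re.compile(r"\bsize=(\d+)")


def message_sizes(log_text):
    """Sizes in bytes of every message with a size= field in the log."""
    sizes = []
    for line in log_text.splitlines():
        match = SIZE_FIELD.search(line)
        if match:
            sizes.append(int(match.group(1)))
    return sizes


def blocked_by_limit(sizes, limits_mb=CANDIDATE_LIMITS_MB):
    """Map each limit (MB) to (messages over the limit, percent of all)."""
    total = len(sizes)
    report = {}
    for limit in limits_mb:
        over = sum(1 for s in sizes if s > limit * MB)
        report[limit] = (over, round(100.0 * over / total, 1) if total else 0.0)
    return report


def format_report(report, total):
    """Plain-text table of the report, one line per candidate limit."""
    lines = [f"{total} messages in sample"]
    for limit, (over, pct) in report.items():
        lines.append(f"limit {limit:>4} MB: {over} blocked ({pct}%)")
    return "\n".join(lines)


if __name__ == "__main__":
    sizes = message_sizes(SAMPLE_LOG)
    print(format_report(blocked_by_limit(sizes), len(sizes)))
```

Run it over a month of real gateway logs rather than this sample and the 500 MB row will almost always read zero, which is the point: a limit that blocks nothing is not a limit, and the rows that do block a handful of messages are where the availability argument lives.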

As I finish writing this, I see the new Hotmail allows up to 200 attachments of 50 MB each on a single email message. It is still hard to attach a single > 51 MB attachment. But this doesn’t actually change my point. This limit isn’t because of how I think the Internet should work. It’s a technology limitation. Perhaps Exchange 2010 won’t fall to its knees with a 100 MB message. Even so, with no guarantee of the recipient server’s capabilities, I think it’s better to keep limits imposed.

Symantec buys PGP and GuardianEdge

I’ve been waiting for Symantec to buy GuardianEdge ever since they started selling a rebranded GuardianEdge encryption product. It seems every other endpoint security company bought a dancing partner over the past year or two and Symantec was merely renting.
When Symantec bought MessageLabs, I was very concerned. I like MessageLabs and was afraid of what Symantec would do to it. When Symantec bought IMLogic, I felt the technical support and the product vision totally went in the crapper. Fortunately MessageLabs had a strong position to prevent that from happening to them as well.
Regular readers of my blog will know I’ve had a lot of issues with GuardianEdge support over the years. At this point I don’t know if GuardianEdge support will be internalized by Symantec or remain as a separate team. Either way it can only get better.
I’m wondering what it means that they bought both PGP and GuardianEdge. It seems kind of redundant. PGP adds secure email. But I’m not sure what else. Not sure if PGP already has the mobile encryption that GuardianEdge currently licenses from TrustDigital.
I would expect that by the time of our next renewal encryption will be an option for a Symantec Endpoint Suite and our overall dollar spent will go down. I expect this purchase to be a good thing.

Staging Virus Definition Updates

In the wake of McAfee’s false positive that rendered Windows XP computers unbootable there has been a lot of talk. What I wanted to talk about today was the staging of virus definition updates. I saw a lot of comments that companies took the McAfee update and deployed it company-wide without any testing.
I don’t know of companies of any size that would roll out any other patches without testing. Or I shouldn’t say testing as much as rolling it out to a small group of users, followed by a bigger group, then all. Even if no tests are performed, the computer at least is used after the update and shown that everyday tasks still work.
Yet companies have given in to the virus definition update race and update definitions between 365 and 5000 times a year without any testing at all.
Depending on your vendor, virus definitions come out between 1 and 20 times per day. Do you really want to be the choke point that prevents your company from being as fully protected as it could be? I gave up on that after the time I had to drive back from an awards dinner and run down a hallway yelling “hit update now, hit update now”. (I needed the email gateway antivirus updated.)
Perhaps I’m going to feel really stupid when Symantec does the same thing next year. But I still feel our protection is better for having up-to-date definitions. Perhaps as a middle ground I could apply Rapid Release definitions to my own computer.
More and more antivirus vendors are going to the cloud or going to the community to provide intelligence on the validity of a file. As antivirus vendors take to the cloud, any staging/testing of virus definitions is only part of the equation. You can’t test the cloud in small groups.