Some major players in the email game are banding together to create a unified specification to attack domain spoofing.

While the prospect of less spam and phish clogging email systems should incite administrators to cry “hurrah”, the immediate prospects of that happening are dim.

The new spec is called DMARC—Domain-based Message Authentication, Reporting & Conformance. With DMARC, email powerhouses like Google, Microsoft, AOL and Yahoo hope to unify how they authenticate the origin of email messages.

For years, spammers and phishers have “spoofed” domain names to disguise the origin of their junk mail. That allows them to slip by spam filters, as well as mount phishing attacks on unsuspecting targets.

DMARC is designed to make two existing email authentication methods—SPF and DKIM—more effective.

The Sender Policy Framework (SPF) authenticates where an email originates by comparing its IP address to a list of valid IP addresses submitted by the domain owner to the Domain Name System. If a message arrives at a mail exchange saying it’s from a certain domain, but the IP address where it came from doesn’t correspond to the addresses in the SPF record for that domain, the message is bounced.

DomainKeys Identified Mail (DKIM) insures a message’s origin by attaching a cryptographic digital signature to it that associates a message to a domain. That signature can be reviewed at any point in the message’s path to its destination.

When it gets to its destination, the receiving system can determine what to do with the message based on the reputation of the signature’s owner. If the owner has a good reputation, it will probably deliver the message without a lot of hassle. If a reputation is tarnished, closer scrutiny of the message may be in order.

The problem with these schemes is that everyone doesn’t use them. In addition, those organizations that do use them, tend to be in silos. Users of SPF don’t use DKIM, and vice versa. DMARC is designed to address that problem.

Since DMARC is predicated on those existing schemes, its effectiveness is questionable. That’s because users of SPF and DKIM have been reluctant to fully trust the schemes to identify malmail. That means they’re not ready to tell a recipient system to reject all mail that doesn’t jibe with policy rules set forth in an SPF record or with a DKIM signature.

Some elements of DMARC are designed to help build trust in SPF and DKIM. For instance, it allows a recipient to report to a sender that a message was found to be out-of-policy, whether it was delivered or not. That allows sender to evaluate what would happen if they go “whole hog” and require all out-of-policy messages to be trashed.

It also allows policy rules to be applied to a subset of cases. That, too, permits senders to tweak a scheme before applying it to all its mail across the Internet.

However, to make a dent in malmail, widespread adoption of SPF and DKIM would have to occur. That’s a tall order. It means thousands of organizations will have to modify their email systems to accommodate the schemes—something that won’t happen overnight, or even in a decade or two.

Malmail Fighters Get on Same Page with DMARC

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Administrators confident about the safety of their data encrypted on company laptops should start squirming if a recent court decision passes muster in the United States.

The case involves a Colorado woman who has been ordered to open the encrypted drives on her laptop for federal investigators.

Unlike the cops on television shows and movies, who always seem to have a computer wizard on hand to decrypt a hard drive or crack a password, law enforcement authorities in Colorado, stymied by the encryption on a notebook in the possession of Romona Fricosu, simply went to a judge and asked him to order her to type in her password so they could see what was in the encrypted files.

In arguing against opening the files, Fricosu claimed doing so would violate her civil rights, in particular her Fifth Amendment rights against self-incrimination. Her reasoning was that the government, by forcing her to give up her password for decrypting the drive, were forcing her to incriminate herself if there were anything on the drive tying her to their criminal investigation of a mortgage scam. They believe Friscou is involved the scam that defrauded banks in the Colorado Springs area of some $900,000.

Federal District Court Judge Robert Blackburn didn’t buy that argument. Fricosu might be self-incriminating  herself if she were being asked to utter the password to the files or to give it to the investigators in some other way. However, she was only being asked to type in the password.

The government said it wasn’t interested in knowing what the password was. In fact, it said Fricosu could type the password into the laptop without any government operatives hovering over her. For that reason, the password could be treated like a key is treated in the physical world. Since the courts have ruled that the government can compel someone to give it the key to a safe or other repository of potential evidence in a case, Judge Robinson reasoned, it can compel Fricosu to type in her password.

Although the Fricosu case will be appealed and isn’t settled in law yet, it should give administrators some food for thought. It’s not that far of a stretch, for instance, from treating a password for decrypting files  as a key to treating passwords to anything that way.

That can have broad implications for your data’s security should you ever have to lock horn with any government for any reason. While Fricosu was involved in a criminal matter, the logic underlying the case could be extended to non-criminal government activity such as tax audits or compliance reviews.

With that in mind, should alternatives to passwords be considered? For example, if voice recognition were used to replace passwords, then the “utterance” test might be met and your data might be better protected against intrusive legal searches. Then there’s the question of whether other biometric solutions used for authentication are as legally vulnerable as simple passwords. If a retina has to be supplied to open a laptop, is that a potential act of incrimination?

One thing administrators should take away from the Fricosu decision, should it be upheld by the appellate courts, is that their passwords and the passwords of their organization’s users aren’t as safe as they as they used to be—and neither is anything that can be decrypted with a password.

Government Can Force You to Decrypt Your Data

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Google recently hung a ‘going out of business’ sign on its Message Continuity service for users of Microsoft Exchange. Google will continue to provide the service to its users until their contracts run out, but after that, they’re on their own.

Since the service was launched a little over a year ago, “hundreds” of businesses have subscribed to the offering, which uses Google’s cloud to provide email continuity when a Microsoft Exchange environment is interrupted for any reason.

Hundreds of users, though, can’t compete with the “millions” of businesses that have moved their entire email operation to Google Apps, so Searchzilla has decided to scrap its continuity product for Exchange  and concentrate all its resources on its application suite.

Current users of the continuity product were “encouraged to consider using Google Apps as their primary messaging and collaboration platform” in a company blog written by Vice President of Product Management Dave Girouard.

The brusque departure by Google from the Exchange disaster recovery scene contrasts sharply with how it entered it:

“Google Message Continuity advances our commitment to providing rapidly deployed, cost-effective email management solutions for organizations of all sizes,” Enterprise Product Manager Matthew O’Connor wrote when the continuity product was announced.

Looking back on the announcement, it appears that Google’s “commitment” to the Exchange market was as solid as an adolescent’s commitment to the latest fad.

That’s not to say that Google’s intentions in offering an Exchange product weren’t clear from the start for careful readers of the company’s pronouncements. “Additionally, for organizations interested in eventually moving to Google Apps, Google Message Continuity can provide a smooth bridge to the cloud,” O’Connor slyly observed in his blog item.

O’Connor’s colleague, Rajen Sheth, the group product manager for Google Apps had a similar pitch at the time:

“Google Message Continuity can also help organizations transition to Google Apps down the road,” he wrote. “Since Microsoft Exchange and Gmail are always in sync with one another, there’s no need to migrate email data when eventually deploying Google Apps.”

Little did those who signed on for Google’s continuity solution realize when they did so that if they didn’t “transition” to Google Apps fast enough to suit the Ferret King, they’d be left looking for another business interruption solution within a year’s time.

Google has been criticized in the past for its flighty attitude toward product development. Some detractors maintain that Google often enters markets to be disruptive, not competitive. Like a sea gull boss, it will undercut competitors in a market and when things don’t work, abandon that market, leaving customers who had faith in the Google brand to clean up the mess.

That kind of product management may work with consumers, but it leaves something to be desired in the business world. Google’s competitor in the enterprise market, Microsoft, knows that. While the Redmond crew have suffered a few slings and arrows for sticking with products too long, their commitment to legacy products has been an important, if sometimes overlooked, part of their success in the business market.

Google’s forsaking of Message Continuity brings to mind some remarks by Microsoft Senior Director of Online Services Tom Rizzo in his famous “Google Graveyard Spooks Customers” blog written on Halloween last year:

“Google releases experimental products and tracks adoption to determine whether to continue providing them,” he wrote. “Its products are like spaghetti, Google throws them up against the wall to see if they stick.”

“The burials of de-supported products are more examples of what is convenient for Google and not good for business,” he added.

Google Deserts Exchange Users by Killing Message Continuity

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Gates: Momentous security memo

For computer security experts, January 15 marked the anniversary of a red letter day. It was the 10th anniversary of the day that Microsoft decided to get serious about security.

On that day in 2002, a memo from Bill Gates to Microsoft employees declared the company would be entering a new era, an era of “Trustworthy Computing.”

“In the past,” Gates wrote, “we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software.”

“So now,” he continued, “when we face a choice between adding features and resolving security issues, we need to choose security.”

Gates’ commitment to security came when the Windows world was reeling from two monster malware attacks from the previous year Code Red and Nimda. Code Red exploited buffer overflows to attack Internet Information Services (ISS) running under Windows Server. It infected an estimated 300,000 PCs.

Unlike Code Red, Nimda was a worm that used multiple attack vectors to rapidly infect computers connected to the Internet. The technique was extremely effective and within 22 minutes of its release on September 18, 2012, it became the most widespread malware in the world.

It’s with that backdrop that Gates emailed his memo to his employees. One group of workers was particularly glad to see their boss’s missive: the company’s malware fighters.

“It’s not an understatement that the memo felt, to me, like the arrival of Gandalf and Eomer at Helm’s Deep in the film The Lord of the Rings: The Two Towers at a moment of great despair; at last we were getting some relief and might survive” Christopher Budd, who worked on security issues for 10 years at Microsoft, wrote in Betanews.

“In a single movement, Gates enshrined security, privacy and reliability as central, aspirational ideals,” Budd observed. “Like all ideals, there have been better and worse times in realizing them, but their central importance was never open to question. That memo eliminated the resistance that made our work so hard and gave us the power to do the right thing for customers.”

Budd asserted that the memo gave the security and privacy factions in the company the power to stand toe-to-toe with those primarily concerned with revenue and growth. He wrote:

“In a way, it represents a statement of conscience for the company and we used it as such, with success.”

Since the memo was issued, Microsoft has made security an important part of its product development cycle. That’s led to security features like library randomization and BitLocker drive encryption in Windows 7 and Secure Boot, a way in Windows 8 to foil BIOS attacks. It has made Windows Server IIS as secure as its open source competitor, Apache, too.

It has also lifted Microsoft’s browser, Internet Explorer, from a security nightmare to one of the most secure ways to surf the Web today. A 2010 report from independent software tester NSS Labs found:

“Internet Explorer 9 was by far the best at protecting users against socially-engineered malware.”

Unfortunately, it’s hard to change a bad security reputation forged over many years and IE’s user share has fallen from its once dominant position of more than 90 percent to under 50 percent of all users.

Microsoft’s Trustworthy Computing Program Turns 10

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Gestures can replace passwords in Windows 8.

Why it has taken Microsoft so long to make password security more than an afterthought when it introduces a new operating system is anybody’s guess. Nevertheless, with Windows 8 it is making an effort to help users manage their passwords in an efficient and secure way.

Everyone has dozens of accounts they need for which they need to memorize passwords. Most people, though, only commit a few passwords to memory and just reuse them over and over again. A study in 2007, for example, found that the average Internet user had 25 accounts that required password access, but they only used six passwords to access their accounts.

Security pros decry the multiple use of passwords but there are plenty of sites on the web where if your password fell into the wrong hands, the consequences would be trivial. Reusing passwords for those sites should be acceptable. There are sites where unique passwords are a must, though, such as banking or credit card payment sites.

With Windows 8, Microsoft is addressing several nettlesome issues that discourage people from creating and using strong passwords. In the upcoming version of Windows, user names and passwords are stored in a secure location called the Credential Password Vault.

The latest version of Microsoft’s web browser, Internet Explorer 10, is designed to automatically access the Vault for your credential information, but other browsers and applications will eventually be able to access the area, too.

What’s more, if you have or obtain a Windows Live ID, you’ll be able to synchronize the Vaults across all your devices. Not only does that remove the annoying situation of trying to remember credentials for a site when you’re away from the device where you created those credentials, but it can provide a safety net should the password information on any one device be corrupted.

Synchronization appears to be pretty robust too. Microsoft says it can take place behind a firewall. However, websites can block the storage of credentials used to access them. Some banks do that. In that case, synchronization will not work because your credentials won’t be stored in your Vault.

Another intriguing aspect of the Credentials Password Vault is that it can also store security keys. Typically, those keys involve the use of hardware tokens to authenticate a person’s identity. The Vault, however, is designed to work with something called the Trusted Platform Module, which is being incorporated into more and more computers these days. The Vault and the Module, which acts as a virtual security token, can team up to perform the same function as token-based key pair system.

For tablets or computers with touchscreens, Windows 8 has an even neater password option. It allows you to take a photo of your choice and use it to access your slate by performing a series of gestures on it.

Although some security experts are skeptical of the method, and even Microsoft acknowledges that smudges on a screen could compromise the gesture password, the approach has the potential to be more secure than ordinary password schemes. Microsoft estimates that there are 398 trillion five gesture combinations that could be applied to a photo, compared to 182 million combinations for a five-character password and nine trillion combinations for an eight character one.

Windows 8 Offers New Password Features

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

BYOD can give administrators a headache.

More and more organizations are finding their employees using personal devices to access company data. Without some measure of control, those workers can create serious security problems for their employers.

As much as some administrators would like to block the use of personal devices in the workplace, that’s unlikely to happen for a number of reasons. For example, many employees are already using their own devices at work, as a recent survey by IDC shows. That poll found that 95 percent of workers use one personally purchased device on the job.

In addition, businesses are demanding more and more productivity from their workers, and that’s what they can get by allowing employees to use their own gadgets for work. One study by iPass, for instance, showed that employees using personal devices worked 240 more hours a year.

Not many companies would want to part with that kind of productivity, and they’re not going to, according to a Gartner analysis. To do so, that report noted, corporations will be embracing the practice by placing their apps on their workers’ devices. In fact, by 2014 Gartner predicts that 90 percent of all employee-owned devices will have corporate apps running on them.

Other cultural and technology trends are also making opposition to the Bring Your Own Device futile. Hardware makers are finding they need to produce products with a consumer bent if they want to stay in business.

Virtualization and cloud computing encourage access to corporate technology resources whenever worker wants to access them and with whatever they want to access them with.

Meanwhile, as the line between work and non-work becomes more and more obscure, the case for creating a clear line of demarcation between work and home devices becomes weaker and weaker.

To address issues created by the use of personal devices in the workplace, companies have begun to adopt BYOD policies. Before adopting such a policy, here are some questions an organization might want to consider.

• Should data be classified to determine what can and can’t be downloaded by personal devices?
• What happens to company data on a personal device when an employee leaves the company?
• What happens if a personal device is lost or stolen?
• Do personal devices need to be configured in any special way?
• How can an acceptable password policy be implemented on a personal device?
• What forms of encryption should be acceptable?
• What personal devices are acceptable for use with corporate resources?
• Should employees be allowed to jailbreak or root their devices, as doing that may make the device more susceptible to security risks.
• Should employees be required to sign the BYOD policy before they’re granted access to the company’s network?

Some of those questions were considered by Unisys when it formulated its BYOD policy. Among the requirements of that policy is that Unisys has the right to confiscate a device if it’s needed for litigation purposes.

That policy requires employees to accept a digital certificate to be installed on their personal device. It authenticates the device to Unisys’s systems, and it allows the company to analyze access behavior. Knowledge of that behavior can be used to identify abuse of access privileges.

The certificate gives an employee access to email and calendar functions on the system. Access to other functions can require additional authentication.

Another requirement of the policy, and one most administrators will find desirable, is the installation of a program on the device that enables all data to be remotely wiped on a unit that is lost or stolen.

What Should Be in Your BYOD Policy?

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Recently we wrote about how workers in the United Kingdom felt compelled to check their email at all times, even during holidays like Christmas. Those same kinds of pressures are felt across the Channel, too, in Germany, but some employers over there are relieving those pressures by turning off the email spigot.

The latest employer to do that is auto maker Volkswagen. The Kaiser of Fahrvergnügen cut a deal with its unions recently to shut-off outbound mail from its Blackberry servers to rank-and-file workers from one half hour after close of business to one half hour before office hours begin each day. The agreement doesn’t apply to managers and executives at the company.

At the height of their popularity, Blackberry smartphones were known as “crackberries” because of the addictive behavior of their users. They had to constantly get their email “fix”. Apparently, Volkswagen sees “crackberry” as more than just a jocular metaphor as far as the health of its workforce is concerned.

At the German consumer goods maker Henkel, a more short-term solution was adopted for the holiday season. It has declared the week between Christmas and New Year’s Day “Blackberry Free Week”—unless there is an emergency. Declared CEO Kasper Rorsted to the German newspaper Frankfurter Allgemeine Sonntagszeitung:

“I don’t want to have to read emails just because someone is bored somewhere and wants to show he’s busy.”

Last year, a similar tack was taken by the top brass at Deutsche Telekom, which owns T-Mobile in the United States. It instituted a “smart devices policy” for its workers. The policy calls for employees to claim some time off from their devices. Management also pledged not to call workers or expect them to read email after business hours.

Such a policy, though, doesn’t seem destined for success. After all, most UK workers aren’t required to check email, either. That doesn’t stop them from doing it. If a company is serious about creating a healthy separation between work and home, then shutting off email, as Volkswagen is doing, is a more effective approach.

It’s evident that these German companies are reacting to two worldwide trends. First, there’s the growing use of smartphones, which are far more addictive than conventional cellphones—and not just because you can check email more easily with them. A typical smartphone user loads their device up with apps that continually beckon them to check their phone.

The other trend is the rising amount of burnout among workers. In Germany alone it’s estimated that 10 million sick days a year can be attributed to employee burnout.

While the relentless pressure to do more with less, which was rampant before the great economic collapse and has become worse since, is a significant contributor to burn-out, so, too, is the inability to cut the cord to the office. One recent poll showed that 88 percent of German workers make themselves available after office hours to bosses, colleagues and clients. That’s a 15 percent increase over what it was two years ago.

Today, email administrators concentrate much of their time on making sure mail arrives where it should in a timely manner. In the future, they may have to make sure it doesn’t arrive at all during some hours.

Volkswagen Shuts Off Email Servers After Business Hours

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Despite the claims of one CEO of a major global high tech company, many workers believe their internal email is important enough to scrutinize when they should be kicking back and being jolly during the holiday season.

In a poll of some 1000 people with full-time jobs in the United Kingdom, surveyors found that nearly half of the workers (46 percent) intend to check their office email either frequently (15 percent) or intermittently (31 percent) during yuletide. About a third of the sample (34 percent) said they’d totally resist the temptation to check their email during their stay at home during the festive period.

Younger workers (18-24 year olds) were more likely to check their email during the holidays that older ones (50 years old or older), according to the survey conducted by OnePoll and sponsored by SecurEnvoy, a firm specializing in two-factor authentication without tokens.

While 21 percent of the respondents said that there was no expectation or compulsion by their employers to have them check emails while at home, 20 percent felt they’d be at a competitive disadvantage at the office if they failed to do so. Nevertheless, nearly half (46 percent) of the respondents told the pollsters that if they were contacted by their employer during the holidays, they’d be “very angry” (28 percent) or “really annoyed” (18 percent).

No doubt, along with any office nuggets in their inboxes, employees will find one of these scams making the rounds right now:

• Offers for free screen savers never seem to lose their appeal to scammers or their allure to victims, who want to give their computer displays a festive look during the holidays.
• Gift cards have become popular with gift givers, as well as with Net grifters. Typically, they’ll offer a gift card from a popular store at a discount. That’s because the card has been stolen or is bogus. Gift cards are best purchased directly from the store that issues them.
• An assortment of deals, special offers and discounts tied to the season. While these may have the appearance of legitimacy—scammers have become very adept at mimicking the official mail of banks, retailers and such—these missives usually contain malicious links aimed at conning personal information from a target or infecting their computer or smartphone with malware.

While many workers are thinking of checking email during the holiday out of a concern, either real or imagined, for keeping their jobs, few are thinking about protecting themselves or their companies from cyber criminals. Nearly half (46 percent) of the survey sample polled by OnePoll admitted that they don’t use any kind of security on their mobile phones, not even a simple personal information number (PIN), even though they acknowledged that they’d be reading emails on them that could include sensitive information and unencrypted documents.

“If you’re accessing the corporate network to retrieve emails, using a password or hardware token that’s left next to your PC just isn’t adequate,” warned SecurEnvoy CTO Andy Kemshall. “Should Santa, his elves or someone a little more sinister drop by and liberate you of your token or copy your password, they could be stealing vast amounts of critical company data,”

Cell phones can be a great alternative to passwords and custom tokens for accessing corporate systems because unlike custom tokens, most people always keep their phones with them and are diligent about keeping tabs on them. They’re even a better alternative if access to them is protected by a PIN or password.

Santa Checks His List; Everyone Else Their Email

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

There’s an appealing logic to the notion that as technologies focused on a problem improve, the problem will diminish. That’s not always the case, however, and it may not be so when it comes to plugging email leaks.

Technologies don’t develop in bubbles. While improvements in Data Loss Prevention (DLP) technology are advancing, so are other technologies, technologies and trends that can offset or undermine those improvements.

“You might think the constant progress of technology means more innovative DLP methods will be coming down the pike to prevent sensitive data from being leaked through email and other communications channels,” security expert Jim Rapoza wrote in a white paper published recently by InformationWeek Reports. “But technology is advancing in ways that will make preventing data loss a much tougher task.”

One trend that will make controlling data leaks through email harder than ever is the use of consumer technology in the workplace.

“Many companies are increasingly dealing with the demands of employees (and upper management) who want to use their own devices for business tasks,” he wrote.

“This lets workers take advantage of the latest smartphones and tablets—systems that are likely generations newer than the company could provide—but also adds considerable management headaches, especially in terms of security,” he explained.

Even for administrators who can persuade the brass in their organizations that consumer devices should be kept out of the workplace, enforcing that policy may be more trouble than it’s worth.

“You can ban these devices from your company,” Rapoza wrote, “but chances are good that employees will use them anyway—which only increases the possibility of data leakage.”

As Rapoza explained in his paper, there are a number of ways to control data loss through email, although they can be undermined by the introduction of consumer devices into the office.

For example, encryption can be used to ensure that only the sender and recipient of a message can read it. A drawback to encryption, though, is that a sender and recipient have to coordinate their efforts on a message. That can be cumbersome, although there are systems that automatically manage the exchange of encrypted email within an organization.

Rights management is another way to prevent leakage. It allows rules to be imposed on how a message can be shared, viewed or distributed. You can prohibit a message from being forwarded to someone or shut off “reply to all”. You could bar the message from being sent to an external email address, too. The problem is that rights management may not work on some personal devices brought into work by employees.

Email gateways are another means of staunching leakage. Since they analyze email traffic, consumer devices don’t pose a problem to them. Gateways can be set up to look for content—words, phrases, attachments—that flag errant emails. One drawback to gateways, though, is false positives, which can be annoying to both administrators and their flocks.

And for organizations that need the full metal jacket treatment to prevent leaks, there are Full DLP systems, which combine encryption, rights management and gateways with network and storage policy management and next generation firewalls. That kind of protection is typically priced at six-figures and is costly to maintain on an annual basis to boot.

Plugging Email Leaks Becoming Tougher Than Ever

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Some $87 billion in wasted time a year could be saved in the United Kingdom alone simply by enforcing  better email management by corporate directors and senior managers.

That’s the conclusion reached by a U.K.-based training company after its surveyors discovered that directors and managers waste an hour a day on their jobs because they manage their email poorly.

The estimate from the study conducted by training company Emailogic is based on an average director making $140,000 a year and there being some 4.5 million private companies in the United Kingdom.

An hour may not sound like much, but that’s 20 hours a month, or half a work week, that could be used to increase a highly paid individual’s productivity and further fatten a company’s bottom line.

“This is highly significant because it is 20 hours per month of senior executive time—this is key personnel time being lost every day and will be having real impact on business productivity,” Emailogic Managing Director Marc Powell.

The survey was based on a study of 115 senior managers, directors and partners from a variety of industries—pharmaceuticals, banking, law and retail. Based on a comparison between the time spent by the executives on email before and after they completed their email management training, the surveyors found that they saved 59 minutes a day from their email regimen.

One of the tips that email management trainers give their students is to avoid checking their inboxes every time a new message arrives. Doing that, they contend, creates productivity leaching interruptions. They recommend turning off all audio alarms—no more “You’ve got mail!”­—and checking mail at defined intervals.

From Emailogic’s survey findings, the study participants took that tip to heart because, as a whole, they were checking their inboxes 39 percent less often after finishing their training.

More advice offered to the execs was to let people know when they send you a copy of information that you don’t need and to write clear and meaningful subject lines.

That advice, too, appears to have been embraced by the execs because they told surveyors that irrelevant emails in their inboxes had been reduced by 22.5 percent and the amount of email in those inboxes had fallen by 33 percent.

An added benefit of those reductions in email, the surveyors maintained, was the ability by the execs to keep the list of messages in their inbox confined to a single screen. That gave them a feeling of greater control of their inboxes and changed their attitudes toward email which, prior to taking the management training, they described in a number of unflattering ways, including irritating, love/hate, frustrating, overwhelming and horribly addictive.

While the training may have made the execs more efficient in using email, it may have encouraged inefficiencies in other areas. For instance, the execs reported that they were using their phones more often. That doesn’t sound like a more efficient use of time to many of us.

Without a doubt, Emailogic’s survey is self-serving—after all, they’re in the business of email management training—but that doesn’t make their findings any less revealing or recommendations less useful. If execs want to take their email management training to the next level, however, they may want to rethink their view of email, from looking at it as merely a communication tool and transforming it into a productivity tool, as Jeff Orloff outlined in his blog item here last month.

Better Email Management can Save Companies $87 Billion a Year

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

As the end of November draws near, anticipation is building that Service Pack 2 for Exchange 2010, which was announced in May, will finally be released. Given Microsoft’s track record with the last two roll-up updates for the software, you really can’t blame Redmond for being extra careful with this service pack.

Although originally expected to make it out the door at the end of October, it appears that the new deadline for the service pack is sometime next week, if Microsoft’s general manager for Exchange, Kevin Allison is to be believed.

At a trade show earlier this month, Allison fudged the issue of the missed deadline by saying that Microsoft had always intended to release SP2 for Exchange sometime in the fourth quarter. Of course, that gives the company all the way to December 31 to let the update into the wild, but he appeared confident that release would come by early December at the latest.

Allison told show attendees that Microsoft considered it critical that SP2 be as bug free as possible, and it was paying particular attention to quality with this release. That sort of begs the question, though, are there updates where the company doesn’t pay particular attention to quality?

Certainly flaws in quality control came to light during the embarrassing releases of two Roll-Up Updates earlier this year, RU3 and RU4. As might be expected, much of Microsoft’s quality control is automated. For example, the code for Exchange is subjected to a suite of well over 100,000 automated tests. In addition to those tests, there’s some manual validation. None of that testing, though, caught the bugs in the two Roll-Ups.

Those muffs could leave a casual observer scratching their heads. In RU3, for example, Blackberry smartphone users found themselves receiving an extra copy of their messages. Even if a flaw like that bypassed the automated tests, you’d think that one of the manual testers with a Blackberry would have discovered the problem. Maybe all the testers were using only handsets running Windows Mobile 7.

The RU4 gaffe was equally puzzling. When users moved or copied a public folder, they found the contents of folder had disappeared. In fact, the contents hadn’t disappeared. It had merely be shipped to the Recoverable Items folder. While it’s well known that Microsoft frowns on the use of public folders, still, not one tester tried to copy or move such a folder during the testing regimen?

Service Pack 2 for Exchange 2010 will have some nice new features. Corporate users without a smartphone will find accessing Outlook via a web easier with OWA Mini. Double logins to OWA will be eliminated for some users with cross-site silent redirections. Hybrid configurations that support local and cloud deployments can be set up. And segmented address books, which can be managed directly from the Exchange Management Console, will be added to the software.

Nevertheless, it remains to be seen what effect past missteps by Microsoft will have on how rapidly SP2 is adopted by the Exchange 2010 community. Despite Redmond’s pledge that it has beefed up its quality assurance on this update, there’s no substitute for testing, testing, and more testing before any organizations fully deploys the update.

Microsoft Exchange 2010 SP2 is Coming Soon

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Microsoft Exchange 2010 was first introduced two years ago. While adoption was initially slow, despite Microsoft’s aggressive efforts to spur rapid adoption, it seems that companies are finally starting to see the benefits of the software and ready to migrate to it in a big way.

According to a recent independent survey of some 500 IT decision makers, more than three-quarters of them (77 percent) said they expected to migrate to Exchange 2010 or Office 365 in the next two years. If that happens, that means hundreds of thousands of businesses will be embracing the software in the next 24 months.

There are many reasons why the migration to Exchange 2010 has become a stampede. Two of the top rationales are new features (57 percent), which includes better support for mobile devices, and easier administration (50 percent). Also high on the list of migration motivators were security (49 percent), larger mailboxes (49 percent), improved storage options (48 percent), and improved web access (46 percent), the survey said.

Also, to some extent  companies’ enthusiasm to migrate is being fired by a recognition of the increased role email is playing to business success. Not only does Exchange 2010 offer better handling of email while imposing less of a burden on harried IT personnel, but it can do it at a lower cost.

According to a recent report in The Independent, email is far more effective in converting eyeballs into cash than any other web medium. 25 percent of people who open an email in a sales campaign will be converted into a buyer, the publication reported. That’s far and away higher than conversions from clicking on links (10 percent) and website visitations (2 percent).

As important as email is to a successful business, it can be costly to store and archive, which must be done for compliance as well as business reasons. Companies that have clung to older versions of Exchange are finding that the storage options offered by Exchange 2010—most notably the ability to swap out expensive SAN architecture for low cost SATA drives—can save them barrels of money. For instance, storage and archiving costs for an Exchange 2003 deployment can be 40 percent higher compared to what they cost with Exchange 2010.

There are productivity costs associated with older Exchange deployments too, especially because they don’t have the robust support of Exchange 2010 for the web and mobile platforms, the independent reported.

Another factor contributing to the step-up in Exchange 2010 adoption is its unique position as a bridge to the cloud. As the high-tech research firm Gartner has pointed out in the past,

“Exchange 2010 represents both the beginning of the end of the premises-based email era, and the dawn of the cloud-based email era.”

The strategy adopted by Microsoft for Exchange 2010 could pay off big for the company as it faces a growing number of competitors trying to capture a piece of its Exchange business.

“With several low-cost competitors snapping at its heels,” observed one technology commentator, “Microsoft’s hybrid strategy is a win-win one as it allows the company to protect its customer base in the on-premise model—while simultaneously giving customers the choice to migrate to a new cloud-based model.”

Migration to Exchange 2010 Becoming a Stampede

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Organizations that want to see that their employees have the tools to get their jobs done often allow them to use their own devices to do it. While that policy can set the teeth of many administrators on edge, it’s fast becoming a fact of life in the workplace.

One of the prime culprits behind the popularity of BYOD—Bring Your Own Device—is Apple’s iPhone. Not only did it become a favorite among the rank and file workers in many companies, but also among the top brass in many of them, too. That made it difficult for IT departments to keep the smartphones from invading their domains.

Now all kinds of smartphones are slipping by the door, many of them ill-suited for a corporate environment. They can be insecure. They can also be a headache to support. The iPhone, though, while conceived as a consumer device, has an edge on its competitors in an enterprise environment. That’s why administrators should be in Apple’s corner when the BYOD wave breaks over their organizations.

Granted, Research In Motion’s Blackberry smartphones are among the most secure in the world, which is why they’re the favorites of law enforcement, military and intelligence agencies, but RIM hasn’t been able to keep up with the technology breakthroughs made by its competitors, like Apple and Google, so it has been losing its adherents even in corporate markets where it was a darling for many years. A recent outage where some customers lost Blackberry service for up to three days hasn’t helped the platform’s image either.

One of the iPhone’s strongest suits is its robust support of Microsoft Exchange ActiveSync policies. In fact, outside of phones that run Windows Mobile, which are dwindling since Microsoft moved to its Windows Phone 7 platform, the iPhone supports more ActiveSync policies than any other mobile.

The iPhone ecosystem is also built to make recovering a phone’s contents, as well as moving its contents to a new phone, easy. Apple’s new iCloud service automatically backs up a phone’s apps and data to the cloud. In addition, iTunes, the software used to sync a phone with another computer, keeps a copy of a phone’s contents locally.

The iPhone’s support of ActiveSync compares starkly with Android smartphones, where VPN connections are hampered by no support of PEAP-secured WiFi in versions 2.x and 3.x of the operating system. In addition, on-device encryption and complex passwords are unsupported by 2.x.

Some administrators, though, are less concerned about security with all these alien devices than with providing support for them. That’s where the iPhone can really shine. Its intuitive interface makes it not only easy for its operators to use, but for support people to troubleshoot.

A study released during the summer, for instance, showed that it costs, on average, $4 more per person to support an Android or Blackberry user than its costs to support an iPhone operator. One of the biggest factors contributing to those increased costs was support call referrals.

Support organizations are usually organized into levels. If one level can’t solve a caller’s problem, it booted to another level staffed with more expertise. What the study found was that 37 percent of Blackberry support calls had to be referred to another agent. For Android calls, it was far worse: 77 percent.

So administrators, when BYOD starts invading your bailiwick, you may want to become a cheerleader for the iPhone, not only because it’s more secure, but a lot easier to support.

Why the iPhone should be the BYOD of choice for administrators

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Most email administrators don’t have celebrities like Scarlett Johansson on their networks, but that doesn’t mean they don’t host some pretty juicy targets for cyber robbers.

Hollywood hotties can grab headlines for a hacker, but anyone in a corporation’s chain of command whose identity can be compromised and exploited to filch trade secrets, bank account numbers, and the like, is just as worthy a target for crackers, if not more so. After all, exposing some embarrassing pix about a starlet may earn a hacker some fame, but cajoling bank account credentials from a “suit” can earn him a fortune.

While an Internet invader attacking a corporate network hunts different quarry than one focused on entertainers, their trade craft works in both realms. That was apparent in a presentation made by the Assistant Director in Charge of the FBI’s Los Angeles Field Office when he announced the capture of the infamous “Hollywood Hacker” earlier this month.

The alleged hacker, Christopher Cheney, 35 of Jacksonville, Fla. used a brew of online searching, social engineering and account manipulation to break into the email accounts of Scarlett Johansson and Christina Aguilera and posting information from them, including nude pictures of Johansson, on the Internet.

In his presentation to reporters, U.S. Attorney Steven Martinez displayed a chart titled “Operation Hackerazzi: Anatomy of a Hack” that broke down the steps used by Cheney to crack the accounts of more than 50 victims.

The hacker started his campaign by gathering information about his prey from online public sources. Although the government didn’t identify those sources, they are, no doubt, the same sources any miscreant would consult to obtain that kind of info on someone in any organization—Facebook, LinkedIn and online forums.

Using the information garnered from the Internet, the hacker then breached his target’s email account. Again, the government was stingy with details, but the information was probably used to craft a social engineering pitch—some kind of persuasive phishing message, for example—or a direct attack on an account, using the information to guess the subject’s password.

Once an account was breached, the hacker locked out the account’s owner by changing their password. That gave the hacker unfettered control of the account for a short period of time. During that time, he could communicate with the contacts in the target’s address book without the account holder knowing about it. He could also mine the target’s files for nuggets of information. In Cheney’s case those nuggets were risqué personal pics of celebrities, but in corporate environments, it would be contracts, strategy memos, new product specs, and the like.

After discovering that their passwords no longer worked, targets reset them. Did the temporary lockout set off any alarms in their minds? Maybe, but most likely they just considered it a computer glitch and went on their merry way, until the material clipped from their accounts started appealing on the Internet.

What’s more, the hacker planned for the inevitable repossession of the account by its owner. He accessed the account settings while in possession of it and modified them so all email was forwarded to one of his email accounts. In that way, he could still monitor what was happening in the account.

Meanwhile, the hacker took the contact information stolen from the account to harvest new targets.

What lessons can you learn from the “Hollywood Hacker?” Here are a few:

• Create secure passwords and don’t share them with anyone no matter how persuasive their reasons may be for knowing them.
• Create secure challenge questions—ones with answers that can’t be discovered on the public Internet.
• Do not use the same password for multiple accounts because discovering one can tip over all your accounts like a house of cards.
• Periodically check your mail account settings and sent mail items for suspicious activity.
• Don’t store sensitive information on a smartphone or computer unless it’s encrypted.

Assistant Director in Charge of the FBI's Los Angeles Field Office

Lessons Email Administrators Can Learn from ‘Hollywood Hacker’ Bust

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Whenever a new cool technology is introduced into a consumer smartphone, for every “wow” it sparks from an early adopter, an “ouch” is elicited from a system administrator. That appears to be the case with Siri, the “personal assistant” in the latest model of Apple’s iPhone, the 4S.

The 4S was introduced on October 5 and has proven to be extremely popular, with four million units sold during the first weekend it was available to consumers. Some of those consumers, however, are going to find that their shiny new toys are going to be mobilis non gratus when they try to connect them to their corporate networks. That’s because some organizations consider the smartphones a security risk.

At the root of the problem is Siri. It allows you to use your voice to issue commands and posit queries to the phone. For instance, you can say, “Where can I eat pizza around here?” And Siri will respond with a map with nearby pizza joints tagged on it. Or, without any training, you can ask it to call someone from your address book while you’re driving your car so you don’t have to touch the phone.

Sounds cool, doesn’t it? It’s so cool that Apple couldn’t resist turning the feature on by default. So when you take the 4S out of the box, Siri is on when you power up the mobile. What’s worse—and the real rub for administrators—is that Siri continues working even when the phone is locked with a password.

Ordinarily, when an iPhone is password protected, when you turn the phone on, a lock out screen appears. To get past that screen, you need to enter your password. With Siri activated, though, the lock out screen appears, but you can still give the phone voice commands. You can send email and text messages. You can access the phone’s address book and calendar. And you can make phone calls.

The only thing you can’t do is search the Net. Try to do that and Siri’s female voice will inform you that she will not ferret the Web when the phone is locked.

While Apple wasn’t about to disable a shining achievement like Siri from an out-of-the-box 4S, doing so is pretty easy. You drill down through settings>general>passcode lock and turn off “allow access to Siri when locked with a passcode.” That, though, reduces the utility of the phone, since part of Siri’s value is it allows you to perform functions with the phone without touching it. If you have to type in a pass code, you’ll definitely have to touch it.

However, the fact that Siri can be turned off is irrelevant to administrators. That’s because they need to compel devices that connect to their networks to be password protected. If a phone full of corporate secrets is lost or stolen, they don’t want to be wondering if it was password protected or not.

That’s not the case with the iPhone 4S. An administrator can never know when or if Siri’s passcode override has been turned off by a user. The possibility will always be lurking that Siri will be used to compromise an errant phone. Until administrators can access a phone’s Siri settings, the way they can access passcode settings through the Microsoft Exchange interface Apple supplies with its iPhones, the 4S will remain a pariah in many security-conscious organizations.

iPhone’s Siri Could Pose Threat to Email Security

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Have you checked the spam flowing into your organization lately? Microsoft has, and it has reported its findings in its Security Intelligence Report for the first half of this year.

The report, which is based data collected from 600 million computers worldwide, noted that pharmacy spam remains a favorite of junk emailers. An analysis of telemetry data from Microsoft customers who process tens of billions of messages a month using the company’s Forefront Online Protection for Exchange (FOPE) shows that 28 percent of all spam is non-sexual pharmacy junk. By comparison, sexual pharma spam is at the low end of the spectrum at 3.1 percent.

Behind pharma junk are non-pharmacy product ads (17.2 percent), 419 or “Nigerian” scams (13.2 percent), financial services (8.9 percent) and gambling (6.1 percent).

In the past, the report noted, some spammers tried to evade content filters by sending messages composed entirely of one or more images. This tactic appears to be losing favor among junko artists, as only 3.1 percent of the spam blocked by FOPE during the first half of the year was image spam, compared to 8.7 percent in 2010.

Microsoft researchers also found fewer “spikes” in spam activity during the period than in the past. Typically, volumes for a spam category spike as junksters mount short-lived, large-scale campaigns for it. Month to month volume changes were much more gradual during the first half of 2011, they discovered, except in one category: fraudulent university diplomas. That’s usually a very low volume type of spam, but in February it spiked to four percent of all spam. A similar spike occurred around the same time in 2010.

While the kind of junk spammers are flinging at organizations remains similar to the past, the amount of it has decreased significantly, according to Microsoft. From July 2010 to May 2011, the amount of spam blocked by FOPE plummeted from 89.2 billion to 21.9 billion messages. Microsoft attributed the volume declines to two botnet takedowns: Cutwail, in August 2010, and Rustock, in March 2011. “The magnitude of this decrease suggests that coordinated takedown efforts such as the ones directed at Cutwail and Rustock can have a positive effect on improving the health of the email ecosystem”, its report said.

FOPE is stopping most spam at the perimeter of the organization’s using it, the report noted, which frees up resources that would be consumed by more-intensive anti-spam methods. From 85 to 95 percent of incoming messages are blocked at the network edge each month, while the remaining five to 15 percent must have content-based rules applied to them. However, over the last year, the report showed the amount of edge blocked spam steadily declining, from 95 percent in July 2010 to around 85 percent in June 2011.

Much of the world’s spam is delivered through botnets, networks of compromised computers that respond to spammers’ commands remotely. During the first half of the year, Microsoft researchers found some interesting jockeying for position among the nations hosting spambot IP addresses.

While India remained at the top of the heap, with around 11 percent of all spambot IP addresses, and Russia remained strong with around a 7.7 percent share, some newcomers broke into the top five ranks from the first to second quarter of the year. Korea, for instance went from a 2.9 percent share to 8.4 percent to claim second place. Meanwhile, Vietnam jumped from four percent to 7.3 percent and Indonesia increased from 2.4 percent to 5.6 percent.

What Spam Is in Your Inbox? Microsoft Breaks it Down

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

When the U.S. CAN SPAM Act was passed eight years ago, critics of the measure doubted it would put a dent in the flow of Internet junk mail. They were right, but few would have predicted that many spammers would use the law as a subterfuge for their pesky activities. They do that with “snowshoe spam.”

It’s called that because it exploits the principal used by snowshoes to prevent their wearer from sinking into deep snow. They do that by distributing a walker’s weight over a larger area of snow. Snowshoe spam keeps junk e-mail from being sunk by a system’s spam defenses by spreading the spew across multiple IP addresses.

That can be particularly effective against an email system’s volume filters. Those filters monitor the origin of email. If a large volume of email with the same content is coming from an IP address, those filters will start blocking the email and treat it as spam. By using multiple IP addresses, spammers can keep the volumes on any single IP address low enough to submarine the thresholds used by the volume filters.

Another distinctive feature of snowshoe spam is that it’s designed to appear to conform to CAN SPAM, the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003. That act requires email marketers to include an unsubscribe mechanism and a postal address in their solicitations, as well as bars the use of forged headers and requires messages to be sent from a marketer’s own network.

Spammers have found is easy to “game” the law, however. They include unsubscribe links, as the law prescribes. Some, though, have the links lead to virtual dead letter boxes on the Internet where they can be ignored. Most honor the links, however, because they know very few people will use them. That’s because most organizations advise their employees not to respond to such links. Doing so, they warn, verifies an email address to a spammer, making it more valuable to them.

They include postal addresses in their spam, too. Those are usually post office boxes, which allow the spammers to preserve their anonymity.

They meet the other requirements in the law by registering hundreds or thousands of static domains. That gives their messages true headers but the domains can be easily disposed of. They also lease hundreds of IP addresses to meet the “own your network” requirement. That also allows them to move from one range of IP addresses to another should a range be blocked by spamfighters.

Unlike illegal spammers, who distribute malware and pedal black market prescription drugs with their junk mail, snowshoe spammers tend to make their money from affiliate programs where they’re paid on a pay per click or pay per action basis.

In recent months, some large illegal spam operations have been taken down by law enforcement authorities. Earlier this year, for example, Microsoft and U.S. Marshals took down the Rustock network, which at the height of its operation infected 1.6 million computers worldwide and gorged the Net with 30 billion spam messages a day. And in April, the FBI began dismantling the Coreflood botnet, which had infected 2.3 million PCs.

While those high visibility raids appear to have an impact on worldwide spam levels—cbl.abuse.com reports that spam volumes have dropped from 2800 messages per second in October 2010 to 800 a second in September 2011—snowshoe spam levels continue to climb and will continue to do until CAN SPAM is amended to address the problem.

Junk Mail Law Contributes to Expansion of ‘Snowshoe Spam’

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

If there’s one rule that’s been drummed into the heads of all email users, it’s “don’t open executable files in email attachments.” But what if an email recipient doesn’t know they’re opening an executable file because its name has been cleverly disguised using Unicode?

Unicode is an international standard used to create a unique number for every character used by computers regardless of program, platform or language.

Its 109,000 characters, though, contain more than just letters from the alphabets of the world. It includes control characters, too. One of those characters can switch the direction at which a computer reads text. That can be valuable when a processor has to deal with languages like Hebrew and Arabic that read right to left or, as malware artists have discovered, when someone wants to camouflage a file name.

Those felonious fellows have found that inserting the right-to-left override character (U+202e) at a strategic point in a file name can mask its malevolent potential. What’s more, not only does it hide that potential from the recipient of the email carrying the pernicious payload, but it hides it from email filters, too.

This tactic isn’t new. In 2009, the Mozilla Foundation issued an advisory on the subject.

“When downloading a file containing a right-to-left override character (RTL) in the file name, the name displayed in the dialog title bar conflicts with the name of the file shown in the dialog body,” wrote Mozilla security researchers Jesse Ruderman and Sid Stamm.

“An attacker could use this vulnerability to obfuscate the name and file extension of a file to be downloaded and opened, potentially causing a user to run an executable file when they expected to open a non-executable file,” they explained.

About a year after Mozilla issued its advisory, a security firm identified the tactic being used to disguise executable files attached to billions of messages from spammers. But when those spam outbreaks occurred once every 10 to 14 days, recent activity sends spam blasts out as frequently as three times a day.

Hidden in many of those devious file names is the Bredolab Trojan. It’s a malware family designed to steal system information and turn a computer into a zombie on a botnet, where it will receive malicious URL’s and files from a Net bandit’s command and control server.

What the spammers are doing is taking their malware and giving it a name like corp_invoic_8.14.2011_pr.phylcod.exe. Then they insert the left-to-right override character after the p-h-y-l in phylcod. That tells a computer to take everything after the control character, read it right to left and display the results. The file name then looks like this: corp_invoic_8.14.2011_pr.phylexe.doc.

Some email programs will recognize the true name of a file, even it has been altered with a control character. Prominent security writer Brian Krebs, for instance, tried to send an executable file with a name disguised by the right-to-left method through Gmail. The Web application recognized the ruse and gave him its standard message about not allowing executable files to be sent through Gmail—only it displayed the message backwards!

Unfortunately, many email programs can be fooled by the right-to-left dodge, especially if the executable is in a zip or archive file. That’s why a good policy for any organization is to have its members check with the sources of unexpected files they receive attached to emails.

Clever Coding Conceals Malware in Email Attachments

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Typo squatting has been around as long as the Internet Domain Naming System (DNS), but Net bandits have added a twist to the practice that appears to be very effective in intercepting corporate email.

In a typical typo squatting scenario, people register misspelled domain names of high traffic websites. The idea is to capture traffic they ordinarily wouldn’t get at their website and turn it into money, either through advertising at the site or by compromising the visitor’s computer by infecting it with malware.

A variation of that technique that’s gaining popularity uses “doppelganger domains” to exploit typos in corporate email addresses. Those typos result less from misspellings than from failing to properly punctuate addresses with subdomains.

For example, the URL for IBM Sweden is se.ibm.com. A doppelganger attacker would register the domain seibm.com to capture email whose authors forget to type in that pesky extra period.

Once the domain is registered, the dop sets up a server configured to catch all email traveling through the net addressed to someone at a misspelled email address for which they’ve set up a domain.

Now the bunco artist is ready to mount a classic “man-in-the-middle” attack. Misaddressed mail enters the dop’s server, is copied, and forwarded to its destination with the doppelganger domain in the return address. If a response is sent from its destination, it will travel back to the dop server, be copied, and then sent on its way to the original sender. Those exchanges can continue indefinitely.

But who really types in email addresses anymore? Apparently, a lot of people.

Two researchers at the Godai Group set up 30 doppelganger domains and in six months, they were able to intercept 20 gigbytes of data. In that data were invoices, contracts, employee credit card and banking information, configuration details for the external routers of a large IT consulting company and the passwords for accessing the devices, and information for accessing the VPN network of a company that manages motorway tolls in the United States.

“Each company in the Fortune 500 was profiled for susceptibility to doppelganger domains and 151 companies (or 30%) were found to be susceptible,” wrote the researchers, Peter Kim and Garrett Gee, in a recently released report.

“In large corporations, email usage is extremely high which dramatically increases the likelihood of mis-sent emails and data leakage,” they explained.

Remarkably, they discovered, only one company detected its doppelganger and only two users noticed they were sending mail to a dop.

Kim and Gee also noted [pdf] that many doppelgangers had already been created for the world’s largest corporations, including Cisco, Dell, HP, IBM, Intel and Yahoo. Most of those dops were owned by entities in China, they added.

What’s an email administrator to do to counter this kind of attack?

• Persuade your company to buy up and register all your doppelganger domains. Then configure your external DNS server to bounce mails sent to the dops.
• If you discover a doppelganger domain, file a Uniform Domain Dispute  Resolution Policy complaint with ICANN.
• Configure your internal DNS servers not to resolve doppelganger domains. Of course, that will only affect the outbound email of your organization. External email could still be picked off by the dops.
• As an alternative to configuring your DNS server, you can configure your email server to block any outbound mail headed for a dop.
• Let everyone in your business network—employees, customers and partners—know about the doppelganger domain so they’ll be aware of the attack.
• You can also make sure that auto-addressing is turned on across your system. If your users don’t have to type in email addresses, then they can’t make typos in them.

Configure your email system to prevent exploitation by doppelganger domains

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

The lives of email administrators would be a lot rosier if their systems could be sure of the origin of an email, and if the name on the “from” line in a message was actually from the person who sent it. Add to that a way to assure authentic connections to websites accessed by their users, and there will be a host of happy faces in IT land.

If those things were possible, spam and messages bearing malicious payloads could be easily turned away. Spear phishing attacks—attacks targeted at a specific set of individuals within an organization—could be blunted. Diversions to dangerous websites could be averted.

Sounds like éclairs in the ether? Not necessarily. There is a technology that’s now being implemented on the Internet that, while no magic bullet, could, when widely adopted, foil many kinds of attacks based on hackers hijacking the domain names behind websites. It’s called DNSSEC.

DNSSEC, a standard that took 18 years to develop, is considered by some as the best method now available to authenticate DNS queries. Those queries are used by a web browser to communicate with a website. To some extent, those queries are protected now at websites using SSL. The problem with SSL is that it doesn’t protect the query while it’s traveling from the query’s author to the website. That enables a hacker to alter the information in the query’s data stream.

With DNSSEC, when a query is sent to a website, the answer to it is returned with a digital signature. That signature can be compared to an authentication database for the entire Internet to assure the authenticity of the website answering the query. If a hacker tries to hijack a website and redirect its traffic to an outlaw outpost, the tactic would be exposed to visitors because answers originating from the hacker’s website would not contain the digital signature identifying them as authentic.

The technology also addresses another kind of attack on how the Internet resolves queries to websites. Called DNS poisoning, it occurs when a hacker inserts malicious code into a DNS server. Say a request arrives at the server to go to google.com. Ordinarily, the server would take that address, convert it to the IP address for google.com, and send the web surfer on their way. If the DNS cache is poisoned, however, when that conversion takes place, the Webster is redirected to a malicious site. Once again, though, with DNSSEC in place, that malicious site would be exposed once it tried to communicate with the visitor’s browser because that communication would lack proper authentication.

What’s good about DNSSEC is that it can be used beyond just authenticating website traffic. That Internet-wide authentication database created by the technology could also be used to authenticate email certificates. Those certificates would go a long way in reducing spam, muzzling phishing attacks and enabling private email—email that’s encrypted and can only be decrypted by its intended recipient. In order for that to happen, however, DNSSEC needs to be adopted throughout the cyberspace food chain—from those at the top of the domain structure to the ISPs to the browser and client makers.

Email Admins Can Benefit from New Secure Domain Technology

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators