Solid email security requires inbound and outbound filtering

Written by John P Mello Jr on March 12, 2010 – 5:28 pm -

Credit card numbers of Argos customers were exposed in emails sent to them.

An email snafu at an online catalogue retailer is a good illustration of why both inbound and outbound mail should be filtered: not only to keep malicious payloads out of the organization, but also to keep sensitive information from leaking to unsavory elements.

The blunder involved Argos, a UK-based multi-channel retailer of home merchandise. During its last financial year it booked more than $6.4 billion in sales, 26 percent of it from the Internet.

A probe by PC Pro magazine found that the High Street retailer was sending the credit card numbers of its online customers in plaintext emails confirming purchases. Should such an email be intercepted in transit or otherwise hijacked, the card details could be used for fraudulent charges.

What’s worse, the emails also contained a link whose URL carried the recipient’s name, address and credit card details. If the customer clicked the link, that URL, personal data included, would land in the browser history, where anyone snooping on the machine could pick it up. It would also be recorded in the logs of whoever provides the customer’s Internet access, an employer or ISP, and in Argos’s own web analytics, which capture the URLs used to reach its site. Putting secrets in a query string means every system that sees the request keeps a copy.

PC Pro cited two victims of the lapse: Paul Lomax, chief technology officer at Dennis Publishing, and Tony Graham, a reader of the magazine. Both reported their card details stolen after receiving the offending emails from the retailer.

Graham discovered the gaffe while searching his mailbox for the last four digits of his card number. An Argos message turned up in the results, which puzzled him: no card number appeared in the visible text. Only when he opened the message source did he find the URL packed with personal and financial data. That is the practical lesson for an outbound filter: it has to inspect the raw MIME source, link targets included, not just the rendered text.
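
One way to build that outbound check, as an added example that is not from the original post, from Argos or from PC Pro: it parses a constructed confirmation email, scans every text part for Luhn-valid card numbers, and separately decodes the query string of every link, because a number hidden in a URL may be percent-encoded or split by separators and slip past a plain regex over the source. The message, the hostnames and the test card number are all constructed for illustration.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# 13 to 19 digits, optionally separated by spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in text, as digit strings."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


class LinkCollector(HTMLParser):
    """Collect href/src attribute values; HTMLParser unescapes &amp; for us."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def scan_outbound(raw: bytes) -> dict:
    """Scan every text part of a MIME message.

    'body' hits are numbers present in the part's raw text; 'url' hits come
    from decoded query-string values, which a regex over the raw source misses
    when the number is percent-encoded or broken up by separators.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = {"body": [], "url": []}
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        content = part.get_content()
        hits["body"] += find_pans(content)
        if part.get_content_subtype() == "html":
            collector = LinkCollector()
            collector.feed(content)
            urls = collector.urls
        else:
            urls = re.findall(r"https?://[^\s\"'<>]+", content)
        for url in urls:
            for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
                hits["url"] += find_pans(value)
    return hits


# Constructed confirmation email (assumed hostnames; 4111... is a test PAN).
SAMPLE = b"""From: orders@example.com
To: customer@example.net
Subject: Your order 12345678
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Thank you for your order 12345678. Please keep this message for your records.

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Thank you for your order 12345678.</p>
<p><a href="https://www.example.com/order?name=Tony+Graham&amp;cc=4111%2D1111%2D1111%2D1111">View your order</a></p>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for where, pans in scan_outbound(SAMPLE).items():
        print(f"{where}: {pans}")
```

Run as a script it prints the hits. On this message the body scan comes back empty, exactly what Graham saw in the rendered text, while the URL scan recovers the number; in a real deployment the same routine would sit in the outbound MTA's content filter and quarantine or strip the message.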

Fake MX Records More Harm Than Good

Written by Paul Cunningham on March 11, 2010 – 3:46 pm -

I read a tip just recently that advocated the use of fake MX records as a spam deterrent.  The solution was apparently devised after struggling with the server load that was being generated by spam emails.

As we all know, spam makes up as much as 90% of global email traffic, so it is not unusual for spam load to be a serious issue for email server performance.  The natural instinct is to keep that load off the server in the first place.  Fake MX records are not the best way to do it.

MX records are the DNS records that tell sending mail servers where to deliver email addressed to a particular domain.  For example, if I send an email to john@company.com, my server looks up the MX records for company.com, resolves the named exchanger to an IP address, and transmits the message to it over SMTP.

For redundancy most organizations publish multiple MX records pointing to multiple servers, so that if one is unavailable the others can still accept incoming email.  Each MX record carries a preference value, an arbitrary number that is meaningful only relative to the other MX records for that domain.  The lower the number, the higher the priority.

So for the same example as above, my email server looks up the MX record for company.com and gets the following response.

company.com MX preference = 10, mail exchanger = maila.company.com
company.com MX preference = 20, mail exchanger = mailb.company.com

It then tries maila.company.com first and falls back to mailb.company.com if that attempt fails.

The idea behind fake MX records is to publish several records (usually at least three) of differing preference and have the highest-priority and lowest-priority ones point at non-existent servers.  The theory is that a spammer’s bots will only try the highest- or lowest-priority MX and, getting no response, give up and move on to the next victim.  Some email administrators publish as many as ten MX records with only one real server among them.

The theory has some merit.  Spammers want to send as much email as possible, so they usually won’t spend time and resources having their bots try every MX for a targeted domain.  The technique, however, hurts legitimate senders as well.
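
To make the trade-off concrete, here is an added example (not from the original post) that simulates both kinds of sender against a normal MX layout and a fake-MX layout. The compliant sender follows RFC 5321 and tries each exchanger in ascending preference order until one accepts; the bot, as the post describes it, tries exactly one record. The hostnames, the table of reachable hosts and the 30-second connection timeout are all assumptions; no DNS or SMTP traffic is generated.

```python
import random

# Assumed per-attempt connection timeout for a legitimate MTA, in seconds.
CONNECT_TIMEOUT = 30

# Constructed MX sets. The "fake MX" layout hides the real server at
# preference 20 between two records that point at nothing.
FAKE_MX_LAYOUT = [
    (10, "mx-fake-primary.company.com"),
    (20, "maila.company.com"),
    (30, "mx-fake-backup.company.com"),
]
PLAIN_MX_LAYOUT = [
    (10, "maila.company.com"),
    (20, "mailb.company.com"),
]
# Hosts that actually answer on port 25 (constructed; no network is touched).
REACHABLE = {"maila.company.com", "mailb.company.com"}


def order_mx(records, rng=random):
    """RFC 5321 section 5.1 ordering: ascending preference, ties shuffled."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def compliant_delivery(records, reachable=REACHABLE):
    """A legitimate MTA works down the list until a host accepts.

    Returns (host that accepted or None, attempts made, seconds spent
    waiting on dead hosts before the outcome).
    """
    attempts = 0
    for host in order_mx(records):
        attempts += 1
        if host in reachable:
            return host, attempts, (attempts - 1) * CONNECT_TIMEOUT
    return None, attempts, attempts * CONNECT_TIMEOUT


def bot_delivery(records, strategy, reachable=REACHABLE):
    """A spam bot as the post describes it: one try at the highest- or
    lowest-priority MX, then on to the next victim."""
    ordered = order_mx(records)
    host = ordered[0] if strategy == "highest" else ordered[-1]
    return (host if host in reachable else None), 1


def compare(records):
    """Outcome for each sender type against one MX layout."""
    return {
        "compliant": compliant_delivery(records),
        "bot_highest": bot_delivery(records, "highest"),
        "bot_lowest": bot_delivery(records, "lowest"),
    }


if __name__ == "__main__":
    for name, layout in (("plain", PLAIN_MX_LAYOUT), ("fake", FAKE_MX_LAYOUT)):
        print(name)
        for sender, result in compare(layout).items():
            print(f"  {sender:12s} -> {result}")
```

Against the fake layout the compliant sender still gets through, but every legitimate message to the domain now pays a connection timeout on the dead primary before it succeeds, and senders whose queues retry with backoff will deliver late rather than wait it out. The bot's stop-after-one behaviour is only an assumption about today's spam software; a bot that walks the list like a real MTA is not slowed at all.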

58% of critical apps insecure

Written by John P Mello Jr on March 5, 2010 – 4:05 pm -

The most prevalent vulnerability by overall frequency identified by the report is cross-site scripting (XSS).

Most software used by large companies in critical business applications is insecure, according to a report released by a company that tests programs for security vulnerabilities.

In a report titled “State of Software Security,” Veracode, of Burlington, Mass., disclosed that when it first tested some 1,600 business-critical applications, 58 percent of them failed to achieve an acceptable security score.

The worst culprits were programs developed by companies for internal use. Failure rates for those applications were as high as 88 percent, the report said.

“Extrapolating from the application sample set, more than half of the software deployed in enterprises today is potentially susceptible to an application layer attack similar to that used in the recent Heartland or Google security breaches,” it noted.

The most secure software submitted to Veracode for testing originated with the financial industry or government sector. More than half the applications from those industries passed muster on their first go-round with testers, which placed them at the top of the list of 15 industries represented in the study’s data set.

The report also made a case for open source software as a viable option for businesses. Its failure rate was on par with that of commercial software: 39 percent for open source versus 38 percent for commercial products.

What’s more, security vulnerabilities in open source programs were fixed considerably faster: 36 days on average for open source, compared with 48 days for internally developed software and 82 days for commercial applications.

In addition, open source programs contained the fewest vulnerabilities that could be turned into backdoors by attackers. “The relative absence of potential backdoors is apparent testimony to the positive effect of transparency in the Open Source community,” the report reasoned.

Blocked Access to Outlook Attachments

Written by Mike Rede on February 24, 2010 – 10:14 am -

These days everyone is well aware of the need for security and the value of firewalls, anti-virus and anti-spam software, and the many other protective measures in the enterprise.

But sometimes too much security actually inhibits productivity. At the very least it can be an annoyance to some end users; at worst it becomes redundant, with many features and functions overlapping one another.

Sometimes, when users try to open email attachments from outside the organization, they receive a message saying they are not allowed to access them. In Outlook 2000 the message reads:

“Outlook blocked access to the following potentially unsafe attachments.”

If Outlook blocks an attachment, end users cannot save, delete, open, print, or otherwise work with it in Outlook. There are, however, several ways to let end users access such attachments safely.

The reason some users receive the attachment-blocked message is that Outlook 2000 SR-1 and SR-1a introduced a security feature that prevents attachments from being opened when their file type is categorized as potentially unsafe. The feature is valuable, since many attacks arriving from outside are disguised as, or hidden in, attachments, so any workaround should admit only the specific types a user actually needs rather than switch the protection off altogether.

Survey identifies worst password practices

Written by John P Mello Jr on February 9, 2010 – 5:40 pm -

20 percent of accounts could be compromised in 5000 attempts.

A recent study of some 32 million pilfered passwords offers some revealing lessons about how computer users choose their watchwords.

The analysis, conducted by Imperva’s Application Defense Center, found that 60 percent of users picked passwords from a limited set of alphanumeric characters. What’s more, 50 percent of the passwords were names, slang, dictionary words or trivial strings such as 123456 or “Password.”

What distinguishes this study from similar research in the past is that, rather than being based on user surveys, this analysis is based on a database of actual user passwords, which were stolen by a hacker and posted to the Internet as plain text.

“The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks,” the researchers wrote in their white paper.

“Ironically,” they added, “the problem has changed very little over the past 20 years. In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords.”

When scrutinizing the purloined passwords, the researchers used standards published by NASA for the creation of strong watchwords. Here’s how the words fared against those benchmarks.

NASA recommends that passwords be at least eight characters long. The researchers found that nearly half (49.4 percent) of the stolen passwords were seven characters or fewer, and more than 30 percent were six characters or fewer. By comparison, just over 28 percent were longer than eight characters.
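
As an added example (not from the original post or from Imperva’s white paper), the following scores a small constructed list of passwords against the eight-character minimum the post cites and reports length buckets in the same bands the study used. The two further rules it applies, rejecting trivial or dictionary words and requiring at least two character classes, are assumptions standing in for the rest of the NASA guidance, which the post does not reproduce; the word lists are tiny stand-ins for real ones.

```python
MIN_LENGTH = 8  # the NASA length rule cited in the post

# Assumed rules standing in for the rest of the guidance (not on the page).
TRIVIAL = {"123456", "1234567", "12345678", "password", "qwerty", "abc123",
           "iloveyou", "letmein"}
DICTIONARY = {"monkey", "dragon", "sunshine", "football", "princess", "shadow"}


def char_classes(pw: str) -> int:
    """Count distinct character classes present: lower, upper, digit, other."""
    kinds = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return sum(kinds)


def check(pw: str) -> list:
    """Names of the rules a password fails; an empty list means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("length")
    if pw.lower() in TRIVIAL or pw.lower() in DICTIONARY:
        failures.append("dictionary")
    if char_classes(pw) < 2:
        failures.append("classes")
    return failures


def length_buckets(passwords) -> dict:
    """Percentage of passwords in the (overlapping) bands the study reported."""
    n = len(passwords)

    def pct(cond):
        return round(100 * sum(1 for p in passwords if cond(len(p))) / n, 1)

    return {
        "6 or fewer": pct(lambda k: k <= 6),
        "7 or fewer": pct(lambda k: k <= 7),
        "exactly 8": pct(lambda k: k == 8),
        "more than 8": pct(lambda k: k > 8),
    }


def failure_rate(passwords) -> float:
    """Percentage that fail at least one rule."""
    return round(100 * sum(1 for p in passwords if check(p)) / len(passwords), 1)


# Constructed sample for illustration, not breach data.
SAMPLE = [
    "123456", "password", "qwerty", "monkey", "dragon", "abc123", "iloveyou",
    "letmein", "sunshine", "football", "princess", "shadow", "Admin1", "1234567",
    "Pa55w0rd", "welcome1", "Tr0ub4dor&3", "Marmalade-42", "g7$Kp2!zQ", "summer2010",
]

if __name__ == "__main__":
    print(length_buckets(SAMPLE))
    print(f"fail at least one rule: {failure_rate(SAMPLE)}%")
    for pw in SAMPLE:
        print(f"{pw:14s} {check(pw) or 'ok'}")
```

The buckets overlap by design, matching how the post reports them (the seven-or-fewer band includes the six-or-fewer band). Note that "Pa55w0rd" sails through: a rule set like this measures shape, not guessability, which is why a blocklist built from real breach data belongs alongside it.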

Troubleshooting the 0x80072f0d Error Code

Written by Mike Rede on February 2, 2010 – 5:42 pm -

For a large company, giving employees access to email twenty-four hours a day, seven days a week (24x7) is part of what sets it apart from its competitors. For employees away from the office or traveling on business, that connection can be the difference between success and a missed deadline.

A service most remote users can benefit from is Outlook Web Access (OWA), the webmail component of Microsoft Exchange Server. OWA provides email along with mailbox features such as Contacts, Calendar, Tasks, Notes and Public Folders. Mobile devices that support Outlook Web Access can give many corporate users that valuable connection to corporate email.

Using the web browser on a handheld device, users can reach their much-needed email. But, as often happens with technology, Outlook Web Access is not bullet-proof, so administrators can expect to be called on to solve the problems that come up from time to time when supporting remote users, their handhelds and their web-based email connections.

One of those problems involves the 0x80072f0d error code.

Protecting the enterprise from mobile devices

Written by John P Mello Jr on February 1, 2010 – 6:30 pm -

As often happens with electronics trends, the proliferation of a consumer device soon results in that gadget knocking on the door of the enterprise.  That’s the case with smartphones. The trend started with the BlackBerry, was supercharged by the iPhone and will continue to grow with phones running Google’s Android operating system.

What’s worrisome about these devices is that they run applications, far more applications than any IT department could vet for security. Jupiter Research, acquired by Forrester Research in 2008, estimates that by 2014, 20 billion apps will be downloaded to smartphones annually.

That is a nightmare in the making for network administrators, who see legions of unknown programs touching their networks. Apps that directly access enterprise systems such as SAP and Oracle already exist for the iPhone. With more on the way, the potential for them to spread malware or facilitate unauthorized access to sensitive data is a sobering thought for gatekeepers.

One way to get a handle on mobile devices invading an enterprise is to impose strict policies on employee use of their phones for office tasks. Monitoring compliance manually, though, can be an overwhelming task for an overtaxed IT department. Automated compliance systems exist, but they can be expensive to implement.

There are also drawbacks to keeping a tight rein on smartphone use. By limiting an employee’s choices about how he or she works, a policy can hurt productivity. Then there is the problem of exceptions. If someone higher up the corporate food chain than an IT gatekeeper wants to use a particular application, risky or not, an exception will likely be made.

Gmail and encryption

Written by Dan Blacharski on January 25, 2010 – 5:18 pm -

Gmail has offered an option to encrypt the whole session for some time, but until this week it was turned off by default. IT people, who tend to be a bit paranoid (in a good way), would have gone to the trouble of switching on the SSL option, but most ordinary users would simply not know it exists. And for that matter, those paranoid IT people probably wouldn’t have used Gmail to begin with.

Google announced last week that it would start encrypting all Gmail traffic. In a blog post, Google noted that it first rolled out the option to always use https in 2008. This encrypts the session on the path between the user’s web browser and Google’s servers. When the option first appeared it was off by default; now SSL is on by default, with users gaining the option of selecting “Don’t always use https” from the Settings menu.

Some may choose to forgo the extra protection for performance reasons, but in reality the hit is minor, especially for broadband users, and well worth the extra few milliseconds. The login page was already encrypted and remains so.

Encrypting the session stops several kinds of attack: passive eavesdropping on a public WiFi hotspot and active man-in-the-middle attempts against the connection. It also blunts DNS poisoning, where a domain name record is hijacked and redirected: the impostor cannot present a valid certificate for the Gmail hostname, so the browser warns the user instead of silently handing over the session, provided the user does not click through the warning. What it does not do is protect a message once it leaves Google on its way to another provider, or while it sits in either mailbox; https covers the browser hop only.

Google made the switch just hours after it disclosed that it had been the target of sophisticated attacks, including attempts on the accounts of Chinese human rights activists. Users are cautioned, however, not to be lulled into a false sense of security: turning on Gmail’s encryption will not prevent every attack. The usual anti-virus, anti-spam and anti-malware protections should remain in full force regardless of the added encryption.

With Google making the switch, the next big question is whether the other main free email services like Hotmail or Yahoo! Mail will follow suit; my guess is that they will.

Net security hole could take year to fix

Written by John P Mello Jr on January 19, 2010 – 4:56 pm -

A fix for a flaw in an important Internet security protocol is ready for prime time, but it will be many months before the patch is fully deployed, according to technical experts.

The vulnerability is in TLS/SSL, the most widely used security protocol on the Net, and lies in the way the protocol handles renegotiation of an existing connection (CVE-2009-3555): an attacker in the middle can inject data into a session the server believes is authenticated, which opens the door to all kinds of mischief. The protocol is built into browsers and Web servers to protect high-value information, and the flaw affects a wide range of technologies including online banking, back-office systems using Web-based protocols, non-HTTP applications such as mail and database servers, mobile phones, wireless access points, DECT phones and home security systems.

The vulnerability was discovered last September by researchers at PhoneFactor, a security service provider in Overland Park, Kansas, but was kept under wraps until November when another security expert, working independently, made the flaw public on a mailing list sponsored by the Internet Engineering Task Force (IETF).

With the cat out of the bag, PhoneFactor issued a press release on the subject. In it, CTO Steve Dispensa, who together with Marsh Ray initially unearthed the flaw, stated:

“Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching. All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL.”

“The discovery of this vulnerability speaks to a larger issue with single channel authentication protocols,” he added. “While this vulnerability is larger in scope than many, man-in-the-middle attacks have been a known threat for some time. Out-of-band protocols should be considered when possible to help mitigate the risk of these attacks.”

Top patches, data breaches of 2009

Written by John P Mello Jr on January 5, 2010 – 10:48 am -

Microsoft set dubious record in 2009.

Microsoft set a dubious record in 2009. In October it released the most updates (13) addressing the most vulnerabilities (34) in a single month in the company’s history.

Ironically, had a user ignored every update the company released during the year, he or she would still have averted more than 70 percent of all attacks launched in the period, provided the Microsoft Word patches had been kept current through June 2006. That’s because, according to one researcher, 71 percent of all attacks in 2009 exploited a vulnerability in the word processor that had been patched three years earlier. Another 13 percent exploited a vulnerability in Microsoft Excel that was patched in March 2008.

Since one never knows what vulnerabilities will catch a cracker’s fancy, the wisest course of action is to install patches when they become available, but if you’ve fallen behind in that department, you may want to move the following patches to the top of your to-do list. According to security experts, they’re the most important ones released in 2009, although one was actually introduced in 2008.

One such patch fixes a flaw in the Active Template Library (ATL) used to build ActiveX controls. ActiveX has long been a juicy target for malware writers because it can be used to download malicious software automatically. In this case the vulnerability undermined certain security protections Microsoft had previously shipped. The patch for Microsoft Visual Studio corrects the library so that developers can build controls free of the flaw; controls already compiled against the vulnerable ATL carry the bug with them and must be rebuilt and redistributed before they are safe.

In 2009, attackers stepped up their efforts to weaponize Adobe PDF files, and Adobe has not helped its cause by being slow to address vulnerabilities in its products. Last year the company followed Microsoft’s lead and released a monster update addressing 29 vulnerabilities. Installing that patch now, though, is only a stop-gap, as the most recent Acrobat exploit won’t be addressed until Adobe’s next update, expected on January 12.
