<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Email management, storage and security for business email admins &#187; email security</title>
	<atom:link href="http://www.theemailadmin.com/category/email-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.theemailadmin.com</link>
	<description></description>
	<lastBuildDate>Fri, 10 Feb 2012 14:00:05 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Malmail fighters get on same page with DMARC</title>
		<link>http://www.theemailadmin.com/2012/02/malmail-fighters-get-on-same-page-with-dmarc/</link>
		<comments>http://www.theemailadmin.com/2012/02/malmail-fighters-get-on-same-page-with-dmarc/#comments</comments>
		<pubDate>Fri, 10 Feb 2012 14:00:05 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[DMARC]]></category>
		<category><![CDATA[domain]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spoof]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5351</guid>
		<description><![CDATA[Some major players in the email game are banding together to create a unified specification to attack domain spoofing. While the prospect of less spam and phish clogging email systems should incite administrators to cry &#8220;hurrah&#8221;, the immediate prospects of that happening are dim. The new spec is called DMARC—Domain-based Message Authentication, Reporting &#38; Conformance. [...]<p><a href="http://www.theemailadmin.com/2012/02/malmail-fighters-get-on-same-page-with-dmarc/">Malmail fighters get on same page with DMARC</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2012/02/GFI166-DMARC.jpg"><img class="alignright size-full wp-image-5376" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2012/02/GFI166-DMARC.jpg" alt="" width="265" height="190" /></a>Some major players in the email game are banding together to create a unified specification to attack domain spoofing.</p>
<p>While the prospect of less spam and phish clogging email systems should incite administrators to cry &#8220;hurrah&#8221;, the immediate prospects of that happening are dim.</p>
<p>The new spec is called <a target="_blank" href="http://dmarc.org/" onclick="pageTracker._trackPageview('/outgoing/dmarc.org/?referer=');">DMARC</a>—Domain-based Message Authentication, Reporting &amp; Conformance. With DMARC, email powerhouses like Google, Microsoft, AOL and Yahoo hope to unify how they authenticate the origin of email messages.<span id="more-5351"></span></p>
<p>For years, spammers and phishers have &#8220;spoofed&#8221; domain names to disguise the origin of their junk mail. That allows them to slip by spam filters, as well as mount phishing attacks on unsuspecting targets.</p>
<p>DMARC is designed to make two existing email authentication methods—SPF and DKIM—more effective.</p>
<p>The Sender Policy Framework (SPF) authenticates where an email originates by comparing its IP address to a list of valid IP addresses submitted by the domain owner to the Domain Name System. If a message arrives at a mail exchange saying it&#8217;s from a certain domain, but the IP address where it came from doesn&#8217;t correspond to the addresses in the SPF record for that domain, the message is bounced.</p>
<p>DomainKeys Identified Mail (DKIM) ensures a message&#8217;s origin by attaching a cryptographic digital signature to it that associates the message with a domain. That signature can be reviewed at any point in the message&#8217;s path to its destination.</p>
<p>When it gets to its destination, the receiving system can determine what to do with the message based on the reputation of the signature&#8217;s owner. If the owner has a good reputation, it will probably deliver the message without a lot of hassle. If a reputation is tarnished, closer scrutiny of the message may be in order.</p>
<p>The problem with these schemes is that not everyone uses them. In addition, those organizations that do use them tend to be in silos. Users of SPF don&#8217;t use DKIM, and vice versa. DMARC is designed to address that problem.</p>
<p>Since DMARC is predicated on those existing schemes, its effectiveness is questionable. That&#8217;s because users of SPF and DKIM have been reluctant to fully trust the schemes to identify malmail. That means they&#8217;re not ready to tell a recipient system to reject all mail that doesn&#8217;t jibe with policy rules set forth in an SPF record or with a DKIM signature.</p>
<p>Some elements of DMARC are designed to help build trust in SPF and DKIM. For instance, it allows a recipient to report to a sender that a message was found to be out-of-policy, whether it was delivered or not. That allows senders to evaluate what would happen if they go &#8220;whole hog&#8221; and require all out-of-policy messages to be trashed.</p>
<p>It also allows policy rules to be applied to a subset of cases. That, too, permits senders to tweak a scheme before applying it to all their mail across the Internet.</p>
<p>However, to make a dent in malmail, widespread adoption of SPF and DKIM would have to occur. That&#8217;s a tall order. It means thousands of organizations will have to modify their email systems to accommodate the schemes—something that won&#8217;t happen overnight, or even in a decade or two.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/02/malmail-fighters-get-on-same-page-with-dmarc/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Addressing Three Major Email Threats</title>
		<link>http://www.theemailadmin.com/2012/02/addressing-three-major-email-threats/</link>
		<comments>http://www.theemailadmin.com/2012/02/addressing-three-major-email-threats/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 15:00:02 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Advance-fee fraud]]></category>
		<category><![CDATA[Email address]]></category>
		<category><![CDATA[Email client]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[PayPal]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Rustock botnet]]></category>
		<category><![CDATA[spam email]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5325</guid>
		<description><![CDATA[According to most reports, the amount of email spam is diminishing. Experts credit the takedown of massive botnets like Rustock, a more educated user base and advancements in spam fighting technologies for this trend. However, even though one of the most annoying, and troublesome, threats to email accounts is on a downswing it doesn’t mean [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2012/01/Email_Security_Image_XSmall_400x300.jpg"><img class="alignright size-full wp-image-5326" style="border-image: initial; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2012/01/Email_Security_Image_XSmall_400x300.jpg" alt="" width="280" height="210" /></a>According to most reports, the amount of email spam is diminishing.</p>
<p>Experts credit the takedown of massive botnets like Rustock, a more educated user base and advancements in spam fighting technologies for this trend. However, even though one of the most annoying, and troublesome, threats to email accounts is on a downswing, it doesn’t mean for one second that email is no longer a part of the IT infrastructure that is vulnerable to threats.</p>
<p>Understanding the different ways cyber criminals and script kiddies can use vulnerabilities in email clients and servers to attack a system will help any email administrator keep email services running smoothly, and the entire infrastructure safe from a great number of exploits that can do some serious damage.<span id="more-5325"></span></p>
<p>Listed below are three of the most serious problems that, if ignored, can compromise the security of your email systems.</p>
<p><strong>1. Malware being spread via email</strong></p>
<p>To say that spam levels are dropping dramatically is almost a half truth. While users are seeing less spam advertising pharmaceuticals, financial services, pornography and work-at-home schemes, it doesn’t necessarily mean that spam itself is being beaten back.</p>
<p>Actually, while the use of spam for advertising and marketing may be down, the numbers are increasing for spam messages that carry something far worse than the Nigerian prince scam. These messages actually contain malware or links to malicious sites.</p>
<p>Knowing full well that many users have been taught not to download attachments they don’t trust, cyber criminals have turned to simply inserting a link to a web site in their emails. When the victim clicks the link, they are taken to a site that runs scripts to infect their computers with Trojan horses, keystroke loggers and other types of malicious software.</p>
<p><strong>2. Information leaks</strong></p>
<p>Not all threats come from outside. Anyone who has worked to secure confidential data knows all too well that one of the biggest areas of concern is information being leaked from an inside threat.</p>
<p>Inside threats happen through a variety of means. You could have a disgruntled employee who is looking to hurt the company or you could have an employee who is looking to make a little extra money moonlighting as a corporate spy. There have even been instances where someone lands a job with a company for the sole reason of stealing confidential or proprietary information.</p>
<p>While these scenarios seem like they came from a Hollywood studio, they do happen &#8211; just not that often.</p>
<p>Most likely, you will find that information is leaked by accident. An employee includes something in an email message that is considered sensitive. That email, once it leaves the protection of your company, can now be forwarded on or even intercepted in transit. The contents can then be easily exposed revealing trade secrets, private information or even embarrassing content.</p>
<p><strong>3. Go phish</strong></p>
<p>Phishing is a threat that has been on the radar of most IT administrators for some time. And with recent data breaches, like the recent attack against Epsilon, millions of corporate email addresses have been compromised and are ready to be used in phishing attacks.</p>
<p>The scary part of phishing attacks nowadays is that it is becoming harder to tell them apart from legitimate emails. Take a look at recent PayPal and banking emails that have been sent out requesting people to reset their account passwords or log in to address some issues with their account.</p>
<p>It is becoming tough for people to tell the difference between a real request from their financial institution and one aimed at compromising their login details.</p>
<p>Of course, financial data isn’t the only thing that phishers chum the waters for. They know full well that a majority of people use the same user name and password for a majority of web sites. If they can capture a password, they can usually recreate the username for your business’s network resources to allow them free rein over anything the victim has access to.</p>
<p>Safeguarding against email-based attacks is something that every IT admin needs to take seriously if they want to protect their network. Employing a solution that addresses the mail servers, mail client, users and other network resources is one of the key steps to protect against as many points of attack as possible.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/02/addressing-three-major-email-threats/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Government can force you to decrypt your data</title>
		<link>http://www.theemailadmin.com/2012/01/government-can-force-you-to-decrypt-your-data/</link>
		<comments>http://www.theemailadmin.com/2012/01/government-can-force-you-to-decrypt-your-data/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 14:00:15 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[intrusion]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5322</guid>
		<description><![CDATA[Administrators confident about the safety of their data encrypted on company laptops should start squirming if a recent court decision passes muster in the United States. The case involves a Colorado woman who has been ordered to open the encrypted drives on her laptop for federal investigators. Unlike the cops on television shows and movies, [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI-165-key.jpg"><img class="size-medium wp-image-5337 alignright" style="border-image: initial; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI-165-key-300x224.jpg" alt="" width="300" height="224" /></a></p>
<p>Administrators confident about the safety of their data encrypted on company laptops should start squirming if a recent court decision passes muster in the United States.</p>
<p>The case involves a Colorado woman who has been ordered to open the encrypted drives on her laptop for federal investigators.</p>
<p>Unlike the cops on television shows and movies, who always seem to have a computer wizard on hand to decrypt a hard drive or crack a password, law enforcement authorities in Colorado, stymied by the encryption on a notebook in the possession of Ramona Fricosu, simply went to a judge and asked him to order her to type in her password so they could see what was in the encrypted files.</p>
<p>In arguing against opening the files, Fricosu claimed doing so would violate her civil rights, in particular her Fifth Amendment rights against self-incrimination. Her reasoning was that the government, by forcing her to give up her password for decrypting the drive, was forcing her to incriminate herself if there were anything on the drive tying her to its criminal investigation of a mortgage scam. Investigators believe Fricosu is involved in the scam that defrauded banks in the Colorado Springs area of some $900,000.<span id="more-5322"></span></p>
<p>Federal District Court Judge Robert Blackburn didn&#8217;t buy that argument. Fricosu might be incriminating herself if she were being asked to utter the password to the files or to give it to the investigators in some other way. However, she was only being asked to type in the password.</p>
<p>The government said it wasn&#8217;t interested in knowing what the password was. In fact, it said Fricosu could type the password into the laptop without any government operatives hovering over her. For that reason, the password could be treated like a key is treated in the physical world. Since the courts have ruled that the government can compel someone to give it the key to a safe or other repository of potential evidence in a case, Judge Robinson reasoned, it can compel Fricosu to type in her password.</p>
<p>Although the Fricosu case will be appealed and isn&#8217;t settled in law yet, it should give administrators some food for thought. It&#8217;s not that far of a stretch, for instance, from treating a password for decrypting files as a key to treating passwords to anything that way.</p>
<p>That can have broad implications for your data&#8217;s security should you ever have to lock horns with any government for any reason. While Fricosu was involved in a criminal matter, the logic underlying the case could be extended to non-criminal government activity such as tax audits or compliance reviews.</p>
<p>With that in mind, should alternatives to passwords be considered? For example, if voice recognition were used to replace passwords, then the &#8220;utterance&#8221; test might be met and your data might be better protected against intrusive legal searches. Then there&#8217;s the question of whether other biometric solutions used for authentication are as legally vulnerable as simple passwords. If a retina has to be supplied to open a laptop, is that a potential act of incrimination?</p>
<p>One thing administrators should take away from the Fricosu decision, should it be upheld by the appellate courts, is that their passwords and the passwords of their organization&#8217;s users aren&#8217;t as safe as they used to be—and neither is anything that can be decrypted with a password.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/01/government-can-force-you-to-decrypt-your-data/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Microsoft&#039;s Trustworthy Computing program turns 10 years old</title>
		<link>http://www.theemailadmin.com/2012/01/microsofts-trustworthy-computing-program-turns-10/</link>
		<comments>http://www.theemailadmin.com/2012/01/microsofts-trustworthy-computing-program-turns-10/#comments</comments>
		<pubDate>Fri, 20 Jan 2012 14:00:56 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[trustworthy computing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5258</guid>
		<description><![CDATA[For computer security experts, January 15 marked the anniversary of a red letter day. It was the 10th anniversary of the day that Microsoft decided to get serious about security. On that day in 2002, a memo from Bill Gates to Microsoft employees declared the company would be entering a new era, an era of [...]
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_5271" class="wp-caption alignright" style="width: 310px"><a href="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI164-bill_gates.jpeg"><img class="size-medium wp-image-5271" src="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI164-bill_gates-300x300.jpg" alt="" width="300" height="300" /></a><p class="wp-caption-text">Gates: Momentous security memo</p></div>
<p>For computer security experts, January 15 marked the anniversary of a red letter day. It was the 10th anniversary of the day that Microsoft decided to get serious about security.</p>
<p>On that day in 2002, a memo from Bill Gates to Microsoft employees declared the company would be entering a new era, an era of &#8220;Trustworthy Computing.&#8221;</p>
<blockquote><p>&#8220;In the past,&#8221; <a target="_blank" href="http://www.microsoft.com/Presspass/Features/2012/jan12/GatesMemo.mspx" onclick="pageTracker._trackPageview('/outgoing/www.microsoft.com/Presspass/Features/2012/jan12/GatesMemo.mspx?referer=');">Gates wrote</a>, &#8220;we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software.&#8221;</p>
<p>&#8220;So now,&#8221; he continued, &#8220;when we face a choice between adding features and resolving security issues, we need to choose security.&#8221;<span id="more-5258"></span></p></blockquote>
<p>Gates&#8217; commitment to security came when the Windows world was reeling from two monster malware attacks from the previous year: Code Red and Nimda. Code Red exploited buffer overflows to attack Internet Information Services (IIS) running under Windows Server. It infected an estimated 300,000 PCs.</p>
<p>Unlike Code Red, Nimda was a worm that used multiple attack vectors to rapidly infect computers connected to the Internet. The technique was extremely effective and within 22 minutes of its release on September 18, 2012, it became the most widespread malware in the world.</p>
<p>It&#8217;s with that backdrop that Gates emailed his memo to his employees. One group of workers was particularly glad to see their boss&#8217;s missive: the company&#8217;s malware fighters.</p>
<blockquote><p>&#8220;It’s not an understatement that the memo felt, to me, like the arrival of Gandalf and Eomer at Helm’s Deep in the film <em>The Lord of the Rings: The Two Towers</em> at a moment of great despair; at last we were getting some relief and might survive&#8221; Christopher Budd, who worked on security issues for 10 years at Microsoft, <a target="_blank" href="http://betanews.com/2012/01/16/10-years-after-bill-gates-trustworthy-computing-memo-what-it-meant-for-microsoft-and-why-every-tech-company-needs-one/" onclick="pageTracker._trackPageview('/outgoing/betanews.com/2012/01/16/10-years-after-bill-gates-trustworthy-computing-memo-what-it-meant-for-microsoft-and-why-every-tech-company-needs-one/?referer=');">wrote in Betanews</a>.</p></blockquote>
<blockquote><p>&#8220;In a single movement, Gates enshrined security, privacy and reliability as central, aspirational ideals,&#8221; Budd observed. &#8220;Like all ideals, there have been better and worse times in realizing them, but their central importance was never open to question. That memo eliminated the resistance that made our work so hard and gave us the power to do the right thing for customers.&#8221;</p></blockquote>
<p>Budd asserted that the memo gave the security and privacy factions in the company the power to stand toe-to-toe with those primarily concerned with revenue and growth. He wrote:</p>
<blockquote><p>&#8220;In a way, it represents a statement of conscience for the company and we used it as such, with success.&#8221;</p></blockquote>
<p>Since the memo was issued, Microsoft has made security an important part of its product development cycle. That&#8217;s led to security features like library randomization and BitLocker drive encryption in Windows 7 and Secure Boot, a way in Windows 8 to foil BIOS attacks. It has made Windows Server IIS as secure as its open source competitor, Apache, too.</p>
<p>It has also lifted Microsoft&#8217;s browser, Internet Explorer, from a security nightmare to one of the most secure ways to surf the Web today. A 2010 report from independent software tester NSS Labs found:</p>
<blockquote><p>&#8220;Internet Explorer 9 was by far the best at protecting users against socially-engineered malware.&#8221;</p></blockquote>
<p>Unfortunately, it&#8217;s hard to change a bad security reputation forged over many years and IE&#8217;s user share has fallen from its once dominant position of more than 90 percent to under 50 percent of all users.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/01/microsofts-trustworthy-computing-program-turns-10/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Windows 8 Offers New Password Features</title>
		<link>http://www.theemailadmin.com/2012/01/windows-8-offers-new-password-features/</link>
		<comments>http://www.theemailadmin.com/2012/01/windows-8-offers-new-password-features/#comments</comments>
		<pubDate>Wed, 11 Jan 2012 14:00:12 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[Windows 8]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5200</guid>
		<description><![CDATA[Why it has taken Microsoft so long to make password security more than an afterthought when it introduces a new operating system is anybody&#8217;s guess. Nevertheless, with Windows 8 it is making an effort to help users manage their passwords in an efficient and secure way. Everyone has dozens of accounts they need for which [...]
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_5239" class="wp-caption alignright" style="width: 285px"><a href="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI-62-photo-touch.jpg"><img class="size-full wp-image-5239 " style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI-62-photo-touch.jpg" alt="" width="275" height="275" /></a><p class="wp-caption-text">Gestures can replace passwords in Windows 8.</p></div>
<p>Why it has taken Microsoft so long to make password security more than an afterthought when it introduces a new operating system is anybody&#8217;s guess. Nevertheless, with Windows 8 it is making an effort to help users manage their passwords in an efficient and secure way.</p>
<p>Everyone has dozens of accounts for which they need to memorize passwords. Most people, though, only commit a few passwords to memory and just reuse them over and over again. A study in 2007, for example, found that the average Internet user had 25 accounts that required password access, but they only used six passwords to access their accounts.</p>
<p>Security pros decry the multiple use of passwords but there are plenty of sites on the web where if your password fell into the wrong hands, the consequences would be trivial. Reusing passwords for those sites should be acceptable. There are sites where unique passwords are a must, though, such as banking or credit card payment sites.<span id="more-5200"></span></p>
<p>With Windows 8, Microsoft is addressing several nettlesome issues that discourage people from creating and using strong passwords. In the upcoming version of Windows, user names and passwords are stored in a secure location called the Credential Password Vault.</p>
<p>The latest version of Microsoft&#8217;s web browser, Internet Explorer 10, is designed to automatically access the Vault for your credential information, but other browsers and applications will eventually be able to access the area, too.</p>
<p>What&#8217;s more, if you have or obtain a Windows Live ID, you&#8217;ll be able to synchronize the Vaults across all your devices. Not only does that remove the annoying situation of trying to remember credentials for a site when you&#8217;re away from the device where you created those credentials, but it can provide a safety net should the password information on any one device be corrupted.</p>
<p>Synchronization appears to be pretty robust too. Microsoft says it can take place behind a firewall. However, websites can block the storage of credentials used to access them. Some banks do that. In that case, synchronization will not work because your credentials won&#8217;t be stored in your Vault.</p>
<p>Another intriguing aspect of the Credential Password Vault is that it can also store security keys. Typically, those keys involve the use of hardware tokens to authenticate a person&#8217;s identity. The Vault, however, is designed to work with something called the Trusted Platform Module, which is being incorporated into more and more computers these days. The Vault and the Module, which acts as a virtual security token, can team up to perform the same function as a token-based key pair system.</p>
<p>For tablets or computers with touchscreens, Windows 8 has an even neater password option. It allows you to take a photo of your choice and use it to access your slate by performing a series of gestures on it.</p>
<p>Although some security experts are skeptical of the method, and even Microsoft acknowledges that <a target="_blank" href="http://arstechnica.com/business/news/2011/12/windows-8-picture-login-dont-let-smudges-reveal-your-password.ars" onclick="pageTracker._trackPageview('/outgoing/arstechnica.com/business/news/2011/12/windows-8-picture-login-dont-let-smudges-reveal-your-password.ars?referer=');">smudges on a screen could compromise the gesture password</a>, the approach has the potential to be more secure than ordinary password schemes. Microsoft estimates that there are 398 trillion five-gesture combinations that could be applied to a photo, compared to 182 million combinations for a five-character password and nine trillion combinations for an eight-character one.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/01/windows-8-offers-new-password-features/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>What should be in your BYOD policy?</title>
		<link>http://www.theemailadmin.com/2012/01/what-should-be-in-your-byod-policy/</link>
		<comments>http://www.theemailadmin.com/2012/01/what-should-be-in-your-byod-policy/#comments</comments>
		<pubDate>Fri, 06 Jan 2012 14:00:08 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[email administration]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5183</guid>
		<description><![CDATA[More and more organizations are finding their employees using personal devices to access company data. Without some measure of control, those workers can create serious security problems for their employers. As much as some administrators would like to block the use of personal devices in the workplace, that&#8217;s unlikely to happen for a number of [...]<p><a href="http://www.theemailadmin.com/2012/01/what-should-be-in-your-byod-policy/">What should be in your BYOD policy?</a><br/><br/>

</p>
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_5189" class="wp-caption alignright" style="width: 310px"><a href="http://www.theemailadmin.com/wp-content/uploads/2011/12/GFI161-BYOD.jpg"><img class="size-medium wp-image-5189 " style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/12/GFI161-BYOD-300x225.jpg" alt="" width="300" height="225" /></a><p class="wp-caption-text">BYOD can give administrators a headache.</p></div>
<p>More and more organizations are finding their employees using personal devices to access company data. Without some measure of control, those workers can create serious security problems for their employers.</p>
<p>As much as some administrators would like to block the use of personal devices in the workplace, that&#8217;s unlikely to happen for a number of reasons. For example, many employees are already using their own devices at work, as a recent survey by IDC shows. That poll found that 95 percent of workers use one personally purchased device on the job.<span id="more-5183"></span></p>
<p>In addition, businesses are demanding more and more productivity from their workers, and that&#8217;s what they can get by allowing employees to use their own gadgets for work. One study by iPass, for instance, showed that employees using personal devices worked 240 more hours a year.</p>
<p>Not many companies would want to part with that kind of productivity, and they&#8217;re not going to, according to a Gartner analysis. Instead, that report noted, corporations will be embracing the practice by placing their apps on their workers&#8217; devices. In fact, by 2014 Gartner predicts that 90 percent of all employee-owned devices will have corporate apps running on them.</p>
<p>Other cultural and technology trends are also making opposition to Bring Your Own Device futile. Hardware makers are finding they need to produce products with a consumer bent if they want to stay in business.</p>
<p>Virtualization and cloud computing encourage access to corporate technology resources whenever workers want to access them and with whatever they want to access them with.</p>
<p>Meanwhile, as the line between work and non-work becomes more and more obscure, the case for creating a clear line of demarcation between work and home devices becomes weaker and weaker.</p>
<p>To address issues created by the use of personal devices in the workplace, companies have begun to adopt BYOD policies. Before adopting such a policy, here are some questions an organization might want to consider.</p>
<ul>
<li>Should data be classified to determine what can and can&#8217;t be downloaded by personal devices?</li>
<li>What happens to company data on a personal device when an employee leaves the company?</li>
<li>What happens if a personal device is lost or stolen?</li>
<li>Do personal devices need to be configured in any special way?</li>
<li>How can an acceptable password policy be implemented on a personal device?</li>
<li>What forms of encryption should be acceptable?</li>
<li>What personal devices are acceptable for use with corporate resources?</li>
<li>Should employees be allowed to jailbreak or root their devices, given that doing so may make the device more susceptible to security risks?</li>
<li>Should employees be required to sign the BYOD policy before they&#8217;re granted access to the company&#8217;s network?</li>
</ul>
<p>Some of those questions were considered by Unisys when it formulated its BYOD policy. Among the requirements of that policy is that Unisys has the right to confiscate a device if it&#8217;s needed for litigation purposes.</p>
<p>That policy requires employees to accept a digital certificate to be installed on their personal device. It authenticates the device to Unisys&#8217;s systems, and it allows the company to analyze access behavior. Knowledge of that behavior can be used to identify abuse of access privileges.</p>
<p>The certificate gives an employee access to email and calendar functions on the system. Access to other functions can require additional authentication.</p>
<p>Another requirement of the policy, and one most administrators will find desirable, is the installation of a program on the device that enables all data to be remotely wiped on a unit that is lost or stolen.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/01/what-should-be-in-your-byod-policy/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Santa&#039;s checking his list for Christmas, everyone else their email</title>
		<link>http://www.theemailadmin.com/2011/12/santa-checks-his-list-everyone-else-their-email/</link>
		<comments>http://www.theemailadmin.com/2011/12/santa-checks-his-list-everyone-else-their-email/#comments</comments>
		<pubDate>Fri, 23 Dec 2011 14:00:28 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5111</guid>
		<description><![CDATA[Despite the claims of one CEO of a major global high tech company, many workers believe their internal email is important enough to scrutinize when they should be kicking back and being jolly during the holiday season. In a poll of some 1000 people with full-time jobs in the United Kingdom, surveyors found that nearly [...]<p><a href="http://www.theemailadmin.com/2011/12/santa-checks-his-list-everyone-else-their-email/">Santa&#039;s checking his list for Christmas, everyone else their email</a><br/><br/>

</p>
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/12/GFI159-santa.gif"><img class="alignright size-medium wp-image-5118" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/12/GFI159-santa-300x238.gif" alt="" width="300" height="238" /></a>Despite the <a href="http://www.theemailadmin.com/2011/12/no-email-at-work-inconceivable/">claims of one CEO</a> of a major global high tech company, many workers believe their internal email is important enough to scrutinize when they should be kicking back and being jolly during the holiday season.</p>
<p>In a poll of some 1000 people with full-time jobs in the United Kingdom, surveyors found that nearly half of the workers (46 percent) intend to check their office email either frequently (15 percent) or intermittently (31 percent) during yuletide. About a third of the sample (34 percent) said they&#8217;d totally resist the temptation to check their email during their stay at home during the festive period.<span id="more-5111"></span></p>
<p>Younger workers (18-24 year olds) were more likely to check their email during the holidays than older ones (50 years old or older), according to the survey conducted by OnePoll and sponsored by SecurEnvoy, a firm specializing in two-factor authentication without tokens.</p>
<p>While 21 percent of the respondents said that there was no expectation or compulsion by their employers to have them check emails while at home, 20 percent felt they&#8217;d be at a competitive disadvantage at the office if they failed to do so. Nevertheless, nearly half (46 percent) of the respondents told the pollsters that if they were contacted by their employer during the holidays, they&#8217;d be &#8220;very angry&#8221; (28 percent) or &#8220;really annoyed&#8221; (18 percent).</p>
<p>No doubt, along with any office nuggets in their inboxes, employees will find one of these scams making the rounds right now:</p>
<ul>
<li>Offers for free screen savers never seem to lose their appeal to scammers or their allure to victims, who want to give their computer displays a festive look during the holidays.</li>
<li>Gift cards have become popular with gift givers, as well as with Net grifters. Typically, they&#8217;ll offer a gift card from a popular store at a discount. That&#8217;s because the card has been stolen or is bogus. Gift cards are best purchased directly from the store that issues them.</li>
<li>An assortment of deals, special offers and discounts tied to the season. While these may have the appearance of legitimacy—scammers have become very adept at mimicking the official mail of banks, retailers and such—these missives usually contain malicious links aimed at conning personal information from a target or infecting their computer or smartphone with malware.</li>
</ul>
<p>While many workers are thinking of checking email during the holiday out of a concern, either real or imagined, for keeping their jobs, few are thinking about protecting themselves or their companies from cyber criminals. Nearly half (46 percent) of the survey sample polled by OnePoll admitted that they don&#8217;t use any kind of security on their mobile phones, not even a simple personal identification number (PIN), even though they acknowledged that they&#8217;d be reading emails on them that could include sensitive information and unencrypted documents.</p>
<blockquote><p>“If you’re accessing the corporate network to retrieve emails, using a password or hardware token that’s left next to your PC just isn’t adequate,&#8221; warned SecurEnvoy CTO Andy Kemshall. &#8220;Should Santa, his elves or someone a little more sinister drop by and liberate you of your token or copy your password, they could be stealing vast amounts of critical company data.&#8221;</p></blockquote>
<p>Cell phones can be a great alternative to passwords and custom tokens for accessing corporate systems because unlike custom tokens, most people always keep their phones with them and are diligent about keeping tabs on them. They&#8217;re an even better alternative if access to them is protected by a PIN or password.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/12/santa-checks-his-list-everyone-else-their-email/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Yes, My Email Account Was Compromised</title>
		<link>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/</link>
		<comments>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/#comments</comments>
		<pubDate>Wed, 21 Dec 2011 14:00:26 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email account hacked]]></category>
		<category><![CDATA[Email address]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[Mail]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[MSN]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[User (computing)]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5106</guid>
		<description><![CDATA[This morning I noticed the flashing red light on my Blackberry alerting me to a new message. Since this device is connected to my work email account, I decided to give it a look to see what was so important that it couldn’t wait until Monday. I was lucky that I did check it. The [...]<p><a href="http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/">Yes, My Email Account Was Compromised</a><br/><br/>

</p>
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/12/email-accounts-hacked.jpg"><img class="alignright size-full wp-image-5107" src="http://www.theemailadmin.com/wp-content/uploads/2011/12/email-accounts-hacked.jpg" alt="" width="281" height="210" /></a>This morning I noticed the flashing red light on my Blackberry alerting me to a new message. Since this device is connected to my work email account, I decided to give it a look to see what was so important that it couldn’t wait until Monday.</p>
<p>I was lucky that I did check it. The new message was actually from my personal email account and the contents of the message contained only one link and other people were also sent the same message.</p>
<p>I realized immediately that my personal email account was sending spam. I was upset with this because working with email and security, I write and train others on best practices. Not only this, but I follow them as well. I make sure that:<span id="more-5106"></span></p>
<ul>
<li>I use strong passwords and phrases</li>
<li>I change my passwords frequently</li>
<li>I don’t use the same password over and over</li>
<li>I update my anti-malware software regularly</li>
<li>I run anti-malware scans regularly (ironically, I had just run a scan the day before)</li>
<li>I am careful about what sites I visit</li>
<li>I am careful about clicking links in emails</li>
<li>I am careful about what I download, even checking the MD5 hashes when available.</li>
</ul>
<p>However, after I realized what had happened, I didn’t make the classic mistake of denial that this could happen to me. After all, people much smarter than me have had their systems compromised. Driven by a classic saying in computer security, “The only way to ensure that a computer is 100% secure is to unplug it from everything and seal it up in a box,” I moved ahead with fixing the problem.</p>
<h2>Steps taken</h2>
<p>When I opened up my personal email account there were over 100 mail delivery subsystem errors and Out of Office replies waiting for me.</p>
<p>At first I thought that my email address had possibly been spoofed. After all, most of the sites I write for include it as a way to contact me so I am sure it comes up quite often when people are mining the Internet for email addresses.</p>
<p>However, looking at a few of these messages, I noticed that the spam messages were being sent to every address that I had ever sent an email to, not just my contacts. What this said is that:</p>
<p>A) My email address had not been spoofed.</p>
<p>B) It wasn’t malware that was abusing my contact list. This was the result of my account credentials being compromised.</p>
<p>It may appear that the first step anyone should take in this situation is to change the password immediately. Not entirely true.</p>
<p>Most passwords are captured from a keystroke logger installed on your computer. If you go ahead and change your password, you are simply letting the attacker know what your new one is.</p>
<p>Instead, I went ahead and attempted to update all of my anti-malware definitions. Since I had just run a scan the day before, there was nothing to update. The next step was to run all of these scans again.</p>
<p>The three scans from Malwarebytes Anti-Malware, TDSSKiller Antirootkit utility and Ad-Aware all came up clean so I went ahead and changed the password on my account. Even after I changed the password, more delivery error messages came up but looking at the headers, these were delayed as the original message sent from my account occurred between 6:48 AM and 6:54 AM so everything looked clean.</p>
<h2>Digging deeper</h2>
<p>Once I was sure that everything was cleaned up, curiosity got the better of me and I decided to look a bit deeper into the emails that were being sent out from my address.</p>
<p>To make sure I didn’t infect my computer once again, I created a virtual machine and loaded it up with my three favorite anti-malware tools and ran a scan using each just to ensure the new “computer” was clean.</p>
<p>Then I clicked on the link just to see where it went. Of course, the link was spoofed and redirected to cretep.ru registered out of Russia advertising for an herbal Viagra clone, Viagrow. Of course, by their claims it had been featured in Men’s Health, Maxim, MSN, Esquire and other media outlets.</p>
<p>After closing out the site, I fired up all of the anti-malware software to see what really happened when I visited this site. The first scan found two installations of PUP.FunWebProducts and one installation of Adware.MyWebSearch.</p>
<p>Even as the so-called experts when it comes to email, we have to realize that as threats escalate in sophistication we too are vulnerable. Following the best practices and taking the proper measures to secure our email accounts certainly help, but there is no way that any of us can assume that our accounts are 100% safe.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>March of technology will make plugging email leaks tougher than ever</title>
		<link>http://www.theemailadmin.com/2011/12/email-leaks-tougher-than-ever/</link>
		<comments>http://www.theemailadmin.com/2011/12/email-leaks-tougher-than-ever/#comments</comments>
		<pubDate>Fri, 16 Dec 2011 14:00:32 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[gateways]]></category>
		<category><![CDATA[rights management]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5074</guid>
		<description><![CDATA[There&#8217;s an appealing logic to the notion that as technologies focused on a problem improve, the problem will diminish. That&#8217;s not always the case, however, and it may not be so when it comes to plugging email leaks. Technologies don&#8217;t develop in bubbles. While improvements in Data Loss Prevention (DLP) technology are advancing, so are [...]<p><a href="http://www.theemailadmin.com/2011/12/email-leaks-tougher-than-ever/">March of technology will make plugging email leaks tougher than ever</a><br/><br/>

</p>
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/12/shutterstock_84969370.jpg"><img class="size-medium wp-image-5097 alignright" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="email leaks" src="http://www.theemailadmin.com/wp-content/uploads/2011/12/shutterstock_84969370-300x243.jpg" alt="" width="240" height="194" /></a>There&#8217;s an appealing logic to the notion that as technologies focused on a problem improve, the problem will diminish. That&#8217;s not always the case, however, and it may not be so when it comes to plugging email leaks.</p>
<p>Technologies don&#8217;t develop in bubbles. While improvements in Data Loss Prevention (DLP) technology are advancing, so are other technologies, technologies and trends that can offset or undermine those improvements.<span id="more-5074"></span></p>
<blockquote><p>&#8220;You might think the constant progress of technology means more innovative DLP methods will be coming down the pike to prevent sensitive data from being leaked through email and other communications channels,&#8221; security expert Jim Rapoza wrote in a <a target="_blank" href="http://reports.informationweek.com/index/printasset/taxid/21/id/8614?ticket=ST-1207292-UVYFRulZsPy5fPeFKawf-login.techweb.com" onclick="pageTracker._trackPageview('/outgoing/reports.informationweek.com/index/printasset/taxid/21/id/8614?ticket=ST-1207292-UVYFRulZsPy5fPeFKawf-login.techweb.com&amp;referer=');">white paper</a> published recently by InformationWeek Reports. &#8220;But technology is advancing in ways that will make preventing data loss a much tougher task.&#8221;</p></blockquote>
<p>One trend that will make controlling data leaks through email harder than ever is the use of consumer technology in the workplace.</p>
<blockquote><p>&#8220;Many companies are increasingly dealing with the demands of employees (and upper management) who want to use their own devices for business tasks,&#8221; he wrote.</p>
<p>&#8220;This lets workers take advantage of the latest smartphones and tablets—systems that are likely generations newer than the company could provide—but also adds considerable management headaches, especially in terms of security,&#8221; he explained.</p></blockquote>
<p>Even for administrators who can persuade the brass in their organizations that consumer devices should be kept out of the workplace, enforcing that policy may be more trouble than it&#8217;s worth.</p>
<blockquote><p>&#8220;You can ban these devices from your company,&#8221; Rapoza wrote, &#8220;but chances are good that employees will use them anyway—which only increases the possibility of data leakage.&#8221;</p></blockquote>
<p>As Rapoza explained in his paper, there are a number of ways to control data loss through email, although they can be undermined by the introduction of consumer devices into the office.</p>
<p>For example, encryption can be used to ensure that only the sender and recipient of a message can read it. A drawback to encryption, though, is that a sender and recipient have to coordinate their efforts on a message. That can be cumbersome, although there are systems that automatically manage the exchange of encrypted email within an organization.</p>
<p>Rights management is another way to prevent leakage. It allows rules to be imposed on how a message can be shared, viewed or distributed. You can prohibit a message from being forwarded to someone or shut off &#8220;reply to all&#8221;. You could bar the message from being sent to an external email address, too. The problem is that rights management may not work on some personal devices brought into work by employees.</p>
<p>Email gateways are another means of staunching leakage. Since they analyze email traffic, consumer devices don&#8217;t pose a problem to them. Gateways can be set up to look for content—words, phrases, attachments—that flag errant emails. One drawback to gateways, though, is false positives, which can be annoying to both administrators and their flocks.</p>
<p>And for organizations that need the full metal jacket treatment to prevent leaks, there are full DLP systems, which combine encryption, rights management and gateways with network and storage policy management and next generation firewalls. That kind of protection is typically priced at six figures and is costly to maintain on an annual basis to boot.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/12/email-leaks-tougher-than-ever/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Google States What Needs To Be Said</title>
		<link>http://www.theemailadmin.com/2011/11/google-states-what-needs-to-be-said/</link>
		<comments>http://www.theemailadmin.com/2011/11/google-states-what-needs-to-be-said/#comments</comments>
		<pubDate>Wed, 30 Nov 2011 16:00:23 +0000</pubDate>
		<dc:creator>Casper Manes</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5009</guid>
		<description><![CDATA[How about a quick show of hands? How many of you, reading this, administer a corporate email system? Hmmm, looks like practically all of you, except for that guy in the back of the corner wearing the yellow t-shirt. Okay, not sure why you’re here, but I appreciate you reading nonetheless. Okay, next question. How [...]
]]></description>
			<content:encoded><![CDATA[
<p><span><span style="font-size: +1;"><span style="font-family: Calibri;"><a href="http://www.theemailadmin.com/wp-content/uploads/2011/11/largeNewGoogleLogoFinalFlat-a.png"><img class="size-medium wp-image-5026 alignright" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="Google-logo" src="http://www.theemailadmin.com/wp-content/uploads/2011/11/largeNewGoogleLogoFinalFlat-a-300x116.png" alt="" width="270" height="104" /></a>How about a quick show of hands? How many of you, reading this, administer a corporate email system? Hmmm, looks like practically all of you, except for that guy in the back of the corner wearing the yellow t-shirt. Okay, not sure why you’re here, but I appreciate you reading nonetheless. Okay, next question. How many of you have a password policy that makes you change your corporate  password every month, for example?</span></span></span></p>
<p><span style="font-size: 100%;"><span style="font-family: Calibri;">You hear that? That’s the sound of crickets chirping as practically each and every one of you tries to avoid eye contact with everyone else, because most of you probably haven’t changed the password to your personal email account since you first set it up. Now consider how many things are tied to that email account. Password resets for your bank accounts, your credit card accounts, your Facebook, Twitter, and blog accounts; personal email accounts are treasure troves of information for attackers. A compromised personal email account is the perfect information source for an ongoing attack against a user because so many other accounts can be compromised without the victim being aware. And the majority of users will not change their password unless a system prompts them to.</span></span></p>
<p><span style="font-size: 100%;"><span style="font-family: Calibri;"><span id="more-5009"></span>Which is why Google has started a campaign to get users of its popular Gmail service to start changing their passwords. A new banner will appear at the top of the Gmail web page on accounts with passwords that haven’t been changed in an unspecified, but likely long, time.</span></span></p>
<p style="text-align: center;"><a href="http://www.theemailadmin.com/wp-content/uploads/2011/11/Google.png"><img class="aligncenter size-full wp-image-5010" src="http://www.theemailadmin.com/wp-content/uploads/2011/11/Google.png" alt="" width="519" height="37" /></a></p>
<p><span style="font-size: 100%;"><span style="font-family: Calibri;">The link takes users to a page that offers advice for good password management, including:</span></span></p>
<ol>
<li><span style="font-family: Calibri;"><span style="font-size: 100%;">Using a unique password for each unique account.</span></span></li>
<li><span style="font-family: Calibri;"><span style="font-size: 100%;">Using a complex password.</span></span></li>
<li><span style="font-family: Calibri;"><span style="font-size: small;">Advice for creating a password that is difficult to guess.</span></span></li>
<li><span style="font-family: Calibri;"><span style="font-size: small;">Updating password recovery information, and</span></span></li>
<li><span style="font-family: Calibri;"><span style="font-size: small;">Tips for storing passwords when your memory just isn’t good enough.</span></span></li>
</ol>
<p><span style="font-size: small;"><span style="font-family: Calibri;">And after all, with dozens if not a hundred or more unique accounts, who can keep unique passwords for each and every account in their head?</span></span></p>
<p><span style="font-size: small;"><span style="font-family: Calibri;">Google has also led the industry by offering two-factor authentication to users at no charge, using SMS messages to their cell phones to provide the second factor, and offers it as an additional way to secure accounts on this same page. Whether you choose to take advantage of this or not, or even whether or not you use Gmail, changing your password for your personal email account is something that is probably long overdue.</span></span></p>
<p><span style="font-size: small;"><span style="font-family: Calibri;">They even included a pretty good, very short video that talks about how to create strong passwords. It lasts less than a minute, is easy for non-techies to follow, and is completely neutral. <a target="_blank" href="http://www.youtube.com/embed/0RCsHJfHL_4" onclick="pageTracker._trackPageview('/outgoing/www.youtube.com/embed/0RCsHJfHL_4?referer=');">Here is a link to that video</a>. </span></span><span style="font-size: small;"><span style="font-family: Calibri;">As soon as you have changed your password, write up a nice little blurb to include in your weekly security tips to your users, reminding them to change the password on their personal accounts too. Remember this bit of security advice my dentist taught me years ago: </span></span></p>
<blockquote><p><span style="font-size: small;"><span style="font-family: Calibri;">&#8220;passwords are like toothbrushes; you don’t want to share them with anyone, and you need to change them often.&#8221;</span></span></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/11/google-states-what-needs-to-be-said/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>5 Tips for Better Email Security</title>
		<link>http://www.theemailadmin.com/2011/11/5-tips-for-better-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/11/5-tips-for-better-email-security/#comments</comments>
		<pubDate>Wed, 23 Nov 2011 14:00:00 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[E-mail]]></category>
		<category><![CDATA[Internet security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Michelangelo]]></category>
		<category><![CDATA[Personal computer]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4968</guid>
		<description><![CDATA[Small and medium-sized businesses face many of the same threats that large companies do when it comes to their email systems. Some of the common problems that email administrators face are: Spam delivered via email Viruses and malware delivered via email Email messages that contain inappropriate content Information leaks. So in addition to steps taken [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/11/policy-review.jpg"><img class="alignright size-full wp-image-4969" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/11/policy-review.jpg" alt="" width="240" height="179" /></a>Small and medium-sized businesses face many of the same threats that large companies do when it comes to their email systems. Some of the common problems that email administrators face are:</p>
<ul>
<li>Spam delivered via email</li>
<li>Viruses and malware delivered via email</li>
<li>Email messages that contain inappropriate content</li>
<li>Information leaks.<span id="more-4968"></span></li>
</ul>
<p>So in addition to steps taken to secure the company’s network and desktops, a strategy to secure the organization’s email system is also a necessity.</p>
<p>Yet while small and medium-sized businesses face the same threats as their larger counterparts, they rarely have the same resources to fight back.</p>
<p>Of course the first step for any organization, regardless of size, is to make sure that they have a reliable spam filter in place.  More often than not, a content filter will be part of this solution as it makes finding illicit email messages much easier.</p>
<p>For some, this is where most email security strategies stop. For those who do put additional measures in place to help mitigate the threats facing email, now is a perfect time to review these policies to see if they effectively protect your email from attack.</p>
<h3>1. Review your archiving system</h3>
<p>One of the most commonly overlooked aspects of email security is the archiving system that stores email messages in the event that they need to be accessed at a later date.</p>
<p>Look over your current archiving (or backup and recovery) solutions and policies to make sure that they are consistent with industry and regulatory requirements. Also, ensure that they are in line with your company’s culture.</p>
<h3>2. Review malware protection</h3>
<p>Enterprise anti-malware solutions make definition and signature updates easy to maintain. If your company has a solution in place that pushes updates out to desktops, remote computers and mobile devices, then make sure everything is running the way it should be.</p>
<p>One thing that organizations fail to check for is newly added devices, especially mobile devices. Check to make sure that every computer that connects to your network and email is properly secured by your anti-malware solution.</p>
<p>It is also important that you, or someone in your organization, review any software or appliances in place to fight malware, spam and other attacks to see if they are still relevant. As threats evolve, it is important that the tools used to fight them are up to date as well.</p>
<h3>3. Review email policies for relevance</h3>
<p>At one time email was considered the biggest threat when it came to information leakage. With social media, mobile communication devices and instant messaging becoming more infused into business, it is important that the policies used to govern communication are relevant to the communication tools used in your organization.</p>
<p>Review policies with every department to see how communication tools are used and identify where they are vulnerable. Once this is determined, you can work with these tools to best secure them from the specific vulnerabilities they present.</p>
<h3>4. Update computer systems</h3>
<p>Making sure that your anti-malware and anti-spam tools are up-to-date is part of the solution, but not all of it. You still have to make sure that everything that connects to your network and runs your software is updated as well.</p>
<p>Desktop and laptop operating systems should be up-to-date and fully patched. The same should be said for your server operating systems.</p>
<p>Once these are current, make sure that a schedule and policy are put in place to keep your software current.</p>
<h3>5. Educate again</h3>
<p>Educating users is always part of an effective security strategy but, like everything else, training has an expiration date.</p>
<p>When was the last time your users were trained on how to identify and address email threats like spam, phishing scams or malware? Is the information they were provided with current or is it so outdated that you still reference the Michelangelo virus?</p>
<p>If you have made changes to any policies, or plan to after reading this, then your training needs to be updated to reflect them. While you are at it, you should also make sure that any other information you are passing along to your co-workers is relevant as well.</p>
<p>In any organization, there are too many variables for anyone to say that their email system is 100 percent secure. However, taking the time to eliminate as many possible vulnerabilities as you can will certainly bring the level of risk down significantly.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/11/5-tips-for-better-email-security/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Migration to Exchange 2010 becoming stampede</title>
		<link>http://www.theemailadmin.com/2011/11/migration-to-exchange-2010-becoming-a-stampede/</link>
		<comments>http://www.theemailadmin.com/2011/11/migration-to-exchange-2010-becoming-a-stampede/#comments</comments>
		<pubDate>Fri, 18 Nov 2011 14:00:15 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[email migration]]></category>
		<category><![CDATA[Exchange 2010]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4933</guid>
		<description><![CDATA[Microsoft Exchange 2010 was first introduced two years ago. While adoption was initially slow, despite Microsoft&#8217;s aggressive efforts to spur rapid adoption, it seems that companies are finally starting to see the benefits of the software and ready to migrate to it in a big way. According to a recent independent survey of some 500 [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/11/GFI154-migration.jpg"><img class="alignright size-medium wp-image-4947" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/11/GFI154-migration-292x300.jpg" alt="" width="292" height="300" /></a>Microsoft Exchange 2010 was first introduced two years ago. While adoption was initially slow, despite Microsoft&#8217;s aggressive efforts to spur rapid adoption, it seems that companies are finally starting to see the benefits of the software and are ready to migrate to it in a big way.</p>
<p>According to a recent independent survey of some 500 IT decision makers, more than three-quarters of them (77 percent) said they expected to migrate to Exchange 2010 or Office 365 in the next two years. If that happens, that means hundreds of thousands of businesses will be embracing the software in the next 24 months.<span id="more-4933"></span></p>
<p>There are many reasons why the migration to Exchange 2010 has become a stampede. Two of the top rationales are new features (57 percent), which include better support for mobile devices, and easier administration (50 percent). Also high on the list of migration motivators were security (49 percent), larger mailboxes (49 percent), improved storage options (48 percent), and improved web access (46 percent), <a target="_blank" href="http://www.mimecast.com/Microsites/Campaigns/Great-Migration/The-Great-Email-Migration-Research-Report/" onclick="pageTracker._trackPageview('/outgoing/www.mimecast.com/Microsites/Campaigns/Great-Migration/The-Great-Email-Migration-Research-Report/?referer=');">the survey said</a>.</p>
<p>Also, to some extent, companies&#8217; enthusiasm to migrate is being fired by a recognition of the increased role email is playing in business success. Not only does Exchange 2010 offer better handling of email while imposing less of a burden on harried IT personnel, but it can do it at a lower cost.</p>
<p>According to a recent report in The Independent, email is far more effective in converting eyeballs into cash than any other web medium. 25 percent of people who open an email in a sales campaign will be converted into a buyer, the publication reported. That&#8217;s far and away higher than conversions from clicking on links (10 percent) and website visitations (2 percent).</p>
<p>As important as email is to a successful business, it can be costly to store and archive, which must be done for compliance as well as business reasons. Companies that have clung to older versions of Exchange are finding that the storage options offered by Exchange 2010—most notably the ability to swap out expensive SAN architecture for low cost SATA drives—can save them barrels of money. For instance, storage and archiving costs for an Exchange 2003 deployment can be 40 percent higher compared to what they cost with Exchange 2010.</p>
<p>There are productivity costs associated with older Exchange deployments too, especially because they don&#8217;t have the robust support of Exchange 2010 for the web and mobile platforms, <a target="_blank" href="http://www.independent.co.uk/news/business/email-security-and-features-driving-huge-email-migration-to-exchange-6259862.html" onclick="pageTracker._trackPageview('/outgoing/www.independent.co.uk/news/business/email-security-and-features-driving-huge-email-migration-to-exchange-6259862.html?referer=');">The Independent reported</a>.</p>
<p>Another factor contributing to the step-up in Exchange 2010 adoption is its unique position as a bridge to the cloud. As the high-tech research firm Gartner has pointed out in the past,</p>
<blockquote><p>&#8220;Exchange 2010 represents both the beginning of the end of the premises-based email era, and the dawn of the cloud-based email era.&#8221;</p></blockquote>
<p>The strategy adopted by Microsoft for Exchange 2010 could pay off big for the company as it faces a growing number of competitors trying to capture a piece of its Exchange business.</p>
<blockquote><p>&#8220;With several low-cost competitors snapping at its heels,&#8221; <a target="_blank" href="http://www.informationweek.in/Software/10-01-14/Microsoft_Dangles_ROI_Bait_to_Push_Exchange_2010_Adoption.aspx" onclick="pageTracker._trackPageview('/outgoing/www.informationweek.in/Software/10-01-14/Microsoft_Dangles_ROI_Bait_to_Push_Exchange_2010_Adoption.aspx?referer=');">observed one technology commentator</a>, &#8220;Microsoft’s hybrid strategy is a win-win one as it allows the company to protect its customer base in the on-premise model—while simultaneously giving customers the choice to migrate to a new cloud-based model.&#8221;</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/11/migration-to-exchange-2010-becoming-a-stampede/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Why the iPhone should be the BYOD of choice for administrators</title>
		<link>http://www.theemailadmin.com/2011/11/why-the-iphone-should-be-the-byod-of-choice-for-administrators/</link>
		<comments>http://www.theemailadmin.com/2011/11/why-the-iphone-should-be-the-byod-of-choice-for-administrators/#comments</comments>
		<pubDate>Wed, 09 Nov 2011 14:00:58 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[iPhone]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4899</guid>
		<description><![CDATA[Organizations that want to see that their employees have the tools to get their jobs done often allow them to use their own devices to do it. While that policy can set the teeth of many administrators on edge, it&#8217;s fast becoming a fact of life in the workplace. One of the prime culprits behind [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/11/GFI153-iphone-4S-apps-600.jpg"><img class="alignright size-medium wp-image-4927" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/11/GFI153-iphone-4S-apps-600-300x200.jpg" alt="" width="300" height="200" /></a>Organizations that want to see that their employees have the tools to get their jobs done often allow them to use their own devices to do it. While that policy can set the teeth of many administrators on edge, it&#8217;s fast becoming a fact of life in the workplace.</p>
<p>One of the prime culprits behind the popularity of BYOD—Bring Your Own Device—is Apple&#8217;s iPhone. Not only did it become a favorite among the rank and file workers in many companies, but also among the top brass in many of them, too. That made it difficult for IT departments to keep the smartphones from invading their domains.<span id="more-4899"></span></p>
<p>Now all kinds of smartphones are slipping by the door, many of them ill-suited for a corporate environment. They can be insecure. They can also be a headache to support. The iPhone, though, while conceived as a consumer device, has an edge on its competitors in an enterprise environment. That&#8217;s why administrators should be in Apple&#8217;s corner when the BYOD wave breaks over their organizations.</p>
<p>Granted, Research In Motion&#8217;s Blackberry smartphones are among the most secure in the world, which is why they&#8217;re the favorites of law enforcement, military and intelligence agencies, but RIM hasn&#8217;t been able to keep up with the technology breakthroughs made by its competitors, like Apple and Google, so it has been losing its adherents even in corporate markets where it was a darling for many years. A recent outage where some <a target="_blank" href="http://articles.cnn.com/2011-10-12/tech/tech_mobile_blackberry-outage_1_blackberry-outage-blackberry-subscribers-blackberry-users?_s=PM:TECH" onclick="pageTracker._trackPageview('/outgoing/articles.cnn.com/2011-10-12/tech/tech_mobile_blackberry-outage_1_blackberry-outage-blackberry-subscribers-blackberry-users?_s=PM_TECH&amp;referer=');">customers lost Blackberry service</a> for up to three days hasn&#8217;t helped the platform&#8217;s image either.</p>
<p>One of the iPhone&#8217;s strongest suits is its robust support of Microsoft Exchange ActiveSync policies. In fact, outside of phones that run Windows Mobile, which are dwindling since Microsoft moved to its Windows Phone 7 platform, the iPhone supports more ActiveSync policies than any other mobile.</p>
<p>The iPhone ecosystem is also built to make recovering a phone&#8217;s contents, as well as moving its contents to a new phone, easy. Apple&#8217;s new iCloud service automatically backs up a phone&#8217;s apps and data to the cloud. In addition, iTunes, the software used to sync a phone with another computer, keeps a copy of a phone&#8217;s contents locally.</p>
<p>The iPhone&#8217;s support of ActiveSync contrasts starkly with that of Android smartphones, where VPN connections are hampered by the lack of support for PEAP-secured WiFi in versions 2.x and 3.x of the operating system. In addition, on-device encryption and complex passwords are unsupported by 2.x.</p>
<p>Some administrators, though, are less concerned about security with all these alien devices than with providing support for them. That&#8217;s where the iPhone can really shine. Its intuitive interface makes it not only easy for its operators to use, but for support people to troubleshoot.</p>
<p>A <a target="_blank" href="http://www.readwriteweb.com/enterprise/2011/08/clickfox-says-android-and-rim.php" onclick="pageTracker._trackPageview('/outgoing/www.readwriteweb.com/enterprise/2011/08/clickfox-says-android-and-rim.php?referer=');">study</a> released during the summer, for instance, showed that it costs, on average, $4 more per person to support an Android or Blackberry user than it costs to support an iPhone operator. One of the biggest factors contributing to those increased costs was support call referrals.</p>
<p>Support organizations are usually organized into levels. If one level can&#8217;t solve a caller&#8217;s problem, it&#8217;s booted to another level staffed with more expertise. What the study found was that 37 percent of Blackberry support calls had to be referred to another agent. For Android calls, it was far worse: 77 percent.</p>
<p>So administrators, when BYOD starts invading your bailiwick, you may want to become a cheerleader for the iPhone, not only because it&#8217;s more secure, but also because it&#8217;s a lot easier to support.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/11/why-the-iphone-should-be-the-byod-of-choice-for-administrators/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Lessons Email Administrators Can Learn from &#039;Hollywood Hacker&#039; Bust</title>
		<link>http://www.theemailadmin.com/2011/11/lessons-email-administrators-can-learn-from-hollywood-hacker-bust/</link>
		<comments>http://www.theemailadmin.com/2011/11/lessons-email-administrators-can-learn-from-hollywood-hacker-bust/#comments</comments>
		<pubDate>Fri, 04 Nov 2011 14:00:04 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[law enforcement]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4843</guid>
		<description><![CDATA[Most email administrators don&#8217;t have celebrities like Scarlett Johansson on their networks, but that doesn&#8217;t mean they don&#8217;t host some pretty juicy targets for cyber robbers. Hollywood hotties can grab headlines for a hacker, but anyone in a corporation&#8217;s chain of command whose identity can be compromised and exploited to filch trade secrets, bank account [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI152-chart-large-300.jpg"><img class="alignright size-full wp-image-4875" style="border-width: 0px;border-color: black;border-style: solid;margin: 10px" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI152-chart-large-300.jpg" alt="" width="300" height="232" /></a>Most email administrators don&#8217;t have celebrities like Scarlett Johansson on their networks, but that doesn&#8217;t mean they don&#8217;t host some pretty juicy targets for cyber robbers.</p>
<p>Hollywood hotties can grab headlines for a hacker, but anyone in a corporation&#8217;s chain of command whose identity can be compromised and exploited to filch trade secrets, bank account numbers, and the like, is just as worthy a target for crackers, if not more so. After all, exposing some embarrassing pix about a starlet may earn a hacker some fame, but cajoling bank account credentials from a &#8220;suit&#8221; can earn him a fortune.<span id="more-4843"></span></p>
<p>While an Internet invader attacking a corporate network hunts different quarry than one focused on entertainers, their trade craft works in both realms. That was apparent in a presentation made by the Assistant Director in Charge of the FBI&#8217;s Los Angeles Field Office when he announced the capture of the infamous &#8220;Hollywood Hacker&#8221; earlier this month.</p>
<p>The <a target="_blank" href="http://www.fbi.gov/losangeles/press-releases/2011/florida-man-arrested-in-operation-hackerazzi-for-targeting-celebrities-with-computer-intrusion-wiretapping-and-identity-theft" onclick="pageTracker._trackPageview('/outgoing/www.fbi.gov/losangeles/press-releases/2011/florida-man-arrested-in-operation-hackerazzi-for-targeting-celebrities-with-computer-intrusion-wiretapping-and-identity-theft?referer=');">alleged hacker</a>, Christopher Chaney, 35, of Jacksonville, Fla., used a brew of online searching, social engineering and account manipulation to break into the email accounts of Scarlett Johansson and Christina Aguilera and post information from them, including nude pictures of Johansson, on the Internet.</p>
<p>In his presentation to reporters, U.S. Attorney Steven Martinez displayed a chart titled <a target="_blank" href="http://www.scribd.com/doc/70705226/Operation-Hackerazzi" onclick="pageTracker._trackPageview('/outgoing/www.scribd.com/doc/70705226/Operation-Hackerazzi?referer=');">&#8220;Operation Hackerazzi: Anatomy of a Hack&#8221;</a> that broke down the steps used by Chaney to crack the accounts of more than 50 victims.</p>
<p>The hacker started his campaign by gathering information about his prey from online public sources. Although the government didn&#8217;t identify those sources, they are, no doubt, the same sources any miscreant would consult to obtain that kind of info on someone in any organization—Facebook, LinkedIn and online forums.</p>
<p>Using the information garnered from the Internet, the hacker then breached his target&#8217;s email account. Again, the government was stingy with details, but the information was probably used to craft a social engineering pitch—some kind of persuasive phishing message, for example—or a direct attack on an account, using the information to guess the subject&#8217;s password.</p>
<p>Once an account was breached, the hacker locked out the account&#8217;s owner by changing their password. That gave the hacker unfettered control of the account for a short period of time. During that time, he could communicate with the contacts in the target&#8217;s address book without the account holder knowing about it. He could also mine the target&#8217;s files for nuggets of information. In Chaney&#8217;s case those nuggets were risqué personal pics of celebrities, but in corporate environments, it would be contracts, strategy memos, new product specs, and the like.</p>
<p>After discovering that their passwords no longer worked, targets reset them. Did the temporary lockout set off any alarms in their minds? Maybe, but most likely they just considered it a computer glitch and went on their merry way, until the material clipped from their accounts started appearing on the Internet.</p>
<p>What&#8217;s more, the hacker planned for the inevitable repossession of the account by its owner. He accessed the account settings while in possession of it and modified them so all email was forwarded to one of his email accounts. In that way, he could still monitor what was happening in the account.</p>
<p>Meanwhile, the hacker took the contact information stolen from the account to harvest new targets.</p>
<p>What lessons can you learn from the &#8220;Hollywood Hacker?&#8221; Here are a few:</p>
<ul>
<li>Create secure passwords and don&#8217;t share them with anyone no matter how persuasive their reasons may be for knowing them.</li>
<li>Create secure challenge questions—ones with answers that can&#8217;t be discovered on the public Internet.</li>
<li>Do not use the same password for multiple accounts because discovering one can tip over all your accounts like a house of cards.</li>
<li>Periodically check your mail account settings and sent mail items for suspicious activity.</li>
<li>Don&#8217;t store sensitive information on a smartphone or computer unless it&#8217;s encrypted.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/11/lessons-email-administrators-can-learn-from-hollywood-hacker-bust/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>iPhone&#039;s Siri could pose threat to email security</title>
		<link>http://www.theemailadmin.com/2011/10/iphones-siri-could-pose-threat-to-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/10/iphones-siri-could-pose-threat-to-email-security/#comments</comments>
		<pubDate>Thu, 27 Oct 2011 14:00:55 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[Siri]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4813</guid>
		<description><![CDATA[Whenever a new cool technology is introduced into a consumer smartphone, for every &#8220;wow&#8221; it sparks from an early adopter, an &#8220;ouch&#8221; is elicited from a system administrator. That appears to be the case with Siri, the &#8220;personal assistant&#8221; in the latest model of Apple&#8217;s iPhone, the 4S. The 4S was introduced on October 5 [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI151-art_photo-siri-200x0.jpg"><img class="alignright size-full wp-image-4831" style="border: 0px solid black; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI151-art_photo-siri-200x0.jpg" alt="" width="200" height="300" /></a>Whenever a new cool technology is introduced into a consumer smartphone, for every &#8220;wow&#8221; it sparks from an early adopter, an &#8220;ouch&#8221; is elicited from a system administrator. That appears to be the case with Siri, the &#8220;personal assistant&#8221; in the latest model of Apple&#8217;s iPhone, the 4S.</p>
<p>The 4S was <a target="_blank" href="http://www.ign.com/articles/2011/10/04/apple-introduces-iphone-4s" onclick="pageTracker._trackPageview('/outgoing/www.ign.com/articles/2011/10/04/apple-introduces-iphone-4s?referer=');">introduced on October 5</a> and has proven to be extremely popular, with four million units sold during the first weekend it was available to consumers. Some of those consumers, however, are going to find that their shiny new toys are going to be <em>mobilis non gratus</em> when they try to connect them to their corporate networks. That&#8217;s because some organizations consider the smartphones a security risk.</p>
<p>At the root of the problem is Siri. It allows you to use your voice to issue commands and posit queries to the phone. For instance, you can say, &#8220;Where can I eat pizza around here?&#8221; And Siri will respond with a map with nearby pizza joints tagged on it. Or, without any training, you can ask it to call someone from your address book while you&#8217;re driving your car so you don&#8217;t have to touch the phone.<span id="more-4813"></span></p>
<p>Sounds cool, doesn&#8217;t it? It&#8217;s so cool that Apple couldn&#8217;t resist turning the feature on by default. So when you take the 4S out of the box, Siri is on when you power up the mobile. What&#8217;s worse—and the real rub for administrators—is that Siri continues working even when the phone is locked with a password.</p>
<p>Ordinarily, when an iPhone is password protected, when you turn the phone on, a lock out screen appears. To get past that screen, you need to enter your password. With Siri activated, though, the lock out screen appears, but you can still give the phone voice commands. You can send email and text messages. You can access the phone&#8217;s address book and calendar. And you can make phone calls.</p>
<p>The only thing you can&#8217;t do is search the Net. Try to do that and Siri&#8217;s female voice will inform you that she will not ferret the Web when the phone is locked.</p>
<p>While Apple wasn&#8217;t about to disable a shining achievement like Siri from an out-of-the-box 4S, doing so is pretty easy. You drill down through Settings &gt; General &gt; Passcode Lock and turn off &#8220;allow access to Siri when locked with a passcode.&#8221; That, though, reduces the utility of the phone, since part of Siri&#8217;s value is that it allows you to perform functions with the phone without touching it. If you have to type in a passcode, you&#8217;ll definitely have to touch it.</p>
<p>However, the fact that Siri can be turned off is irrelevant to administrators. That&#8217;s because they need to compel devices that connect to their networks to be password protected. If a phone full of corporate secrets is lost or stolen, they don’t want to be wondering if it was password protected or not.</p>
<p>That&#8217;s not the case with the iPhone 4S. An administrator can never know when or if Siri&#8217;s passcode override has been turned off by a user. The possibility will always be lurking that Siri will be used to compromise an errant phone. Until administrators can access a phone&#8217;s Siri settings, the way they can access passcode settings through the Microsoft Exchange interface Apple supplies with its iPhones, the 4S will remain a pariah in many security-conscious organizations.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/iphones-siri-could-pose-threat-to-email-security/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>What spam is in your inbox? Microsoft breaks it down.</title>
		<link>http://www.theemailadmin.com/2011/10/what-spam-is-in-your-inbox-microsoft-breaks-it-down/</link>
		<comments>http://www.theemailadmin.com/2011/10/what-spam-is-in-your-inbox-microsoft-breaks-it-down/#comments</comments>
		<pubDate>Thu, 20 Oct 2011 14:00:37 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[FOPE]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4772</guid>
		<description><![CDATA[Have you checked the spam flowing into your organization lately? Microsoft has, and it has reported its findings in its Security Intelligence Report for the first half of this year. The report, which is based on data collected from 600 million computers worldwide, noted that pharmacy spam remains a favorite of junk emailers. An analysis of [...]
]]></description>
			<content:encoded><![CDATA[
<p><a target="_blank" href="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI150-MS-cover-small.jpg"><img class="alignright size-full wp-image-4784" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI150-MS-cover-small.jpg" alt="" width="210" height="270" /></a>Have you checked the spam flowing into your organization lately? Microsoft has, and it has reported its findings in its <a href="http://www.microsoft.com/security/sir/default.aspx" onclick="pageTracker._trackPageview('/outgoing/www.microsoft.com/security/sir/default.aspx?referer=');">Security Intelligence Report</a> for the first half of this year.</p>
<p>The report, which is based on data collected from 600 million computers worldwide, noted that pharmacy spam remains a favorite of junk emailers. An analysis of telemetry data from Microsoft customers who process tens of billions of messages a month using the company&#8217;s Forefront Online Protection for Exchange (FOPE) shows that 28 percent of all spam is non-sexual pharmacy junk. By comparison, sexual pharma spam is at the low end of the spectrum at 3.1 percent.</p>
<p>Behind pharma junk are non-pharmacy product ads (17.2 percent), 419 or &#8220;Nigerian&#8221; scams (13.2 percent), financial services (8.9 percent) and gambling (6.1 percent).<span id="more-4772"></span></p>
<p>In the past, the report noted, some spammers tried to evade content filters by sending messages composed entirely of one or more images. This tactic appears to be losing favor among junko artists, as only 3.1 percent of the spam blocked by FOPE during the first half of the year was image spam, compared to 8.7 percent in 2010.</p>
<p>Microsoft researchers also found fewer &#8220;spikes&#8221; in spam activity during the period than in the past. Typically, volumes for a spam category spike as junksters mount short-lived, large-scale campaigns for it. Month to month volume changes were much more gradual during the first half of 2011, they discovered, except in one category: fraudulent university diplomas. That&#8217;s usually a very low volume type of spam, but in February it spiked to four percent of all spam. A similar spike occurred around the same time in 2010.</p>
<p>While the kind of junk spammers are flinging at organizations remains similar to the past, the amount of it has decreased significantly, according to Microsoft. From July 2010 to May 2011, the amount of spam blocked by FOPE plummeted from 89.2 billion to 21.9 billion messages. Microsoft attributed the volume declines to two botnet takedowns: Cutwail, in August 2010, and Rustock, in March 2011. &#8220;The magnitude of this decrease suggests that coordinated takedown efforts such as the ones directed at Cutwail and Rustock can have a positive effect on improving the health of the email ecosystem&#8221;, its report said.</p>
<p>FOPE is stopping most spam at the perimeter of the organizations using it, the report noted, which frees up resources that would be consumed by more-intensive anti-spam methods. From 85 to 95 percent of incoming messages are blocked at the network edge each month, while the remaining five to 15 percent must have content-based rules applied to them. However, over the last year, the report showed the amount of edge-blocked spam steadily declining, from 95 percent in July 2010 to around 85 percent in June 2011.</p>
<p>Much of the world&#8217;s spam is delivered through botnets, networks of compromised computers that respond to spammers&#8217; commands remotely. During the first half of the year, Microsoft researchers found some interesting jockeying for position among the nations hosting spambot IP addresses.</p>
<p>While India remained at the top of the heap, with around 11 percent of all spambot IP addresses, and Russia remained strong with around a 7.7 percent share, some newcomers broke into the top five ranks from the first to second quarter of the year. Korea, for instance, went from a 2.9 percent share to 8.4 percent to claim second place. Meanwhile, Vietnam jumped from four percent to 7.3 percent and Indonesia increased from 2.4 percent to 5.6 percent.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/what-spam-is-in-your-inbox-microsoft-breaks-it-down/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Email Security Best Practices from Microsoft</title>
		<link>http://www.theemailadmin.com/2011/10/email-security-best-practices-from-microsoft/</link>
		<comments>http://www.theemailadmin.com/2011/10/email-security-best-practices-from-microsoft/#comments</comments>
		<pubDate>Tue, 18 Oct 2011 14:00:21 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Microsoft Security Intelligence Report]]></category>
		<category><![CDATA[outlook]]></category>
		<category><![CDATA[Outlook Express]]></category>
		<category><![CDATA[Simple Mail Transfer Protocol]]></category>
		<category><![CDATA[Southern Poverty Law Center]]></category>
		<category><![CDATA[Zero-day attack]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4781</guid>
		<description><![CDATA[Over the years, Microsoft has taken its lumps when it comes to security; however, as a company, they have taken some pretty impressive strides to make sure that their products are more secure. However, their security efforts have not been limited to just their products. They have launched several educational campaigns aimed at helping users [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/10/microsoft-black.jpg"><img class="alignright size-full wp-image-4782" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/microsoft-black.jpg" alt="" width="200" height="153" /></a>Over the years, Microsoft has taken its lumps when it comes to security; however, as a company, they have taken some pretty impressive strides to make sure that their products are more secure.</p>
<p>However, their security efforts have not been limited to just their products. They have launched several educational campaigns aimed at helping users better secure their computers and networks.<span id="more-4781"></span></p>
<p>These efforts can be seen in Microsoft’s latest report, the Microsoft Security Intelligence Report, and its corresponding website.</p>
<p>This project was set up to provide businesses and consumers with hard data concerning security risks and best practices from Microsoft themselves on how to mitigate the various risks.</p>
<p>Being the producer of the most popular email client software packages &#8211; Outlook, Hotmail, Outlook Express and Windows Live Mail &#8211; they have a definite interest when it comes to helping users guard against email threats.</p>
<p>Spam, according to Microsoft:</p>
<ul>
<li>Wastes resources</li>
<li>Distracts recipients</li>
<li>Puts assets at risk for greater security problems</li>
<li>Provides an avenue for social and criminal hacking attempts</li>
<li>Provides an avenue for phishing scams against users</li>
</ul>
<p>While stopping these issues definitely is a concern for Microsoft internally, educating their customers on how to eliminate the problems associated with spam will certainly help them sell more products to people looking for the most secure product on the market.</p>
<h2>A Look Inside Microsoft</h2>
<p>According to their website, Microsoft filters between five and ten million email messages every day that contain malware and/or spam. On a daily basis, they see threats that include spyware, worms, attacks from botnets and polymorphic viruses attacking their email messaging systems. Each day more than 100 different types of executable files are removed from incoming messages sent to Microsoft employees.</p>
<p>So we can safely say that as an organization, there is little that they haven’t seen when it comes to protecting email systems.</p>
<p>To best fight the many different threats facing email, all inbound email to Microsoft must pass a three-tiered process that includes anti-malware scanning, file removal and spam filtering.</p>
<p>The importance of this approach is simple. Stop threats before they reach the user.</p>
<p>Incorporating an anti-malware scan into messaging systems helps protect the integrity of your systems because threats can be stopped before a user has the opportunity to allow infected files to compromise a computer or network.</p>
<p>Likewise, a file removal process prevents malicious executables sent via email attachment from ever having the chance to launch. Followed with adequate spam filtering, this process reduces the need for organizations to rely solely on a desktop-based security solution or a network firewall, neither of which provides comprehensive protection on its own.</p>
<p>These strategies seem like common sense steps that we would hardly need to rely on Microsoft to provide. However, many organizations neglect to incorporate these simple strategies into their planning.</p>
<h2>Other Ideas from Redmond</h2>
<p>Keeping systems protected cannot be done by simply scanning incoming messages for threats. Other steps need to be taken. The best practices that Microsoft recommends to organizations are as follows:</p>
<ul>
<li>Provide email submission services on port 587.</li>
<li>Require SMTP authentication for email submissions.</li>
<li>Abstain from interfering with connectivity to port 587.</li>
<li>Configure email client software to use port 587 and authentication for email submission.</li>
<li>Block access to port 25 from all hosts on your network other than those you explicitly authorize to perform SMTP relay functions.</li>
<li>Monitor outbound email traffic patterns and look for deviations from normal behavior, such as abnormally large bursts of email traffic.</li>
<li>Disable computers or individual email accounts that have been compromised and are being used to send out spam.</li>
<li>When possible, process abuse complaints from third parties for email that originated from your mail servers. These complaints often point the way to a compromised computer.</li>
</ul>
<p>As email administrators, we tend to look to hardware and software solutions to keep things running smoothly and securely. However, protecting systems and users from threats is ultimately our responsibility. Knowing the best way to do so is part of the job description.</p>
<p>Turning to experts for advice when it comes to security does not mean we are unable to do things on our own; it means we are wise enough to use what works and smart enough to know where to look.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/email-security-best-practices-from-microsoft/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Junk mail law contributes to expansion of &#039;Snowshoe Spam&#039;</title>
		<link>http://www.theemailadmin.com/2011/10/junk-mail-law-contributes-to-expansion-of-snowshoe-spam/</link>
		<comments>http://www.theemailadmin.com/2011/10/junk-mail-law-contributes-to-expansion-of-snowshoe-spam/#comments</comments>
		<pubDate>Thu, 13 Oct 2011 14:00:08 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[CAN SPAM]]></category>
		<category><![CDATA[snowshoe spam]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4731</guid>
		<description><![CDATA[When the U.S. CAN SPAM Act was passed eight years ago, critics of the measure doubted it would put a dent in the flow of Internet junk mail. They were right, but few would have predicted that many spammers would use the law as a subterfuge for their pesky activities. They do that with &#8220;snowshoe [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI149-snowshoes.jpg"><img class="alignright size-full wp-image-4754" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI149-snowshoes.jpg" alt="" width="300" height="304" /></a>When the U.S. CAN SPAM Act was passed eight years ago, critics of the measure doubted it would put a dent in the flow of Internet junk mail. They were right, but few would have predicted that many spammers would use the law as a subterfuge for their pesky activities. They do that with &#8220;snowshoe spam.&#8221;</p>
<p>It&#8217;s called that because it exploits the principle used by snowshoes to prevent their wearer from sinking into deep snow. They do that by distributing a walker&#8217;s weight over a larger area of snow. Snowshoe spam keeps junk e-mail from being sunk by a system&#8217;s spam defenses by spreading the spew across multiple IP addresses.</p>
<p>That can be particularly effective against an email system&#8217;s volume filters. Those filters monitor the origin of email. If a large volume of email with the same content is coming from an IP address, those filters will start blocking the email and treat it as spam. By using multiple IP addresses, spammers can keep the volume on any single IP address low enough to stay under the thresholds used by the volume filters.<span id="more-4731"></span></p>
<p>Another distinctive feature of snowshoe spam is that it&#8217;s designed to appear to conform to CAN SPAM, the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003. That act requires email marketers to include an unsubscribe mechanism and a postal address in their solicitations. It also bars the use of forged headers and requires messages to be sent from a marketer&#8217;s own network.</p>
<p>Spammers have found it easy to &#8220;game&#8221; the law, however. They include unsubscribe links, as the law prescribes. Some, though, have the links lead to virtual dead letter boxes on the Internet where they can be ignored. Most honor the links, however, because they know very few people will use them. That&#8217;s because most organizations advise their employees not to respond to such links. Doing so, they warn, verifies an email address to a spammer, making it more valuable to them.</p>
<p>They include postal addresses in their spam, too. Those are usually post office boxes, which allow the spammers to preserve their anonymity.</p>
<p>They meet the other requirements in the law by registering hundreds or thousands of static domains. That gives their messages true headers but the domains can be easily disposed of. They also lease hundreds of IP addresses to meet the &#8220;own your network&#8221; requirement. That also allows them to move from one range of IP addresses to another should a range be blocked by spamfighters.</p>
<p>Unlike illegal spammers, who distribute malware and peddle black market prescription drugs with their junk mail, snowshoe spammers tend to make their money from affiliate programs where they&#8217;re paid on a pay per click or pay per action basis.</p>
<p>In recent months, some large illegal spam operations have been taken down by law enforcement authorities. Earlier this year, for example, Microsoft and U.S. Marshals took down the <a target="_blank" href="http://news.cnet.com/8301-10805_3-20109864-75/microsoft-hands-rustock-botnet-case-over-to-fbi/" onclick="pageTracker._trackPageview('/outgoing/news.cnet.com/8301-10805_3-20109864-75/microsoft-hands-rustock-botnet-case-over-to-fbi/?referer=');">Rustock network</a>, which at the height of its operation infected 1.6 million computers worldwide and gorged the Net with 30 billion spam messages a day. And in April, the FBI began dismantling the <a target="_blank" href="http://www.computerworld.com/s/article/9215801/DOJ_gets_court_permission_to_attack_botnet" onclick="pageTracker._trackPageview('/outgoing/www.computerworld.com/s/article/9215801/DOJ_gets_court_permission_to_attack_botnet?referer=');">Coreflood</a> botnet, which had infected 2.3 million PCs.</p>
<p>While those high visibility raids appear to have an impact on worldwide spam levels—cbl.abuseat.org <a target="_blank" href="http://cbl.abuseat.org/totalflow.html" onclick="pageTracker._trackPageview('/outgoing/cbl.abuseat.org/totalflow.html?referer=');">reports</a> that spam volumes have dropped from 2800 messages per second in October 2010 to 800 a second in September 2011—snowshoe spam levels continue to climb and will continue to do so until CAN SPAM is amended to address the problem.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/junk-mail-law-contributes-to-expansion-of-snowshoe-spam/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Novell Patches Critical Issue in Groupwise</title>
		<link>http://www.theemailadmin.com/2011/10/novell-patches-critical-issue-in-groupwise/</link>
		<comments>http://www.theemailadmin.com/2011/10/novell-patches-critical-issue-in-groupwise/#comments</comments>
		<pubDate>Fri, 07 Oct 2011 14:00:58 +0000</pubDate>
		<dc:creator>Casper Manes</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4704</guid>
		<description><![CDATA[Administrators of Novell’s flagship messaging and collaboration product Groupwise should move quickly to apply the latest security patch from Novell, which addresses multiple vulnerabilities that could lead to code execution. The Groupwise Internet Agent (GWIA) is responsible for all SMTP connections with external mail systems, and it was discovered recently that this agent has three [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/10/groupwise-logo.jpg"><img class="alignright size-full wp-image-4706" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/groupwise-logo.jpg" alt="" width="102" height="102" /></a>Administrators of Novell’s flagship messaging and collaboration product Groupwise should move quickly to apply the latest security patch from Novell, which addresses multiple vulnerabilities that could lead to code execution.</p>
<p>The Groupwise Internet Agent (GWIA) is responsible for all SMTP connections with external mail systems, and it was discovered recently that this agent has three distinct memory corruption issues that can be exploited when the GWIA parses rule variables in weekday, weekly, and yearly vcalendar messages.</p>
<p><span id="more-4704"></span>There is currently no known exploit in the wild for any of these three vulnerabilities, but the first one was assigned a CVE last year, and the other two just last month. <a target="_blank" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4325" onclick="pageTracker._trackPageview('/outgoing/cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4325&amp;referer=');">CVE-2010-4325</a> contains more information on the Weekday RRULE vulnerability, while <a target="_blank" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2662" onclick="pageTracker._trackPageview('/outgoing/cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2662&amp;referer=');">CVE-2011-2662</a> and <a target="_blank" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2663" onclick="pageTracker._trackPageview('/outgoing/cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2663&amp;referer=');">CVE-2011-2663</a> are reserved and awaiting updates. Novell has released three security advisories around these issues:</p>
<p><a target="_blank" href="http://www.novell.com/support/viewContent.do?externalId=7009212" onclick="pageTracker._trackPageview('/outgoing/www.novell.com/support/viewContent.do?externalId=7009212&amp;referer=');">Security Vulnerability &#8211; GroupWise 8 Internet Agent Weekday RRULE (VCALENDAR) Vulnerability</a></p>
<p><a target="_blank" href="http://www.novell.com/support/viewContent.do?externalId=7009215" onclick="pageTracker._trackPageview('/outgoing/www.novell.com/support/viewContent.do?externalId=7009215&amp;referer=');">Security Vulnerability &#8211; GroupWise 8 Internet Agent Weekly RRULE (VCALENDAR) Vulnerability</a></p>
<p><a target="_blank" href="http://www.novell.com/support/viewContent.do?externalId=7009216" onclick="pageTracker._trackPageview('/outgoing/www.novell.com/support/viewContent.do?externalId=7009216&amp;referer=');">Security Vulnerability &#8211; GroupWise 8 Internet Agent Yearly RRULE (VCALENDAR) Vulnerability</a></p>
<p>Novell has also released <a target="_blank" href="http://download.novell.com/Download?buildid=gBjwGIdt77s~" onclick="pageTracker._trackPageview('/outgoing/download.novell.com/Download?buildid=gBjwGIdt77s&amp;referer=');">Hot Patch 3</a>, which addresses all three of the vulnerabilities. If you are running that already, your server is not vulnerable to any of the three vulnerabilities. If you are not, you should test HP3 in your environment as soon as possible and deploy it to your systems. Systems running earlier versions of Groupwise are also vulnerable, but no patch will be released for these unsupported platforms.</p>
<p>Researchers determined that successfully exploiting any of the three vulnerabilities could result in the server executing arbitrary code with system level privileges. Even a failed exploit could lead to a denial of service condition that would require the server to be rebooted. Anyone external to the system can launch the attack by sending a maliciously formatted iCal calendar file to a user of the system.</p>
<p>Sebastien Renaud of VUPEN Security is credited with discovering one, while the other two are credited only to an anonymous researcher at Verisign’s iDefense Labs and an anonymous researcher at TippingPoint’s Zero Day Initiative.</p>
<p>While my posts tend to focus more on Microsoft Exchange than any other email platform, and I’m sure most of us are in the habit of checking our email early on patch Tuesday every month for the latest security patches from Microsoft, it is crucial that we do not overlook other vendors’ software that is sitting on our network. Whether we are using a third party application that runs on Windows, a distro of Linux, or network hardware, we as admins must pay attention to the security bulletins that come out from our vendors, and stay on top of necessary security patches. If you do not already have a patch management program in place, take a look at these three blog posts on patching:</p>
<ol>
<li><a target="_blank" href="http://www.gfi.com/blog/patch-management-policy/" onclick="pageTracker._trackPageview('/outgoing/www.gfi.com/blog/patch-management-policy/?referer=');">What should be included in your patch management policy?</a></li>
<li><a target="_blank" href="http://www.lovemytool.com/blog/2010/06/a-patch-management-strategy-for-your-network-by-ed-fisher-.html" onclick="pageTracker._trackPageview('/outgoing/www.lovemytool.com/blog/2010/06/a-patch-management-strategy-for-your-network-by-ed-fisher-.html?referer=');">A Patch Management Strategy for Your Network</a></li>
<li><a target="_blank" href="http://www.gfi.com/blog/6-tips-successful-patching-process/" onclick="pageTracker._trackPageview('/outgoing/www.gfi.com/blog/6-tips-successful-patching-process/?referer=');">6 Tips for a Successful Patching Process</a></li>
</ol>
<p>and then consider a good patch management application for your network. Look for one that can address not just the operating system, but also the applications that run on your network, and that can scan for network hardware firmware as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/novell-patches-critical-issue-in-groupwise/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Email Authentication More Important Than Ever</title>
		<link>http://www.theemailadmin.com/2011/10/email-authentication-more-important-than-ever/</link>
		<comments>http://www.theemailadmin.com/2011/10/email-authentication-more-important-than-ever/#comments</comments>
		<pubDate>Thu, 06 Oct 2011 14:00:44 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[David Vladeck]]></category>
		<category><![CDATA[DKIM]]></category>
		<category><![CDATA[Domain name]]></category>
		<category><![CDATA[Domain Name System]]></category>
		<category><![CDATA[DomainKeys Identified Mail]]></category>
		<category><![CDATA[email spoofing]]></category>
		<category><![CDATA[IP address]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Sender ID]]></category>
		<category><![CDATA[sender policy framework]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4709</guid>
		<description><![CDATA[Every year, the Online Trust Alliance publishes its Online Safety Honor Roll and Scorecard to measure the adoption of security measures across the Internet. Basically, it is a report card measuring the steps public and private companies, as well as government agencies, are taking towards cyber security. This year email made some promising gains [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/10/email-authentication.jpg"><img class="alignright size-full wp-image-4710" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/email-authentication.jpg" alt="" width="276" height="183" /></a>Every year, the Online Trust Alliance publishes its Online Safety Honor Roll and Scorecard to measure the adoption of security measures across the Internet.</p>
<p>Basically, it is a report card measuring the steps public and private companies, as well as government agencies, are taking towards cyber security.</p>
<p>This year email made some promising gains when it comes to authentication.<span id="more-4709"></span></p>
<blockquote><p>“Domain level email authentication is a potent weapon in the fight against spam and phishing attacks.  But, for it to work, legitimate emailers must authenticate the messages they send and receiving domains must refuse delivery of unauthenticated messages,” according to David Vladeck, Director of the FTC’s Bureau of Consumer Protection.</p></blockquote>
<p>According to this year’s scorecard, more than 56 percent of all those surveyed are using either Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM). For the first time, email authentication has gone beyond 50 percent, showing a marked improvement when it comes to email security.</p>
<p>The report, which breaks down results by segment, shows that:</p>
<ul>
<li>Social media sites lead with 92 percent adopting email authentication</li>
<li>Internet retail coming in second with 84 percent adopting standards</li>
<li>FDIC banks just making the grade at 59 percent</li>
<li>Government agencies falling behind at 38 percent</li>
</ul>
<p>However, while government still lags behind the average, they did make an 18.8 percent increase from last year’s numbers &#8211; so they are getting better.</p>
<p>So if your organization is one of those lagging behind, there are a few things you can do when it comes to email authentication.</p>
<h2>Sender Policy Framework</h2>
<p>Sender Policy Framework is an IP based solution to prevent spammers and attackers from spoofing your email addresses. By publishing an SPF record in the Domain Name System (DNS) for your email domain, you let recipients check that email bearing your domain actually comes from your organization.</p>
<p>To set this up the email administrator needs to follow these steps:</p>
<ol>
<li>Inventory the IP addresses that send emails from your company. This needs to include remote workers, email service providers and third parties.</li>
<li>Once you have a collection of all the necessary IP addresses, you need to create the authentication records (DNS TXT records) for your organization using the Microsoft Sender ID Framework Wizard (<a target="_blank" href="http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard" onclick="pageTracker._trackPageview('/outgoing/www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard?referer=');">http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard</a>) or the SPF Record Wizard (<a target="_blank" href="http://www.openspf.org/" onclick="pageTracker._trackPageview('/outgoing/www.openspf.org/?referer=');">http://www.openspf.org</a>). These records are then published by your team.</li>
<li>Now using the tool from OpenSPF (<a target="_blank" href="http://www.openspf.org/why.html" onclick="pageTracker._trackPageview('/outgoing/www.openspf.org/why.html?referer=');">http://www.openspf.org/why.html</a>) your team needs to validate that the records published are error free.</li>
</ol>
<p>Once the records are published your email administrative team will need to maintain these records and make changes as necessary.</p>
<h2>DomainKeys Identified Mail</h2>
<p>DKIM, used in conjunction with SPF, is considered to be the best way to authenticate your email messages.</p>
<p>Essentially, when using DKIM, a certificate is created and added to a TXT record on a specific DNS server.</p>
<p>When the recipient receives the email, it verifies the signature in the DKIM header against the certificate that is on the DNS server of the signer’s domain, preventing it from being spoofed.</p>
<p>Unfortunately, setting up DKIM is not as simple as SPF, as it varies based on your infrastructure. Working with your email provider and IT department, you will be able to set up this complementary piece to the Sender Policy Framework. More information can be found at <a target="_blank" href="http://www.dkim.org/" onclick="pageTracker._trackPageview('/outgoing/www.dkim.org/?referer=');">http://www.dkim.org</a>.</p>
<p>Even though using DKIM and SPF together is considered one of the most effective ways to prevent spoofing and phishing attacks using your email addresses, it is not foolproof.</p>
<p>Whenever there is money to be made through illicit means, there will be people out there one step ahead of the game. This is certainly true when it comes to email.</p>
<p>In addition to employing solutions like those mentioned here, it is more important than ever for organizations to monitor their brand to make sure that nothing is being done to compromise the level of trust that customers, and constituents, have for them.</p>
<p>As email security measures grow increasingly complex, so do the attacks against these systems. Using trusted methods and professionals is the only way that security can stay out in front.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/email-authentication-more-important-than-ever/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>

