Understanding and Using Certificates in Exchange 2010 – Part One
Written by Casper Manes on April 12, 2012 – 4:00 pm -
Exchange 2010 makes extensive use of certificates to secure client communications. Whether you are using Outlook Anywhere, Outlook Web App, Exchange ActiveSync, or secure versions of SMTP, IMAP, and POP3, you are going to need a certificate to handle the encryption of your traffic. Since that’s how you protect your critical data from prying eyes and sniffing nodes, using a certificate is a key part of your Exchange implementation. Exchange 2010 will handle generating its own certificate when you install it, but unless you want to deal with constant client warnings about a certificate being untrusted, or even worse, training your users to ignore such warnings, you are going to want to use a commercial certificate from a public Certificate Authority. Before we go over how to get a certificate and install it, let’s review some encryption concepts and certificates at a very high level.
Email Address Spoofing – What You Need To Know
Written by Jeff Orloff on April 10, 2012 – 4:00 pm -
There are a number of calls that email administrators dread.
“My inbox is filled with spam!” means you are going to spend precious time tweaking your anti-spam filters to find out how spam is getting through.
“My password isn’t working!” could mean you have an irresponsible user or someone has compromised an email account and changed the password.
“My inbox is filled and I can’t send or receive emails!” means that someone isn’t managing their email too efficiently.
But when you are informed that an email account under your control is sending out spam, the worry factor kicks into high gear.
Your Email Password Could Be a Goldmine
Written by Jeff Orloff on April 3, 2012 – 4:00 pm -
Email accounts are frequently hacked, giving an attacker complete access to an individual’s account. It also gives them the opportunity to gain access to other accounts, because once a criminal has unrestricted access to a victim’s email account, he or she can request authentication credentials to any account they need.
Just ask some of the celebrities who recently found their accounts cracked by Christopher Chaney. Stars like Scarlett Johansson, Mila Kunis and Christina Aguilera found their email accounts compromised and private pictures of them leaked all over the Internet.
Sarah Palin also found her personal email account compromised. While her messages did not contain racy photos, the break-in did draw attention to the fact that she was conducting government business using her private account. David Kernell, the man found guilty in this case, also made information found in the private emails available to the public.
Default passwords pose security problems for many organizations
Written by John P Mello Jr on March 30, 2012 – 4:00 pm -
Much ado is made about people choosing poor passwords to protect sensitive information in their care. Just this week, for example, a company that could well serve as the poster child for password worst practices paid the U.S. Federal Trade Commission US$250,000 for its security sins.
The company, RockYou, exposed the personal information of about 32 million of its customers to hackers in 2009. A subsequent study of that information revealed that the passwords chosen by those customers were so weak, a brute force attack using a dictionary containing 5000 of the most commonly used passwords could crack 1000 accounts every 17 minutes.
However, administrators can be as careless as the members of their flocks when it comes to password practices. In its annual data breach report [PDF] released earlier this month, Verizon discovered that only 42 percent of the 855 companies contributing information for the study said they do not use vendor-supplied defaults for system passwords and other security parameters. That means 58 percent of the companies use passwords that are publicly available on the Internet.
Top Email Malware for March
Written by Jeff Orloff on March 29, 2012 – 4:00 pm -
One problem that email administrators face is keeping their users informed regarding all of the different types of spam, malware and phishing emails that could potentially cause larger issues for the organization’s infrastructure.
It’s not that educating users is always a difficult task; it is the fact that these scams change so frequently that it is hard to keep up with the different threats that pose as innocent, or even helpful, emails.
To help keep track of potential risks, here is a list of emails that made the rounds last month that were considered to be a substantial threat.
Declining volumes mean spam in transition
Written by John P Mello Jr on March 27, 2012 – 4:00 pm -
Here’s some good news for any administrator who has cursed spam under their breath: junk mailers appear to be on the run.
Spam volumes have been on the decline for about 18 months, according to a report released last week by IBM. Other spam watchers have estimated that spam flows have dropped from all-time highs of 225 billion messages a day to 25 billion.
That’s not to say that spam volumes haven’t declined before. What’s different about this decline, though, is that it seems to be sustained.
A major contributor to those declines, in IBM’s view, has been the takedowns of some large botnets during that period, most notably Microsoft and law enforcement’s seizure of the servers supporting the Rustock botnet and McColo network.
Data Protection Plans can curb data breaches
Written by John P Mello Jr on March 16, 2012 – 4:00 pm -
A study from the Ponemon Institute, a research firm located in Traverse City, Mich., revealed recently that nearly four-fifths (78 percent) of organizations have experienced a data breach that could be attributed to a malicious or negligent employee or insider.
An even more telling finding of the study [PDF] was that more than three-quarters (76 percent) of the 709 IT and IT security professionals participating in the survey acknowledged that their data was not protected (29 percent) or only partially protected (43 percent), or that they were unsure it was protected (four percent).
Researcher Cracks Video CAPTCHAS
Written by John P Mello Jr on March 9, 2012 – 4:00 pm -
Web-based email systems can be convenient to consumers, but they can be convenient to spammers, too. And if they’re convenient to spammers, they can be very inconvenient for an organization’s email system.
One way to deter spammers from compromising mass numbers of webmail accounts has been a device called a CAPTCHA — Completely Automated Public Turing-test to tell Computers and Humans Apart. These common puzzles present visitors to websites with a word composed of letters distressed in a number of ways.
The idea is to make the puzzles difficult to solve for automated systems used by spammers, but easy enough for humans to crack. As use of the puzzles grew, though, spammers steadily improved their technology for cracking them.
IPv6 can make inbound email less secure
Written by John P Mello Jr on March 5, 2012 – 4:00 pm -
As the Internet slowly moves towards accepting the new addressing system known as IPv6, email administrators need to keep an eye on how that change may affect their organizations, especially when it comes to security.
IPv6, as you may know, was created because the Net was running out of IP addresses under the old IPv4 standard. Don’t ask what happened to IPv5. It’s a complicated story. Suffice it to say the term IPv5 wasn’t available when the Lords of the Internet concluded their realm was running out of numbers, and they’d better do something about it.
One problem that may arise as email servers are configured to handle mail originating from IPv6 addresses is what to do about inbound mail from those locations. That’s because email from IPv6 addresses could pose security threats to your system not posed by the older IPv4 addressing system.
Will the FBI be shutting down your Internet access on March 8?
Written by John P Mello Jr on February 24, 2012 – 4:00 pm -
On March 8, the FBI will be pulling the plug on the ad hoc DNS infrastructure it set up when it took down the DNSChanger network last November. When that happens, any computers infected with that Trojan will lose their Internet access.
And that includes plenty of computers around the world. According to an analysis conducted by Internet Identity (IID) earlier this month, 250 of all Fortune 500 companies and 27 of 55 major government entities have at least one computer or router infected with DNSChanger.
When the FBI and other law enforcement authorities took down the DNSChanger network, it was estimated that four million computers, including half a million in the United States, were infected by the Trojan around the world. Six Estonian men were arrested in what was called Operation Ghost Click. An Estonian court ruled on February 21 that four of those men could be extradited to the United States for trial.


