Gmail and encryption

Written by Dan Blacharski on January 25, 2010 – 5:18 pm -

Gmail has always had an encryption option, but until this week, it has been turned off by default. Now IT people, who tend to be a bit paranoid (but in a good way), would have gone through the trouble to switch on the SSL encryption option, but most ordinary users would simply not be aware that it exists. And for that matter, all those paranoid IT people probably wouldn’t have even used Gmail to begin with.

Google announced last week that it would start encrypting all Gmail traffic. In a blog post, Google noted that they initially rolled out the option to always use https back in 2008. This allows email to be encrypted on the path between the user’s web browser and Google servers. However, when Google first enabled the option, it was off by default. Now, SSL will be used by default, with users gaining the option of selecting “Don’t always use https” from the Settings menu. Some may choose to not enable the extra security option for performance reasons, but in reality, the performance hit will be minor, especially for broadband users—and well worth the extra couple of milliseconds. The login page will still remain encrypted. Using encrypted email can stop several types of attacks, such as man-in-the-middle attacks where an attacker may be snooping email in a public WiFi spot. Using encryption also prevents attacks such as DNS poisoning attacks where a domain name record is hijacked and redirected.

Google decided to make the upgrade just hours after they revealed information about having been victimized by specialized attacks, including certain attacks on Chinese human rights activists’ accounts. Users are cautioned, however, not to get lulled into a false sense of security, thinking that turning on Gmail’s encryption option is going to prevent all potential attacks—because it certainly won’t. The same anti-virus, anti-spam and anti-malware software installations should continue in full force, regardless of any added encryption.

With Google making the switch, the next big question is whether the other main free email services like Hotmail or Yahoo! Mail will follow suit; my guess is that they will.


Security and the cloud

Written by Dan Blacharski on January 4, 2010 – 11:20 am -

The increasing popularity of in-the-cloud email delivery and email security solutions, and the wealth of innovations available, raises the discussion of whether email administrators should consider cloud-based solutions. While the free, Web-based email remains out of the question for corporate use, some other cloud solutions that offer more robustness and security may be appropriate for some users.

Security is always imposed in cloud-based systems to one degree or another, but a major limitation is that many cloud providers still implement their own proprietary security approaches. While such an approach may well impose good security, this has still limited the uptake of cloud-based models. A more appropriate approach to cloud-based security would be the adoption of a common security model, made available through the cloud platform-as-a-service.

As outlined in “Cloud computing made easy,” co-authored by yours truly, a cloud platform (as opposed to cloud “software as a service” applications) imposes common software elements, which are used by developers to write cloud applications without having to re-invent the wheel for every aspect of each application. The use of a cloud platform is particularly useful for imposing rigorous security, in that it presents a standard security model for managing things like authentication and authorization, role-based access, secure storage, multi-tenancy, and privacy policies. Developers of common SaaS applications may not always be experts in security, but by using the common security model of a cloud platform, the developer is able to draw against the expertise of other developers who are.


Troubleshooting Security Problems in Outlook

Written by Mike Rede on October 20, 2009 – 4:09 pm -

There are many areas of Outlook that are potential problems for administrators. One such area is the sending and receiving of digitally signed messages.

Digitally signing email messages is a form of protection that can be used to prevent identity fraud and the abuse of email messages sent to and from Outlook. Outlook allows email messages to be sent with cryptographic features such as S/MIME digital signatures and encryption.

Such messages can utilize “public key/private key” encryption technology to make private their email messages so that only recipients who possess a public key are able to view the encrypted email message. There is a complicated mathematical relationship between the two keys such that any message encrypted with the public key can only be decrypted using the specific private key. The reverse relationship is also true: any message encrypted with the private key can only be decrypted using the corresponding public key. It is this reverse relationship which supports digital signatures.

Oftentimes you will run across the situation where an end user complains to you that they cannot open a digitally signed message. When they attempt to do so they receive the following warning message: “Signature not trusted.” This is usually an indication that their email system has not implemented email security yet.


Phishing scam targets Gmail

Written by Dan Blacharski on October 7, 2009 – 4:51 pm -

The BBC reported today that Google is the latest in several cloud-based email systems that have been subject to a widespread phishing attack. The British news agency reported seeing two lists with over 30,000 names and passwords, which have been posted online. Google has since discovered a third list.

The cracked email passwords aren’t just from Google’s popular Gmail system, though; the list also includes names of Microsoft Hotmail users, along with Yahoo, AOL, and other providers. The first reports of the scam appeared when Pastebin, a legitimate web site used by programmers to share code, was used to post 10,000 Hotmail addresses.

Are there even more lists out there? Probably. The Neowin blog first reported the hack on Hotmail accounts, noting on October 1 that the lists detail 10,000 accounts with email addresses starting with “A” and “B”. Although only three lists have been detected so far, the alphabetical nature of the lists would imply that there are more floating around to account for the rest of the alphabet.

Bloggers, commentators and security folks are recommending that if you use Hotmail or Gmail, that you change your password immediately. Even better—stop using Hotmail or Gmail and stay away from free cloud-based email services altogether.

For their part, Google issued a forced password reset to all affected accounts, and Microsoft indicated that they too are taking steps to help customers regain control of their accounts.


Debugging SMTP and TLS errors in Outlook

Written by Mike Rede on October 5, 2009 – 4:35 pm -

Sending secure email often involves the process of also having to troubleshoot error messages related to TLS and SMTP in Outlook.

Transport Layer Security (TLS) is a cryptographic protocol used to encrypt traffic over networks such as the Internet. Use TLS encryption for servers that require basic authentication. With so much critical information such as usernames and passwords passing through your network, why take the risk that someone snooping could eavesdrop and pull out important corporate information? Implementing encryption and other security measures can help to protect your corporate jewels. The enforcement of security will require users to use the same encryption level that you set when they try to negotiate access to your network and servers. Without the same level of security, messages will be returned and non-delivery reports (NDR) will be generated.

Simple Mail Transfer Protocol (SMTP) is used for sending outgoing mail for both POP and IMAP clients and is well known for its vulnerabilities such as spoofing of emails.


Disloyal use of email isn’t a crime

Written by John P Mello Jr on October 2, 2009 – 4:05 pm -

U.S. Appeals Court for Ninth Circuit.

Workers who use company email for disloyal activities may be targeted for administrative sanctions, but they’re not necessarily criminals under U.S. law, according to a recent decision by a federal court. The ruling by the Court of Appeals for the Ninth Circuit, which includes California, found that an employee for a residential treatment center for addicted persons in Nevada could not be prosecuted under the federal Computer Fraud and Abuse Act (CFAA) for emailing himself client files for use in a competing business after his employment was terminated from the center.

The case, LVRC Holdings v. Brekka, involves Christopher Brekka, who was hired by LVRC and worked at its Fountain Ridge facility in Nevada. Brekka’s duties included conducting Internet marketing programs and interacting with Web metrics company, LOAD, which LVRC employed to provide email, Web site, and related services for the treatment center. At the time of his hiring, Brekka owned and operated EBSN and EBSF, two consulting businesses that obtained referrals for addiction rehabilitation services and provided referrals of potential patients to rehabilitation facilities through the use of Internet sites and advertisements. According to the court, LVRC was aware of Brekka’s involvement with EBSN and EBSF when it brought him on board.


Bank learns its lesson, you can’t recall email

Written by Dan Blacharski on September 25, 2009 – 4:25 pm -

There’s a bank clerk in Wyoming who is in deep trouble with the boss. According to news reports, an employee of a bank in Wyoming sent an email that contained customer data to the wrong recipient’s Gmail account. The employee of Rocky Mountain Bank made two critical errors: First, they sent it to the wrong address, and second, they attached a file with sensitive information that should not have been attached.

According to news reports, the employee, realizing they had sent it to the wrong address, tried to “recall” it after sending it. Huh?? How long has this employee been using email? Just about anybody that isn’t living in a cave knows that you can’t recall an email once you’ve sent it out. That’s why standard procedure should include at least a quick once-over of the contents and recipient list before hitting the “send” button.

The attachment that was sent contained customer information, including social security numbers and loan data.


Email Attacks and Defense Against Them

Written by Lee Clemmer on September 23, 2009 – 12:45 pm -

My recent posts have discussed identifying commonalities in new occurrences of spam, and concerns to keep in mind regarding indirect attacks using email as a vector. A strong perimeter defense and solid virus protection, along with an effective anti-spam solution, can lull us into a false sense of security. The seemingly constant stream of unwanted mail begins to look like little more than an annoyance and not a continuing threat. In this post, let’s take a technical look at other methods of attack, how to recognize them, and ways and means to defend against them.

Attacks against email servers, systems, and infrastructure are in many ways similar to attacks against other Internet-facing services, but are different in several important ways. Just as a concerted attack that brings down your Web servers stops communication with customers, vendors, and others on the Internet, the same is true for email communication attacks.


Password theft is big business

Written by Dan Blacharski on September 16, 2009 – 2:20 pm -

If you still think your web-based email account is safe enough to use for business (or anything else for that matter), take a look at an article in last week’s Washington Post. The story details an account of the “other woman” who engaged the services of a cracker web site called YourHackerz.com to break into her boyfriend’s email and her boyfriend’s wife’s email.

The service is able to quickly deliver a password to a customer, for a surprisingly small fee. And YourHackerz.com isn’t the only one of its kind; there are dozens of similar services on the Internet that advertise their dark services freely. For a hundred bucks, they promise to “crack all major web based emails”, including Yahoo!, Hotmail, AOL and Gmail. The service even provides proof of cracking before payment. How’s that for good marketing?

Although the cracker service bureau doesn’t specify their techniques, the Washington Post article speculates that they use a Trojan horse technique, which sends the victim an email with a link to a greeting card or some other innocuous-looking item, which when downloaded, launches a keystroke grabber that captures passwords and then sends them back to the host. It’s quite likely that these types of services use a combination of techniques.

The first thing to do to protect yourself is to realize that yes, there are people who want to read your email. Probably more than you think. And it’s very easy for those people to get access, for a small fee, from one of these cracker services within just two or three days. We all tend to think we’re immune. We think nobody can break in, and what’s worse, we think nobody wants to. Unfortunately, it happens all the time, and when we least expect it. Spying, espionage, and just plain snooping happens every day, both in business and in social life. It may be to steal our bank accounts, or it may just be to gather corporate secrets or personal information. If you think your spouse is cheating on you, how far would you go to confirm it?

Regardless of what motivations people may have to crack your email password, there are things that you can do to protect yourself. First and foremost, don’t use free webmail accounts. These are the easiest to crack by far (as Sarah Palin found out). Next, use complex passwords. This can actually only go so far as a means of protection though—if the cracker has a keystroke grabber, no matter how complex your password is, it can be stolen. Use encrypted email for sensitive messages, and connect to your login screen using a secure session.


The Latest Spam Getting Through Your Filtering – and What to Do About It

Written by Lee Clemmer on September 8, 2009 – 3:21 am -

Despite the generally excellent performance of most modern, well-tuned anti-spam engines, some spam is going to get through. We may be lulled into a false sense of superiority when for a period of time our anti-spam tools and techniques have borne fruit, and we see that we have more-than-just-excellent results; we have no spam in our inboxes for an entire day, week, whatever. Then, it returns. We’ve all seen it happen. Some strangely formatted message that you or I can surely tell is garbage, a bizarre attempt to sneak through your heuristics that has surprisingly succeeded.

Lately it has been some rather clever nonsense. I’ve been getting these spam emails with a particularly peculiar twist. Many of them have what appear to be at first glance meaningful, but “non-spam” sentences. On closer look, the sentences are strange, and not quite sensible. For some reason they consistently were getting through the spam filtering. What was strangest to me was the lack of any marketing content or attempt to sell whatsoever. They did have a link in the message, and the link was not ever to the same web destination or even clearly directed to an obvious undesirable site. This may have been one of the reasons this set of spam got by; to the filters, it looked really no different than a sentence or two sent by a friend describing some link they thought I would be interested in.
