<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Email management, storage and security for business email admins &#187; malware</title>
	<atom:link href="http://www.theemailadmin.com/tag/malware/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.theemailadmin.com</link>
	<description></description>
	<lastBuildDate>Thu, 09 Feb 2012 14:00:24 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Addressing Three Major Email Threats</title>
		<link>http://www.theemailadmin.com/2012/02/addressing-three-major-email-threats/</link>
		<comments>http://www.theemailadmin.com/2012/02/addressing-three-major-email-threats/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 15:00:02 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Advance-fee fraud]]></category>
		<category><![CDATA[Email address]]></category>
		<category><![CDATA[Email client]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[PayPal]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Rustock botnet]]></category>
		<category><![CDATA[spam email]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5325</guid>
		<description><![CDATA[According to most reports, the amount of email spam is diminishing. Experts credit the takedown of massive botnets like Rustock, a more educated user base and advancements in spam fighting technologies for this trend. However, even though one of the most annoying, and troublesome, threats to email accounts is on a downswing it doesn’t mean [...]<p><a href="http://www.theemailadmin.com/2012/02/addressing-three-major-email-threats/">Addressing Three Major Email Threats</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2012/01/Email_Security_Image_XSmall_400x300.jpg"><img class="alignright size-full wp-image-5326" style="border-image: initial; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2012/01/Email_Security_Image_XSmall_400x300.jpg" alt="" width="280" height="210" /></a>According to most reports, the amount of email spam is diminishing.</p>
<p>Experts credit the takedown of massive botnets like Rustock, a more educated user base and advancements in spam-fighting technologies for this trend. However, even though one of the most annoying, and troublesome, threats to email accounts is on a downswing, it doesn’t mean for one second that email is no longer a part of the IT infrastructure that is vulnerable to threats.</p>
<p>Understanding the different ways cyber criminals and script kiddies can use vulnerabilities in email clients and servers to attack a system will help any email administrator keep email services running smoothly, and the entire infrastructure safe from a great number of exploits that can do some serious damage.<span id="more-5325"></span></p>
<p>Listed below are three of the most serious problems that, if ignored, can cause significant security problems with your email systems.</p>
<p><strong>1. Malware being spread via email</strong></p>
<p>To say that spam levels are dropping dramatically is almost a half truth. While users are seeing less spam advertising pharmaceuticals, financial services, pornography and work-at-home schemes, it doesn’t necessarily mean that spam itself is being beaten back.</p>
<p>Actually, while the use of spam for advertising and marketing may be down, the numbers are increasing for spam messages that carry something far worse than the Nigerian prince scam. These messages actually contain malware or links to malicious sites.</p>
<p>Knowing full well that many users have been taught not to download attachments they don’t trust, cyber criminals have turned to simply inserting a link to a web site in their emails. When the victim clicks the link, they are taken to a site that runs scripts to infect their computers with Trojan horses, keystroke loggers and other types of malicious software.</p>
<p><strong>2. Information leaks</strong></p>
<p>Not all threats come from outside. Anyone who has worked to secure confidential data knows all too well that one of the biggest areas of concern is information being leaked from an inside threat.</p>
<p>Inside threats happen through a variety of means. You could have a disgruntled employee who is looking to hurt the company or you could have an employee who is looking to make a little extra money moonlighting as a corporate spy. There have even been instances where someone lands a job with a company for the sole reason of stealing confidential or proprietary information.</p>
<p>While these scenarios seem like they came from a Hollywood studio, they do happen &#8211; just not that often.</p>
<p>Most likely, you will find that information is leaked by accident. An employee includes something in an email message that is considered sensitive. That email, once it leaves the protection of your company, can now be forwarded on or even intercepted in transit. The contents can then be easily exposed, revealing trade secrets, private information or even embarrassing content.</p>
<p><strong>3. Go phish</strong></p>
<p>Phishing is a threat that has been on the radar of most IT administrators for some time. And with recent data breaches, like the attack against Epsilon, millions of corporate email addresses have been compromised and are ready to be used in phishing attacks.</p>
<p>The scary part of phishing attacks nowadays is that it is becoming harder to tell them apart from legitimate emails. Take a look at recent PayPal and banking emails that have been sent out requesting people to reset their account passwords or log in to address some issues with their account.</p>
<p>It is becoming tough for people to tell the difference between a real request from their financial institution and one aimed at compromising their login details.</p>
<p>Of course, financial data isn’t the only thing that phishers chum the waters for. They know full well that a majority of people use the same user name and password for a majority of web sites. If they can capture a password, they can usually recreate the username for your business’s network resources, giving them free rein over anything the victim has access to.</p>
<p>Safeguarding against email-based attacks is something that every IT admin needs to take seriously if they want to protect their network. Employing a solution that addresses the mail servers, mail clients, users and other network resources is one of the key steps to protect against as many points of attack as possible.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/02/addressing-three-major-email-threats/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>5 Creative Uses For Email</title>
		<link>http://www.theemailadmin.com/2012/01/5-creative-uses-for-email/</link>
		<comments>http://www.theemailadmin.com/2012/01/5-creative-uses-for-email/#comments</comments>
		<pubDate>Wed, 04 Jan 2012 16:57:06 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[AOL]]></category>
		<category><![CDATA[Atos]]></category>
		<category><![CDATA[Atos Origin]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[Email client]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[End of Message]]></category>
		<category><![CDATA[Instant messaging]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Thierry Breton]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5186</guid>
		<description><![CDATA[You may have read the stories about how Atos Origin, a French IT services company, is looking to make their offices an email-free workplace by the year 2013 to eliminate what they call email pollution. By turning to collaborative social media tools, such as the Atos Wiki, employees have already seen a 20% reduction in [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2012/01/email-gravestone.jpg"><img class="alignright size-full wp-image-5187" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2012/01/email-gravestone.jpg" alt="" width="226" height="288" /></a>You may have read the stories about how Atos Origin, a French IT services company, is looking to make their offices an email-free workplace by the year 2013 to eliminate what they call <em>email pollution</em>.</p>
<p>By turning to collaborative social media tools, such as the Atos Wiki, employees have already seen a 20% reduction in “email pollution” six months after this initiative went into practice.</p>
<p>Volkswagen has also attempted to cut back on after-hours emails being sent to and from employees’ BlackBerrys in a similar effort. However, while cutting back on emails as Atos is trying to do may seem trend-setting, it hardly seems to be a realistic goal.</p>
<p>This is not only because so many workplaces have become reliant on email to get work done, but because of how people use email to get work done.</p>
<p>As we all know, emails are not only used to deliver electronic messages. People in office buildings all over the world have found ways to “hack” their email accounts to do much more than send and receive messages.<span id="more-5186"></span></p>
<p>Let’s take a look at some of the most creative, but common, ways email is used for things other than email.</p>
<p><strong>Instant Messaging</strong></p>
<p>Instant messaging is still taboo in many corporate settings. For some reason, IMs still conjure up images of the old AOL chat rooms in the eyes of most managerial types. So instead of embracing the technology, it becomes banned in the workplace.</p>
<p>Creative employees have learned that they can send a quick message to a coworker using the subject line alone. For example, sending a message with a subject that reads <em>I have the research for your project EOM</em> tells the recipient everything they need to know and lets them know that your subject line is the entire message (that is what the EOM, or End of Message, means).</p>
<p><strong>Online/Portable Storage</strong></p>
<p>There is hardly a person with an office job who hasn’t found themselves working on something that they needed to take home to complete. When they reach for that trusty USB portable hard drive they remember it is sitting on their desk at home still plugged into their laptop.</p>
<p>Email becomes a quick replacement, as you can simply attach the document, spreadsheet, etc. to an email message and send it to yourself. Problem solved. Of course, you would want to be extra careful when doing this with content that is considered sensitive or confidential.</p>
<p><strong>File Transfer</strong></p>
<p>Sending files to other people, or even yourself, can be tricky in the workplace.</p>
<p>Many companies block executable files from being attached to email messages to prevent malware from being spread via email.</p>
<p>However, many employees have realized that they can get around this by changing the file extension from .exe to something that is permitted, like .docx. The recipient then simply needs to rename the file extension when they download it.</p>
<p><strong>Setting Reminders</strong></p>
<p>While most email clients have some sort of calendar that allows us to set reminders, we don’t always have access to them. We may remember something late at night that we need to remind ourselves to do when we get to the office in the morning. If you can’t get to your calendar, you can always send a reminder to your work email. That way, when you are sifting through your morning emails you will remember what it is you have to do.</p>
<p>The same can be done in reverse.</p>
<p><strong>Saving Hyperlinks</strong></p>
<p>Bookmarking interesting or useful websites is great if you only use one computer. Using a solution like Evernote or Thirsty solves this, provided your company allows these services through the firewall.</p>
<p>Then there are those who copy links and paste them into an email message. Sending this email to themselves almost guarantees that they will be able to find these web sites at another time.</p>
<p>This little email hack is applied to just about anything found online. Sites, videos, presentations, etc. are all saved by cutting and pasting into email messages.</p>
<p>Of course, all of these tricks just add to the scourge of email pollution that companies like Atos are trying to get rid of. But hey, if they make your employees’ work easier, and better, and they don’t violate any acceptable use policies, is there really any harm?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/01/5-creative-uses-for-email/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Yes, My Email Account Was Compromised</title>
		<link>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/</link>
		<comments>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/#comments</comments>
		<pubDate>Wed, 21 Dec 2011 14:00:26 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email account hacked]]></category>
		<category><![CDATA[Email address]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[Mail]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[MSN]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[User (computing)]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5106</guid>
		<description><![CDATA[This morning I noticed the flashing red light on my Blackberry alerting me to a new message. Since this device is connected to my work email account, I decided to give it a look to see what was so important that it couldn’t wait until Monday. I was lucky that I did check it. The [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/12/email-accounts-hacked.jpg"><img class="alignright size-full wp-image-5107" src="http://www.theemailadmin.com/wp-content/uploads/2011/12/email-accounts-hacked.jpg" alt="" width="281" height="210" /></a>This morning I noticed the flashing red light on my Blackberry alerting me to a new message. Since this device is connected to my work email account, I decided to give it a look to see what was so important that it couldn’t wait until Monday.</p>
<p>I was lucky that I did check it. The new message was actually from my personal email account, and its contents consisted of only one link; other people had been sent the same message.</p>
<p>I realized immediately that my personal email account was sending spam. I was upset by this because, working with email and security, I write about and train others on best practices. Not only this, but I follow them as well. I make sure that:<span id="more-5106"></span></p>
<ul>
<li>I use strong passwords and phrases</li>
<li>I change my passwords frequently</li>
<li>I don’t use the same password over and over</li>
<li>I update my anti-malware software regularly</li>
<li>I run anti-malware scans regularly (ironically, I had just run a scan the day before)</li>
<li>I am careful about what sites I visit</li>
<li>I am careful about clicking links in emails</li>
<li>I am careful about what I download, even checking the MD5 hashes when available.</li>
</ul>
<p>However, after I realized what had happened, I didn’t make the classic mistake of denying that this could happen to me. After all, people much smarter than me have had their systems compromised. Driven by a classic saying in computer security, “The only way to ensure that a computer is 100% secure is to unplug it from everything and seal it up in a box,” I moved ahead with fixing the problem.</p>
<h2>Steps taken</h2>
<p>When I opened up my personal email account there were over 100 mail delivery subsystem errors and Out of Office replies waiting for me.</p>
<p>At first I thought that my email address had possibly been spoofed. After all, most of the sites I write for include it as a way to contact me so I am sure it comes up quite often when people are mining the Internet for email addresses.</p>
<p>However, looking at a few of these messages, I noticed that the spam messages were being sent to every address that I had ever sent an email to, not just my contacts. What this told me was that:</p>
<p>A) My email address had not been spoofed.</p>
<p>B) It wasn’t malware that was abusing my contact list. This was the result of my account credentials being compromised.</p>
<p>It may appear that the first step anyone should take in this situation is to change the password immediately. Not entirely true.</p>
<p>Most passwords are captured from a keystroke logger installed on your computer. If you go ahead and change your password, you are simply letting the attacker know what your new one is.</p>
<p>Instead, I went ahead and attempted to update all of my anti-malware definitions. Since I had just run a scan the day before, there was nothing to update. The next step was to run all of these scans again.</p>
<p>The three scans, from Malwarebytes Anti-Malware, the TDSSKiller anti-rootkit utility and Ad-Aware, all came up clean, so I went ahead and changed the password on my account. Even after I changed the password, more delivery error messages came in, but looking at the headers, these were delayed: the original messages sent from my account went out between 6:48 AM and 6:54 AM, so everything looked clean.</p>
<h2>Digging deeper</h2>
<p>Once I was sure that everything was cleaned up, curiosity got the better of me and I decided to look a bit deeper into the emails that were being sent out from my address.</p>
<p>To make sure I didn’t infect my computer once again, I created a virtual machine and loaded it up with my three favorite anti-malware tools and ran a scan using each just to ensure the new “computer” was clean.</p>
<p>Then I clicked on the link just to see where it went. Of course, the link was spoofed and redirected to cretep.ru, a domain registered out of Russia, advertising an herbal Viagra clone, Viagrow. Of course, by their claims it had been featured in Men’s Health, Maxim, MSN, Esquire and other media outlets.</p>
<p>After closing out the site, I fired up all of the anti-malware software to see what really happened when I visited this site. The first scan found two installations of PUP.FunWebProducts and one installation of Adware.MyWebSearch.</p>
<p>Even as the so-called experts when it comes to email, we have to realize that as threats escalate in sophistication we too are vulnerable. Following the best practices and taking the proper measures to secure our email accounts certainly help, but there is no way that any of us can assume that our accounts are 100% safe.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>5 Tips for Better Email Security</title>
		<link>http://www.theemailadmin.com/2011/11/5-tips-for-better-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/11/5-tips-for-better-email-security/#comments</comments>
		<pubDate>Wed, 23 Nov 2011 14:00:00 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[E-mail]]></category>
		<category><![CDATA[Internet security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Michelangelo]]></category>
		<category><![CDATA[Personal computer]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4968</guid>
		<description><![CDATA[Small and medium-sized businesses face many of the same threats that large companies do when it comes to their email systems. Some of the common problems that email administrators face are: Spam delivered via email Viruses and malware delivered via email Email messages that contain inappropriate content Information leaks. So in addition to steps taken [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/11/policy-review.jpg"><img class="alignright size-full wp-image-4969" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/11/policy-review.jpg" alt="" width="240" height="179" /></a>Small and medium-sized businesses face many of the same threats that large companies do when it comes to their email systems. Some of the common problems that email administrators face are:</p>
<ul>
<li>Spam delivered via email</li>
<li>Viruses and malware delivered via email</li>
<li>Email messages that contain inappropriate content</li>
<li>Information leaks.<span id="more-4968"></span></li>
</ul>
<p>So in addition to steps taken to secure the company’s network and desktops, a strategy to secure the organization’s email system is also a necessity.</p>
<p>Yet while small and medium-sized businesses face the same threats as their larger counterparts, they rarely have the same resources to fight back.</p>
<p>Of course, the first step for any organization, regardless of size, is to make sure that they have a reliable spam filter in place. More often than not, a content filter will be part of this solution, as it makes finding illicit email messages much easier.</p>
<p>For some, this is where most email security strategies stop. For those who do put additional measures in place to help mitigate the threats facing email, now is a perfect time to review these policies to see if they effectively protect your email from attack.</p>
<h3>1. Review your archiving system</h3>
<p>One of the most commonly overlooked aspects of email security is the archiving system that stores email messages in the event that they need to be accessed at a later date.</p>
<p>Look over your current archiving (or backup and recovery) solutions and policies to make sure that they are consistent with industry and regulatory requirements. Also, ensure that they are in line with your company’s culture.</p>
<h3>2. Review malware protection</h3>
<p>Enterprise anti-malware solutions make definition and signature updates easy to maintain. If your company has a solution in place that pushes updates out to desktops, remote computers and mobile devices, then make sure everything is running the way it should be.</p>
<p>One thing that organizations fail to check for is newly added devices, especially mobile devices. Check to make sure that every computer that connects to your network and email is properly secured by your anti-malware solution.</p>
<p>It is also important that you, or someone in your organization, review any software or appliances in place to fight malware, spam and other attacks to see if they are still relevant. As threats evolve, it is important that the tools used to fight them are up to date as well.</p>
<h3>3. Review email policies for relevance</h3>
<p>At one time email was considered the biggest threat when it came to information leakage. With social media, mobile communication devices and instant messaging becoming more infused into business, it is important that the policies used to govern communication are relevant to the communication tools used in your organization.</p>
<p>Review policies with every department to see how communication tools are used and identify where they are vulnerable. Once this is determined, you can work with these tools to best secure them from the specific vulnerabilities they present.</p>
<h3>4. Update computer systems</h3>
<p>Making sure that your anti-malware and anti-spam tools are up-to-date is part of the solution, but not all of it. You still have to make sure that everything that connects to your network and runs your software is updated as well.</p>
<p>Desktop and laptop operating systems should be up-to-date and fully patched. The same should be said for your server operating systems.</p>
<p>Once these are current, make sure that a schedule and policy are put in place to keep your software current.</p>
<h3>5. Educate again</h3>
<p>Educating users is always part of an effective security strategy but, like everything else, training has an expiration date.</p>
<p>When was the last time your users were trained on how to identify and address email threats like spam, phishing scams or malware? Is the information they were provided with current or is it so outdated that you still reference the Michelangelo virus?</p>
<p>If you have made changes to any policies, or plan to after reading this, then your training needs to be updated to reflect them. While you are at it, you should also make sure that any other information you are passing along to your co-workers is relevant as well.</p>
<p>In any organization there are too many variables for anyone to say that their email system is 100 percent secure. However, taking the time to eliminate as many possible vulnerabilities as you can will certainly bring the level of risk down significantly.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/11/5-tips-for-better-email-security/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Email Security Best Practices from Microsoft</title>
		<link>http://www.theemailadmin.com/2011/10/email-security-best-practices-from-microsoft/</link>
		<comments>http://www.theemailadmin.com/2011/10/email-security-best-practices-from-microsoft/#comments</comments>
		<pubDate>Tue, 18 Oct 2011 14:00:21 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Microsoft Security Intelligence Report]]></category>
		<category><![CDATA[outlook]]></category>
		<category><![CDATA[Outlook Express]]></category>
		<category><![CDATA[Simple Mail Transfer Protocol]]></category>
		<category><![CDATA[Southern Poverty Law Center]]></category>
		<category><![CDATA[Zero-day attack]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4781</guid>
		<description><![CDATA[Over the years, Microsoft has taken its lumps when it comes to security however as a company, they have taken some pretty impressive strides to make sure that their products are more secure. However, their security efforts have not been limited to just their products. They have launched several educational campaigns aimed at helping users [...]<p><a href="http://www.theemailadmin.com/2011/10/email-security-best-practices-from-microsoft/">Email Security Best Practices from Microsoft</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/10/microsoft-black.jpg"><img class="alignright size-full wp-image-4782" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/microsoft-black.jpg" alt="" width="200" height="153" /></a>Over the years, Microsoft has taken its lumps when it comes to security; however, as a company, they have taken some pretty impressive strides to make sure that their products are more secure.</p>
<p>However, their security efforts have not been limited to just their products. They have launched several educational campaigns aimed at helping users better secure their computers and networks.<span id="more-4781"></span></p>
<p>These efforts can be seen in Microsoft&#8217;s latest report, the Microsoft Security Intelligence Report, and its corresponding website.</p>
<p>This project was set up to provide businesses and consumers with hard data concerning security risks and best practices from Microsoft themselves on how to mitigate the various risks.</p>
<p>Being the producer of the most popular email client software packages &#8211; Outlook, Hotmail, Outlook Express and Windows Live Mail &#8211; they have a definite interest when it comes to helping users guard against email threats.</p>
<p>Spam, according to Microsoft:</p>
<ul>
<li>Wastes resources</li>
<li>Distracts recipients</li>
<li>Puts assets at risk for greater security problems</li>
<li>Provides an avenue for social and criminal hacking attempts</li>
<li>Provides an avenue for phishing scams against users</li>
</ul>
<p>While stopping these issues definitely is a concern for Microsoft internally, educating their customers on how to eliminate the problems associated with spam will certainly help them sell more products to people looking for the most secure product on the market.</p>
<h2>A Look Inside Microsoft</h2>
<p>According to their website, Microsoft filters between five and ten million email messages every day that contain malware and/or spam. On a daily basis, they see threats that include spyware, worms, attacks from botnets and polymorphic viruses attacking their email messaging systems. Each day more than 100 different types of executable files are removed from incoming messages sent to Microsoft employees.</p>
<p>So we can safely say that as an organization, there is little that they haven’t seen when it comes to protecting email systems.</p>
<p>To best fight the many different threats facing email, all inbound email to Microsoft must pass a three-tiered process that includes anti-malware scanning, file removal and spam filtering.</p>
<p>The importance of this approach is simple. Stop threats before they reach the user.</p>
<p>Incorporating an anti-malware scan into messaging systems helps protect the integrity of your systems because threats can be stopped before a user has the opportunity to allow infected files to compromise a computer or network.</p>
<p>Likewise, a file removal process prevents malicious executables sent via email attachment from ever having the chance to launch. Followed with adequate spam filtering, this process reduces the need for organizations to rely solely on a desktop-based security solution or a network firewall, neither of which provides comprehensive protection on its own.</p>
<p>These strategies seem like common sense steps that we would hardly need to rely on Microsoft to provide. However, many organizations neglect to incorporate these simple strategies into their planning.</p>
<h2>Other Ideas from Redmond</h2>
<p>Keeping systems protected cannot be done by simply scanning incoming messages for threats. Other steps need to be taken. The best practices that Microsoft recommends to organizations are as follows:</p>
<ul>
<li>Provide email submission services on port 587.</li>
<li>Require SMTP authentication for email submissions.</li>
<li>Abstain from interfering with connectivity to port 587.</li>
<li>Configure email client software to use port 587 and authentication for email submission.</li>
<li>Block access to port 25 from all hosts on your network other than those you explicitly authorize to perform SMTP relay functions.</li>
<li>Monitor outbound email traffic patterns and look for deviations from normal behavior, such as abnormally large bursts of email traffic.</li>
<li>Disable computers or individual email accounts that have been compromised and are being used to send out spam.</li>
<li>When possible, process abuse complaints from third parties for email that originated from your mail servers. These complaints often point the way to a compromised computer.</li>
</ul>
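<p>Two of the recommendations above (block port 25 from unauthorized hosts, and watch outbound traffic for abnormal bursts) can be checked against firewall logs. The following is an added example, not code from the article or from Microsoft; the log format, the IP addresses, the authorized relay list and the burst threshold are all constructed for illustration.</p>

```python
"""Added example (not from the article): flag hosts that talk SMTP on port 25
without being an authorized relay, and hosts whose outbound mail
connections spike within a short window. Log format and values are
constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts explicitly authorized to perform SMTP relay on port 25 (constructed).
AUTHORIZED_RELAYS = {"10.0.0.25", "10.0.0.26"}

# Constructed log line format:
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample: a relay sending normally, a workstation submitting on
# 587 as it should, and a workstation hammering external port 25 directly.
SAMPLE_LOG = """\
2011-10-18T09:00:01 src=10.0.0.25 dst=203.0.113.10 dport=25 action=allow
2011-10-18T09:00:02 src=10.0.0.25 dst=203.0.113.11 dport=25 action=allow
2011-10-18T09:00:05 src=10.0.1.44 dst=10.0.0.25 dport=587 action=allow
2011-10-18T09:00:07 src=10.0.1.44 dst=10.0.0.25 dport=587 action=allow
2011-10-18T09:00:09 src=10.0.1.77 dst=198.51.100.5 dport=25 action=deny
2011-10-18T09:00:10 src=10.0.1.77 dst=198.51.100.6 dport=25 action=deny
2011-10-18T09:00:11 src=10.0.1.77 dst=198.51.100.7 dport=25 action=deny
2011-10-18T09:00:12 src=10.0.1.77 dst=198.51.100.8 dport=25 action=deny
2011-10-18T09:00:13 src=10.0.1.77 dst=198.51.100.9 dport=25 action=deny
2011-10-18T09:00:14 src=10.0.1.77 dst=198.51.100.10 dport=25 action=deny
2011-10-18T09:05:00 src=10.0.0.25 dst=203.0.113.12 dport=25 action=allow
"""


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "action": m["action"],
        })
    return events


def unauthorized_port25_senders(events, authorized=AUTHORIZED_RELAYS):
    """Hosts that tried port 25 without being an authorized relay. Denied
    attempts count too: a workstation trying to reach port 25 on its own is
    exactly the behaviour the port-25 block is meant to surface."""
    return {e["src"] for e in events
            if e["dport"] == 25 and e["src"] not in authorized}


def outbound_bursts(events, window=timedelta(seconds=60), max_per_window=5):
    """Per source host, the peak number of SMTP connections (25 or 587) inside
    any sliding window; hosts above max_per_window are returned with their peak."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] in (25, 587):
            by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_window:
            flagged[src] = peak
    return flagged


def review(text):
    """Run both checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "unauthorized_port25": unauthorized_port25_senders(events),
        "bursts": outbound_bursts(events),
    }


if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```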
<p>As email administrators, we tend to look to hardware and software solutions to keep things running smoothly and securely. However, protecting systems and users from threats is ultimately our responsibility. Knowing the best way to do so is part of the job description.</p>
<p>Turning to experts for advice when it comes to security does not mean we are unable to do things on our own; it means we are wise enough to use what works and smart enough to know where to look.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/email-security-best-practices-from-microsoft/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Clever Coding Conceals Malware in Email Attachments</title>
		<link>http://www.theemailadmin.com/2011/10/clever-coding-conceals-malware-in-email-attachments/</link>
		<comments>http://www.theemailadmin.com/2011/10/clever-coding-conceals-malware-in-email-attachments/#comments</comments>
		<pubDate>Tue, 04 Oct 2011 14:00:19 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[attachments]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[right to left override]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4680</guid>
		<description><![CDATA[If there&#8217;s one rule that&#8217;s been drummed into the heads of all email users, it&#8217;s &#8220;don&#8217;t open executable files in email attachments.&#8221; But what if an email recipient doesn&#8217;t know they&#8217;re opening an executable file because its name has been cleverly disguised using Unicode? Unicode is an international standard used to create a unique number [...]<p><a href="http://www.theemailadmin.com/2011/10/clever-coding-conceals-malware-in-email-attachments/">Clever Coding Conceals Malware in Email Attachments</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/09/GFI148-unicode-RTLO.png"><img class="alignright size-full wp-image-4690" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/09/GFI148-unicode-RTLO.png" alt="" width="218" height="218" /></a>If there&#8217;s one rule that&#8217;s been drummed into the heads of all email users, it&#8217;s &#8220;don&#8217;t open executable files in email attachments.&#8221; But what if an email recipient doesn&#8217;t know they&#8217;re opening an executable file because its name has been cleverly disguised using Unicode?</p>
<p>Unicode is an international standard used to create a unique number for every character used by computers regardless of program, platform or language.<span id="more-4680"></span></p>
<p>Its 109,000 characters, though, contain more than just letters from the alphabets of the world. It includes control characters, too. One of those characters can switch the direction in which a computer reads text. That can be valuable when a processor has to deal with languages like Hebrew and Arabic that read right to left or, as malware artists have discovered, when someone wants to camouflage a file name.</p>
<p>Those felonious fellows have found that inserting the right-to-left override character (U+202e) at a strategic point in a file name can mask its malevolent potential. What&#8217;s more, not only does it hide that potential from the recipient of the email carrying the pernicious payload, but it hides it from email filters, too.</p>
<p>This tactic isn&#8217;t new. In 2009, the Mozilla Foundation issued an advisory on the subject.</p>
<blockquote><p>&#8220;When downloading a file containing a right-to-left override character (RTL) in the file name, the name displayed in the dialog title bar conflicts with the name of the file shown in the dialog body,&#8221; wrote Mozilla security researchers Jesse Ruderman and Sid Stamm.</p>
<p>&#8220;An attacker could use this vulnerability to obfuscate the name and file extension of a file to be downloaded and opened, potentially causing a user to run an executable file when they expected to open a non-executable file,&#8221; <a target="_blank" href="http://www.mozilla.org/security/announce/2009/mfsa2009-62.html" onclick="pageTracker._trackPageview('/outgoing/www.mozilla.org/security/announce/2009/mfsa2009-62.html?referer=');">they explained</a>.</p></blockquote>
<p>About a year after Mozilla issued its advisory, a security firm identified the tactic being used to disguise executable files attached to billions of messages from spammers. But whereas those spam outbreaks occurred once every 10 to 14 days, recent activity sends spam blasts out as frequently as three times a day.</p>
<p>Hidden in many of those devious file names is the Bredolab Trojan. It&#8217;s a malware family designed to steal system information and turn a computer into a zombie on a botnet, where it will receive malicious URLs and files from a Net bandit&#8217;s command and control server.</p>
<p>What the spammers are doing is taking their malware and giving it a name like corp_invoic_8.14.2011_pr.phylcod.exe. Then they insert the right-to-left override character after the p-h-y-l in phylcod. That tells a computer to take everything after the control character, read it right to left and display the result. The file name then looks like this: corp_invoic_8.14.2011_pr.phylexe.doc.</p>
<p>Some email programs will recognize the true name of a file, even if it has been altered with a control character. Prominent security writer Brian Krebs, for instance, tried to send an executable file with a name disguised by the right-to-left method through Gmail. The Web application recognized the ruse and gave him its standard message about not allowing executable files to be sent through Gmail—only it <a target="_blank" href="http://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/" onclick="pageTracker._trackPageview('/outgoing/krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/?referer=');">displayed the message backwards</a>!</p>
<p>Unfortunately, many email programs can be fooled by the right-to-left dodge, especially if the executable is in a zip or archive file. That&#8217;s why a good policy for any organization is to have its members check with the sources of unexpected files they receive attached to emails.</p>
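<p>A mail gateway can catch the trick the article describes by inspecting attachment names for Unicode bidirectional controls and by recovering the real extension before any display reordering. The following is an added example, not code from the article; the rendering function is a deliberate simplification of the Unicode bidi algorithm (it reverses everything after an RLO), and the file and archive contents are constructed.</p>

```python
"""Added example (not from the article): detect right-to-left override and
related bidi controls in attachment names, show how such a name would be
displayed, and recover the true extension. Also walks a constructed zip,
since the article notes the trick is harder to spot inside archives."""
import io
import zipfile

# Unicode bidirectional controls that can reorder a displayed name.
# U+202E (RLO) is the one the article describes; the rest are included so the
# check also covers embeddings and isolates.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO",
    "\u202E": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}

# Extensions a gateway would normally refuse outright (constructed list).
DANGEROUS_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def rendered_name(name):
    """Approximate what a naive file dialog shows: the text after the first
    RLO is displayed reversed. Simplification of the bidi algorithm."""
    if "\u202E" not in name:
        return name
    head, _, tail = name.partition("\u202E")
    return head + tail[::-1]


def true_extension(name):
    """Extension of the name with all bidi controls stripped, i.e. what the
    operating system actually uses when deciding how to open the file."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return cleaned.rsplit(".", 1)[-1].lower() if "." in cleaned else ""


def inspect_filename(name):
    """Report bidi controls, the misleading display form and the real extension."""
    controls = [(i, BIDI_CONTROLS[ch])
                for i, ch in enumerate(name) if ch in BIDI_CONTROLS]
    ext = true_extension(name)
    return {
        "bidi_controls": controls,
        "displayed_as": rendered_name(name),
        "true_extension": ext,
        "suspicious": bool(controls) or ext in DANGEROUS_EXTENSIONS,
    }


def inspect_zip(data):
    """Inspect every member name of a zip archive held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: inspect_filename(n) for n in zf.namelist()}


def build_sample_zip():
    """Constructed archive: one harmless member and one member whose name
    carries the RLO trick from the article (its bytes are a placeholder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless text")
        zf.writestr("corp_invoic_8.14.2011_pr.phyl\u202Ecod.exe", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, report in inspect_zip(build_sample_zip()).items():
        print(repr(member), report)
```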
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/clever-coding-conceals-malware-in-email-attachments/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Be Prepared for Master Boot Record Attacks</title>
		<link>http://www.theemailadmin.com/2011/09/be-prepared-for-master-boot-record-attacks/</link>
		<comments>http://www.theemailadmin.com/2011/09/be-prepared-for-master-boot-record-attacks/#comments</comments>
		<pubDate>Thu, 15 Sep 2011 14:00:24 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Master Boot Record Attacks]]></category>
		<category><![CDATA[MBR]]></category>
		<category><![CDATA[Mebroot Trojan]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4548</guid>
		<description><![CDATA[Malware writers are constantly challenging an email administrator&#8217;s domain with their malicious mischief, but a recent trend should be very troubling to system defenders. That trend shows an increase in nasty apps that attacks the Master Boot Record of a computer running Windows. The Master Boot Record (MBR) is the first thing your computer accesses [...]<p><a href="http://www.theemailadmin.com/2011/09/be-prepared-for-master-boot-record-attacks/">Be Prepared for Master Boot Record Attacks</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/09/malware.jpg"><img class="size-medium wp-image-4583 alignright" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="malware" src="http://www.theemailadmin.com/wp-content/uploads/2011/09/malware-300x216.jpg" alt="" width="240" height="173" /></a>Malware writers are constantly challenging an email administrator&#8217;s domain with their malicious mischief, but a recent trend should be very troubling to system defenders. That trend shows an increase in nasty apps that attack the Master Boot Record of a computer running Windows.</p>
<p>The Master Boot Record (MBR) is the first thing your computer accesses when you turn it on. Why are these threats to it scarier than others? One reason is they launch their pernicious programs while a computer is in that twilight zone between power-on and the loading of Windows. A machine is particularly vulnerable during that time because many of its defenses are dormant until Windows loads into memory.<span id="more-4548"></span></p>
<p>Malware assaulting the MBR isn&#8217;t new. During the 1980s, there was a rash of viruses that targeted the MBR as a means of propagating themselves. Those viruses, however, mainly targeted floppy disks. Malware writers wanted to continually infect floppies to spread the virus. The waning popularity of floppies, though, and the ease with which anti-virus programs detected the malware, drove it to near-extinction.</p>
<p>However, pernicious programmers rediscovered the art of MBR attacks in 2007, with the introduction of the Mebroot Trojan. Mebroot was a far cry from the MBR malware of the 20th century. It not only targeted the MBR, but grabbed control of direct disk access to a computer&#8217;s hard drive and wrote its own code into unused sectors on it. Since the sectors were unused and data was being written to them before the operating system loaded into memory, the code in the sectors was invisible to the OS. That kind of infection working in tandem with a rootkit can be very difficult to eradicate from a computer.</p>
<p>With Mebroot to light the way, malware writers turned to the MBR with a vengeance. This year alone, new MBR malware includes Backdoor.Tidserv.M, Trojan.Smitnyl, Trojan.Fispboot, Trojan.Alworo, and Trojan.Cidox. In fact, one <a target="_blank" href="http://www.nsaneforums.com/topic/98343-symantec-massive-increase-in-boot-time-malware/" onclick="pageTracker._trackPageview('/outgoing/www.nsaneforums.com/topic/98343-symantec-massive-increase-in-boot-time-malware/?referer=');">report</a> found that the number of boot-time threats in the first seven months of the year exceeds the number of such threats in the last three years combined.</p>
<p>This new breed of boot sector attack apps can do a number of things. They can extort money from a user (&#8220;Pay me, if you want to use your computer again.&#8221;). They can push unwanted advertising at the user. They can clandestinely communicate with a computer and order it to do things, such as distribute spam, without a user being aware of them. They can steal data from a computer and sell it on the Internet.</p>
<p>As with all malware, an ounce of protection is worth a pound of repair. This litany of tips from <a target="_blank" href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Popureb.E" onclick="pageTracker._trackPageview('/outgoing/www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan_Win32/Popureb.E&amp;referer=');">Microsoft</a> is familiar, but the tips are worth repeating:</p>
<ul>
<li>Enable a firewall on your computer.</li>
<li>Get the latest computer updates for all your installed software.</li>
<li>Use up-to-date antivirus software.</li>
<li>Limit user privileges on the computer.</li>
<li>Use caution when opening attachments and accepting file transfers.</li>
<li>Use caution when clicking on links to web pages.</li>
<li>Avoid downloading pirated software.</li>
<li>Protect yourself against social engineering attacks.</li>
<li>Use strong passwords.</li>
</ul>
<p>If a computer in an email administrator&#8217;s realm does become infected with malware that attacks the MBR, especially one that installs a rootkit, drastic solutions may be necessary. All data on the computer&#8217;s hard drive may have to be backed up, the drive reformatted and Windows reinstalled.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/09/be-prepared-for-master-boot-record-attacks/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Simple Penetration Testing Strategies for Your Exchange Server</title>
		<link>http://www.theemailadmin.com/2011/06/simple-penetration-testing-strategies-for-your-exchange-server/</link>
		<comments>http://www.theemailadmin.com/2011/06/simple-penetration-testing-strategies-for-your-exchange-server/#comments</comments>
		<pubDate>Fri, 24 Jun 2011 16:41:18 +0000</pubDate>
		<dc:creator>Paul Mah</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4185</guid>
		<description><![CDATA[The recent spike in security breaches resulting from meticulously planned and executed spear phishing attacks may have forced email administrators to start thinking of topics that they may never have considered previously, such as the repercussion of a hacked Exchange Server account, or the reasons why hackers would be interested in attacking your email server.  [...]<p><a href="http://www.theemailadmin.com/2011/06/simple-penetration-testing-strategies-for-your-exchange-server/">Simple Penetration Testing Strategies for Your Exchange Server</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><img class="size-full wp-image-4184 alignright" style="margin: 10px; border: black 0px solid;" src="http://www.theemailadmin.com/wp-content/uploads/2011/06/Penetration.jpg" alt="Brick Wall" width="250" height="250" />The recent spike in security breaches resulting from meticulously planned and executed spear phishing attacks may have forced email administrators to start thinking of topics that they may never have considered previously, such as the <a href="http://www.theemailadmin.com/2011/05/5-repercussions-of-a-hacked-exchange-server-account/">repercussion of a hacked Exchange Server account</a>, or the <a href="http://www.theemailadmin.com/2011/03/5-reasons-why-hackers-want-to-break-into-your-email-server/">reasons why hackers would be interested in attacking your email server</a>.  Indeed, you may have already read <a href="http://www.theemailadmin.com/2011/03/securing-your-microsoft-exchange-2010-server/">Securing Your Microsoft Exchange 2010 Server</a>, and have duly implemented the various hardening measures that I&#8217;ve linked to in that article. <span id="more-4185"></span></p>
<p>Moving ahead though, you may be wondering if your Exchange Server is truly protected against malicious attacks.  Beyond waiting for a hacker to successfully break in, is there anything that the diligent administrator can do to reduce the chances of a successful break in?  I had the opportunity to <a target="_blank" href="http://www.thetechblogger.com/2011/04/attending-certified-ethical-hacker-cehv7/" onclick="pageTracker._trackPageview('/outgoing/www.thetechblogger.com/2011/04/attending-certified-ethical-hacker-cehv7/?referer=');">attend an EC-Council Certified Ethical Hacker course recently</a>, and one indelible lesson I gained would be how proper penetration tests can facilitate better security.  The rationale is simple &#8211; if you can break in, then so can hackers.  Today, I want to highlight some very simple penetration testing strategies that cash-strapped businesses can perform on their Exchange Servers to get a better pulse on their security readiness.</p>
<p>Obviously, permission must first be obtained from the relevant management prior to any penetration testing &#8211; preferably in writing.  Also, the usual caveat emptor about the dangers of tinkering with malware applies; there is also the very real possibility of Trojans hidden within typical tools used by hackers.  Finally, I would strongly advocate hiring a properly qualified and professional penetration team, which has the added benefit of a detailed report on any findings with recommendations for improvements.</p>
<p><strong>Port scan</strong></p>
<p>One of the simplest ways to establish the presence of malware or illicit server software would be to do a port scan on your Exchange Server.  While simplistic, this is nevertheless one of the first steps that a hacker will perform when targeting your organization, and could potentially reveal flawed configurations or the presence of unwanted (and forgotten) software services.</p>
<p>An extension of this idea would be to scan for the presence of SMTP (Port 25) listeners on your internal network, the presence of which could indicate the presence of unauthorized software or zombie computers running spamming software.  A basic and very well-known network and security scanner would be the free <a target="_blank" href="http://nmap.org/" onclick="pageTracker._trackPageview('/outgoing/nmap.org/?referer=');">NMap</a>, though many commercial variants exist that are capable of more detailed scans such as detecting common misconfigurations.</p>
<p><strong>Sending malware to yourself</strong></p>
<p>An easy way to test the capability of one&#8217;s malware filter or gateway antivirus scanner would be to deliberately send malware to an account on your server.  This may range from executable files, hiding them within archives, or malformed PDF files or Word documents &#8211; you essentially employ the same tricks that spammers and hackers are known to use.  Obviously, administrators should take pains to send infected email attachments only to unused accounts or one that has been set aside for the purpose of testing.</p>
<p>It should also be noted that many of the recent attacks rely more on phishing or social engineering that pushes users into clicking a link to a malware-laden website, as opposed to sending malware as an email attachment.</p>
<p><strong>Brute Force Password Hacking</strong></p>
<p>A brute force password attack entails repeatedly logging into an account with various combinations of passwords, and is a strategy employed by hackers looking for soft targets on the Internet.  Unlike cracking an actual password hash file or database, attempting to break in via brute forcing the password as part of a penetration test is a lower risk proposition, and viable if care is taken not to disrupt the access of legitimate users.</p>
<p>Moreover, this is a good way of weeding out easy-to-guess passwords that may be used by some employees, and is an activity that can be conducted when server and network utilization is lower (such as over the weekend or overnight).  Dictionary files in your company&#8217;s native language can be compiled relatively easily, or downloaded from various repositories on the Internet.  Finally, there is no need to find a tool dedicated to breaking into Exchange Server either, since any password brute force tool that supports POP or IMAP can be made to work.</p>
<p>Are you aware of any simple penetration testing strategies that can be used to test the robustness of an Exchange Server deployment?  Feel free to highlight them in the comments section below.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/simple-penetration-testing-strategies-for-your-exchange-server/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>5 Simple Mistakes When it Comes to Email Security</title>
		<link>http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/#comments</comments>
		<pubDate>Mon, 13 Jun 2011 16:01:46 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[backups]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email encryption]]></category>
		<category><![CDATA[email policies]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4127</guid>
		<description><![CDATA[In just one week Google, the International Monetary Fund and Citigroup have all made headlines as a result of email associated with them being under attack. The reason we continue to see companies make the news as a result of email attacks is that email security is sometimes ignored when it comes to training users [...]]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-4128" style="margin: 10px; border: black 0px solid;" src="http://www.theemailadmin.com/wp-content/uploads/2011/06/email_security.jpg" alt="email_security" width="263" height="257" />In just one week Google, the International Monetary Fund and Citigroup have all made headlines as a result of email associated with them being under attack. The reason we continue to see companies make the news as a result of email attacks is that email security is sometimes ignored when it comes to training users properly and making good decisions. In some cases, having the latest and greatest when it comes to security tools even creates a false sense of security that causes us, and our users, to overlook the little things. A multi-layered defense that has been properly configured with all the best technology can be rendered useless if the little things are forgotten.</p>
<p>This list displays some of the most common mistakes that are made when it comes to email security and a brief description of what you can do to prevent them.</p>
<p><strong>Leaky emails</strong></p>
<p>There are many times when sensitive information is passed along via email. If everything is encrypted properly you, and your users, often assume that it will only be seen by the appropriate people. Unfortunately this isn’t always the case. Too many times a recipient may answer an email with sensitive information and hit the <em>reply all</em> button without checking to see who will be receiving the email.</p>
<p><em>The fix: Put a policy in place that addresses sensitive emails and replying to emails. However, a policy alone isn’t enough. Make users aware of the policy through training and keep a record that all users were trained/informed of the policy and the repercussions of not adhering to it.</em></p>
<p><strong>Trusting others</strong></p>
<p>When we receive emails from family, friends and business colleagues we often blindly open them without much concern, especially if they are contacts we communicate with on a regular basis. However, malware can easily be spread through emails by attachment or embedded code and links.</p>
<p><em>The fix: HTML in emails should be blocked if this is a concern, as should the ability for your users to receive attachments that are scripts or executable files.</em></p>
<p><strong>Passwords that are easy to guess</strong></p>
<p>Remember when Sarah Palin’s personal email account was breached? It was because her password was easy to guess using information the attacker found on her Wikipedia page. Companies often list information on corporate sites that provides attackers enough information to guess passwords as well.</p>
<p><em>The fix: Enforce strong passwords or password phrases for all users. Also, make sure that people don’t give up information that may be used to guess their passwords when providing bios.</em></p>
<p><strong>Ignoring malware protection on the desktop</strong></p>
<p>While scanning all emails for malware needs to be done, the desktop should not be ignored. And all too often it is. Malware definitions are outdated, software is not configured to run properly or protection is completely left to the user.</p>
<p>Even if you have a policy that enforces strong passwords, a keystroke logger can easily give up even the most complex password combination.</p>
<p><em>The fix: Email administrators should work closely with IT security to make sure that the desktop and network security isn’t lax so passwords are tougher to expose.</em></p>
<p><strong>Failing to check on backups</strong></p>
<p>Some companies and industries are required, by law, to back up and archive emails for a set period of time. Others are not required to do so. Regardless of the laws, every person and company should be in the practice of backing up emails. Emails often provide important records and information that could be lost.</p>
<p>But what happens if you need to restore your emails and find that something went wrong? Maybe the backup was incorrectly configured or the backup location was insecure. In any event, the inability to restore emails from a backup can render the entire solution useless.</p>
<p><em>The fix: Frequently test the ability of your backup solution, and staff, to restore emails.</em></p>
<p>These five tips may seem basic and simple. But that is the point. Working in IT we often gravitate towards the more complex issues and ignore simple techniques and solutions until it is too late. By taking the time to do the little things when it comes to security, we build an even stronger foundation for all the bells, whistles and technologies that really impress us and our bosses.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>What we can Learn from the Oak Ridge Attack</title>
		<link>http://www.theemailadmin.com/2011/04/what-we-can-learn-from-the-oak-ridge-attack/</link>
		<comments>http://www.theemailadmin.com/2011/04/what-we-can-learn-from-the-oak-ridge-attack/#comments</comments>
		<pubDate>Mon, 25 Apr 2011 09:49:47 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[Department of Energy]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Oak Ridge National Laboratory]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[United States]]></category>
		<category><![CDATA[United States Department of Energy]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=3931</guid>
		<description><![CDATA[While the Oak Ridge National Laboratory may be famous for its role in the Manhattan Project, recent cyber attacks have brought the Department of Energy’s research center back into the news again. According to Barbara Penland, a spokesperson for the lab, Internet service and access to external email was brought down by the lab as [...]]]></description>
			<content:encoded><![CDATA[
<p><img class="size-full wp-image-3933 alignright" style="margin: 10px; border: 0px solid black;" src="http://www.theemailadmin.com/wp-content/uploads/2011/04/ornl.jpg" alt="ornl" width="166" height="141" /></p>
<p>While the Oak Ridge National Laboratory may be famous for its role in the Manhattan Project, recent cyber attacks have brought the Department of Energy’s research center back into the news again. According to Barbara Penland, a spokesperson for the lab, Internet service and access to external email were brought down by the lab as a preventative measure to secure the network’s sensitive data against a spear phishing attack launched against the lab on April 7<sup>th</sup>.</p>
<p>The attack targeted lab employees with a message disguised as one sent by the Human Resources Department, containing a link that exploited a vulnerability in Internet Explorer. Microsoft has claimed that this vulnerability was fixed on April 12<sup>th</sup>, one day after Oak Ridge noticed the attack against them.</p>
<blockquote><p>&#8220;We ended up with an excess of 570 of those emails coming in to different people and we had some folks who clicked on the email,&#8221; Penland stated. &#8220;One or two of them managed to get through into the system.&#8221;</p></blockquote>
<p>After tracking the attack for a week, the IT department at Oak Ridge decided that the best thing to do was shut down access. Luckily, the attack was not able to infiltrate any of the Lab’s classified networks that are not connected to the public Internet.</p>
<p>Penland stated that service to the Internet should be restored early this week and that email access is once again up; however, attachments have been blocked for the time being.</p>
<p><strong>What this means for Email Administrators</strong></p>
<p>The Oak Ridge lab is obviously a huge target, housing some of the United States’ most secretive research projects in nuclear energy and biological systems, as well as a great deal of research for the military and the Department of Homeland Security. Aside from being such a lucrative target, it is also thought to be one of the most secure facilities there is.</p>
<p>What this recent attack, actually the second major attack against the lab in the last five years, shows us is that the security of our email systems cannot be taken for granted. Oftentimes, those responsible for email at small to medium sized organizations have a set-it-and-forget-it attitude towards security. Due to limited budgets, limited staff and requirements that are more critical to the business plan, smaller companies simply don’t have the staff, time or money to fight the threat of cybercrime. The thought that a solid anti-virus solution and a firewall will adequately protect an organization is far too common.</p>
<p>When it comes to email, administrators are faced with a growing number of threats that come from:</p>
<ul>
<li>Botnets delivering SPAM</li>
<li>Phishing attacks against employees</li>
<li>Blended threats using malicious links</li>
<li>Social engineering attacks like the one at Oak Ridge</li>
<li>Outbound spam being sent from your network</li>
</ul>
<p>The problem with these attacks is that a traditional firewall does little to address many of them, and unless the attack utilizes malware with a known signature file, anti-virus protection won’t identify the attack until it is too late.</p>
<p>To offer the best defenses against email borne threats, a comprehensive solution needs to be put in place to fight SPAM, malware attacks and prevent false positives. Email administrators also need to look to solutions that help educate users against phishing and spear phishing attacks that co-workers commonly fall victim to.</p>
<p><strong>Continued threat</strong></p>
<p>Over the past year and a half, private businesses have seen an increase in attacks similar to the one launched against the Oak Ridge lab. Google and RSA both claimed to be victims of Advanced Persistent Threat attacks intended to steal sensitive data from their networks as well. As this attack trend has proven to be successful when launched via email against some of the most highly secured targets, we can expect that it will be used against organizations with fewer security measures in place.</p>
<p>SMEs not only offer the benefit of being low-hanging fruit to such attackers, but many of them do business with larger companies or even government agencies. Being able to compromise a smaller organization that does business with a larger target can offer attackers another inroad to relay an attack against the more lucrative objective.</p>
<p>Since email continues to be one of the most effective methods for delivering malicious code, it is up to the email administrator to work towards securing this compromise vector.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/04/what-we-can-learn-from-the-oak-ridge-attack/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>10 Most Common Malicious Programs Sent By Email</title>
		<link>http://www.theemailadmin.com/2011/04/10-most-common-malicious-programs-sent-by-email/</link>
		<comments>http://www.theemailadmin.com/2011/04/10-most-common-malicious-programs-sent-by-email/#comments</comments>
		<pubDate>Tue, 19 Apr 2011 18:49:57 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[ActiveSync]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=3894</guid>
		<description><![CDATA[According to Secure List, malicious files were found in 3.18% of all emails sent during the month of February, a rise of 0.43% when compared to January’s numbers for this year. While this may look insignificant, the Radicati Group estimates that 294 billion emails are sent every day so that equates to almost 10 [...]]]></description>
			<content:encoded><![CDATA[
<div id="attachment_3895" class="wp-caption alignright" style="width: 310px"><img class="size-medium wp-image-3895 " style="margin: 10px; border: 0px solid black;" src="http://www.theemailadmin.com/wp-content/uploads/2011/04/malware-300x248.jpg" alt="Malware" width="300" height="248" /><p class="wp-caption-text">Malware</p></div>
<p>According to Secure List, malicious files were found in 3.18% of all emails sent during the month of February, a rise of 0.43% when compared to January’s numbers for this year. While this may look insignificant, the Radicati Group estimates that 294 billion emails are sent every day, so that equates to almost 10 billion malicious emails sent on a daily basis.</p>
<p>While this doesn’t represent the numbers seen in the early days of commercial email when email messages were the primary methods used to spread malware, it does show that this trend is rising again. And if there is an increase over time then it can only mean that this method of spreading malware must be working on a significant enough level for attackers to use it in such numbers.</p>
<p>As we know, malware can be sent to users as a malicious attachment that infects a computer when the file is opened or through a link that takes the user to a malicious web site when the link is followed. The ten most common malicious programs spread through email are as follows:</p>
<ol>
<li><strong>Trojan-Spy.HTML.Fraud.gen<br />
</strong>This malicious program uses spoofing to trick victims into visiting a fraudulent web page under the premise that the email is coming from a bank, store or financial institution. Once there, anyone who enters private account information will most likely fall victim to theft, whether identity or financial.</li>
<li><strong>Worm.Win32.Mydoom.m<br />
</strong>Mydoom, once the quickest spreading worm, falls into the number two spot. It opens a backdoor that listens on TCP port 1034, which is used primarily by ActiveSync, and will send itself to email addresses it finds on the host using its own SMTP engine. This can be used in concert with other malware to further infect computers.</li>
<li><strong>Worm.Win32.Mabezat.b<br />
</strong>Mabezat was commonly spread through removable drives and network shares but can also be spread through email attachments. Its payload singles out files with certain extensions, encrypts them and then demands payment to have the files restored.</li>
<li><strong>Trojan-Banker.Win32.Banker.bgsd<br />
</strong>This is a new addition to the Banker family of Trojans that is used to steal financial information such as passwords, usernames and account information by scanning its keystroke log and sending the information it finds back to the attacker.</li>
<li><strong>Worm.Win32.Agent.gnd<br />
</strong>According to Microsoft’s security portal, “Malicious files detected as variants of Win32/Agent can have virtually any purpose.” Commonly these are used to terminate security software and open a backdoor on the computer to allow future attacks.</li>
<li><strong>Worm.Win32.NetSky.q<br />
</strong>NetSky’s code originally had comments that insulted the authors of the Bagle and Mydoom worms. For those infected, NetSky will email itself as an attachment to email addresses it finds on the host computer and can be used to perform other actions. Most notably, NetSky was used to launch Denial of Service attacks against certain peer to peer file sharing websites.</li>
<li><strong>Trojan-Spy.Win32.SpyEyes.ffc<br />
</strong>SpyEyes is another Trojan that, in addition to opening a backdoor, steals confidential information by capturing keystrokes and uses the form grabbing technique to steal user authentication information. This Trojan also uses a rootkit to help hide any malicious activity from the user.</li>
<li><strong>Worm.Win32.Bagle.qt<br />
</strong>Bagle is a mass-mailing worm that can also be spread through peer to peer networks. It will open a backdoor on the host computer allowing the attacker access to and control of the infected machine.</li>
<li><strong>Trojan-Ransom.Win32.PornoBlocker.efo<br />
</strong>Like Mabezat, PornoBlocker is another form of ransomware. This malicious program takes control over the victim’s computer and locks the screen to prevent access. The victim is told to send a text message via SMS to a premium number for the code to unlock the desktop.</li>
<li><strong>Trojan-Banker.Win32.Banker.bghb<br />
</strong>This is another variant of the Trojan-Banker family and performs the same actions as mentioned earlier under Trojan-Banker.Win32.Banker.bgsd.</li>
</ol>
<p>While these malicious programs are only indicative of the ones most frequently spread over a certain period of time, they do provide us with three things of note:</p>
<ul>
<li>Email is still a viable method of transporting malware</li>
<li>Malware spread through email can be used to launch further attacks against an organization’s network through backdoors</li>
<li>Malware that is used for identity and financial theft can be applied to theft of confidential and proprietary information at a corporate level</li>
</ul>
<p>As mail administrators, we can expect to see these programs and their continued variants being sent to our addresses and it is up to us to work with our security teams to put effective tools in place to stop them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/04/10-most-common-malicious-programs-sent-by-email/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Ethical malware argument raises eyebrows</title>
		<link>http://www.theemailadmin.com/2009/12/ethical-malware-argument-raises-eyebrows/</link>
		<comments>http://www.theemailadmin.com/2009/12/ethical-malware-argument-raises-eyebrows/#comments</comments>
		<pubDate>Wed, 16 Dec 2009 16:10:52 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[ethical malware]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1939</guid>
		<description><![CDATA[The issue of “ethical malware” has raised its ugly head this week in the blogosphere, sparking heated discussions and soapbox speeches everywhere. As reported this week in LinuxInsider, a lengthy Slashdot discussion was sparked when a participant wrote, “I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After [...]]]></description>
			<content:encoded><![CDATA[
<p>The issue of “ethical malware” has raised its ugly head this week in the blogosphere, sparking heated discussions and soapbox speeches everywhere. As reported this week in LinuxInsider, a lengthy Slashdot discussion was sparked when a participant wrote, “I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects.”</p>
<p>The writer, Johannes, is of course correct. Unix/Linux can indeed be vulnerable to malware. We must remember that absolutely no operating system is completely bulletproof. We may like its features, it may have good security, and the OS may be perceived as being “cool”, but it’s not magic. Like any other OS, it’s just lines of code. Armchair computer users that aren’t in the industry may have the incorrect notion of absolute security, but nobody in the business can seriously make that claim with a straight face.</p>
<p>The larger question that is raging on the Slashdot discussion thread is whether Johannes was within his rights to release malware on Linux for the purpose of illustrating his point.</p>
<p>Most people would agree that malware is a scourge on society, and in most cases is illegal. But, Johannes’ malware wasn’t malicious, so was he within the scope of ethical computing to release it? On one hand, the logic is indisputable that by releasing the malware, he was able to highlight a flaw in the OS. And especially when an OS is written the way Linux is written, it’s very likely that any flaw that is brought to public knowledge will be repaired soon enough.</p>
<p>On the other hand, there is naturally a window of vulnerability between when the flaw is made public and when the flaw is fixed, giving the real evil-doers a short but realistic opportunity to exploit it. Would we think it okay, for example, if somebody broke into a bank vault one evening, but didn’t take the money, just to show the bank that it could be done? I don’t think there would be any debate about it; the perpetrator would go straight to prison. “White-hat” hacking of this nature may have good intentions, but the writer is taking a risk here that an aggressive prosecutor may decide to pursue the matter in court.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/12/ethical-malware-argument-raises-eyebrows/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Malware Threats from Unexpected Sources: Trojans Embedded in Streaming Video Links</title>
		<link>http://www.theemailadmin.com/2009/09/malware-threats-from-unexpected-sources-trojans-embedded-in-streaming-video-links/</link>
		<comments>http://www.theemailadmin.com/2009/09/malware-threats-from-unexpected-sources-trojans-embedded-in-streaming-video-links/#comments</comments>
		<pubDate>Mon, 14 Sep 2009 14:57:39 +0000</pubDate>
		<dc:creator>Lee Clemmer</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[trojans]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1505</guid>
		<description><![CDATA[Sometimes spam, viruses, and other malware filtering at your email gateway isn&#8217;t enough. It&#8217;s important to keep your host anti-virus signatures up to date, and if you don&#8217;t have anti-virus protection at your firewall or on your network at the Internet gateway you should seriously consider it. Here&#8217;s why these items are critical. Some recent [...]]]></description>
			<content:encoded><![CDATA[
<p>Sometimes spam, viruses, and other malware filtering at your email gateway isn&#8217;t enough. It&#8217;s important to keep your host anti-virus signatures up to date, and if you don&#8217;t have anti-virus protection at your firewall or on your network at the Internet gateway you should seriously consider it.</p>
<p>Here&#8217;s why these items are critical. Some recent malware attacks have used malware embedded in video and audio streams as a transfer mechanism. They gain an initial foothold, so to speak, by getting a link to your users in a spam email. If your spam filter doesn&#8217;t block the message, a link in the email appears to be a video or audio link, but in fact the destination contains a trojan that is embedded in the content stream.</p>
<p>This method of attack isn&#8217;t exactly new. For example, the ZLOB Trojan began making the rounds in 2005, and began gaining traction in 2006. Some attacks with it simply involved downloading other viruses or malware. Using a video link, however, means that users who have their ActiveX controls set to download codecs automatically and who have poor virus protection would automatically download the virus and become infected.</p>
<p><span id="more-1505"></span>Now, most of us won&#8217;t have this problem, right? Surely you and your users would, at a minimum:</p>
<ol>
<li>Have host-based as well as network/perimeter-based anti-virus protection.</li>
<li>Keep your anti-virus signatures up-to-date for all your systems.</li>
<li><em>Not</em> have your browsers set to automatically download and install ActiveX controls or codecs.</li>
<li>Have users trained, understanding not to install random codecs or ActiveX controls themselves.</li>
<li>Have in place strong anti-spam protection that may block messages from domains likely to send these messages.</li>
<li>Have perimeter security measures in place that detect and block or intercept malicious content as it appears.</li>
<li>Have users trained well on the risks of clicking unknown links, or going in search of suspicious content.</li>
<li>Have a proxy or firewall with content filtering in place, with a policy that prohibits visiting or traffic from certain domains known to be sources of malware.</li>
<li>Keep your systems patched with the latest security patches from your OS vendor and from your application vendors.</li>
<li>Frequently review your security protections and rules in place, and carefully consider before making changes allowing more permissive use and access to and from protected resources.</li>
</ol>
<p>The most security conscious of us and those that keep current with security risks and trends in security technology may think that all of this is old news, that of course they won&#8217;t have any problems&#8211;and they may be right. I hope so. However, new small businesses and new business Internet users are appearing all the time. As these businesses grow and expand, they may have transition periods where their deployed technology changes and of course upgrades will happen sometime. At those times, extra vigilance is required. If you are brought on board during a transition period as an email administrator, network administrator or security administrator, be aware that such risks are heightened.</p>
<p><img class="size-full wp-image-1514 alignleft" style="margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2009/09/hacker-white-screen-small.jpg" alt="hacker-white-screen-small" width="176" height="147" />While the attempt to execute malicious code via a codec installation may seem old hat, consider that new vulnerabilities appear frequently. Windows Media Player can play streaming content; couple that with the recent vulnerability MS09-047, Microsoft Windows Media Playback Memory Corruption Vulnerability, which can permit remote code execution, and you have exactly the sort of vector needed by the sender of the spam we started this discussion with: a maliciously crafted Windows Media Format file pointed to by a link in a spam email. Granted, this vulnerability and others like it have been patched, and if you are up to date on your patches it isn&#8217;t actually a threat.</p>
<p>Where this can become a problem (and as far as I know it isn&#8217;t with this vulnerability) is when patches interfere or conflict with mission-critical applications and can&#8217;t be applied, and when system updates (unfortunately including some anti-virus and security patches) that require reboots can&#8217;t be done as soon as they are received. Testing and verification may be required in your business before applying new patches and updates (and it is a good idea if it&#8217;s not already part of your routine). During this window of time, from when attacks are launched on &#8220;zero day&#8221; until your patches are applied, your systems may be vulnerable. During this (hopefully brief) period, the sort of attack described at the beginning of this post could actually penetrate your security and wreak havoc. Follow the ten tips listed above and minimize your vulnerability.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/09/malware-threats-from-unexpected-sources-trojans-embedded-in-streaming-video-links/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Breakthrough encryption technology discovered</title>
		<link>http://www.theemailadmin.com/2009/07/breakthrough-encryption-technology-discovered/</link>
		<comments>http://www.theemailadmin.com/2009/07/breakthrough-encryption-technology-discovered/#comments</comments>
		<pubDate>Fri, 03 Jul 2009 10:26:09 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1200</guid>
		<description><![CDATA[We can all generally agree that encryption is good, and that implementing regularly updated anti-malware software is also good. But the two have never been compatible. The only way that encrypted email traffic can be scanned for malware is to decrypt it before scanning, then recrypt it afterwards before sending it on the rest of [...]
]]></description>
			<content:encoded><![CDATA[
<p>We can all generally agree that encryption is good, and that implementing regularly updated anti-malware software is also good. But the two have never been compatible. The only way that encrypted email traffic can be scanned for malware is to decrypt it before scanning, then re-encrypt it afterwards before sending it on the rest of its journey to the email server. It&#8217;s certainly possible to do so, but it&#8217;s tricky and can introduce delay. So why can&#8217;t we just scan the encrypted email traffic for viruses?</p>
<p>As reported in <a target="_blank" href="http://www.forbes.com/2009/06/24/encryption-rsa-privacy-technology-breakthroughs-ibm.html">Forbes</a> this week, an IBM researcher has made some progress towards solving that dilemma. Although there is no current commercial implementation of the solution, the researcher, Craig Gentry, has effectively set the wheels in motion. Gentry has solved the problem of fully homomorphic encryption, which allows anti-malware analysis, as well as other processing, to be performed directly on encrypted data without decrypting it first. No software is currently able to do that, and in reality it may be several years before it is commercially available&#8211;but it&#8217;s nonetheless a big breakthrough in security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/07/breakthrough-encryption-technology-discovered/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft issues anti-malware changes to Windows 7</title>
		<link>http://www.theemailadmin.com/2009/05/microsoft-issues-anti-malware-changes-to-windows-7/</link>
		<comments>http://www.theemailadmin.com/2009/05/microsoft-issues-anti-malware-changes-to-windows-7/#comments</comments>
		<pubDate>Mon, 04 May 2009 07:23:09 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=893</guid>
		<description><![CDATA[Microsoft is changing the AutoPlay feature of Windows 7, so that it will not be able to enable AutoRun for USB devices. The change was necessary, since some malware (including Conficker), uses the AutoRun feature to spread. Malware isn&#8217;t just an email-borne problem any more&#8211;specifically, malware writers recognize that email security has been improving overall, [...]
]]></description>
			<content:encoded><![CDATA[
<p>Microsoft is changing the AutoPlay feature of Windows 7 so that it will no longer be able to enable AutoRun for USB devices. The change was necessary since some malware (including Conficker) uses the AutoRun feature to spread. Malware isn&#8217;t just an email-borne problem any more&#8211;specifically, malware writers recognize that email security has been improving overall, and are looking for new attack vectors. Removable media, such as USB devices, make a perfect attack vector for them.</p>
<p>Although Conficker is the most well-known piece of malware that uses the default AutoRun settings to propagate itself, others have also used this feature in the past and continue to do so now. Spreading malware via USB devices started to become prevalent last year.</p>
<p>There will no doubt be some outcry about Windows 7 hampering usability, but the move makes sense. With this update, the AutoRun task will continue to work for removable media such as CDs and DVDs, but it will not be enabled for other devices, such as USB drives. In addition to being incorporated in Windows 7, the change will also be reflected in future updates of Vista and XP.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/05/microsoft-issues-anti-malware-changes-to-windows-7/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>April 1st &#8211; A good day to leave the computer off</title>
		<link>http://www.theemailadmin.com/2009/03/april-1st-a-good-day-to-leave-the-computer-off/</link>
		<comments>http://www.theemailadmin.com/2009/03/april-1st-a-good-day-to-leave-the-computer-off/#comments</comments>
		<pubDate>Tue, 17 Mar 2009 14:26:10 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=557</guid>
		<description><![CDATA[April Fool&#8217;s Day has always been a favorite of Internet &#8220;pranksters&#8221;, hackers and disseminators of online evil. Reports are floating around that the Conficker worm&#8217;s latest variant will become active on April 1. Conficker malware is designed to spread the malware and grow a massive botnet, and the latest version, W32.Downadup.C, will strengthen the purposes [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="size-full wp-image-558 alignleft" title="April 1st - A good day to leave the computer off" src="http://www.theemailadmin.com/wp-content/uploads/2009/03/974914_april_fool.jpg" alt="974914_april_fool" width="94" height="100" />April Fool&#8217;s Day has always been a favorite of Internet &#8220;pranksters&#8221;, hackers and disseminators of online evil. <a target="_blank" href="http://www.scmagazineus.com/No-joke--Conficker-worm-set-to-explode-on-April-Fools-Day/article/128808/">Reports are floating around</a> that the Conficker worm&#8217;s latest variant will become active on April 1. Conficker is designed to spread itself and grow a massive botnet, and the latest version, W32.Downadup.C, will strengthen the purposes of the worm&#8217;s creators. This latest version deactivates security processes on the victim&#8217;s PC, preventing some security products from running. It also prevents computers from connecting to some security Web sites; security software commonly &#8220;phones home&#8221; to update blacklists and other up-to-date anti-malware information. The latest version also generates thousands of domain names, which are used by the zombified PCs to check in for further instructions.</p>
<p>The new version of the worm, by generating so many domain names, attempts to foil the so-called &#8220;Conficker Cabal,&#8221; a Microsoft-led group which attempted to predict the domain names Conficker would register, and register them before Conficker had a chance to do so.</p>
<p>Conficker has achieved widespread coverage, with some nine million infected machines, although to date, it&#8217;s still a ticking time bomb that has yet to release its payload. So far, its main purpose has been to grow a botnet, and it&#8217;s been quite successful&#8211;what the authors plan to do with that botnet is still up in the air. There&#8217;s no question though, Conficker is going to be a force to be reckoned with, and we haven&#8217;t seen the worst of it yet.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/03/april-1st-a-good-day-to-leave-the-computer-off/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Knowing when it&#8217;s the Real McCoy</title>
		<link>http://www.theemailadmin.com/2009/01/knowing-when-its-the-real-mccoy/</link>
		<comments>http://www.theemailadmin.com/2009/01/knowing-when-its-the-real-mccoy/#comments</comments>
		<pubDate>Wed, 07 Jan 2009 12:52:07 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=260</guid>
		<description><![CDATA[The most annoying pieces of malware are the fake security programs which pop up on your screen, informing you that they have detected malicious files on your computer. The program, which often disguises itself to look like it&#8217;s part of the Microsoft operating system, is very persistent. If I get one of these on my [...]
]]></description>
			<content:encoded><![CDATA[
<p>The most annoying pieces of malware are the fake security programs which pop up on your screen, informing you that they have detected malicious files on your computer. The program, which often disguises itself to look like it&#8217;s part of the Microsoft operating system, is very persistent. If I get one of these on my screen and try to press the &#8220;cancel&#8221; button, it won&#8217;t cancel. Usually the only way to cancel the popup is to click on the &#8220;X&#8221; button in the upper-right hand corner of the box, or go directly to the program manager with a &#8220;Control-Alt-Delete&#8221; and do it there. The little devils do everything they can to stay on the screen, even though I know very well they are not who they claim to be.</p>
<p>These fake security programs usually do very little if anything to protect your security, and are designed to either just take your money, steal your personal information, or implant malware or adware onto your computer. In some cases, devious bad guys infect computers with popups and adware, and in the same infection, will also implant the bogus security popup at the same time, to make it seem like it&#8217;s all the more needed. Don&#8217;t fall for it!</p>
<p>In a recent regular Microsoft patch release, Microsoft pushed the Malicious Software Removal Tool (MSRT) to users. The MSRT is used to remove one of the most egregious of these fake security applications, called &#8220;Antivirus 2009&#8221;. According to some reports, the Microsoft tool deleted the bogus program from nearly 400,000 computers within the first nine days of the patch release. In addition to Antivirus 2009, Microsoft has also targeted similar bogus security programs, including Advanced Antivirus, Ultimate Antivirus 2008, and XPert Antivirus.</p>
<p>Unsolicited security popups that tell you you&#8217;re infected and then suggest an immediate download are always a bad idea. Don&#8217;t allow these downloads to occur. Do your research, compare products, and deploy security software from legitimate companies with an established reputation.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/01/knowing-when-its-the-real-mccoy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mine&#8217;s a Mac; Mine&#8217;s a PC &#8211; both need anti virus</title>
		<link>http://www.theemailadmin.com/2008/12/mines-a-mac-mines-a-pc-both-need-anti-virus/</link>
		<comments>http://www.theemailadmin.com/2008/12/mines-a-mac-mines-a-pc-both-need-anti-virus/#comments</comments>
		<pubDate>Fri, 05 Dec 2008 13:44:33 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=195</guid>
		<description><![CDATA[Let me make one thing clear. There is a perception that the Apple Mac cannot have malware. This is incorrect. Apple Computer posted a note on its support site late last month, and removed it this week, which encouraged people to use anti-virus software. The presence of the note has caused much consternation among the [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2008/12/macbookair.jpg"><img class="alignleft alignnone size-medium wp-image-196" style="float: left;" src="http://www.theemailadmin.com/wp-content/uploads/2008/12/macbookair.jpg" alt="Even Macs need anti virus software" width="224" height="100" /></a>Let me make one thing clear. There is a perception that the Apple Mac cannot have malware. This is incorrect.</p>
<p>Apple Computer posted a note on its support site late last month, and removed it this week, which encouraged people to use anti-virus software. The presence of the note has caused much consternation among the media, the blogosphere and the Apple faithful, the latter of which have long proclaimed that Apple does not need anti-virus software. The notice read, &#8220;Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult.&#8221;</p>
<p>In fact, Apple should be praised (initially at least) for issuing such a common-sense notice, but spanked for taking it down. No security expert in his or her right mind would recommend going without anti-virus software, regardless of platform. Those who have drunk the Apple Kool-Aid and believe that their machines are impenetrable are making a big mistake. An unprotected Apple is a disaster waiting to happen&#8211;sooner or later, an attacker will take a bite out of it.</p>
<p>It&#8217;s true that there have been very few viruses targeted at the Apple OS, although that is largely because of market share, and not technical superiority. Attackers want to cast the widest net possible, so they write Windows viruses, because there are more Windows machines. Cute television commercials aside, that&#8217;s really all there is to it. And besides traditional viruses, there is a greater shift among cybercrooks to Web-based attacks designed to steal passwords and other data.</p>
<p>It&#8217;s very curious that the message disappeared shortly after it was put up&#8211;more than likely because it conflicts with Apple&#8217;s ad campaign that implies that only Windows PCs need antivirus software. Ultimately though, the threat is very real, and will only become more serious as time goes by. Viruses and other malware threats cannot be ignored, and if Mac gains more market share&#8211;which is presumably the company&#8217;s goal&#8211;there will be viruses. You can count on it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2008/12/mines-a-mac-mines-a-pc-both-need-anti-virus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

