Posts Tagged ‘vulnerability’
Email Security – How does your Email Server Rate?
Written by Ed Fisher on November 10, 2010 – 3:28 pm -
Always on the lookout for a new tool or website to give me a leg up or a second opinion on my security, I was delighted to find GFI’s Email Security Testing Zone, a website that can run several security tests of your email system to evaluate your security posture, and provide you with a detailed analysis and report you can use to assess how well you are doing securing your systems, and/or to create a list of things that need your attention.
This simple web-based tool is free to use. It runs tests in seventeen categories, then provides a grade, a ranking of how you stack up against other servers, and a detailed report of the results.
Microsoft finds another vulnerability in OWA
Written by John P Mello Jr on September 29, 2010 – 2:57 pm -
Exploit creating new rule in Outlook Web Access.
Microsoft has finally patched a vulnerability in its Outlook Web Access application that has been known to the public since early summer. If successfully exploited, the vulnerability could have let a hacker use the identity of an authenticated user to perform actions with that user’s computer without the user’s knowledge.
Although the vulnerability does not affect Microsoft Exchange Server 2007 Service Pack 3 and Microsoft Exchange Server 2010, it does affect earlier versions of Exchange 2007, as well as Exchange 2003 and Exchange 2000.
Microsoft’s solution to the problem may not please some system administrators. It recommends that customers running versions of the program affected by the vulnerability upgrade those programs to versions unaffected by the flaw.
“Of course system administrators have nothing better to do than upgrade the version of Exchange on all of their mail servers and shift thousands of mailboxes to a new version of Exchange,” Lawrence Latif observed snidely in the Inquirer.
Net security hole could take year to fix
Written by John P Mello Jr on January 19, 2010 – 4:56 pm -
A fix for a flaw in an important Internet security protocol is ready for prime time, but it will be many months before the patch is fully implemented, according to technical experts.
The authentication vulnerability in TLS/SSL, which is the most common security protocol on the Net, could be exploited by hackers for all kinds of mischief. Because the protocol is built into browsers and Web servers to protect high-value information, the flaw affects a wide range of technologies, including online banking, back-office systems using Web-based protocols, non-HTTP applications such as mail and database servers, mobile phones, wireless access points, DECT phones and home security systems.
The vulnerability was discovered last September by researchers at PhoneFactor, a security service provider in Overland Park, Kansas, but was kept under wraps until November when another security expert, working independently, made the flaw public on a mailing list sponsored by the Internet Engineering Task Force (IETF).
With the cat out of the bag, PhoneFactor decided to push out a press release on the subject. In it CTO Steve Dispensa, who, along with Marsh Ray, initially unearthed the flaw, stated,
“Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching. All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL.”
“The discovery of this vulnerability speaks to a larger issue with single channel authentication protocols,” he added. “While this vulnerability is larger in scope than many, man-in-the-middle attacks have been a known threat for some time. Out-of-band protocols should be considered when possible to help mitigate the risk of these attacks.”


