AT&T. still stinging from embarrassment after their poor network coverage prevented Steve Jobs from connecting to the internet with his iPad during his WWDC keynote speech, now has an even bigger PR nightmare to contend with. A group of hackers revealed that they were able to gain access to over 100,000 email addresses belonging to iPad users-and not just any users. Among those whose personal info was compromised are New York City Mayor Mike Bloomberg, White House Chief of Staff Rahm Emanuel, the CEO of the New York Times, and Steve Jobs himself, along with many other public figures.

The group discovered that a program on AT&T’s website would display the email addresses when given the unique identification number given to each iPad. Once they wrote a script to automate the process it took them just 6 hours to collect 114,000 email addresses. AT&T said it fixed the security hole promptly once it was informed of it. Continue reading Data Breach Exposes Email Addresses of Over 100,000 iPad Users»

A popular security term is “defence in depth”.  It sounds really clever and evokes images of multiple layers of protection from a threat.

An example of defence in depth would be a perimeter network firewall, a secondary firewall, third tier firewalls at branch offices, and maybe even client firewalls.  If one firewall fails, or is circumvented somehow, another one potentially saves the day.

It is a good concept but it naturally adds complexity to any environment.  And when applied to email spam and virus protection the complexity sometimes undermines the effectiveness and efficiency of the system.

Why Defence In Depth for Email Threats?

Quite a few years ago IT departments had a problem.  Email viruses would sometimes get through their servers and infect the network.  It happened when your server did not receive a new signature database from the vendor in time to stop the infection.

There were two underlying weaknesses with the older generation of email security products.  Firstly, they updated usually only once per 24 hours.  Secondly, they utilised a single engine for scanning emails for threats.

Under those conditions it made sense to deploy more than one product in a multi-tiered fashion, so that more than one detection engine could inspect the content.  If an outbreak did occur, you hoped that one of your vendors would get an update out fast enough to stop it. Continue reading Should You Use More Than One Anti-Spam Product?»

When a Wyoming bank’s employee unwittingly created a large data breach, an innocent GMail user paid the price. It all began when a clerk at Rocky Mountain Bank sent an email containing nearly 1500 customer names, addresses, SSN numbers and loan information to a random GMail address. It’s not known who the email was actually intended for nor how it got sent to the wrong one. Perhaps it was a typo. When the accidental breach was discovered a second email was sent to the address asking that the first email be destroyed and that the owner of the account contact them. They got no response, so the bank contacted Google and demanded the user’s information be turned over to them. Google (and rightly so) refused saying they did not honor such requests unless accompanied by a court order. Rocky Mountain bank went to court and not only got that court order, but they took it a step further and asked that the account be shut down. The judge agreed and ordered Google to do so, so now a completely innocent person, who probably ignored both emails thinking they were spam or a phishing scam, has lost their email account.

Google says it has been able to resolve the situation to the bank’s satisfaction and they have filed a motion to dismiss the case. But until the judge approves it they are barred from giving that innocent user their account back.

The bank hasn’t had any comment. One can hope they will become a little more tech savvy and also that they will apologize to the GMail user their employee’s blunder so inconvenienced.

Protection of email traffic flowing between hub servers and separate servers that store mail box accounts is established through encryption in an Exchange 2007 environment. So interception of emails transported between the hub and mail server is nearly prevented with an Exchange journaling system in place. Although email traffic is encrypted, there are other steps required to tighten security with the Exchange journaling mail box.

What still keeps the Exchange journaling system susceptible to attack is the ease of anyone being able to spoof an email.  Being able to compose an email message outside of Microsoft Outlook lets you specify the sender, rather than having Outlook do it. Exchange must authenticate the message, but you can set your display name to anything you want. This can create the illusion that a message was sent by someone else.   A spammer’s daily routine includes using this technique regularly.

When you send an email message using Microsoft Outlook, it combines the sender, subject and body with various SMTP mail delivery control commands. Then Outlook sends out the message to the server. Although isn’t usually practical, a person can actually use the same commands to manually send a message from the command line or from a script without using Microsoft Outlook. Continue reading Go Beyond Encryption with a Tunnel»

PGP recently sent the following message to potential customers:

          Good Afternoon

I work in the PGP Business Development team, working with organisations that have a need to prevent the exposure of intellectual property that can result in financial loss, legal ramifications, and significant brand damage. I understand that you may have an interest in securing sensitive company and/or customer data using PGP encryption solutions.

The PGP evaluation that you may have downloaded from the web does not include PGP Universal version 2.8 – a core component of the PGP Platform, for automated operations, key management, password recovery and enforced security policies across the enterprise. I am more than happy to provide this to you, should this be important.

What’s the problem? Well, according to The Register, PGP sent the message without using BCC and so the recipients were able to see each others email addresses. The situation was then made even worse when irate recipients used “Reply to All” when firing off their complaints to the sender of the email. Ouch! For a company that specializes in email security – and whose customers are probably much more security/privacy concsious than most people – this was certainly a silly boo-boo.

Continue reading BCC Blues»

When planning an email security solution many organizations put a lot of thought and effort into protecting their environment from external threats.  They use such measures as blocklists and content filtering to prevent spam from reaching end user mailboxes.

Despite this effort some businesses fail to also consider filtering outbound emails.  Often the outbound email path bypasses the system that scans incoming emails from the internet, and instead sends the emails directly out to the destination.

Why should we scan and filter outbound email messages?

Outbound email messages should be checked for spam or malicious content because of the risk such content poses to the organization’s reputation.

An organization found to be sending spam or viruses risks:

• Damage to their brand names
• Loss of trust and reputation with customers and business partners
• Being blocked by other email administrators
• Being added to IP block list provider databases such as SpamHaus
• Bandwidth saturation impeding other online communications

How can spam or viruses be sent from our business networks?

I’ve worked with a lot of customers over the last 10 years and it is not uncommon to find more than one of the following weaknesses in their network security: Continue reading The importance of filtering outgoing email in Exchange environments»

Around the holiday, I always see more chain emails coming through from well-intended friends and relatives, and so it’s time for an annual warning. Some of these chain emails just have interesting pictures, some make outrageous claims. A large majority of the latter are hoaxes.

A chain email is just like an old-fashioned chain letter. A message is sent to thousands of people, encouraging them all to “pass it on”, often because of either extreme cuteness, or because some bogus message is being trotted out as so incredibly important that recipients will see it as their duty to send it on to as many people as possible. It’s surprising too, how many intelligent and well-educated people actually take the bait, and send it on to everyone in their address book. Here’s a tip: Don’t do it! You’re not going to win a prize from Microsoft. You’re not going to help a sick little girl, and you’re not going to help your favorite cause. In most cases, all you will do is help spread misinformation. But even if on rare occasions the claim does turn out to be true, spreading it through chain emails is still not a good idea–first, because it does very little for whatever cause you may be trying to promote, and second, because there is a security risk involved.

Continue reading Don’t Pass It On!»