Bank Forces Google to Shut Down a GMail Account After Data Breach

Written by Sue Walsh on October 2, 2009


When a Wyoming bank’s employee unwittingly created a large data breach, an innocent GMail user paid the price. It all began when a clerk at Rocky Mountain Bank sent an email containing nearly 1500 customer names, addresses, Social Security numbers and loan information to a random GMail address. It’s not known who the email was actually intended for, nor how it got sent to the wrong address. Perhaps it was a typo. When the accidental breach was discovered, a second email was sent to the address asking that the first email be destroyed and that the owner of the account contact the bank. They got no response, so the bank contacted Google and demanded that the user’s information be turned over to them. Google (and rightly so) refused, saying it did not honor such requests unless accompanied by a court order. Rocky Mountain Bank went to court and not only got that court order, but took it a step further and asked that the account be shut down. The judge agreed and ordered Google to do so, so now a completely innocent person, who probably ignored both emails thinking they were spam or a phishing scam, has lost their email account.

Google says it has been able to resolve the situation to the bank’s satisfaction and they have filed a motion to dismiss the case. But until the judge approves it they are barred from giving that innocent user their account back.

The bank hasn’t had any comment. One can hope they will become a little more tech savvy and also that they will apologize to the GMail user their employee’s blunder so inconvenienced.

Go Beyond Encryption with a Tunnel

Written by Carl E. Reid on April 30, 2009

Protection of email traffic flowing between hub servers and separate servers that store mail box accounts is established through encryption in an Exchange 2007 environment. So interception of emails transported between the hub and mail server is nearly prevented with an Exchange journaling system in place. Although email traffic is encrypted, there are other steps required to tighten security with the Exchange journaling mail box.

What still keeps the Exchange journaling system susceptible to attack is the ease of anyone being able to spoof an email.  Being able to compose an email message outside of Microsoft Outlook lets you specify the sender, rather than having Outlook do it. Exchange must authenticate the message, but you can set your display name to anything you want. This can create the illusion that a message was sent by someone else.   A spammer’s daily routine includes using this technique regularly.

When you send an email message using Microsoft Outlook, it combines the sender, subject and body with various SMTP mail delivery control commands. Then Outlook sends out the message to the server. Although it isn’t usually practical, a person can actually use the same commands to manually send a message from the command line or from a script without using Microsoft Outlook.

BCC Blues

Written by Brett Callow on April 1, 2009

PGP recently sent the following message to potential customers:

          Good Afternoon

I work in the PGP Business Development team, working with organisations that have a need to prevent the exposure of intellectual property that can result in financial loss, legal ramifications, and significant brand damage. I understand that you may have an interest in securing sensitive company and/or customer data using PGP encryption solutions.

The PGP evaluation that you may have downloaded from the web does not include PGP Universal version 2.8 – a core component of the PGP Platform, for automated operations, key management, password recovery and enforced security policies across the enterprise. I am more than happy to provide this to you, should this be important.

What’s the problem? Well, according to The Register, PGP sent the message without using BCC and so the recipients were able to see each other’s email addresses. The situation was then made even worse when irate recipients used “Reply to All” when firing off their complaints to the sender of the email. Ouch! For a company that specializes in email security – and whose customers are probably much more security/privacy conscious than most people – this was certainly a silly boo-boo.


The importance of filtering outgoing email in Exchange environments

Written by Paul Cunningham on January 22, 2009

When planning an email security solution many organizations put a lot of thought and effort into protecting their environment from external threats.  They use such measures as blocklists and content filtering to prevent spam from reaching end user mailboxes.

Despite this effort some businesses fail to also consider filtering outbound emails.  Often the outbound email path bypasses the system that scans incoming emails from the internet, and instead sends the emails directly out to the destination.

Outbound filtering

Why should we scan and filter outbound email messages?

Outbound email messages should be checked for spam or malicious content because of the risk such content poses to the organization’s reputation.

An organization found to be sending spam or viruses risks:

  • Damage to their brand names
  • Loss of trust and reputation with customers and business partners
  • Being blocked by other email administrators
  • Being added to IP block list provider databases such as Spamhaus
  • Bandwidth saturation impeding other online communications

How can spam or viruses be sent from our business networks?

I’ve worked with a lot of customers over the last 10 years and it is not uncommon to find more than one of the following weaknesses in their network security:

Don’t Pass It On!

Written by Dan Blacharski on December 4, 2008

Around the holiday, I always see more chain emails coming through from well-intended friends and relatives, and so it’s time for an annual warning. Some of these chain emails just have interesting pictures, some make outrageous claims. A large majority of the latter are hoaxes.

A chain email is just like an old-fashioned chain letter. A message is sent to thousands of people, encouraging them all to “pass it on”, often because of either extreme cuteness, or because some bogus message is being trotted out as so incredibly important that recipients will see it as their duty to send it on to as many people as possible. It’s surprising too, how many intelligent and well-educated people actually take the bait, and send it on to everyone in their address book. Here’s a tip: Don’t do it! You’re not going to win a prize from Microsoft. You’re not going to help a sick little girl, and you’re not going to help your favorite cause. In most cases, all you will do is help spread misinformation. But even if on rare occasions the claim does turn out to be true, spreading it through chain emails is still not a good idea–first, because it does very little for whatever cause you may be trying to promote, and second, because there is a security risk involved.
