AT&T. still stinging from embarrassment after their poor network coverage prevented Steve Jobs from connecting to the internet with his iPad during his WWDC keynote speech, now has an even bigger PR nightmare to contend with. A group of hackers revealed that they were able to gain access to over 100,000 email addresses belonging to iPad users-and not just any users. Among those whose personal info was compromised are New York City Mayor Mike Bloomberg, White House Chief of Staff Rahm Emanuel, the CEO of the New York Times, and Steve Jobs himself, along with many other public figures.

The group discovered that a program on AT&T’s website would display the email addresses when given the unique identification number given to each iPad. Once they wrote a script to automate the process it took them just 6 hours to collect 114,000 email addresses. AT&T said it fixed the security hole promptly once it was informed of it.

           This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses,” a written statement by AT&T said. “The person or group who discovered this gap did not contact AT&T. We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS [iPad identification numbers] may have been obtained. “We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.”

The breach could have serious legal implications for the company, which says it will inform all the affected users.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Data Breach Exposes Email Addresses of Over 100,000 iPad Users

A popular security term is “defence in depth”.  It sounds really clever and evokes images of multiple layers of protection from a threat.

An example of defence in depth would be a perimeter network firewall, a secondary firewall, third tier firewalls at branch offices, and maybe even client firewalls.  If one firewall fails, or is circumvented somehow, another one potentially saves the day.

It is a good concept but it naturally adds complexity to any environment.  And when applied to email spam and virus protection the complexity sometimes undermines the effectiveness and efficiency of the system.

Why Defence In Depth for Email Threats?

Quite a few years ago IT departments had a problem.  Email viruses would sometimes get through their servers and infect the network.  It happened when your server did not receive a new signature database from the vendor in time to stop the infection.

There were two underlying weaknesses with the older generation of email security products.  Firstly, they updated usually only once per 24 hours.  Secondly, they utilised a single engine for scanning emails for threats.

Under those conditions it made sense to deploy more than one product in a multi-tiered fashion, so that more than one detection engine could inspect the content.  If an outbreak did occur, you hoped that one of your vendors would get an update out fast enough to stop it.

Too Much Complexity for Today’s Business

The defence in depth strategy for email security is less attractive these days.  Server consolidation is in vogue both for cost reduction and because of “green IT” initiatives.  But more importantly, the best email security products now ship with multiple detection engines included in them.

So instead of multiple products on multiple servers, you can deploy several detection engines within a single product on a single server.  The number of actual engines in effect is only limited by your choice of email security product, and by the power of your server.  But with computing power a relatively low cost these days, running two or three detection engines on a single host is easily within the reach of most businesses.

Most products are in themselves a defence in depth solution anyway.  A single product can perform RBL lookups, sender verification, recipient filtering, reputation checks, URL filtering, and content filtering all within the one package, with no need to deploy multiple products to gain all of those security features.

For those companies still holding on to a defence in depth strategy the final argument is that of complexity.  The more servers you have in your email transit path the more points at which a failure can occur.  And the more security products you have in the mix the harder it is to apply a consistent security policy across the network, and the more places you need to look for missing or quarantined emails.

There is no ’set and forget’ anti-spam solution, but you still want it to be as low maintenance as possible.  So adding complexity for no gain is not a strategy to stick with any longer.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Should You Use More Than One Anti-Spam Product?

When a Wyoming bank’s employee unwittingly created a large data breach, an innocent GMail user paid the price. It all began when a clerk at Rocky Mountain Bank sent an email containing nearly 1500 customer names, addresses, SSN numbers and loan information to a random GMail address. It’s not known who the email was actually intended for nor how it got sent to the wrong one. Perhaps it was a typo. When the accidental breach was discovered a second email was sent to the address asking that the first email be destroyed and that the owner of the account contact them. They got no response, so the bank contacted Google and demanded the user’s information be turned over to them. Google (and rightly so) refused saying they did not honor such requests unless accompanied by a court order. Rocky Mountain bank went to court and not only got that court order, but they took it a step further and asked that the account be shut down. The judge agreed and ordered Google to do so, so now a completely innocent person, who probably ignored both emails thinking they were spam or a phishing scam, has lost their email account.

Google says it has been able to resolve the situation to the bank’s satisfaction and they have filed a motion to dismiss the case. But until the judge approves it they are barred from giving that innocent user their account back.

The bank hasn’t had any comment. One can hope they will become a little more tech savvy and also that they will apologize to the GMail user their employee’s blunder so inconvenienced.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Bank Forces Google to Shut Down a GMail Account After Data Breach

Protection of email traffic flowing between hub servers and separate servers that store mail box accounts is established through encryption in an Exchange 2007 environment. So interception of emails transported between the hub and mail server is nearly prevented with an Exchange journaling system in place. Although email traffic is encrypted, there are other steps required to tighten security with the Exchange journaling mail box.

What still keeps the Exchange journaling system susceptible to attack is the ease of anyone being able to spoof an email.  Being able to compose an email message outside of Microsoft Outlook lets you specify the sender, rather than having Outlook do it. Exchange must authenticate the message, but you can set your display name to anything you want. This can create the illusion that a message was sent by someone else.   A spammer’s daily routine includes using this technique regularly.

When you send an email message using Microsoft Outlook, it combines the sender, subject and body with various SMTP mail delivery control commands. Then Outlook sends out the message to the server. Although isn’t usually practical, a person can actually use the same commands to manually send a message from the command line or from a script without using Microsoft Outlook.

For the cyber criminal, spoofing an email message is only half of the equation. A hacker must also know the email address of the mailbox that’s being used as the journal repository. With these two factors in place, it’s fairly easy for a hacker to sneak a spoofed message into the journaling mailbox.  By changing certain properties of an email (i.e. From, return path,  reply to fields etc.), the bad guys can make an email appear to be from someone other than the actual sender. The result is the email appears to come from a fake email address indicated in the “From” field, when it actually comes from a totally different source.

Other journaling defense methodologies include the protecting Exchange email archives from spoofing attacks. The key component to protecting your archives against these types of attack is a clear understanding that there is a difference between the sender and the display name. The display name is the name the email recipient sees. It has no value in authenticating the user. The user’s true identity is connected to the account’s globally unique identifier (GUID).

Within the same Exchange Server organization an email recipient can be deceived by a  spoofed display name, when an authenticated email user sends a spoofed message to that  email recipient’s mail box. The Exchange server is not fooled. It knows exactly who actually sent the message, because of how the sender was authenticated.

This authentication process is significant, because journaling always sends messages to the designated recipient mail box in a consistent manner regardless of who sent or received the message being placed in the journal mail box. For example, let’s say email user #1 sends a message to email user #2. The Exchange mail server is also set up to journal a copy of the message to a mail box called “Journal”.  In this scenario, email user #1 or email user #2 won’t send the message to the Journal mailbox. The email will be sent to the Exchange hub server. Then the Exchange hub server sends the message as a Microsoft Exchange message on behalf of the message’s original sender.

If we know that all email messages sent to the journaling mailbox are only supposed to be from Microsoft Exchange, some easy steps can be taken to prevent anyone else or any other entity from sending messages to this mail box. Not publishing the mailbox in the directory is one way to do this.

A further step would be to ensure that only the Exchange server can place items into the journaling mail box.  Below is the process for creating a tunneling mechanism only between the Exchange server and the journal mail box. This ensures the journal mail box does not accept email from any outside entity.

1. Open the Exchange Server Management console.
2. Select Recipient Configuration > Mailbox.
3. Right click on the journal mail box and choose Properties from the menu. This causes the console to display the mailbox’s properties sheet.
4. Go to the properties sheet’s “Mail Flow Settings” tab
5. Select the Message Delivery Restrictions option.
6. Click the “Properties” button to display the Message Delivery Restrictions dialog box.  At this point you can require that all senders to this mailbox be authenticated.  You can also choose to accept only specific senders.  For the journal mail box, accept only messages from Microsoft Exchange.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Go Beyond Encryption with a Tunnel

PGP recently sent the following message to potential customers:

          Good Afternoon

I work in the PGP Business Development team, working with organisations that have a need to prevent the exposure of intellectual property that can result in financial loss, legal ramifications, and significant brand damage. I understand that you may have an interest in securing sensitive company and/or customer data using PGP encryption solutions.

The PGP evaluation that you may have downloaded from the web does not include PGP Universal version 2.8 – a core component of the PGP Platform, for automated operations, key management, password recovery and enforced security policies across the enterprise. I am more than happy to provide this to you, should this be important.

What’s the problem? Well, according to The Register, PGP sent the message without using BCC and so the recipients were able to see each others email addresses. The situation was then made even worse when irate recipients used “Reply to All” when firing off their complaints to the sender of the email. Ouch! For a company that specializes in email security – and whose customers are probably much more security/privacy concsious than most people – this was certainly a silly boo-boo.

PGP are certainly not the first company to have made such an error, and nor shall they be the last. In fact, while it’s not a particularly common problem, it doesn’t seem to be a particularly uncommon one either. Once a month or so I see a CC’d email which should really have been BCC’d – and those emails are often sent by people and companies that should really know better. Actually, they almost certainly *do* know better – mistakes happen.

What surprises me is that the vendors of most messaging products do not provide a mechanism that would enable admins to force users to use the BCC option in certain situations (when an email is being sent to X or more people, for example). This would be easy enough to do and would certainly spare some blushes.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

BCC Blues

When planning an email security solution many organizations put a lot of thought and effort into protecting their environment from external threats.  They use such measures as blocklists and content filtering to prevent spam from reaching end user mailboxes.

Despite this effort some businesses fail to also consider filtering outbound emails.  Often the outbound email path bypasses the system that scans incoming emails from the internet, and instead sends the emails directly out to the destination.

Why should we scan and filter outbound email messages?

Outbound email messages should be checked for spam or malicious content because of the risk such content poses to the organization’s reputation.

An organization found to be sending spam or viruses risks:

• Damage to their brand names
• Loss of trust and reputation with customers and business partners
• Being blocked by other email administrators
• Being added to IP block list provider databases such as SpamHaus
• Bandwidth saturation impeding other online communications

How can spam or viruses be sent from our business networks?

I’ve worked with a lot of customers over the last 10 years and it is not uncommon to find more than one of the following weaknesses in their network security:

• Unsecured wireless networks
• No doors or security barriers in offices
• Firewalls that allow any device on the network to sent outbound SMTP
• Email servers that permit any device on the network to relay SMTP

Some of these combinations create very serious security problems.  If I can get access to your network via an unsecured wireless access point, and your email server permits any device on the LAN to relay so that the photocopiers can automatically order more toner from the supplier, then what is to stop me sending spam or virus emails from your network?

A worse scenario is what can potentially be done with a legitimate user account without any of the abovementioned security weaknesses existing.  A disgruntled staff member, or someone who gains access to an unlocked computer in an insecure part of the office, could use those network credentials to send email out of the network.

How do we filter outbound email messages?

Although Exchange Server 2007 contains anti-spam features that can be used to protect an organization from incoming spam, they provide no protection for outgoing threats.  The inbound protection also suffers from some disadvantages such as a lack of Bayesian capabilities, poor reporting, and cumbersome quarantine management.

Combine this with the habit of many email administrators of sending outbound email directly from Exchange to the destination on the internet and the risks become clear.

The solution to this problem is to implement an email security solution into the network.  This carries a dual benefit in that it can be used to filter both inbound and outbound email for the organisation.  The email security solution solves the weaknesses and deficiencies of the built in Exchange Server 2007 anti-spam features as well as provides outbound protection to preserve the reputation of the business.

Always consider outbound filtering when planning your email protection strategy.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

The importance of filtering outgoing email in Exchange environments

Around the holiday, I always see more chain emails coming through from well-intended friends and relatives, and so it’s time for an annual warning. Some of these chain emails just have interesting pictures, some make outrageous claims. A large majority of the latter are hoaxes.

A chain email is just like an old-fashioned chain letter. A message is sent to thousands of people, encouraging them all to “pass it on”, often because of either extreme cuteness, or because some bogus message is being trotted out as so incredibly important that recipients will see it as their duty to send it on to as many people as possible. It’s surprising too, how many intelligent and well-educated people actually take the bait, and send it on to everyone in their address book. Here’s a tip: Don’t do it! You’re not going to win a prize from Microsoft. You’re not going to help a sick little girl, and you’re not going to help your favorite cause. In most cases, all you will do is help spread misinformation. But even if on rare occasions the claim does turn out to be true, spreading it through chain emails is still not a good idea–first, because it does very little for whatever cause you may be trying to promote, and second, because there is a security risk involved.

Besides the risk of spreading misinformation, there are greater dangers afoot. When you receive one of these emails, if you scroll down through it, you will notice that there are perhaps hundreds of email addresses contained in the thread, from all of the people who have passed it on before you. The security of your own email account is at risk here. If you pass on that chain email, your own personal email address will be exposed to a great many people, as it continues to get passed on down the line. You may well trust the person who sent it to you, and you may well trust your friends that you would send it to. But do you trust your friends’ friends? How about your friends’ friends’ friends? We’re talking about complete strangers here. When it comes to Internet security, the watchword always should be, “trust no one.” All those email addresses could be very easily harvested for use in spamming operations or worse.

A quick look at BreakTheChain.org shows some of the most popular of these chain hoaxes. Many of them sound very realistic, and are often designed to tug at your heartstrings and get your sympathy. Don’t fall for it! Here’s just a few examples:

“Bonsai cats”–completely false. This long-running hoax claims that a Japanese man sells kittens that he has placed in a bottle and feeds through a tube, so that they take on the shape of the bottle. This plays on your sense of outrage, and includes a petition to sign which will somehow end up at the US Animal Protection Society. Unfortuantely, petition-based chain emails don’t work, because once they are in the wild, they are, well, wild! There’s no direction to them, and no way to get the so-called petition to its intended destination.

Petition to stop religious programming. This one plays the religion card, claiming that the FCC is going to put a stop to all religious broadcasting on television, and asks for your help (and your signature on a petition). Also completely false, the FCC does not have the authority to do what the email claims, nor is it seeking such authority.

Dunkin’ Donuts involved in unpatriotic activity. Come on now! My favorite donut shop! There have been a few variations of this one, claiming that owners of Dunkin’ Donuts shops have burned the American flag, that somebody saw an American flag with Arabic writing on it, and that Dunkin’ Donuts shops won’t serve American servicemen. As BreakTheChain put it, this is “ridiculous paranoia masquerading as patriotism.” And not to mention, it’s maligning a pretty darn good donut, too. Completely bogus. DON’T pass it on. Enjoy your donuts instead.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Don’t Pass It On!