Tom Olzak

Archive for the ‘Email’ Category

A Different Kind of Whitelist?

In Business Continuity, Cybercrime, Email, Phishing, Risk Management, Spam on September 30, 2010 at 13:45

During my years as a security director, one of the weekly challenges I faced was how to tell my peers in engineering that we had more items to add to the growing list of blocked domains or IP addresses. This was not only a management headache; it also occasionally caused a backup of the email queue feeding our perimeter Barracuda devices. If only there were a better way…

Well, Spamhaus claims it has found the answer. Using a tightly controlled whitelist (membership is possible upon invitation by another member), Spamhaus says it provides comprehensive email filtering, free and without all the management issues faced by many enterprises.

“Unlike traditional whitelists, the Spamhaus Whitelist is not a service to help bulk mail senders improve delivery rates. You can not whitelist an IP address or domain that is used for sending marketing or soliciting bulk email, or used for sending any email on behalf of third parties. This rule therefore automatically excludes makes not eligible for whitelisting Email Service Providers, ISP customer mail relays and mail servers used by third-parties, and all bulk mailing list servers and services,” the company said in its explanation of the service.

(Source: Spamhaus Debuts New Whitelist Service | threatpost.)

Setup is easy and well documented at the Spamhaus site. At a high level,

The Spamhaus Whitelist is actually made up of two whitelists: an IP address whitelist called the ‘SWL’ and a domain whitelist called the ‘DWL’. These are published as swl.spamhaus.org and dwl.spamhaus.org respectively.

The SWL is both an IPv4 and IPv6 whitelist. It responds to queries of either IPv4 or IPv6 addresses. (Note: IPv6 handling is not yet active. Spamhaus estimates IPv6 service starting in 2011)

The DWL is a VBR (vouch-by-reference) domain whitelist designed to automate DKIM certification.

(Source: Spamhaus.org, 2010)
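How a receiving mail gateway could form the lookups against the two zones quoted above, as an added example that is not Spamhaus's or the author's code. It assumes the standard DNS list query format (RFC 5782) for the SWL and the vouch-by-reference format (RFC 5518) for the DWL; the `resolve` hook, the constructed DNS answers, and the policy of requiring both lists to match are hypothetical.

```python
import ipaddress

SWL_ZONE = "swl.spamhaus.org"   # IP whitelist zone named on the page
DWL_ZONE = "dwl.spamhaus.org"   # domain (VBR) whitelist zone named on the page

def swl_query_name(ip, zone=SWL_ZONE):
    """DNS list query name: reversed octets (IPv4) or reversed nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels + [zone])

def dwl_query_name(domain, zone=DWL_ZONE):
    """VBR query name: <signing domain>._vouch.<vouching service>."""
    return f"{domain.rstrip('.').lower()}._vouch.{zone}"

def parse_vbr_info(value):
    """Parse a VBR-Info header value into md (domain), mc (type), mv (vouchers)."""
    fields = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            fields[key.strip().lower()] = val.strip().lower()
    fields["mv"] = [v.strip() for v in fields.get("mv", "").split(":") if v.strip()]
    return fields

def is_whitelisted(client_ip, vbr_info, dkim_pass_domains, resolve):
    """Assumed policy: accept only if the IP is listed AND the DKIM-verified
    domain is vouched for. `resolve(name, rtype)` returns a list of answers."""
    info = parse_vbr_info(vbr_info)
    domain = info.get("md", "")
    if domain not in dkim_pass_domains or DWL_ZONE not in info["mv"]:
        return False  # the domain claim is worthless without a passing DKIM signature
    ip_listed = bool(resolve(swl_query_name(client_ip), "A"))
    txt = resolve(dwl_query_name(domain), "TXT")
    vouched = {t for rec in txt for t in rec.lower().split()}
    return ip_listed and bool(vouched & {"all", info.get("mc", "all")})

# Constructed answers standing in for DNS (not real Spamhaus data).
FAKE_DNS = {
    ("10.2.0.192.swl.spamhaus.org", "A"): ["127.0.0.2"],
    ("example.com._vouch.dwl.spamhaus.org", "TXT"): ["all"],
}
def fake_resolve(name, rtype):
    return FAKE_DNS.get((name, rtype), [])
```

In production the `resolve` hook would wrap a real DNS client, and the set of DKIM-verified domains would come from the gateway's own signature check rather than from any header the sender controls.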

So what happens if a sender abuses their membership in the whitelist?  Since the new service is in beta, we really don’t have any examples of deviant behavior.  However,

Spamhaus is reserving the right to revoke whitelist status for any email etiquette transgressions, such as the distribution of bulk mail of any type. The whitelist will be maintained in both IP addresses and domain name forms as two separate, but matched, lists. Controls mean no domain or IP address that is on the Spamhaus Project blocklist can ever be whitelisted.

(Source: Spamhaus debuts whitelist service, The Register, 28 September 2010)

Note that this service uses DKIM, something Microsoft Exchange DOES NOT support. There are third-party solutions (example) that make Exchange compatible. But if you use Exchange, I recommend adding a front-end solution, like Barracuda Spam Firewall, between the Internet and your mail servers. Other DKIM-compatible solutions are listed at DKIM.org.

Help for the Clueless

In Data Security, Email, Mobile Device Security, Network Security, Risk Management, Uncategorized on July 15, 2009 at 08:06

For the past four years, I haven’t connected to any public hotspot unless I was using a service which encrypts my session over the local network or I was doing something not even remotely important online. I did this, and continue to do so, because it’s been common knowledge for at least that long that connecting to public wireless is like posting your personal information on a bulletin board in the parking lot; it’s available to anyone interested in looking.

So why are so many users still connecting to hotel, airport, coffee shop, rogue, and restaurant public wireless networks and sending passwords, PINs, and other sensitive information in the clear?  A few years ago we might have given them the benefit of the doubt.  But today there is enough information available from numerous sources to ensure every computer user has at least heard that public wireless is dangerous.  In my opinion, the problem is they can’t be bothered or they have no clue how to protect themselves.

Evidence of the problem showed up recently in an online article in which the author writes,

“Much of the time, people just log in to the first robust network they see,” says AirTight spokeswoman Della Lowe. “When we did our airport study, we found only 3 percent of the people were using secure networks.” (Wireless Cybercriminals Target Clueless Vacationers, Fox Charlotte, 11 Jul 2009)

As security professionals, we may need to speak a little louder about solutions for this growing—and largely ignored—problem.  Every chance we get we should discuss with our mobile business users, acquaintances, and anyone else who will listen how to protect themselves, including:

  1. Resisting the urge to connect to the first hotspot they see without giving it some thought and without protecting their user session
  2. Using HTTPS-protected Web mail, such as Gmail
  3. Using online VPN services, such as WiTopia or ShareVPN, both fee-based but inexpensive

Going beyond one-off user solutions, organizations with more than a few mobile users should encourage or force their users to access the Internet via a company-hosted VPN solution, such as SSL VPN.  Under no circumstances should company laptops access the Web via public hotspots unless the sessions are encrypted, at least through the hotspot infrastructure.

Send secure email free, including attachments

In Data Security, Email on July 7, 2009 at 18:48

The other day (or once upon a time, whatever), I tried to use Gmail to send an attachment encrypted with SecureZIP.  I was quickly reminded by the Google email service that it didn’t allow encrypted attachments.  So I tried our restaurant’s Yahoo mailbox.  Same result.  I needed to send a secure attachment, and I didn’t want to sign up for a for-fee service to do so.  So I searched the Web for a free secure mail service.  I found two which show promise: Lockbin.com and SendInc.com.

Lockbin.com was simple to use.  After accepting the user agreement and entering a CAPTCHA string, I was presented with the text entry form shown below.  Since the connection established with the site was encrypted (HTTPS), anything I entered and sent was safe from unauthorized sets of eyes.

[Image: Lockbin text entry form]

I entered a short test message and clicked Continue.  The next window (below) prompted for a password to lock the message until picked up by the recipient.  The password, or “Secret Word,” has to be sent to the person receiving the message via standard email, phone call, text message, etc.  I entered a password and clicked Continue.

[Image: Lockbin “Secret Word” prompt]

Finally I was prompted for my name, my email address and the recipient’s email address.  I was also shown how the alert message would look when it showed up in the destination mailbox.  The text was not editable at this point.  Clicking enter again, the message was sent. 

Since I had sent the test message to one of my addresses, an alert quickly appeared in my mailbox (shown below) letting me know I had a secure message to retrieve.  To read the message, I clicked the link as instructed.  This opened a secure session with Lockbin.com.  After entering the password I provided when I sent the message, I was shown the message text.  Simple, but not quite what I needed.

[Image: Lockbin alert email]

There are two potential issues with Lockbin.  First, the sent email is deleted from the Lockbin server as soon as the recipient opens it.  If the person you correspond with doesn’t understand this, you might find yourself resending it.

Second, Lockbin doesn’t support attachments.  This is OK if what you want to share is a small list of private data.  However, I needed to send a complete document.  So on to SendInc.

Like Lockbin, SendInc is a free secure email service which requires no downloads.  But unlike the first solution, SendInc is a better fit for home office or small business use.

With SendInc, I can send up to twenty messages per day.  This would be a serious limitation for larger businesses, but it’s fine for my needs.  And although there is a send limit, I can receive an unlimited number of secure messages.  The best thing about SendInc, however, is that I can include attachments up to 10 MB.

With Lockbin, no account is necessary.  This is not true with SendInc.  This is probably due to the eventual offering of a for-fee service for users with a need for more than 20 outgoing secure messages per day.  SendInc knew immediately after I entered my email address that I didn’t have an account.  I was presented with an account activation form.  Once the form was complete, I entered an activation code sent as the final form completion step.  Now I was ready to enter the test message, as shown below.

[Image: SendInc message entry form]

After entering my test message and attaching a 5 MB Word attachment, I clicked the send button at the bottom of the form. The email was immediately processed, and I received a notification in my Gmail account. The following image shows the contents of the alert.

[Image: SendInc alert email]

Again, I simply clicked the provided link to establish a secure session with SendInc.  However, the Gmail account I sent the message to was not registered with SendInc.  So I was required to activate an associated account with a form similar to the one I completed when activating the sending account, as shown in the following image. 

[Image: SendInc account activation form]

Once both accounts were activated, I was able to send and receive secure messages with them by supplying the relevant passwords.  Messages once processed are not retained by SendInc.

Both of these solutions work as advertised. Neither is perfect, and I wouldn’t use them to share national defense secrets. But I don’t deal with national security issues. For quick messages without an attachment, Lockbin is certainly easier to use. For attachments, there is always SendInc.
