This scenario was an invitation from Linkedin, posing as an invitation from Bill Gates to join his network. Linkedin was selected due to availability, and the fact that it is a social network recognized by most executives. This selection of Linkedin was also based on the fact that linked-in email should be already identified by most existing email system(s), and this may have helped delivery through into the mailbox.

While this particular research-project was mainly intended to document the (in)effectiveness of anti-spam filters in protecting against this kind of attack, it goes on to illustrate other vulnerabilities.  Just visiting the phishing site may provide enough information, obtained from the browser’s User Agent headers, to launch a targeted attack.

Specifically, we are interested in the IP address, the OS, Browser, and any plug-ins installed on the client. This information could be used in a multi-layered attack. We have scripts that read this USERAGENT information, and direct the targeted user to specific application pages.

An example of this could be if we had setup and tested a specific client exploit for Win XP and IE 6. Based on this exploit, we could direct only users with Windows XP AND IE6 to a specific page. If they don’t have this specific OS/Browser combo they will be sent to another page. This is invaluable in increasing the chance of exploit success. It works by setting up the exploit (Browser, OS) then, redirecting a targeted user to this page.

This case reiterates that continued user education is a key part of a comprehensive security policy. You may even consider running your own internal phishing campaign to assess current exposure and help raise awareness within your organization.

Share/Save

“Using social networking sites may divert employees’ attention away from more pressing priorities, so it’s understandable that some companies limit access,” said Dave Willmer, executive director of Robert Half Technology, in a statement.

Another study conducted by Nucleus Research also indicated that employees who use social networking sites at work do so up to 2 hours a day. 87% of employees admitted they weren’t using the sites for business, but for personal purposes instead.

Does your company have a social networking use policy in place? Perhaps a good time to check before HR comes knocking.

Update: I just found this short presentation on slideshare…

Share/Save

It appears that currently only accounts starting with the letters A-B are affected, but other lists could exist.

I suggest that you change your password on your msn, hotmail or live account just to be safe.

Share/Save

“The FBI said it uncovered a sophisticated phishing operation that was designed to swipe personal information and then use the data to defraud banks. On Wednesday, authorities arrested 33 of the 53 defendants named in an indictment. Egyptian authorities charged another 47 alleged cybercrooks.”

Each of the defendants indicted in the US, is charged with conspiracy to commit bank and wire fraud, with a statutory maximum penalty of 20 years in federal prison. Hopefully this case will result in convictions with stiff sentences, sending a strong signal to other aspiring cyber crooks.

Share/Save

This convenience comes at a price.  Not only do our our inboxes become increasingly cluttered, but the more often we share our primary address on the Internet the greater the chance of getting onto spammers distribution lists as well.

I learned that lesson the hard way at the end of Dot-Com.  As fast as many of those companies went out of business, their customer or subscriber email addresses seemed to end up in spammer’s hands, either because of carelessness or perhaps for profit.

I decided then to stop sharing my primary email address with just anybody. Instead, I set up a special catchall email domain that allowed me to assign a dedicated address to every vendor, newsletter subscription, internet forum etc.  Any email addressed to the catchall domain is by default accepted and forwarded to a single mailbox.  That way I can hand out new addresses on the fly, like: amazon@catch-all-email.com, ups@catch-all-email.com, etc.  If I start receiving spam on any of these addresses I simply put them on a blacklist and future emails won’t go through. As a nice side effect, I can also track who is sharing or leaking my address purposely or due to internal data security problems.

This system has worked really well for many years now.  Of course, not everybody has the time and know-how to set this up, but there are a number of ways and solutions around that.

Many people are simply using free email accounts on Google, Yahoo! or Hotmail for this purpose.  Google’s powerful inbox filters easily sort and organize this catchall inbox.

There are now also a number of new services that productize the concept I described above.  Here are a couple that are worth mentioning:

• OtherInbox has launched a private Beta for their consumer service. There are a few Beta invites that they have shared with me. So feel free to check it out.
• Reflexion is offering a similar solution targeted at enterprise customers and ISP’s.

While it’s never too late to bring some order to your inbox, the best time to set up this kind of inbox management is when you switch to a new email address.

Technorati Tags: email overload, inbox management, catchall inbox, catchall account, otherinbox, refexion

Share/Save

Last week’s outage at Google, recent repeat problems at Amazon’s S3 storage services and Apple’s “insanely grating” MobileMe launch highlight the need to carefully consider all aspects when weighing hosted vs. on-premise solutions.

Cost reduction is typically a key motivator, especially for smaller and non-tech companies, when eying a utility or SaaS model for email.  Jason Brooks at eWeek Labs wrote an article last week that lists five key issues to consider when evaluating a hosted email service.  Jason’s list was a good start, but missed a few key issues – specifically around security and compliance. Here’s my extended version:

1. Control – Outsourcing email may significantly limit the control over data and users. Many companies have extensive regulatory requirements such as content control, data leakage protection (DLP), Chinese walls / ethical firewalls and content archiving, that are not yet addressed by hosted solutions.
   -> Don’t forget to check your company’s specific requirements.
2. Security – Email has become the primary communication medium for business. Corporate messaging systems host a wealth of proprietary and confidential information, which typically doesn’t leave the corporate network. Hosted services will have to provide extensive encryption, data access security and audit capabilities before enterprise customers will even consider moving this data outside their corporate firewall.
   -> Make sure all your corporate legal, risk management, and compliance needs are satisfied by the services offered.
3. Performance – Moving user’s mailboxes into the cloud typically means drastically increased WAN traffic. Many companies have learned this the hard way while consolidating mail servers behind the firewall. A bandwidth upgrade to the Internet pipe is most likely a requirement to guarantee reasonable response times and happy users.
   -> Make sure to plan for peak-hour bandwidth needs.
4. Reliability – Service availability/reliability depends mainly on two factors for hosted email:  service uptime and connectivity.  Hosted services are still weak on SLA commitments and proactive monitoring/notification of service outages. Connectivity problems can cut off users from their data possibly for an extended period of time, as few (smaller) companies have redundant Internet access in place.
   -> Consider deploying multiple access paths, and review service level commitments and planned downtime schedules carefully.
5. Integration – Email should really not be treated as an isolated messaging service. The premise of unified communication is starting to deliver on its potential. Many companies are already deploying integrated solutions that combine email, IM, eMeetings, telephony and presence with other collaborative applications, and even with traditional enterprise software such as CRM and ERP. None of the current hosted offerings can provide such feature-rich capabilities yet. Furthermore, any existing integration points may be severed or will be costly to reestablish with a hosted service.
   -> Carefully review the integration between your existing email and other enterprise apps, and evaluate possible barriers for future integration and unified messaging plans.
6. Scalability – Many users are already complaining about mailbox and message size restrictions imposed on their on-premise systems. Hosted solutions will have similar limitations although typically driven by cost considerations.
   -> Make sure to evaluate the needs of your power users.
7. Cost – The promise of significant cost reduction is often the most compelling reason to consider a hosted solution. All of the issues listed above play into the cost model, and critical cost drivers such as necessary bandwidth upgrades and premiums paid for power users are often overlooked in the initial assessment.
   -> List all requirements and all current costs associated with providing the on-premise services for a thorough comparison to the hosted service.

Technorati Tags: hosted email, SaaS, hosted service

Share/Save

“E-mail is an extraordinarily useful tool, as virtually all of us recognize. However, it can create enormous liabilities for an organization and it can cost an organization more than it should.”

In the article, Osterman lists examples of corporate liability and unnecessary cost caused by un-managed corporate email. He suggests four steps to address the problem:

1. Establish detailed corporate use policies.
2. Deploy monitoring and reporting solutions to gain insight and assure compliance.
3. Implement real-time policy enforcement that automatically handles suspect messages.
4. Think beyond email. IM and collaborative applications are exposing the company to similar problems just like email.

Permessa is listed as one of the vendors that provides extensive solutions in this space. As an additional reference on this topic, check out our latest whitepaper titled: “6 Best Practices That Reduce Email Overload and Costs“.

Technorati Tags: Osterman, email policy, email policy management

Share/Save

Websense Security Labs reported first indications that CAPTCHA might be in trouble when researchers noticed unusually fast response times, of less than 6 seconds, to the CAPTCHA challenge. Check out this blog post for a detailed description how these attacks work.

Spammers are highly motivated to get their hands on free email accounts for the following reasons:

• Public mail services such as Live Mail, Gmail or Yahoo! Mail cannot be blacklisted.
• Sending email through those services is free.
• It is hard to track spammers’ criminal activity in the vast volume of other legitimate mail traffic.

The latest attack on CAPTCHA is nothing new. In the past, spammers tricked unsuspecting users to do their dirty work by redirecting captcha challenges from legitimate sites to bogus game sites where players filled out captchas to win prizes.

Let’s just hope that CAPTCHA can be improved fast enough to prevent a likely surge of spam.

Technorati Tags: spam, captcha, websense

Share/Save

New web browser anti-phishing tools expose fake URLs, but the best defense still is simply not clicking email-embedded URLs, and always going directly to a vendor’s website by typing the URL in the browser, especially for login pages and account authentication.

Spear-phishing is a narrowly focused variant of phishing. Rather than bottom trawling the Internet by sending massive numbers of generic messages, spear-phishers gather detailed personal information readily available via Google and Social Networking sites, to craft convincing emails that can trick even seasoned professionals into opening tainted email attachments or visiting fake websites.

Roger Matus wrote an interesting blog post about a particular spear-phishing attack on a Booz Allen Hamilton executive.

“Its authors knew enough about the ‘sender’ and ‘recipient’ to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China’s Yangtze River.”

Targeted phishing attacks on senior executives are now also referred to as Whaling (you’ve got to love the lingo). The case highlights how common exploitive internet techniques are being perfected and used for sophisticated corporate and military espionage attacks. The stakes are high and it is important to train and inform senior executives proactively about these risks. Executives in non-technical fields may be especially vulnerable. Worse, the fear of potential embarrassment may delay the discovery of a problem.

Technorati Tags: phishing, spear phishing, whaling, email risks, electronic espionage

Share/Save

While there are many theories about the missing emails, reaching from government conspiracy to sheer incompetence, I would side with the latter.

I have witnessed the decision by some companies to switch their enterprise messaging vendors over recent years. Often these decisions were driven from the top down based on personal preference, false promises of massive cost savings by the new vendor and utter ignorance of existing infrastructure dependencies. I’m not sure what the driving force was behind the decision to move from Lotus Notes to Microsoft Exchange at the White House, but the mistakes made follow the same pattern as seen in numerous other corporate cases. If your company considers the move from Notes to Exchange, review these key points in your planning and assessment to avoid making the same mistakes:

• Make sure that any existing 3rd party applications (anti-spam, anti-virus, archiving, records management, system monitoring, etc.) will still work with the new platform. Don’t forget to include any 3rd party upgrade costs in the overall migration budget.
• Include audit and retrieval costs in your evaluation. Moving to a client-based storage model (e.g. pst files) may seem like a great idea for reducing server load and storage cost, but will inherently make auditing and retrieval at a later time almost impossible. Retrieving data from remote and portable media is extremely difficult and costly, but apparently that will not be a valid legal excuse.
• Assess the skill set of your existing IT staff. Large messaging systems are complicated and require highly skilled IT workers to manage and administer. Switching platforms may require a significant retraining of existing staff, or worse, cause the defection of key resources.
• Evaluate other dependencies. Lotus Notes is much more than email, a fact that is frequently overlooked by people unfamiliar with the platform. Companies that have been running Lotus Notes for years have often custom-built rich enterprise Notes applications running mission-critical corporate functions. These dependencies are often downplayed or simply overlooked. Migrating these applications can be expensive or simply impossible, which has forced some companies to continue running both Outlook and Notes on the desktops after the migration.

Technorati Tags: lotus notes migration, missing white house emails, John Facciola

Share/Save