<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Steve Riley on Security : email</title><link>http://blogs.technet.com/steriley/archive/tags/email/default.aspx</link><description>Tags: email</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Today’s spam</title><link>http://blogs.technet.com/steriley/archive/2009/01/21/today-s-spam.aspx</link><pubDate>Wed, 21 Jan 2009 21:13:31 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3188609</guid><dc:creator>Steve Riley</dc:creator><slash:comments>12</slash:comments><comments>http://blogs.technet.com/steriley/comments/3188609.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=3188609</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=3188609</wfw:comment><description>&lt;p&gt;Here’s what’s in my junk mail folder today:&lt;/p&gt;  &lt;p&gt;&lt;img title="image" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="476" alt="image" src="http://blogs.technet.com/blogfiles/steriley/WindowsLiveWriter/Todaysspam_8FC7/image_3.png" width="422" border="0" /&gt; &lt;/p&gt;  &lt;p&gt;What is up with all that? Apparently I sent a payment to myself, I initiated another payment to myself, I am a user of myself who’s received exclusive offers for January, and I received a payment from myself. Wow! 
Furthermore, an internal discussion group (IPv6) is apparently engaging in a PayPal transaction, and M &amp;amp; T Bank’s mailer needs to make doubly sure that I realize I’m receiving a new message.&lt;/p&gt;  &lt;p&gt;I don’t know where to direct my ire—at the spammers who litter the Internet with their spew or at the people who still get duped by it. Spam would wither away if everyone just ignored it. But I guess enough people are lured by cheap mortgages for their penis extensions that the spammers rake in enough money to cover their costs…so sad.&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3188609" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/spam/default.aspx">spam</category><category domain="http://blogs.technet.com/steriley/archive/tags/email/default.aspx">email</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+angry/default.aspx">things that make me angry</category></item><item><title>The opt-out from hell</title><link>http://blogs.technet.com/steriley/archive/2008/09/16/the-opt-out-from-hell.aspx</link><pubDate>Tue, 16 Sep 2008 22:22:03 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3124873</guid><dc:creator>Steve Riley</dc:creator><slash:comments>8</slash:comments><comments>http://blogs.technet.com/steriley/comments/3124873.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=3124873</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=3124873</wfw:comment><description>&lt;p&gt;One problem with making your email address available (which I will continue to do, don't worry) is that folks with something to sell assume you're interested in their stuff. 
To wit, let's consider an email I received today (copied, headers and all, after my griping).&lt;/p&gt;  &lt;p&gt;Note that if I want to opt out of further communications, I have to do &lt;em&gt;two separate things&lt;/em&gt; -- which actually becomes three things.&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;First I have to click the last link to opt out of future TechTarget spam. (Yes, I deleted the actual links. But certainly none of &lt;em&gt;my&lt;/em&gt; trustworthy readers would attempt to re-subscribe me, right...? &amp;lt;g&amp;gt;) &lt;/li&gt;    &lt;li&gt;But that isn't enough -- I &lt;em&gt;also&lt;/em&gt; have to separately opt out of future Avaya spam! (Why does the no-more-from-Avaya link live on a techtargetmail.com server? Whatever.) Clicking on that link eventually does land me on an avaya.com page, where I have to confirm my email address and indicate they don't have my permission to send me spam. Hmm, too difficult to embed my email in that link, when the other techtargetmail.com link &lt;em&gt;did&lt;/em&gt; embed my email? &lt;/li&gt;    &lt;li&gt;Then after submitting it, another page pops up telling me that I'll soon receive an email with &lt;em&gt;additional&lt;/em&gt; instructions! In this email there's a link -- to avaya.com with my email address embedded -- that I must click, I guess to double plus confirm that yes, I really really really do wish never to hear from you again. Clicking that link takes me to a page that promises my &amp;quot;permissions have successfully been set. Thank you.&amp;quot; &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;A pox on both your houses, TechTarget and Avaya. I never asked for your stuff. 
Go away.&lt;/p&gt;  &lt;p&gt;Spam, my friends, is only going to &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/09/12/AR2008091201211.html?hpid=topnews" target="_blank"&gt;get&lt;/a&gt; &lt;a href="http://voices.washingtonpost.com/securityfix/2008/09/virginia_anti-spam_law_overtur.html?hpid=news-col-blogs" target="_blank"&gt;worse&lt;/a&gt;. It was so easy to &lt;a href="http://en.wikipedia.org/wiki/Junk_fax" target="_blank"&gt;ban junk faxes&lt;/a&gt; in 1991. But even those regulations were &lt;a href="http://en.wikipedia.org/wiki/Junk_Fax_Prevention_Act_of_2005" target="_blank"&gt;weakened in 2005&lt;/a&gt;. So do you really think we'll see anything even remotely logical for outlawing spam? I doubt it, unless we the citizens foment a revolt. Let's get cracking! &lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;hr /&gt;  &lt;p&gt;&lt;font face="Courier New" size="2"&gt;Received: from SVC-EXGWY-E801.partners.extranet.microsoft.com (10.251.24.242)      &lt;br /&gt;by tk5-exhub-c102.redmond.corp.microsoft.com (157.54.18.53) with Microsoft       &lt;br /&gt;SMTP Server (TLS) id 8.1.291.1; Tue, 16 Sep 2008 11:27:56 -0700       &lt;br /&gt;Received: from mail139-wa4-R.bigfish.com (216.32.181.113) by       &lt;br /&gt;mail04.microsoft.com (10.253.160.184) with Microsoft SMTP Server (TLS) id       &lt;br /&gt;8.1.291.1; Tue, 16 Sep 2008 11:27:55 -0700       &lt;br /&gt;Received: from mail139-wa4 (localhost.localdomain [127.0.0.1])&amp;#160;&amp;#160;&amp;#160; by       &lt;br /&gt;mail139-wa4-R.bigfish.com (Postfix) with ESMTP id 018C11184C2&amp;#160;&amp;#160;&amp;#160; for       &lt;br /&gt;&amp;lt;steriley@microsoft.com&amp;gt;; Tue, 16 Sep 2008 18:27:50 +0000 (UTC)       &lt;br /&gt;X-BigFish: ps16(zz18c1K1936K2b7wcak69jzzzz2af1jz2fh6bh5eh65h)       &lt;br /&gt;X-Spam-TCS-SCL: 4:0       &lt;br /&gt;Received: by mail139-wa4 (MessageSwitch) id 1221589667478982_28100; Tue, 16       &lt;br /&gt;Sep 2008 18:27:47 +0000 (UCT)       &lt;br /&gt;Received: 
from pp.techtargetmail.com (pp.techtargetmail.com [65.211.80.227])       &lt;br /&gt;&amp;#160;&amp;#160;&amp;#160; by mail139-wa4.bigfish.com (Postfix) with SMTP id 46566978071&amp;#160;&amp;#160;&amp;#160; for       &lt;br /&gt;&amp;lt;steriley@microsoft.com&amp;gt;; Tue, 16 Sep 2008 18:27:47 +0000 (UTC)       &lt;br /&gt;DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=pp.techtargetmail.com; b=iOmibOrM91/1Ugy2gj3QbWo74T2m3GuhmwxZCXJQpFT+nwRES8QKg+4vjt48SNp7WWJExG61Ge+DtnKD3KVI3KwqTKzkPRVrEBF0DCHhYot6VAG/EyEr5vb5RhBz+91yvNhbIqITzGnuQ+uBDJzyc6gU0FHfBl0Fa3S/phcPELM=;       &lt;br /&gt;Message-ID: &amp;lt;a818b044.724694.236c8ee748f7dd97.1.n.4.2971370188@pp.techtargetmail.com&amp;gt;       &lt;br /&gt;Date: Tue, 16 Sep 2008 14:27:47 -0400       &lt;br /&gt;thread-index: a818b044.724694.236c8ee748f7dd97.1.n.4       &lt;br /&gt;Reply-To: Avaya &amp;lt;a818b044.724694.236c8ee748f7dd97.1.n.4@pp.techtargetmail.com&amp;gt;       &lt;br /&gt;From: Avaya &amp;lt;Avaya@pp.techtargetmail.com&amp;gt;       &lt;br /&gt;To: Steve Riley &amp;lt;steriley@microsoft.com&amp;gt;       &lt;br /&gt;Subject: 7 Tips to Ensure Readiness for UC Deployment       &lt;br /&gt;MIME-Version: 1.0       &lt;br /&gt;Content-Type: text/plain       &lt;br /&gt;Content-Transfer-Encoding: 7bit       &lt;br /&gt;Content-Class: urn:content-classes:message       &lt;br /&gt;Importance: normal       &lt;br /&gt;Priority: normal       &lt;br /&gt;X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133       &lt;br /&gt;Return-Path: a818b044.724694.236c8ee748f7dd97.1.n.4@pp.techtargetmail.com       &lt;br /&gt;X-MS-Exchange-Organization-PRD: pp.techtargetmail.com       &lt;br /&gt;Received-SPF: Pass (SVC-EXGWY-E801.partners.extranet.microsoft.com: domain       &lt;br /&gt;of Avaya@pp.techtargetmail.com designates 65.211.80.227 as permitted sender)       &lt;br /&gt;receiver=SVC-EXGWY-E801.partners.extranet.microsoft.com;       &lt;br /&gt;client-ip=65.211.80.227; helo=mail139-wa4-R.bigfish.com;  
     &lt;br /&gt;X-MS-Exchange-Organization-PCL: 2       &lt;br /&gt;X-MS-Exchange-Organization-Antispam-Report: DV:3.3.6916.600;SV:3.3.6916.813;SID:SenderIDStatus Pass;OrigIP:65.211.80.227       &lt;br /&gt;X-MS-Exchange-Organization-SCL: 2       &lt;br /&gt;X-MS-Exchange-Organization-SenderIdResult: PASS&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font face="Courier New" size="2"&gt;The following message was sent to you as a subscriber to third party offers from a TechTarget property, including our network of Search sites, Bitpipe.com, CIO Decisions Magazine, Information Security Magazine, Storage Magazine, KnowledgeStorm, TheServerSide.com and/or TheServerSide.NET. To unsubscribe, see below.      &lt;br /&gt;____________________________________________________________ &lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font face="Courier New" size="2"&gt;How should you evaluate the move to unified communications (UC)? Who within which parts of an organization will benefit? Will UC reduce the time to market? Read this E-Guide for answers to these questions and a better look at how the value of UC will, at first, be less of a financial issue and more of a productivity improvement issue that translates into financial benefits. Download this white paper now: &lt;/font&gt;&lt;a href="http://pp.techtargetmail.com/c.asp?724694&amp;amp;236c8ee748f7dd97&amp;amp;1"&gt;&lt;font face="Courier New" size="2"&gt;http://pp.techtargetmail.com/c.asp?724694&amp;amp;236c8ee748f7dd97&amp;amp;1&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;font face="Courier New" size="2"&gt;When implementing unified communications, there are a number of important issues to think about and questions to ask. This E-Guide analyzes seven phases to ensure you reap the full benefits of UC in each. If you're ready to take the plunge but you're not sure your business or your infrastructure is - download this E-Guide now. 
&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font face="Courier New" size="2"&gt;Click here to learn more: &lt;/font&gt;&lt;a href="http://pp.techtargetmail.com/c.asp?724694&amp;amp;236c8ee748f7dd97&amp;amp;1"&gt;&lt;font face="Courier New" size="2"&gt;http://pp.techtargetmail.com/c.asp?724694&amp;amp;236c8ee748f7dd97&amp;amp;1&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;font face="Courier New" size="2"&gt;&amp;quot;If you do not wish to receive future promotions directly from Avaya please forward this e-mail to &lt;u&gt;{link removed}&lt;/u&gt; ; please note that there is a separate opt-out procedure below to be removed from the list from which this email originated.&amp;quot;       &lt;br /&gt;____________________________________________________________ &lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font face="Courier New" size="2"&gt;Please do not reply to this email.&amp;#160; To unsubscribe from all future third party offers from all TechTarget properties, simply click here: &lt;u&gt;{link removed}&lt;/u&gt;&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;font face="Courier New" size="2"&gt;TechTarget | 117 Kendrick Street, Suite 800 | Needham, MA 02494&lt;/font&gt; &lt;/p&gt;  &lt;hr /&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3124873" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/advertising/default.aspx">advertising</category><category domain="http://blogs.technet.com/steriley/archive/tags/spam/default.aspx">spam</category><category domain="http://blogs.technet.com/steriley/archive/tags/email/default.aspx">email</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+angry/default.aspx">things that make me angry</category><category domain="http://blogs.technet.com/steriley/archive/tags/public+policy/default.aspx">public policy</category></item><item><title>FanBox: the latest in password 
scams</title><link>http://blogs.technet.com/steriley/archive/2008/01/07/faxbox-the-latest-in-password-scams.aspx</link><pubDate>Mon, 07 Jan 2008 21:09:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2720005</guid><dc:creator>Steve Riley</dc:creator><slash:comments>4</slash:comments><comments>http://blogs.technet.com/steriley/comments/2720005.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=2720005</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=2720005</wfw:comment><description>&lt;P&gt;Looks like spammers have found yet another way to worm (ha ha) themselves into the computers of the unsuspecting. In my junk email folder this morning, I saw this message:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;FONT face="Courier New"&gt;From: Question It [mailto:question_it@fanboxapps.com] &lt;BR&gt;Sent: Monday, January 07, 2008 2:34&lt;BR&gt;To: Steve Riley&lt;BR&gt;Subject: Ratul has asked you a question on FanBox &lt;/FONT&gt;
&lt;P&gt;&lt;FONT face="Courier New"&gt;&amp;lt;http://ai.hitbox.com/ai?hb=DM550726CGWB&amp;amp;ai=EMC-FBX_Questionit_sync&amp;gt; &lt;/FONT&gt;
&lt;P&gt;&lt;FONT face="Courier New"&gt;Ratul asked you a question. View the question &amp;lt;http://www.sms.ac/WidgetAPI/Service.ashx?version=1&amp;amp;Method=GoToMyWidget&amp;amp;FROMeUid=4ZIFG1mO1m6PfQKo06SrHw==&amp;amp;eWid=KO7kd3aLplJrKkBpaarhhg==&amp;amp;AssocData=+kt0NC6UaHnnVtU7bTsqPw==&amp;amp;source=ViralWidgetEmail&amp;amp;encemail=mygm7I2EtPGYgkjfT5Bu/3oQesFPnbnqWXKIA33YOI0=&amp;amp;mlid=590803540&amp;gt; and answer it.&lt;/FONT&gt; 
&lt;P&gt;&lt;FONT face="Courier New"&gt;FanBox.com is the web-based desktop that instantly turns every computer into your computer. It includes over 10,000 web applications and games to choose from, including the Question It application.&lt;/FONT&gt; 
&lt;P&gt;&lt;FONT face="Courier New"&gt;This email was sent by Ratul while using the Question It application on FanBox. Go here &amp;lt;http://profile.fanbox.com/preferences/EmailBlock.aspx&amp;gt; to learn more or stop receiving emails from friends using Question It. FanBox: 255 G Street #723, San Diego, CA 92101, USA&lt;/FONT&gt; 
&lt;P&gt;&lt;FONT face="Courier New"&gt;&amp;lt;http://www.sms.ac/WidgetAPI/Service.ashx?method=OpenEmail&amp;amp;FROMeUid=4ZIFG1mO1m6PfQKo06SrHw==&amp;amp;eWid=KO7kd3aLplJrKkBpaarhhg==&amp;amp;encemail=mygm7I2EtPGYgkjfT5Bu/3oQesFPnbnqWXKIA33YOI0=&amp;amp;mlid=590803540&amp;gt; &lt;/FONT&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;For most of the well-known marketing profiling--oops, I mean social networking--sites, I've enrolled my email addresses in their opt-out mechanisms (I simply don't care about LinkedIn, Plaxo, Facebook, MySpace, and so on). But this one seemed suspicious. I don't know anyone named Ratul, and everyone who wants to ask me questions certainly knows my email address. It raised my bullshit detector.&lt;/P&gt;
&lt;P&gt;So after a bit of foraging I found this: &lt;A href="http://spamhuntress.com/2007/12/15/smsac-turns-into-fanbox/" mce_href="http://spamhuntress.com/2007/12/15/smsac-turns-into-fanbox/"&gt;http://spamhuntress.com/2007/12/15/smsac-turns-into-fanbox/&lt;/A&gt;. Seems like the company running FanBox got in trouble for doing this crap once before. Funny, isn't it, how you can just change your name and suddenly all your past sins evaporate! Well, not on the Internet, apparently. Your past sins can and do come back to haunt you.&lt;/P&gt;
&lt;P&gt;When you sign up for FanBox, they ask for your permission to email everyone in your address book (FanBox knows how to talk to most webmail systems). To do this, of course, FanBox needs your password. Most people, sigh, willingly supply their passwords to any seemingly innocuous service. We all know that these services really are vile disgusting filth, the very embodiment of whatever nefarious supreme being you now strongly wish would unleash itself on FanBox and their ilk.&lt;/P&gt;
&lt;P&gt;So in this case, I'm certainly &lt;EM&gt;not&lt;/EM&gt; going to click on the link to stop receiving more emails. Rather, I'll put &lt;FONT face="Courier New"&gt;fanbox.com&lt;/FONT&gt;, &lt;FONT face="Courier New"&gt;fanboxapps.com&lt;/FONT&gt;, and while I'm at it, &lt;FONT face="Courier New"&gt;sms.ac&lt;/FONT&gt; in my blocked senders list. I recommend you do the same, and get the word out to your friends, too. FanBox--and anyone else who asks for your password--is evil, eeeeeevil I say.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2720005" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/spam/default.aspx">spam</category><category domain="http://blogs.technet.com/steriley/archive/tags/email/default.aspx">email</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+angry/default.aspx">things that make me angry</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+worried/default.aspx">things that make me worried</category></item><item><title>Bogus Microsoft sweepstakes emails</title><link>http://blogs.technet.com/steriley/archive/2007/08/19/bogus-microsoft-sweepstakes-emails.aspx</link><pubDate>Mon, 20 Aug 2007 01:35:48 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1785620</guid><dc:creator>Steve Riley</dc:creator><slash:comments>13</slash:comments><comments>http://blogs.technet.com/steriley/comments/1785620.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=1785620</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=1785620</wfw:comment><description>&lt;p&gt;Over the past month I've received at least three enquiries from people asking about the legitimacy of emails claiming the recipients have won large amounts of money in a Microsoft sweepstakes or lottery&amp;nbsp;-- often 500,000 British pounds. 
This is an easy question to answer: &lt;strong&gt;they're fake.&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Recently, someone forwarded me the email. Let's examine some of its characteristics.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;The sending address is microsoft.co.uk-00@adelphia.net. The address was a hidden hyperlink. Legitimate emails you receive from us almost always come from the @microsoft.com domain; occasionally a marketing partner will use their own domain -- this we're trying to eliminate. No legitimate mail from us would use an ISP's domain: Adelphia is a cable TV company that's been split up and sold to Time Warner and Comcast. Furthermore, the email has the appearance of coming from Microsoft UK, so using an American domain seems odd.&lt;/li&gt; &lt;li&gt;The subject line is "YOU WON (£500,000.00GBP)! Microsoft congratulates you!" Official communications from us typically DON'T SHOUT FROM THE ROOFTOPS. Also, it's incorrect to use both a currency symbol and the three-letter currency name. This is like saying "$1,000USD." It's either "$1,000" or "1,000USD," but not both. And why is the amount in parentheses? Doesn't that indicate (on balance sheets, anyway) that the number is negative? One could interpret the subject line this way: "Congratulations! You've won the privilege of sending 500,000 pounds to Microsoft! Warm up your check book!"&lt;/li&gt; &lt;li&gt;The email insists that you contact Mr. Peter Garry, Microsoft's "fiduciary agent." There are some capitalization errors in this particular sentence.&lt;/li&gt; &lt;li&gt;There are several official-looking reference numbers, file numbers, and batch numbers in the email -- none of which would be useful information to the recipient.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Folks, were we to ever run a sweepstakes where we're giving away the equivalent of a million dollars, it's safe to say that we wouldn't use email to send winning notifications. 
Please tell your friends and neighbors that stuff like this is fake.&lt;/p&gt; &lt;p&gt;Oh, in case you're curious, do a search on the winning prize number: 14-21-25-40-40-47(21). Looks like hundreds, maybe thousands, of people have all coincidentally guessed the exact same number!&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=1785620" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/spam/default.aspx">spam</category><category domain="http://blogs.technet.com/steriley/archive/tags/email/default.aspx">email</category></item><item><title>Tell us about the junk email you receive</title><link>http://blogs.technet.com/steriley/archive/2006/12/20/tell-us-about-the-junk-email-you-receive.aspx</link><pubDate>Thu, 21 Dec 2006 02:53:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:564693</guid><dc:creator>Steve Riley</dc:creator><slash:comments>5</slash:comments><comments>http://blogs.technet.com/steriley/comments/564693.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=564693</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=564693</wfw:comment><description>&lt;P&gt;Another gem in the download center: an Outlook (2003/2007) &lt;A class="" href="http://www.microsoft.com/downloads/details.aspx?FamilyID=53541292-ce94-4c5b-9127-b7d56f11b619&amp;amp;DisplayLang=en" target=_blank mce_href="http://www.microsoft.com/downloads/details.aspx?FamilyID=53541292-ce94-4c5b-9127-b7d56f11b619&amp;amp;DisplayLang=en"&gt;add-in&lt;/A&gt; with which you can report junk email to FrontBridge.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;A class="" href="http://www.microsoft.com/downloads/details.aspx?FamilyID=53541292-ce94-4c5b-9127-b7d56f11b619&amp;amp;DisplayLang=en" target=_blank mce_href="http://www.microsoft.com/downloads/details.aspx?FamilyID=53541292-ce94-4c5b-9127-b7d56f11b619&amp;amp;DisplayLang=en"&gt;Junk E-mail Reporting Tool 1.0 for Outlook&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The Junk E-mail Reporting Tool submits e-mail to Microsoft when you explicitly choose to do so. If you receive a junk e-mail and want to report it to us for analysis, first select the e-mail in Outlook and then click the junk e-mail button on your tool bar. You will see a pop-up window asking whether you want to report the selected e-mail to Microsoft and its affiliates. When you click “Yes” to confirm that you’d like to report the selected e-mail as junk e-mail, the junk e-mail will be deleted from your Inbox and sent to FrontBridge, a Microsoft company, for analysis to help us improve the effectiveness of our junk e-mail filtering technologies.&lt;/P&gt;&lt;/BLOCKQUOTE&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=564693" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/spam/default.aspx">spam</category><category domain="http://blogs.technet.com/steriley/archive/tags/email/default.aspx">email</category><category domain="http://blogs.technet.com/steriley/archive/tags/malware/default.aspx">malware</category></item><item><title>Did you know that you ALREADY have an e-mail policy?</title><link>http://blogs.technet.com/steriley/archive/2006/09/10/Did-you-know-that-you-ALREADY-have-an-e_2D00_mail-policy_3F00_.aspx</link><pubDate>Mon, 11 Sep 2006 03:34:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:455231</guid><dc:creator>Steve Riley</dc:creator><slash:comments>7</slash:comments><comments>http://blogs.technet.com/steriley/comments/455231.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=455231</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=455231</wfw:comment><description>&lt;P&gt;An email access policy can be expressed in one of two ways:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;E-mail is mission critical to our business. Therefore, we&amp;nbsp;permit employees to&amp;nbsp;read and compose&amp;nbsp;e-mail from any location in the world where employees can access the Internet,&amp;nbsp;using either&amp;nbsp;company-issued devices or public Internet terminals. This allows our employees to be maximally productive.&lt;BR&gt;
&lt;LI&gt;E-mail is mission critical to our business. Therefore, we&amp;nbsp;permit employees to read and compose e-mail only from company-owned computers built and maintained according to IT standards. This&amp;nbsp;ensures the security and integrity of our e-mail systems and data.&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;Which policy is yours? You can't have both, of course.&lt;/P&gt;
&lt;P&gt;Selecting a policy should never be a technical exercise, and the decision isn't up to the IT department or even the security group.&amp;nbsp;It's a decision the business makes. The decision begins with the answer to the question, "What does &lt;EM&gt;mission critical&lt;/EM&gt; mean to our business?"&lt;/P&gt;
&lt;P&gt;For some, mission critical means maximum access -- that no matter where an employee is, or what the employee might be doing, if there's a device with an Internet connection, the employee should do some mail. Timeliness is of utmost importance;&amp;nbsp;the organization will accept the risks associated with using public terminals (and deal with any exposure caused by potential threats that materialize).&lt;/P&gt;
&lt;P&gt;For others, mission critical means absolute integrity -- that the organization simply can't tolerate the risks associated with access from unknown computers and will therefore permit access only to those on the corporate network (or maybe connecting via a VPN, but even that can be too much for some).&lt;/P&gt;
&lt;P&gt;Which definition of &lt;EM&gt;mission critical&lt;/EM&gt; is yours? It can't be both, of course.&lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Outlook Web Access = your email policy&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;If your organization uses Outlook Web Access, then it's already selected its policy: the first one. An organization that uses OWA values anytime, anywhere, any-device access as so critical to the success of its&amp;nbsp;business that it's willing to accept the risks associated with such access. Let's consider some of the risks of using public terminals:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Malware infects an e-mail message 
&lt;LI&gt;Keystroke logging software steals credentials 
&lt;LI&gt;Evil person reads and writes e-mail after a user walks away without logging out 
&lt;LI&gt;Evil person reads left-over attachments sitting in the browser's cache 
&lt;LI&gt;Someone shoulder-surfs (an employee at a competing organization, for example)&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;But yet, for many organizations, the benefits of OWA outweigh the risks -- and there's nothing inherently wrong with that.&amp;nbsp;In some cases, it's possible to mitigate the risks. Returning to our list, consider:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Malware scanners on the e-mail gateway 
&lt;LI&gt;Two-factor authentication like &lt;A href="http://www.rsasecurity.com/node.asp?id=1156" target=_blank mce_href="http://www.rsasecurity.com/node.asp?id=1156"&gt;RSA SecurID&lt;/A&gt; or &lt;A href="http://www.verisign.com/products-services/security-services/unified-authentication/index.html" mce_href="http://www.verisign.com/products-services/security-services/unified-authentication/index.html"&gt;VeriSign Unified Authentication&lt;/A&gt; (note: while 2FA helps&amp;nbsp;guard against&amp;nbsp;credential theft, it's powerless to stop malware) 
&lt;UL&gt;
&lt;LI&gt;The folks at &lt;A href="http://www.cryptocard.com/" mce_href="http://www.cryptocard.com/"&gt;CryptoCard&lt;/A&gt; have some interesting products, including a software token that you can run on a Windows Mobile device or a Blackberry for generating the token that you then enter into the OWA login page -- however, I've got no experience with their stuff&lt;/LI&gt;&lt;/UL&gt;
&lt;LI&gt;Forms-based logon with a timeout (using a browser cookie) 
&lt;LI&gt;Attachment conversion like &lt;A href="http://messageware.com/product_attachview.htm" mce_href="http://messageware.com/product_attachview.htm"&gt;Messageware AttachView&lt;/A&gt; -- converts to non-cached HTML 
&lt;LI&gt;Not being stupid&lt;/LI&gt;&lt;/UL&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Risk awareness and mitigation: the security group's job&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Our job, as security experts, is never to say "no." Rather, our job is to enable the business to succeed as safely and securely as possible. We do that by staying close to the business, understanding (perhaps even anticipating) its needs, and&amp;nbsp;making&amp;nbsp;it aware of any associated risks. It's up to the business to make the decision. Then the work returns to us, and now we select and deploy appropriate processes and technologies to mitigate the risks we can, while perhaps simply ignoring or transferring (by buying insurance)&amp;nbsp;the remainder.&lt;/P&gt;
&lt;P&gt;I know of few organizations who&amp;nbsp;choose the second e-mail policy: prohibiting remote access to e-mail. Indeed, I would wonder if that kind of organization really &lt;A href="http://www.thanksno.com/" target=_blank mce_href="http://www.thanksno.com/"&gt;knows what e-mail is for&lt;/A&gt;. Work in the modern age is rarely limited to daylight hours in traditional offices. If your organization is among the majority that expects its employees to work for free (ha ha), then it's your job to make sure the business understands the risks and deploy appropriate processes and technology to mitigate those risks.&lt;/P&gt;
&lt;P&gt;And this is only the beginning. Done right, an OWA architecture can be extended into a general access model that's simpler to design, build, and maintain; its simplicity&amp;nbsp;results in&amp;nbsp;cost&amp;nbsp;savings and greater security.&amp;nbsp;I'll have more to say about the "web-enabled data center" in a future blog post. My goal is to shove&amp;nbsp;all DMZ-laden complex network beasts into the dustbin of history.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=455231" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/email/default.aspx">email</category><category domain="http://blogs.technet.com/steriley/archive/tags/access+technologies/default.aspx">access technologies</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+policies/default.aspx">security policies</category><category domain="http://blogs.technet.com/steriley/archive/tags/risk+mitigation/default.aspx">risk mitigation</category><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category></item><item><title>What do YOU need out of two-factor authentication?</title><link>http://blogs.technet.com/steriley/archive/2006/04/20/What-do-YOU-need-out-of-two_2D00_factor-authentication_3F00_.aspx</link><pubDate>Fri, 21 Apr 2006 01:37:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:425824</guid><dc:creator>Steve Riley</dc:creator><slash:comments>43</slash:comments><comments>http://blogs.technet.com/steriley/comments/425824.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=425824</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=425824</wfw:comment><description>&lt;P&gt;&lt;FONT color=#000000&gt;Two-factor authentication continues to grow in popularity and emerge as a security requirement for many people I meet with. 
At Microsoft, we use smartcards internally for VPN access right now; soon we'll be requiring smartcards for domain logon, too.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;We&amp;nbsp;are also looking at ways to&amp;nbsp;require two-factor authentication for web-based services, like Outlook Web Access, published SharePoint servers, and other bits in our extranet. I love smartcards, and they're Microsoft's preferred product direction and corporate IT approach.&amp;nbsp;But here we encounter a problem with them: most public workstations (kiosks, Internet cafes) don't have smartcard readers. So how do we require two-factor authentication when the infrastructure can't support it?&lt;/P&gt;
&lt;P&gt;Ideally, my answer would be: too bad. Public workstations are too great a risk. No self-respecting organization would &lt;EM&gt;ever&lt;/EM&gt; allow access to corporate resources from unknown machines, right? What possible business justification would ever permit exposure to such risk?&lt;/P&gt;
&lt;P&gt;A lot, it turns out. Any organization (Microsoft included) that permits access to corporate resources, like OWA, is making a risk statement, whether they know it or not. That statement is this: "Our business activities require access to certain resources from any device, anywhere, at any time. We accept the risks associated with this because the value to the business is determined to be higher."&lt;/P&gt;
&lt;P&gt;But just like us, many organizations are starting to become wary of these risks. Two-factor authentication can help to mitigate some, but not all, of them. The choice, then, is which kind of two-factor authentication to use? If smartcards won't work because readers aren't yet ubiquitous (they will someday -- remember, once upon a time a mouse was a rarity), what's left to choose? (I wish we'd include smartcard readers in every box of Windows we ship, just like we included mice in Office.)&lt;/P&gt;
&lt;P&gt;Some form of token card with a one-time password is generally the option, with&amp;nbsp;RSA SecurID being the most popular. Lately I've been reading about &lt;A href="http://www.verisign.com/products-services/security-services/unified-authentication/index.html" mce_href="http://www.verisign.com/products-services/security-services/unified-authentication/index.html"&gt;VeriSign's Unified Authentication&lt;/A&gt; product -- a number of you have mentioned your success with it, and you like that it integrates natively&amp;nbsp;into Active Directory without requiring a separate authentication infrastructure (unlike SecurID, which requires an ACE/Server). I would like to play with this myself someday (hint hint).&lt;/P&gt;
&lt;P&gt;I want to hear from you, though. What do you need from a two-factor authentication mechanism? What are your requirements? Have you used the products currently on the market? What do you like or not like? What do you want to see done differently? Would you like for Microsoft to develop something, or&amp;nbsp;do you prefer to rely on partners?&lt;/P&gt;
&lt;P&gt;Tell me what you think. Our IT department is engaged in a lot of research here; I'd like to know what you've learned in your research and through your experience, too.&amp;nbsp;Post a comment here or email me if you'd prefer to remain private. Either way, I'd really like to get a good body of customer thinking on this. Thanks!&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=425824" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/identity/default.aspx">identity</category><category domain="http://blogs.technet.com/steriley/archive/tags/authentication/default.aspx">authentication</category><category domain="http://blogs.technet.com/steriley/archive/tags/biometrics/default.aspx">biometrics</category><category domain="http://blogs.technet.com/steriley/archive/tags/email/default.aspx">email</category><category domain="http://blogs.technet.com/steriley/archive/tags/access+technologies/default.aspx">access technologies</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+policies/default.aspx">security policies</category><category domain="http://blogs.technet.com/steriley/archive/tags/risk+mitigation/default.aspx">risk mitigation</category><category domain="http://blogs.technet.com/steriley/archive/tags/passwords/default.aspx">passwords</category></item><item><title>Cluelessness abounds</title><link>http://blogs.technet.com/steriley/archive/2005/09/14/Cluelessness-abounds.aspx</link><pubDate>Wed, 14 Sep 2005 19:08:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:410797</guid><dc:creator>Steve Riley</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/steriley/comments/410797.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=410797</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=410797</wfw:comment><description>&lt;P&gt;So 
yesterday I received a rather interesting email. Subject: "INFOSEC Scholarships &amp;amp; Fellowships for PhD or MS + Free CISSP Exam Prep Events." Hm, I didn't know that "information security" suddenly became an all-caps acronym. How come no one asks me first about these things? Anyway, it purports to come from the University of Fairfax, who seems to be outsourcing their spam to IQMailer.net. I suppose if you're gonna set up an outsourcing business, spam is as good as anything. There's no paperclip icon next to the message, so I open it. Sure enough, it's an ad enticing me to "advance my INFOSEC career to the next level" (the next time I hear "to the next level" I'm gonna throttle whoever says it) because "the federal information security budget will grow to $20B+ by 2008, will your INFOSEC career grow as fast?" I'm so happy that the University of Fairfax and Aladdin Knowledge Systems care so much about me! I'm honored! Yeah right.&lt;/P&gt;
&lt;P&gt;Here's the clueless, somewhat frightening, and hugely ironic&amp;nbsp;part. This message -- sent to me because I'm a subscriber at SearchSecurity.com, advertising a way to learn more about security through courses and exam prep, &lt;EM&gt;had an ActiveX control attached!&lt;/EM&gt; You'd think that people teaching security would know better, and you'd also think that SearchSecurity.com would know better too and at least make sure the email abides by standard security practices. I guess not. Shame on you SearchSecurity.com, and shame on you University of Fairfax. You're doing exactly the wrong things to appeal to your intended audience.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=410797" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/advertising/default.aspx">advertising</category><category domain="http://blogs.technet.com/steriley/archive/tags/spam/default.aspx">spam</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/email/default.aspx">email</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category></item></channel></rss>