Categories ArchivesEnterprise Security

Proofpoint Patches URL Sandbox Bypass Bug standard

Or, how a travel website’s newsletter clued me in to a huge security gap in a popular email protection service. tl;dr: I discovered URLs of sufficient length (over 770 characters) would bypass Proofpoint’s URLDefense service leaving the original link untouched, allowing malicious links directly into users’ email inboxes. Proofpoint let me know this week that they finally have patched all the instances of their service that had this particular bug, so it’s time to disclose how I discovered it. Many of you know I switched my personal email protection away from Postini/Google Apps for Business to modusCloud by Vircom. My users and I are 100% satisfied with the service! One of the technologies powering Vircom is Proofpoint Essentials, and one ...

Continue Reading

Improve Outbound Email with SPF, DKIM, and DMARC standard

“Oh sorry, I missed your email. It got dropped into my SPAM folder for some reason.” Isn’t that frustrating? All you did was send over a proposal and it got dropped into the SPAM folder. Perhaps it was word choice, perhaps you ended up on a list somewhere, or perhaps you are not doing your part to elevate the confidence of your emails leveraging the tripod of email security frameworks known as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). I started experimenting with these years ago noting that there are several vendors who will happily do this for you—and by the way, their products are pretty awesome. Given that I’m running ...

Continue Reading

Life after G-Suite/Postini standard

Postini was a technology darling in the mid-2000s that sold email filtering technology as a service to companies struggling to combat the onslaught of SPAM and malicious emails that were sprayed at corporate inboxes. For small companies or small footprints, the price was right as well. $1/user/month translated to super cheap filtering with a nice web interface to boot. Google thought so highly of the technology that they paid $625M in cash in 2007 for the company, which was absorbed into Google Apps over time. Those of us legacy Postini users were drug along for a time as the service continued to dwindle in quality and usability, culminating in a complete shutdown and forced migration in December. Google handled the ...

Continue Reading

The Breach Research We Need standard

I’m not afraid to point out misleading or questionable research findings funded by marketing groups strictly to gain headlines. Studies like the cost per record or cost per breach white papers come to mind here that give us excellent, attention grabbing headlines supported by a house of cards (specifically the cost per record studies). The information presented is unusable for risk management purposes, and is a quick way to get laughed out of a room if you quote these studies. What risk managers need is something that is comparable to their companies when trying to think about costs. Simply taking an average cost per record or an average cost per breach is not concrete enough to make risk management decisions. ...

Continue Reading

Pushing Vendors to Abandon SMS standard

SMS-based authentication continues to be a great way to placate a user into thinking they are safe while creating an avenue for attackers to gain access to their accounts. Fabio Assolini and Andre Tenreiro from Kaspersky published some research that puts numbers in fraud losses to these threats. SIM Swaps cost criminals $10-15/SIM with gains from fraud being over $1,000. That’s a good return on investment. It’s why I’ve become a huge fan of U2F and other non-SMS authenticators (see my guide here). Companies like Yubico have made real multi-factor authentication doable for the masses with zero client-side infrastructure. Major companies like Google and Facebook are leading the charge to remove SMS-based authentication and account recovery options by allowing users ...

Continue Reading

What’s the craic on KRACK? standard

For those who are not familiar with the Irish slang, read this. We got another fun named vulnerability this week that goes after WPA2 encryption, something that is ubiquitous but not impenetrable. Key Reinstallation Attacks, or KRACK for short, exposes a weakness in the WPA2 protocol. It’s an attack on the protocol itself, so anything that is unpatched and properly implemented to the Wi-Fi and WPA2 standard is vulnerable. Patches are already well on their way to being released and deployed. But this problem is going to stick around for a long time like Shellshock and Heartbleed. Many Wi-Fi hotspots are running outdated firmware that cannot be upgraded in some cases. Just like Shellshock and Heartbleed, the only way to ...

Continue Reading

More Printer Security Talk standard

If you don’t have the context, read my previous post on comparing printers to VoIP—i.e., it’s another computer on our network. Now that you are in the right mindset, look around your office and see if you see a printer sitting somewhere. It might even do copies, scanning, and faxing. Super fancy ones might even connect to WiFi networks to make things easy for interoperability. So many of them have hard drives in them for document storage, logs, configuration, and the operating system that powers the device itself. When is the last time you upgraded the operating system on that printer? Are you using a default configuration or have you locked down all the things you don’t need? Better yet, ...

Continue Reading

That Printer is gonna GIT ya! standard

Of all of the devices we have out there on our networks, is it going to be printers, cameras, and thermostats that cause our undoing? “Wait… did you say, PRINTERS!?! Are you off your rocker, Brando?” That was one of the key warnings that came from HP, Inc. in January of this year. I was one of a dozen individuals invited to a day long summit at HP, Inc., where their product leaders and various security experts talked to us about hidden security problems in the enterprise, provided live demonstrations, a tour of the facility, and the highlight, an evening at the HP Garage in Palo Alto. Let’s take a moment and think back to the advancement of Voice over ...

Continue Reading

Conference Wrap-Up, 2016 standard

As we get ready to close out 2016, there have been quite a few events I have neglected to post here. I know I owe a larger update and more tools soon, but here’s one in the meantime to recap October and November. For this post, I’m taking a cue from Bill Brenner and supplying some mood music. My mood music is a little more fun than his is, though. October and November was a busy month for speaking and writing. Here’s a quick recap. Ever wonder why it might be a good idea to segment your home network? All those smart devices have to connect somewhere. I wrote an article for Tactics and Preparedness that discusses some of these issues ...

Continue Reading

Is Retail Ready for the 2016 Holiday Season? When Toasters Attack! standard

The holiday season is upon us, and the biggest days for retailers to make their 2016 plan commitments is coming. The popularity of online shopping always seems to claim a few retailers every year who did not plan capacity accordingly. We’ve seen both Black Friday and Cyber Monday shut down websites in the past, and even though elastic computing has grown in popularity, we can expect one or two that under planned their capacity for this year. But this post is not about poor IT capacity planning—it’s about the latest string of Distributed Denial of Service (DDoS) attacks that has claimed a number of prominent web properties over the last month. Internet of Things (IoT) devices, when improperly designed, can ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!