Categories ArchivesEnterprise Security

Selective Domain Filtering with Postfix and a SPAM Filtering Service standard

Yes, that title was a mouthful, but I’m trying to make sure I’m descriptive enough for the next guy who is in this situation. I was facing something interesting lately. There is a spambot network that is ignoring whatever you put in the MX record, and trying to send emails to other IPs associated with the domain. Yep, rookie mistake on my part. Should have set things up so that domains forwarding to my spam filtering service can only be delivered locally if they come FROM that service. So I turned to the extremely helpful Postfix Users group. Essentially, they suggested leveraging access(5) rules to define this in main.cf. You could throw the domains into a hash table as well, ...

Continue Reading

Preventing Account Takeover, Enable MFA! standard

Welcome to October where we celebrate National Cybersecurity Awareness Month! In a previous job, we would host a Cybersecurity Expo and learn together. Last year, I presented a version of this presentation to a large audience with representation across the business (not just IT folks) and I wanted to make a version of it that could be consumed anywhere. This all was created from a conversation with a former consultant who made it her personal crusade to get everyone she knows to turn on some form of MFA for their GMail accounts. Just think about all the information someone could learn about you from your email. From there, I wrote this post that urges you to disable SMS and use ...

Continue Reading

Proofpoint Patches URL Sandbox Bypass Bug standard

Or, how a travel website’s newsletter clued me in to a huge security gap in a popular email protection service. tl;dr: I discovered URLs of sufficient length (over 770 characters) would bypass Proofpoint’s URLDefense service leaving the original link untouched, allowing malicious links directly into users’ email inboxes. Proofpoint let me know this week that they finally have patched all the instances of their service that had this particular bug, so it’s time to disclose how I discovered it. Many of you know I switched my personal email protection away from Postini/Google Apps for Business to modusCloud by Vircom. My users and I are 100% satisfied with the service! One of the technologies powering Vircom is Proofpoint Essentials, and one ...

Continue Reading

Improve Outbound Email with SPF, DKIM, and DMARC standard

“Oh sorry, I missed your email. It got dropped into my SPAM folder for some reason.” Isn’t that frustrating? All you did was send over a proposal and it got dropped into the SPAM folder. Perhaps it was word choice, perhaps you ended up on a list somewhere, or perhaps you are not doing your part to elevate the confidence of your emails leveraging the tripod of email security frameworks known as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). I started experimenting with these years ago noting that there are several vendors who will happily do this for you—and by the way, their products are pretty awesome. Given that I’m running ...

Continue Reading

Life after G-Suite/Postini standard

Postini was a technology darling in the mid-2000s that sold email filtering technology as a service to companies struggling to combat the onslaught of SPAM and malicious emails that were sprayed at corporate inboxes. For small companies or small footprints, the price was right as well. $1/user/month translated to super cheap filtering with a nice web interface to boot. Google thought so highly of the technology that they paid $625M in cash in 2007 for the company, which was absorbed into Google Apps over time. Those of us legacy Postini users were drug along for a time as the service continued to dwindle in quality and usability, culminating in a complete shutdown and forced migration in December. Google handled the ...

Continue Reading

The Breach Research We Need standard

I’m not afraid to point out misleading or questionable research findings funded by marketing groups strictly to gain headlines. Studies like the cost per record or cost per breach white papers come to mind here that give us excellent, attention grabbing headlines supported by a house of cards (specifically the cost per record studies). The information presented is unusable for risk management purposes, and is a quick way to get laughed out of a room if you quote these studies. What risk managers need is something that is comparable to their companies when trying to think about costs. Simply taking an average cost per record or an average cost per breach is not concrete enough to make risk management decisions. ...

Continue Reading

Pushing Vendors to Abandon SMS standard

SMS-based authentication continues to be a great way to placate a user into thinking they are safe while creating an avenue for attackers to gain access to their accounts. Fabio Assolini and Andre Tenreiro from Kaspersky published some research that puts numbers in fraud losses to these threats. SIM Swaps cost criminals $10-15/SIM with gains from fraud being over $1,000. That’s a good return on investment. It’s why I’ve become a huge fan of U2F and other non-SMS authenticators (see my guide here). Companies like Yubico have made real multi-factor authentication doable for the masses with zero client-side infrastructure. Major companies like Google and Facebook are leading the charge to remove SMS-based authentication and account recovery options by allowing users ...

Continue Reading

What’s the craic on KRACK? standard

For those who are not familiar with the Irish slang, read this. We got another fun named vulnerability this week that goes after WPA2 encryption, something that is ubiquitous but not impenetrable. Key Reinstallation Attacks, or KRACK for short, exposes a weakness in the WPA2 protocol. It’s an attack on the protocol itself, so anything that is unpatched and properly implemented to the Wi-Fi and WPA2 standard is vulnerable. Patches are already well on their way to being released and deployed. But this problem is going to stick around for a long time like Shellshock and Heartbleed. Many Wi-Fi hotspots are running outdated firmware that cannot be upgraded in some cases. Just like Shellshock and Heartbleed, the only way to ...

Continue Reading

More Printer Security Talk standard

If you don’t have the context, read my previous post on comparing printers to VoIP—i.e., it’s another computer on our network. Now that you are in the right mindset, look around your office and see if you see a printer sitting somewhere. It might even do copies, scanning, and faxing. Super fancy ones might even connect to WiFi networks to make things easy for interoperability. So many of them have hard drives in them for document storage, logs, configuration, and the operating system that powers the device itself. When is the last time you upgraded the operating system on that printer? Are you using a default configuration or have you locked down all the things you don’t need? Better yet, ...

Continue Reading

That Printer is gonna GIT ya! standard

Of all of the devices we have out there on our networks, is it going to be printers, cameras, and thermostats that cause our undoing? “Wait… did you say, PRINTERS!?! Are you off your rocker, Brando?” That was one of the key warnings that came from HP, Inc. in January of this year. I was one of a dozen individuals invited to a day long summit at HP, Inc., where their product leaders and various security experts talked to us about hidden security problems in the enterprise, provided live demonstrations, a tour of the facility, and the highlight, an evening at the HP Garage in Palo Alto. Let’s take a moment and think back to the advancement of Voice over ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!