[SecurityRatty] tag: outlook

Will Economic Slowdown Cause More Consumer Awareness of Security?

Tue, 12 Aug 2008 11:13:54 +0000

The Consumerist has a post today exploring the possibility that consumers are more hesitant to get into credit card debts, and they’re realigning their needs and wants with a more realistic financial outlook.

Of course, if you’re broke and have no access to credit you don’t have much choice but to be frugal, but is that all that’s going on here? Or are consumers tired of being pressured to take on massive debt in order to “super size” and “bling” everything? What do you think? Is credit card consumerism over?

I doubt consumerism is over entirely, but a slowdown seems inevitable in light of our current gloomy economic situation. What does this all mean for IT Security? Well, all the credit accounts are still out there, so there’s still plenty of information that is available to be exploited.

But will consumers’ hesitance to go into debt also make them more watchful for ID Theft and other fraud-related crime, and more afraid of hackers online? In other words, is it possible the economic slowdown may also make people more hesitant to use technology for their commerce, and encourage them to check their bank accounts more regularly and thoroughly for fraud, and to make them altogether more cautious about IT Security? What is your thought?

Microsoft and BearingPoint see space to play in the Enterprise GRC market

Thu, 07 Aug 2008 12:12:55 +0000

Earlier this week in a joint press release, Microsoft and BearingPoint announced the new BearingPoint Enterprise Governance, Risk, and Compliance product offering. Ok... it will be a while before the more veteran enterprise GRC vendors start really losing sleep over this deal. But BearingPoint continues to be a top risk consulting firm, and Microsoft’s reach through the business user community will be an attractive benefit for compliance and risk professionals trying to get hundreds or thousands of staff members to contribute to the GRC program. There’s potential here for sure.

With software giants IBM, Oracle, SAP, and now Microsoft increasing their level of commitment in the enterprise GRC space, the 2-3 year market outlook continues to change. The risk and regulatory landscape is only going to get tougher to handle, and the more GRC programs can run seamlessly with existing business processes and applications, the better. The vendors focused solely on GRC still have the advantage for now, but market consolidation is on its way... and it’s coming maybe just a tiny bit faster than it was at the start of this week.

Simulating Email in .NET

Fri, 01 Aug 2008 09:59:01 +0000

I use email as a notification mechanism a lot, and often in class I'll demo sending email via a technique that I use frequently when developing code. It allows you to simulate sending an email message.

The trick to doing this is not to hardcode things like host, port, etc. for your SMTP server when you use System.Net.Mail to send mail. Instead, use the default ctor for SmtpClient as I've done in the code below.

static void Main(string[] args)
{
    // note the use of the MailAddress class
    // this allows me to specify display names as well as email addresses
    MailAddress from = new MailAddress("admin@fabrikam.com", "Fabrikam Website");
    MailAddress to = new MailAddress("mari@fabrikam.com", "Mari Joyce");

    MailMessage msg = new MailMessage(from, to);
    msg.Subject  = "Testing 123";
    msg.Body = "This is only a test!";

    // note use of default ctor
    // this looks in config to figure out how to send mail
    new SmtpClient().Send(msg);
}

.csharpcode, .csharpcode pre { font-size: small; color: black; font-family: consolas, "Courier New", courier, monospace; background-color: #ffffff; /*white-space: pre;*/ } .csharpcode pre { margin: 0em; } .csharpcode .rem { color: #008000; } .csharpcode .kwrd { color: #0000ff; } .csharpcode .str { color: #006080; } .csharpcode .op { color: #0000c0; } .csharpcode .preproc { color: #cc6633; } .csharpcode .asp { background-color: #ffff00; } .csharpcode .html { color: #800000; } .csharpcode .attr { color: #ff0000; } .csharpcode .alt { background-color: #f4f4f4; width: 100%; margin: 0em; } .csharpcode .lnum { color: #606060; }

What you're telling .NET by using the default ctor for SmtpClient is, "please use my config file to figure out how to send mail". Now you can use the system.net/mailSettings/smtp section in config to specify the details of your mail server, and all of the code in your app that is written to use the default SmtpClient ctor will inherit these settings. Here's an example of what the config on a production server might look like (if you put passwords in your config files, be sure to encrypt those sections):

<configuration>
  <system.net>
    <mailSettings>
      <smtp deliveryMethod="Network">
        <network host="mail.fabrikam.com"
                 port="25"
                 userName="WebsiteMailAccount"
                 password="whatever"/>
      smtp>
    mailSettings>
  system.net>
configuration>

During development, I use different settings because I don't usually want to deal with the hassle of installing an SMTP server on my development box. Instead, I want email messages delivered as individual files in a directory on my hard drive (I always have a c:\mail directory on my development box for just this purpose):

<configuration>
  <system.net>
    <mailSettings>
      <smtp deliveryMethod="SpecifiedPickupDirectory">
        <specifiedPickupDirectory pickupDirectoryLocation="c:\mail"/>
      smtp>
    mailSettings>
  system.net>
configuration>

Now when I run the program above, I get a .EML file in my c:\mail directory:

Outlook Express is normally registered as the viewer for .EML files, so double-click the file to view it:

If you've never seen this method of simulating email before, I hope you find it as useful as I have. Happy coding!

Dissecting a Managed Spamming Service

Wed, 30 Jul 2008 01:32:44 +0000

With cybercrime getting easier to outsource these days, and with the overall underground economy's natural maturity from products to services, "managed spamming appliances" and managed spamming services are becoming rather common. Increasingly, these "vendors" are starting to "vertically integrate", namely, start diversifying the portfolio of services they offer in order to steal market share from other "vendors" offering related services like, email database cleaning, segmentation of email databases, email servers or botnets whose hosts have a pre-checked and relatively clean IP reputation, namely they're not blacklisted yet.

How much does it cost to send 1 million spam emails these days? According to a random spamming service, $100 excluding the discounts based on the speed of sending desired, namely 10-20 per second or 20-30 per second. Let's dissect the service, and emphasize on its key differentiation factors, as well as the customerization offered in the form of a dedicated server if the customer would like to send billions of emails :

"-- High quality and percentage of spam delivery
-- Fast speed of delivery
-- Spam database on behalf of the vendor, or using your own database of harvested emails
-- Easily obtainable and segmented spam databases on per country basis
-- Randomization of the spam email's body and headers in order to achieve a higher delivery rate
-- Support for attachments, executables, and image files

The cost - $100 for a million for letters delivered spam, with the large volume of spam discounts 20% -30% -40% based on the value-added Do-it-yourself customer interfare based on a multi-user botnet command and control interface :

-- Automatic RBL verification
-- Support for many subjects, headers,
-- Total customization of the email sending process
-- Autogenerating junk content next to the spammers email/link in order to bypass filtering
-- Faking Outlook Message ID / Boundary / Content-ID
-- Interface added. Now do not necessarily understand all the features into the system to start the list.
-- Convenient management tasks.
-- A high percentage of punching, on the basis of good europe - 40-60% (For the United States - less because there aol and others).
-- Improved metrics, whether or not the emails have been sent, lost, unknown receipt, or have been RBL-ed

With the weight of a billion - even discounts and the possibility of making a personal server. "

Rather surprising, they state that European email users have a higher probability of receiving the spam message compared the U.S due to AOL. What they're actually trying to say is due to AOL's use of Domain Keys Identified Mail (DKIM). As far as localization of the spam to the email owner's native language is concerned, this segmentation concept has been take place for over an year now.

This service, like the majority of others rely entirely on malware infected hosts, which due to the multi-user nature of most of the malware command and control interfaces, allows them to easily add customers and set their privileges based on the type of service that they purchase. This leaves a countless number of opportunities for targeted spamming, and yes, spear phishing attacks made possible due to the segmentation of the emails based on a country, city, even company.

In the long term, the people behind spamming providers, web malware exploitation kits and DIY phishing kits, will inevitably start introducing built-in features which were once available through third-party services. For instance, hosting infrastructure for the spam/phishing/live exploit URLs, or even managed fast-flux infrastructure, have the potential to become widely available if such optional features get built-in phishing kits, or start getting offered by the spamming provider itself. And since the affiliate based model seems to be working just fine, the ongoing underground consolidation will converge providers of different underground goods and services, where everyone would be driving customers to one another's services and earning revenue in the process.

Diane Greene Ousted from VMware

Tue, 08 Jul 2008 15:09:35 +0000

VMware and EMC announced today that co-founder Diane Greene is leaving her post as CEO of the virtualization giant, effectively immediately. Former Microsoft executive, Paul Maritz, head of EMC’s cloud computing division, will replace her. (img credit Fortune Magazine/Joe Pugliese)

There’s speculation that falling VMware share prices, with no end in sight because of “poor revenue outlook” is the reason for the ouster.

Hmm. The stock went public at $29, went as high as $125 and is now at $40.26 (and falling as I write), almost a 40% premium over the first offering. Say what you will about the recently launched Microsoft Hyper-V and the Citrix offering that we never hear about, but VMware is the dominant virtualization player (and likely to remain so for at least some time given Microsoft’s track record with new product releases) in an exploding market. Gartner predictions are that the installed base of VMs will grow more than 10x between 2007 and 2011 and that by 2012 the majority of x86 server workloads will be running in a VM.

The future still looks pretty rosy for VMware – perhaps they’ll be taking a smaller chunk of the pie, but the pie’s getting much bigger. And all indications pointed to VMware moving up the stack and providing more management solutions (and more revenue streams) for the x86 virtualization market they helped to build.

So why the change? And why now? Is it a coincidence that it’s an ex-Microsoft exec taking over just as Hyper-V ships? Can only someone who knows the Microsoft Way combat the Microsoft Way? Remember this is the guy who wrote that Microsoft should “cut off Netscape’s air supply”.

So, good idea to say that Microsoft execs are better than VMware execs just as the Hyper-V juggernaut gets rolling? If I didn’t know better, I’d say this is the latest example of a MS FUD campaign…

ShareThis

Xobni and LinkedIn - perfect together

Tue, 01 Jul 2008 03:53:00 +0000

A while back I wrote about how much I liked the Xobni email add on for Outlook. A short time later I heard rumors that Microsoft was buying them, but that appears not to be true at this point, though I still think it makes a lot of sense. In the meantime, I have continued to use and be impressed with Xobni. I have come to rely on its ultra fast search and the way it organizes threads of conversations and groups of people, as well as attached files.

An interesting thing though about Xobni. As I was given invitations, I would send them out to people I know. Though many of them liked the functionality of the product, they said that it slowed their Outlook to a crawl and just did not think the performance hit was worth it. Maybe I got used to the slowness or I am just not seeing it, but I did not see what they saw. In any event, many people were not using the product.

Well the Xobni folks just released a new version of the product that promises improved performance. I hope that helps those people who were complaining about this. It also offers several other new features, the biggest being LinkedIn integration. I really like this LinkedIn integration as it gives you yet another layer of information on the people writing to you. All in all, I think this just makes the product more indispensable than it is already. It is now available to the public, so I would encourage you to check it out for yourself!

Xobni and LinkedIn - perfect together

Tue, 01 Jul 2008 02:53:00 +0000

Errant email exposed Department of Consumer Affairs personal information

Tue, 24 Jun 2008 13:51:19 +0000

Technorati Tag: Security Breach

Date Reported:
6/23/08

Organization:
State of California

Contractor/Consultant/Branch:
Department of Consumer Affairs

Victims:
"employees, contractors and board members"

Number Affected:
5,000

Types of Data:
Names, Social Security numbers, salaries and job titles

Breach Description:
"The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers. "

Reference URL:
Capitol Weekly
Central Valley Business Times
Props to PogoWasRight

Report Credit:
Malcolm Maclachlan, Capitol Weekly

Response:
From the online sources cited above:

The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers.

About 2,800 of the people on the list are current, full-time employees of the DCA.

The document also included some former employees and numerous contractors, such as people who proctor state job examinations.

The rest of the names were employees and board members of the 56 professional boards and bureaus administered by the DCA, such as the Bureau of Automotive Repair and the Medical Board.

The breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department, said DCA spokesman Russ Heimerich.

The document also contained the salaries and titles of everyone on the list, but Heimerich noted that this was public information.

"The thing that is troubling to us is that information was coupled with their social security numbers," Heimerich said.
[Evan] Troubling to you? It's probably hard for the victims to have much sympathy.

The main danger with giving away a social security number is that it can be used to set up new credit cards, loans or purchases in someone's name.

However, a thief would generally need other information that was not included and could be harder to get, such as addresses, phone numbers and driver's license numbers.
[Evan] Addresses and phone numbers are usually pretty easy to obtain and I would think are much easier to get than Social Security numbers. Unless of course, somebody emails them to you.

The DCA is the main state agency charged with protecting consumers in California.
[Evan] Ironic.

From 2003 to 2007, it also housed the office charged with educating consumers and businesses about identity theft and fraud.
[Evan] More Ironic

One agency whose employees were not on the list is the California Office of Privacy Protection (OPP).

Heimerich said the incident is still being investigated, and that he could not disclose who had received the document.

He said that so far there is no evidence that any information has been used. It was not even clear the recipient had opened the document.

"We know that it left the building and that it wound up somewhere it shouldn't have wound up," Heimerich. "We're looking into how that happened."

“We kind of know where it was sent,” Mr. Heimerich says
[Evan] Sounds obvious, but did anyone check "Sent Items"? Yeah, probably. Seriously though, does the California DCA not log email sends and receives? It's hard to believe that the sender does not recall to whom they sent the email and there is no evidence of where it was sent.

The breach was discovered on Monday, June 9
[Evan] It took 3 or 4 days for the DCA to discover the breach.

People's whose names were on the list were sent an email the next day and an official letter a week later.
[Evan] Excellent quick notification. The earlier that a breach is detected and communicated to the data owner, the better.

Heimerich said the DCA will pay for a year of free credit reports and provide fraud insurance of up to $25,000 for everyone on the list.
[Evan] One year of protection does not adequately protect information that has a lifespan that far exceeds that one year. Most bad guys (or gals) know that the "standard" organization response to a breach includes one year of free credit monitoring/protection, so many of them wait a year to use the information. It is also important to point out that just because a person monitors their credit, does not mean that their identity isn't being used elsewhere. It's a scary thought, but it's a broken system.

He said the DCA had not yet determined how much these protections were going to cost.
[Evan] You can estimate the cost yourself.

Commentary:
I like how Microsoft Outlook helps me when I am typing an email address in the "To:" field of my email. It saves me some keystrokes and a few precious seconds. Sometimes I am in such a hurry that I don't even notice that Outlook put in the wrong email address. I type my email, click send and away I go onto another task. A couple of days later, I get a call from a customer asking where their information is. I state that I sent it to them a couple of days ago, but they claim to have never gotten my email. I look through my sent items, and HOLY #*@^! I just sent some confidential (sensitive and potentially damaging) information to a competitor instead of my customer.

Sound conceivable? Have you ever sent an embarrassing email to the wrong person? It is very easy to do if your not paying attention.

There are a number of controls us information security guys can put in place to reduce the risk of this happening. One of the best is information security training and awareness (kind of an administrative control).

Past Breaches:
State of California:
March, 2008 - San Quentin visitor and volunteer information lost

ESoft spam filter goes mobile

Wed, 18 Jun 2008 20:00:00 +0000

Security appliance developer eSoft has updated its e-mail gateway with the ability for users to spam-file or whitelist e-mails from any device, including a BlackBerry or smartphone. Previously, only Outlook users could train the gateway's Bayesian spam-filter.

Links for 2008-06-13 [del.icio.us]

Fri, 13 Jun 2008 20:00:00 +0000