Security does matter: Windows Live & IE9 (La seguridad sí importa: Windows Live & IE9)

Yes, Security is important. Chema Alonso, [email protected], http://twitter.com/chemaalonso, http://www.elladodelmal.com


Posted on 27-May-2015


DESCRIPTION

Talk given by the company Informática 64 at the Gira Up to Secure 2011.

TRANSCRIPT

Page 1: Title slide

Yes, Security is important

Chema Alonso, [email protected]

http://twitter.com/chemaalonso
http://www.elladodelmal.com

Page 2: You have an e-mail

Diagram (recovered from the slide): a sender at domain 1 writes to a recipient at domain 2. The domain 1 outgoing e-mail server asks DNS for the MX record of domain2.com (or uses a smart hosts list) and delivers the message over SMTP to the domain 2 incoming e-mail servers; the recipient then fetches it over POP3, IMAP, HTTP, MAPI or RPC/HTTPS.

Page 3: Spam

Security Intelligence Report, volume 9: 1 in 47 e-mail messages is not spam.

Page 4: Spam Confidence Level (SCL)

• Identifies the probability that an e-mail message is spam:
– 0 – 3: not spam -> Inbox folder
– 4 – 6: probably spam -> Junk folder
– 7 – 9: spam -> Delete

• Many techniques are based on analysing the message's characteristics:
– Bayesian filters
– S.T.A.R. (Spammer Tricks, Analysis and Response): only images, hidden text, links pointing to different URLs, …

Page 5: It's not spam for everybody

• Some users mark as spam messages from:
– Newsletters they were subscribed to without being informed beforehand
– Newsletters they agreed to be added to but have now grown tired of, and don't want to unsubscribe from (marking it as spam is easier)
– Words in Bayesian filters can be spam for most people, but not for everybody

Page 6: User actions: clean up the inbox

• Sweeping options:
– Block senders forever
– Spam & clutter mails
– Move/delete messages from senders: one or more senders in a row

Page 7: User actions: mark as spam / phishing / secure

Page 8: User actions: read, reply to and/or delete e-mails

• If a type of e-mail is always deleted without being opened first, the user is able to tell from the sender and subject that those e-mails are not useful to them -> SCL++
• If a type of e-mail is always opened first, that means it's important -> SCL--
• If the user searches for e-mails by some characteristic and then deletes them
• Etcetera…

Page 9: Server Reputation Level (SRL)

• Reduces the impact of spamming servers.
• Identifies a server's reputation based on the SCL obtained by the previous e-mails it sent.
• SRL allows quick detection of a new spamming server, or of an insecure e-mail server that is being used to send spam.

Page 10: Microsoft SmartScreen

• Evaluates message characteristics
– SCL
• Evaluates user opinions
– SCL is interactive
• Evaluates user actions
– SCL is dynamic and customised
• Evaluates server reputation
– SCL depends on who is sending the message
– Real-Time Black-hole Lists
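The way the pieces from Pages 4, 5, 8, 9 and 10 fit together (SCL bands, per-user feedback from actions, and an SRL derived from a server's previous SCLs) can be shown as a small scoring model. This is an added illustration, not Microsoft's SmartScreen code: the characteristic weights, action deltas, reputation thresholds and sample messages are all constructed here.

```python
from statistics import mean

# SCL bands from the slide: 0-3 -> inbox, 4-6 -> junk, 7-9 -> delete
def route(scl):
    if scl <= 3:
        return "inbox"
    return "junk" if scl <= 6 else "delete"

# Constructed weights for S.T.A.R.-style message characteristics (not Microsoft's values)
CHARACTERISTIC_WEIGHTS = {
    "only_images": 3, "hidden_text": 3, "link_text_mismatch": 2, "bayes_spammy_words": 2,
}
# Constructed per-action SCL adjustments for the user actions listed on Page 8
ACTION_DELTA = {"deleted_unread": 1, "opened_first": -1, "marked_spam": 3, "marked_safe": -3}

class SmartScreenModel:
    def __init__(self):
        self.user_feedback = {}    # (user, sender) -> accumulated SCL adjustment for that user
        self.server_history = {}   # server_ip -> SCLs of the previous e-mails it sent

    def server_reputation(self, server_ip):
        """SRL: +2 for a server whose recent e-mails scored as spam, -1 for a clean one."""
        hist = self.server_history.get(server_ip, [])
        if len(hist) < 3:          # not enough history to judge the server yet
            return 0
        avg = mean(hist)
        return 2 if avg >= 7 else (-1 if avg <= 2 else 0)

    def record_user_action(self, user, sender, action):
        key = (user, sender)
        self.user_feedback[key] = self.user_feedback.get(key, 0) + ACTION_DELTA[action]

    def score(self, user, msg):
        """Combine message characteristics, server reputation and this user's feedback into an SCL."""
        base = sum(CHARACTERISTIC_WEIGHTS[c] for c in msg["characteristics"])
        scl = base + self.server_reputation(msg["server_ip"])
        scl += self.user_feedback.get((user, msg["sender"]), 0)   # same mail, per-user result
        scl = max(0, min(9, scl))
        self.server_history.setdefault(msg["server_ip"], []).append(scl)
        return scl

# Constructed sample messages (documentation addresses and IP ranges)
SAMPLE_SPAM = {"sender": "[email protected]", "server_ip": "198.51.100.7",
               "characteristics": ["only_images", "hidden_text", "link_text_mismatch"]}
SAMPLE_NEWSLETTER = {"sender": "[email protected]", "server_ip": "203.0.113.4",
                     "characteristics": ["bayes_spammy_words"]}
```

After three spam messages from the same server its SRL pushes later mail from it straight to 9, while the same newsletter lands in junk for a user who marked it as spam and in the inbox for a user who always opens it first.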

Page 11: My "own" spams

Page 12: My "own" spams

• They are coming from our contacts:
– The password has been stolen
– There is malware (a Trojan or bot) on our contact's machine

• Solutions:
– Antimalware: Microsoft Security Essentials 2.0
– Improve the protection of the Windows Live account: use SSL, Single-Use Codes, password retrieval (Trusted PC, mobile number)

Page 13: Credential theft

Page 14: Microsoft Security Essentials 2.0

• Free for home users
• Free for companies with 10 or fewer installations
• Automatic updates
• Real-time protection
• It is the same antimalware engine currently in use in corporate solutions such as Forefront Client Protection and Forefront Endpoint Protection 2010

Page 15: IE9: Download Reputation

Page 16: Dirty Dozen

http://www.bit9.com/company/news-release-details.php?id=175

Page 17: Associated mobile number

• It allows users to access Single-Use Codes
• It allows a new password to be obtained quickly

Page 18: Single-Use Codes

• From a secure connection, users can request a Single-Use Code.
• Users can request as many codes as they think they will need.
• Codes are sent to the mobile number associated with the Windows Live account.
• Every code can be used only once.
• If the user connects to Windows Live from an insecure connection/computer and the code is stolen, nothing happens.
• Single-Use Codes are useless once they have been used.

Page 19: Connect to Hotmail using HTTPS

Page 20: Windows Live Messenger

• Chats are not encrypted
• Microsoft Office Communications Server: encryption, antimalware, corporate policy, etc.
• There are many partners with free/professional add-ins to encrypt Windows Live Messenger messages, e.g. Secway Simp Lite.

Page 21: Multiple-session alerts

Page 22: Trusted PC

• Windows Live allows users to mark a PC as trusted. This gives the user the opportunity to:
– Quickly retrieve the password from it
– Protect the account against DoS attacks

Page 23: Identity impersonation

• "Attackers" spoof the MAIL FROM field
• E-mails come from servers that don't belong to the domain in the sender address
• Not digitally signed
• Solutions?
– Sender Policy Framework / Sender ID
– DKIM: DomainKeys Identified Mail
– Mutual TLS

Page 24: SPF / Sender ID

SPF:
- Needs a TXT record in the DNS
- Checks the IP of the sending server against the domain in the MAIL FROM field
- It is configured as v=spf1 …, ending with an "all" qualifier:
• -all -> Fail
• ~all -> SoftFail
• ?all -> Neutral
• +all -> Pass

Sender ID:
- Needs a TXT record in the DNS
- Four operational modes:
- spf2.0/mfrom
- spf2.0/mfrom,pra
- spf2.0/pra,mfrom
- spf2.0/pra
• -all -> Fail
• ~all -> SoftFail
• ?all -> Neutral
• +all -> Pass
• PRA: Purported Responsible Address, taken from the From, Sender, Resent-From or Resent-Sender header

Page 25: Some SPF TXT records

Bank of America (bankofamerica.com):
v=spf1 include:_sfspf.bankofamerica.com include:_txspf.bankofamerica.com include:_vaspf.bankofamerica.com include:_cfcspf.bankofamerica.com ~all

Banco Central de la República Argentina (bcra.gov.ar):
v=spf1 mx ptr ~all

Facebook.com:
v=spf1 ip4:69.63.179.25 ip4:69.63.178.128/25 ip4:69.63.184.0/25 ip4:66.220.144.128/25 ip4:66.220.155.0/24 ip4:66.220.157.0/25 mx -all

Twitter.com:
v=spf1 ip4:199.16.156.0/22 ip4:128.121.145.168 ip4:128.121.146.128/27 mx ptr a:postmaster.twitter.com mx:one.textdrive.com include:cmail1.com include:aspmx.googlemail.com include:support.zendesk.com -all

Gmail.com:
v=spf1 redirect=_spf.google.com
_spf.google.com:
"v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"

Google.com:
v=spf1 include:_netblocks.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all

Banco de España (bde.es):
v=spf1 a:out-smtp1.bde.es a:out-smtp2.bde.es -all

La Caixa (lacaixa.es):
v=spf1 ip4:130.117.98.78/32 ip4:213.229.186.0/27 ip4:217.148.73.96/28 ip4:217.148.74.96/28 ip4:217.148.73.160/28 ip4:217.148.74.160/28 ip4:217.16.255.27 ip4:80.68.128.18/31 mx exists:%{s}.S.%{i}.I.spflog.lacaixa.com -all
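To show how a receiving server turns the records on Pages 24 and 25 into a Pass/Fail/SoftFail/Neutral verdict, here is a small SPF evaluator. It is an added example, not code from the talk or from any mail product: DNS answers are a constructed in-memory table (the bde.es, bcra.gov.ar and Gmail records are adapted from the slide, the example.com record and all IPs and hostnames are made up), and the ptr and exists mechanisms are deliberately not modelled.

```python
import ipaddress

# Constructed DNS answers (no real lookups); records adapted from the slide's examples.
DNS = {
    "txt": {
        "bde.es": "v=spf1 a:out-smtp1.bde.es a:out-smtp2.bde.es -all",
        "bcra.gov.ar": "v=spf1 mx ptr ~all",
        "gmail.com": "v=spf1 redirect=_spf.google.com",
        "_spf.google.com": "v=spf1 ip4:216.239.32.0/19 ip4:74.125.0.0/16 ?all",
        "example.com": "v=spf1 include:_spf.google.com -all",   # constructed record
    },
    "a": {"out-smtp1.bde.es": ["203.0.113.10"], "out-smtp2.bde.es": ["203.0.113.11"],
          "mail.bcra.gov.ar": ["198.51.100.5"]},
    "mx": {"bcra.gov.ar": ["mail.bcra.gov.ar"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, depth=0):
    """SPF result for a connecting IP and the MAIL FROM domain: pass/fail/softfail/neutral/none."""
    record = DNS["txt"].get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"                              # no record, wrong version, or runaway chain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("redirect="):           # hand evaluation over to another domain
            return check_spf(ip, term.split("=", 1)[1], depth + 1)
        qual = term[0] if term[0] in QUALIFIERS else "+"   # the default qualifier is "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            net = ipaddress.ip_network(arg if "/" in arg else arg + "/32", strict=False)
            matched = addr in net
        elif name == "a":                          # A record of the named host (or the domain)
            matched = ip in DNS["a"].get(arg or domain, [])
        elif name == "mx":                         # any of the domain's MX hosts
            matched = any(ip in DNS["a"].get(h, []) for h in DNS["mx"].get(arg or domain, []))
        elif name == "include":                    # only a "pass" of the included record counts
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:                                      # ptr / exists not modelled here: no match
            matched = False
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                               # nothing matched and no "all" term
```

Note how the Gmail ?all record yields "neutral" for an unknown sender, so a spoofed @gmail.com message is neither accepted nor rejected by SPF alone, whereas bde.es's -all produces a hard "fail".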

Page 26: You have an e-mail, with an SPF record

Diagram (recovered from the slide): the same flow as on Page 2 (the domain 1 outgoing server asks DNS for the MX record of domain2.com or uses a smart hosts list, delivers over SMTP to the domain 2 incoming servers, and the recipient fetches the message over POP3, IMAP, HTTP, MAPI or RPC/HTTPS), except that the domain 2 incoming server now also asks DNS for the SPF record of domain1.com and checks the connecting server against it.

Page 27: Gmail with SPF

Page 28: Hotmail.com with Sender ID

Page 29: Gmail: resent e-mail

Page 30: Hotmail: resent e-mail

Page 31: DKIM & Mutual TLS

• DKIM: pushed by Cisco, Google & Yahoo. Outgoing servers sign e-mail messages with a private key; the public key is published in a TXT DNS record. It doesn't guarantee that an e-mail is not spoofed and doesn't sign the headers. Not widely used on the Internet: Yahoo is using it in test mode, and Gmail doesn't have any policy about what to do with an unsigned e-mail claiming to come from Gmail.

• Mutual TLS: pushed by Microsoft; it is currently working in MS Exchange Servers (and Hotmail). It uses a TLS channel between the outgoing and incoming servers. Before that, the servers authenticate each other using digital certificates. Messages are encrypted and the communication between servers is signed.

Page 32: Summary

• Keeping a system secure needs constant effort.
• Threats change quickly. Security protections for yesterday's risks are not good for today's.
• Keeping a safe and secure e-mail service depends on:
– Domain owners
– Server administrators
– Users owning the inboxes

Page 33: Questions?

Chema Alonso, [email protected]

http://www.elladodelmal.com
http://twitter.com/chemaalonso