Archive for the ‘Passwords’ Category

Detecting emails spoofing your domain using Outlook Rules…

The concern over targeted emails from sophisticated attackers has only increased after the Aurora attacks, not to mention the latest Google vs. China row and RSA’s compromise. One technique attackers use to make a targeted email look more legitimate is to fake or spoof the email’s From address using the recipient’s own domain, so it is more likely to be opened. Security’s constant message about the dangers of email means that opening a spoofed message can cause much alarm for the average user, and of course the spoofing is usually only evident after the message has been opened. That is quickly followed by the usual questions: why am I getting this email when Joe said he didn’t send it? It says I sent it! It’s not in my Sent Items, am I infected? Spoofing email addresses has a long history of being allowed by the SMTP protocol, and many companies currently rely on that “feature” to deliver mail legitimately: think surveys, send-this-link-to-a-friend, web page forms, mailing lists etc. So it’s not as simple as just blocking everything with an internal domain that comes from the Internet, because it’s not all bad. It’s also made more difficult by how SMTP works: the MAIL FROM (aka SMTP from, RFC 2821, envelope from) is often what is evaluated at the mail gateway/server level, but the user will only see the FROM (aka RFC 2822, message from).

What would help is a way for the average user to see the difference between an externally sent email from your internal domain(s) and an internally sent email from your internal domain(s) BEFORE opening it. I’ve thought of a way to do this with Outlook client rules and would like to share it here. So if your organization, especially a small business or SOHO, is struggling with this, give it a shot and let me know how it goes. (The screenshots below are from Outlook 2007.)

The rule will essentially look for messages with your internal domain(s) in the message From, then look for a special line that your SMTP gateways put in the Received headers, and if both are found the rule performs some action. If your internet-facing mail servers relayed the message, it had to come from outside your organization, and hence somebody musta spoofed ya’. I will explain below.

A barebones rule, just to get the idea, will look like this… (just replace @example.com with your own work’s email domain)

Here’s what it does if not obvious…

  1. Search for @example.com in the sender’s FROM address (not MAIL FROM:)
  2. And then look for Received: from mail1.example.com in the message headers (you can add other servers separated by an OR; yes, the colon and spacing are important!)
  3. Assign the message to the “Spoofed” category. (I made this up; you could also delete, or move the message to a separate folder. Marking the subject unfortunately does not appear to be an option with client rules.)

If you don’t know what “mail1.example.com” is at your workplace, the best thing is to ask your IT mail admin. If that’s you and you are still clueless (we’ve all been there), you can USUALLY get that information from the DNS MX records your company publishes on the internet, since the MX hosts are the servers that accept mail for your domain from the outside. The site http://mxtoolbox.com will allow you to resolve those records. Just enter your email domain where I have scottfromsecurity.com in the screenshot below. The info under the column “hostname” is what you want to put in your rule; there will most likely be more than one.

If you want to categorize the suspicious spoofed message like I did (because deleting or moving it can cause its own problems with lost mail and helpdesk calls), you’ll just need to create an Outlook category and choose a color (red, for example). In the Outlook main window click Actions…Categorize…All Categories…New… and add the text that you want the user to see when they open the email.

This will allow the message to be categorized and will show a colored bar when opened. To make it obvious to the user BEFORE the message is opened you’ll have to have them modify their current view. The view will then color messages that carry your new “Spoofed” category. In the main Outlook window, with your Inbox selected, go to View…Current View…Customize Current View…then click Automatic Formatting…Add, name the auto formatting rule and set the font to the desired color by clicking the Font button, as shown. Then click the Condition button…More Choices tab…Categories… and check off the “Spoofed. Please be CAUTIOUS of Web LINKS contained in this email.” category.


Death by Screenshot continues with some pics on the end result of the above configuration.

And here is the opened message showing the red bar with your category message at the top, in case the user does open it, hopefully discouraging them from clicking any links the email may contain before checking with IT.

For the IT professionals, here’s more along the lines of what a fully functional rule would look like: it handles more than one internet-facing MTA, gives the message low importance, and has some notable email address exceptions (i.e. the good spoofing).
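Here is the same rule logic written out as a script, an added example of mine rather than anything from the post or an Outlook feature: it parses a raw message, checks that the header From (not the MAIL FROM) is in an internal domain, exempts the known good spoofers, and then looks for “Received: from <mta>” for each internet-facing relay. The domain, relay names, exception list and sample messages are all assumed values to replace with your own.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed values, not from the post: your own domain(s), the DNS names of
# the internet-facing MTAs, and the "good spoofing" senders to exempt.
INTERNAL_DOMAINS = {"example.com"}
INTERNET_MTAS = {"mail1.example.com", "mail2.example.com"}
ALLOWED_SENDERS = {"surveys@example.com"}

def is_spoofed(raw_message):
    """Flag a raw message when the header From (what the user sees, not the
    SMTP MAIL FROM / Return-Path) is in an internal domain AND a Received
    header shows an internet-facing relay handing it on, i.e. it came in
    from outside the organisation."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    if addr.rpartition("@")[2] not in INTERNAL_DOMAINS:
        return False  # external From: nothing is being faked
    if addr in ALLOWED_SENDERS:
        return False  # legitimate spoofing: surveys, web forms, lists
    # Outlook's "specific words in the message header" condition is a plain
    # case-insensitive substring match, so mirror it: "Received: from <mta>"
    # with the colon and spacing exactly as the post warns.
    for received in msg.get_all("Received", []):
        line = "received: " + str(received).lower()
        if any(f"received: from {mta}" in line for mta in INTERNET_MTAS):
            return True
    return False

# Constructed samples: documentation IP ranges, invented hosts and people.
SPOOFED = """Received: from mail1.example.com (10.0.0.5) by exchange.example.com with ESMTP; Mon, 5 Mar 2007 09:00:00 +0000
Received: from [198.51.100.7] by mail1.example.com with SMTP; Mon, 5 Mar 2007 08:59:58 +0000
Return-Path: <bounce@outside.invalid>
From: "Joe" <joe@example.com>
To: alice@example.com
Subject: Please review this link

Click here.
"""

INTERNAL = """Received: from workstation42.example.com (10.0.1.42) by exchange.example.com with ESMTP; Mon, 5 Mar 2007 09:05:00 +0000
From: joe@example.com
To: alice@example.com
Subject: Lunch?

Noon?
"""
```

The Return-Path in the first sample is the envelope sender the gateway saw; the check deliberately ignores it, because the user never sees it either.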

Caveats:

  1. This probably won’t work if your external mail relays are also your internal mail relays, i.e. you don’t have MS Exchange or something similar to handle internally sent mail separately. All mail will be shown as spoofed, unless you use separate interfaces and DNS names.
  2. As far as I know GPOs cannot be used to push out Outlook client rules/configuration; you could potentially export the rule to a .rwz file and have users import it themselves: Tools…Rules and Alerts…Options (upper right)…Export or Import Rules button…navigate to the .rwz file. So deploying the config probably won’t be possible to do automatically; screenshots and a company-wide email will most likely be required for the .rwz file import, and for the category and view creation as well.
  3. Also, this is a client-only rule, as Outlook warns when you go to save it. That simply means if your Outlook client isn’t running the rule won’t take effect. So on Monday you will need to launch Outlook and let it process your new email to see if it matches the rule.
  4. It will be a Windows user profile specific setup, so it might be something to add to the workstation build process, or done when desktop support delivers the box to the new user after they log in for the first time.

I’m still in the planning stages of rolling this out at my current contracting position, so as I learn the positive and negatives around this approach I’ll be sure to update this post.

I was also toying with the idea of using different actions such as “run a script” and “custom action”, but they would further complicate what is now pretty simple. Also my current security monitoring analyst job does not get heavily into administration, so can I leave that up to the Exchange admins out there? If anyone thinks up a better way to do this, or anything cool (like marking the subject, so the category and view setup wouldn’t be needed) using a VB script or custom action with a .dll, feel free to leave a comment and share it with the 5 other people who read this blog.

___________________________________________________________________________
PS: Lastly, if all of the above is not appealing, another blogger had a simpler approach involving tagging everyone’s email signature with some consistent text string and then writing a rule to filter on that. This technique would identify the good (whitelist), whereas mine identifies the bad (blacklist), so why not try both and see which one works best for you? It also just occurred to me that, with his approach, you might even want to make that text string white so it’s not overly obvious when the recipient sees it. Read about it here… http://www.countryipblocks.net/training/the-cheap-way-to-keep-spoofed-email-out-of-your-inbox/

Good luck in your SPAM fight.


WLAN WLAN everywhere, but not a one to click…

So I had a debate with my wife and father-in-law the other day. They insisted that his 2-month-old HP laptop with Vista HOME was broken. He had just started staying with us after being in the shoe-horned suburbs of Las Vegas for about a year. Seriously, those houses are WAY too close; anyway, it went something like this…

Me:       How is it broken?
Them:  We can’t get to the internet.
Me:       Well how do you usually get there?
Them:  We just “click on the internet”
Me:       Please show me.
Them:  “Double clicking on the Desktop Internet Explorer icon”
Me:        You need a connection to an ISP before IE will work.
InLaw:   I always have a connection to an ISP, I just have to boot.

At this point I understood what was confusing them, and it struck me as a scary thought. They were so used to the prevalence of unsecured wireless routers in suburbia that it made more sense that the laptop was broken than that there happened to be no wide-open wireless internet signals in range. It goes to show how accommodating Windows is when it detects a wireless LAN: it simply connects, so the user doesn’t have to do anything but “click on the Internet.”

I hear the new routers you get are starting to come out with pre-shared keys already defined and “SecureEasySetup” technology, which is good; hopefully they are all WPA and not WEP. But that doesn’t change the fact there are tons of them already out there just waiting for someone to boot up. Now I’m going to surprise you and not go on a diatribe about why you should lock down your wireless router; isn’t the fact that someone else is using your $40 / month connection enough? Linksys has some flash video targeted at the average home user on how to set up WPA, MAC filtering, SSID broadcasting, etc.; here is a link. Remember your security is your responsibility, in other words you reap what you sow.

Password Length…

I really wish people would stop complaining about creating passwords. All it would take is a shift in thinking. If I may be so bold, consider this: your passwords are the most important thing standing between you and anyone, in any country, doing anything you can! Reading your email, accessing your files, changing the locations of your money, etc. I submit that you should think of passwords as virtual keys to your house; would you want anyone else to have the same key to your house as you? Probably not.

Now to complexity. The most important thing when making passwords is length. Sometimes that is considered a part of complexity, sometimes not, but in reality it trumps everything. And by complexity I mean uppercase, lowercase, special characters, numbers, etc. For example, I’d rather have a 10 character alpha password than a 6 character alphanumeric password. A Securityfocus thread in August 2007 brings up some interesting mathematics involving the ancient (NT4 SP2) passfilt.dll that M$ stubbornly refuses to update, at least in a currently released OS. This dll creates the restriction that passwords must be 6 characters and contain 3 of 4 categories (upper, lower, number, special), among other things; M$ article here. The posters debate how these M$ restrictions may actually lower the number of possible passwords a cracker would have to try, as opposed to having no requirements at all. While I don’t feel comfortable, or motivated, getting into the mathematics, I think a good point to remember is that length trumps any argument about variation of password makeup. Although it is not commonly accepted by the army of “pay me now” government regulation auditors, and even many “old school” directory administrators, I recommend concentrating on length as opposed to only the passfilt.dll restrictions. Unfortunately companies often need to be more concerned with those auditors’ blessings than with InfoSec guys like me.

The problem in my opinion is being blinded by the mathematics while ignoring common sense. Yes, a 6 character alpha password has 308,915,776 possible combinations (26^6 = 308,915,776), and since it locks out after 3 attempts, 3 - 308,915,776 = impossible. But you can manipulate statistics and mathematics to prove many falsehoods; did you know 4 out of 5 people think the fifth one is an idiot? :-) My point is malicious users love administrators and auditors who believe such logic, because they are forgetting about the weakest link in the InfoSec world: the average user (no offense). Such logic does not apply to them, because it assumes a completely random 6 character password whereas users will pick anything but. Can you say 123456? “That’s Amazing! I’ve got the same combination on my luggage!”
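To make the Securityfocus argument concrete, here is an added example of my own (not from the thread, the post or the M$ article) that counts how many 6 character passwords the 3-of-4 category rule admits versus the unrestricted keyspace, by inclusion-exclusion over the categories, and carries the 10 character alpha versus 6 character alphanumeric comparison from above through the same code. It assumes the 95 printable ASCII characters split as 26 upper, 26 lower, 10 digits and 33 specials; the post does not state those sizes.

```python
from itertools import combinations

# Assumed alphabet sizes (not stated in the post): the 95 printable ASCII
# characters split into passfilt.dll's four categories.
CATEGORIES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}


def keyspace(length, *cats):
    """Unrestricted keyspace: every position drawn from the union of cats."""
    return sum(CATEGORIES[c] for c in cats) ** length


def count_using_exactly(length, cats):
    """Strings of `length` that use every category in `cats` and no other,
    by inclusion-exclusion over the categories left out."""
    total = 0
    for k in range(len(cats) + 1):
        for sub in combinations(cats, k):
            size = sum(CATEGORIES[c] for c in sub)
            total += (-1) ** (len(cats) - k) * size ** length
    return total


def count_with_min_categories(length, min_cats):
    """Passwords of `length` using at least `min_cats` of the four categories,
    e.g. passfilt.dll's "3 of 4" rule over 6 characters (min_cats=0 gives
    the unrestricted 95**length, which checks the bookkeeping)."""
    names = tuple(CATEGORIES)
    return sum(count_using_exactly(length, cats)
               for k in range(min_cats, len(names) + 1)
               for cats in combinations(names, k))


def compare():
    """The figures the post argues about, as a dict of label -> count."""
    return {
        "6 alpha (the post's 26^6)": keyspace(6, "lower"),
        "6 alphanumeric": keyspace(6, "upper", "lower", "digit"),
        "10 alpha": keyspace(10, "lower"),
        "6 chars, any of 95": count_with_min_categories(6, 0),
        "6 chars, passfilt 3-of-4": count_with_min_categories(6, 3),
    }


if __name__ == "__main__":
    for label, n in compare().items():
        print(f"{label:28s} {n:>20,d}")
```

The 3-of-4 rule removes roughly 15% of the 6 character keyspace, which is the reduction the thread is about, while 10 lowercase characters give over two thousand times more than 6 characters from all four categories. Every figure here assumes uniformly random choice, so as the post says they are upper bounds that real users never reach.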

So longer is better. The next time you have to change a password, try something like this: “Wow, I loved going to Pacific Beach that 1 time”. You, your data, and your company’s network will be MUCH better off.

One Time Passwords…

I’m going to keep this article from the Miami Herald so I can forward it to anyone who complains about needing a One-Time-Password to remotely access their employer’s network. I encourage everyone to program a red flag to pop up in your head whenever anything asks you for a username/password. Ask yourself…

  1. Do I believe I can trust this physical location?
    1. Is it shared internet and/or computer access?
    2. Do I trust who had access before me?
  2. Do I believe I can trust this virtual location?
    1. Is it HTTPS with a valid certificate?
    2. Did I get here from a reliable source?
  3. What would happen if these credentials were compromised?
    1. Remember, many sites will allow a password change while relying on nothing but the belief that only you know the password to your web-mail.

Of course almost all of the long-term risk posed by these threats can be mitigated by using a one-time password. Next time you have to use one, thank an Information Security Administrator instead of complaining to one.
