Security does matter: Windows Live & IE9
DESCRIPTION
Talk given by the company Informática 64 at the Gira Up to Secure 2011.
TRANSCRIPT
Yes, Security is important
Chema [email protected]
http://twitter.com/chemaalonso
http://www.elladodelmal.com
[Diagram: You have an e-mail. Domain 1 outgoing e-mail server; Domain 2 incoming e-mail servers (POP3, HTTP, MAPI, IMAP, RPC/HTTPS); DNS query "MX domain2.com?"; Smart Hosts list; SMTP.]
Spam: Security Intelligence Report volume 9
1 in 47 e-mail messages is not spam
Spam Confidence Level
• Identifies the probability that an e-mail message is spam
– 0 – 3 Not spam -> Inbox folder
– 4 – 6 Probably spam -> Junk folder
– 7 – 9 Is spam -> Delete
• Many techniques based on analysing the message's characteristics
– Bayesian filters
– S.T.A.R. (Spammer Tricks, Analysis and Response)
- Only images
- Hidden text
- Links pointing to different URLs
- …
It's not spam for everybody
• Some users mark as spam messages from:
– Newsletters they have been subscribed to without being informed beforehand
– Newsletters they agreed to be added to, but are now bored of and don't want to unsubscribe from (marking them as spam is easier)
– Words in Bayesian filters can be spam for most people, but not for everybody
User Actions: Clean up the inbox
• Sweeping options
– Block senders forever
• Spam & clutter mails
– Move/delete messages from senders:
• One or more senders in a row
User Actions: Mark as Spam/Phishing/Secure
User Actions: Read, respond to and/or delete e-mails
• If a type of e-mail is always deleted without being opened first
– By analysing sender and subject, the user is able to tell that those e-mails are not useful for them -> SCL++
• If a type of e-mail is always opened first, that means it's important -> SCL--
• If the user searches for e-mails using a characteristic and then deletes them
• Etcetera…
Server Reputation Level (SRL)
• Reduces the impact of spamming servers.
• Identifies server reputation based on the SCL obtained by the previous e-mails it sent
• SRL allows quickly detecting a new spamming server, or an insecure e-mail server which is being used to spam.
Microsoft SmartScreen
• Evaluates message characteristics
– SCL
• Evaluates user opinions
– SCL is interactive
• Evaluates user actions
– SCL is dynamic and customized
• Evaluates server reputation
– SCLs based on which server is sending the message
– Real-Time Black-hole Lists
My “own” spams
• They are coming from our contacts
– The password has been stolen
– There is a malware/Trojan/bot in our contact's machine
• Solutions:
– Antimalware
• Microsoft Security Essentials 2.0
– Improve protection of the Windows Live account
– Use SSL
– Single-Use Codes
– Password retrieval
• Trusted PC
• Mobile number
Theft of credentials
Microsoft Security Essentials 2.0
• Free for home users
• Free for companies with 10 or fewer installations
• Automatic updates
• Real-time protection
• It is the same antimalware engine currently in use in corporate solutions such as:
– Forefront Client Protection
– Forefront Endpoint Protection 2010
IE9: Download Reputation
Dirty Dozen
http://www.bit9.com/company/news-release-details.php?id=175
Associated mobile number
• It allows users to access Single-Use Codes
• It allows quickly obtaining a new password
Single-Use Codes
• From a secure connection, users can request a Single-Use Code.
• Users can request as many codes as they think they will need.
• Codes are sent to the mobile number associated with the Windows Live account.
• Every code can be used only once.
• If the user connects to Windows Live from an insecure connection/computer and the code is stolen, nothing happens.
• Single-Use Codes are useless after being used.
Connect to Hotmail using HTTPS
Windows Live Messenger
• Chats are not encrypted
• Microsoft Office Communications Server: encryption, antimalware, corporate policy, etc…
• There are a lot of partners with free/professional add-ins to encrypt Windows Live Messenger messages. Ex: Secway Simp Lite.
Multiple sessions alerts
Trusted PC
• Windows Live allows users to mark a PC as trusted. This gives the user the opportunity to:
– Quickly retrieve the password from it.
– Protect the account against DoS attacks
Identity impersonation
• «Attackers» spoof the mail from field
• E-mails are coming from servers which don't belong to the domain in the sender address.
• Not digitally signed
• Solutions?
– Sender Policy Framework / Sender ID
– DKIM: DomainKeys Identified Mail
– Mutual TLS
SPF/Sender ID
SPF:
- Needs a TXT record in the DNS
- Checks the IP of the sending server against the domain in the mail from field
- It is configured as v=spf1
• -all -> Fail
• ~all -> SoftFail
• ?all -> Neutral
• +all -> Pass
Sender ID:
- Needs a TXT record in the DNS
- Four operational modes:
- spf2.0/mfrom
- spf2.0/mfrom,pra
- spf2.0/pra,mfrom
- spf2.0/pra
• -all -> Fail
• ~all -> SoftFail
• ?all -> Neutral
• +all -> Pass
• PRA: Purported Responsible Address
• From
• Sender
• Resent-From
• Resent-Sender
Some SPF TXT Records
Bank Of America (bankofamerica.com):
v=spf1 include:_sfspf.bankofamerica.com include:_txspf.bankofamerica.com include:_vaspf.bankofamerica.com include:_cfcspf.bankofamerica.com ~all
Banco Central de la República Argentina (bcra.gov.ar):
v=spf1 mx ptr ~all
Facebook.com:
v=spf1 ip4:69.63.179.25 ip4:69.63.178.128/25 ip4:69.63.184.0/25 ip4:66.220.144.128/25 ip4:66.220.155.0/24 ip4:66.220.157.0/25 mx -all
Twitter.com:
v=spf1 ip4:199.16.156.0/22 ip4:128.121.145.168 ip4:128.121.146.128/27 mx ptr a:postmaster.twitter.com mx:one.textdrive.com include:cmail1.com include:aspmx.googlemail.com include:support.zendesk.com -all
Gmail.com:
v=spf1 redirect=_spf.google.com
_spf.google.com = "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"
Google.com:
v=spf1 include:_netblocks.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all
Banco de España (bde.es):
v=spf1 a:out-smtp1.bde.es a:out-smtp2.bde.es -all
La Caixa (lacaixa.es):
v=spf1 ip4:130.117.98.78/32 ip4:213.229.186.0/27 ip4:217.148.73.96/28 ip4:217.148.74.96/28 ip4:217.148.73.160/28 ip4:217.148.74.160/28 ip4:217.16.255.27 ip4:80.68.128.18/31 mx exists:%{s}.S.%{i}.I.spflog.lacaixa.com -all
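How an incoming server turns records like the ones above into a Pass/Fail/SoftFail/Neutral verdict, as an added example that is not code from the talk. The TXT records are constructed in memory (example.com, _spf.mail.example and redir.example are placeholders), and only the ip4, include, redirect and all terms are handled; mx, a, ptr and exists would need live DNS.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (placeholder names,
# not real zone data): example.com matches its own /24 and delegates the
# rest to _spf.mail.example; redir.example only redirects.
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example ~all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.10 -all",
    "redir.example": "v=spf1 redirect=example.com",
}

# Qualifier prefix -> result, as listed on the SPF/Sender ID slide.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for the connecting sender `ip`."""
    if depth > 10:                       # guard against include/redirect loops
        return "PermError"
    record = TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "None"                    # domain publishes no SPF record
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        qualifier = "+"                  # mechanisms default to Pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]     # applied only if nothing matches
        elif term == "all":
            return QUALIFIERS[qualifier]
        elif term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include matches only when the referenced domain yields Pass
            if check_host(ip, term[8:], depth + 1) == "Pass":
                return QUALIFIERS[qualifier]
        # mx, a, ptr and exists would need real DNS and are skipped here
    if redirect:
        return check_host(ip, redirect, depth + 1)
    return "Neutral"                     # no match and no "all" term


if __name__ == "__main__":
    for sender in ("192.0.2.7", "198.51.100.10", "203.0.113.5"):
        print(sender, check_host(sender, "example.com"))
```

Note that the Fail inside the included record does not fail the outer evaluation: an include only contributes a match when it yields Pass, so the outer record's ~all decides the unmatched sender.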
[Diagram: You have an e-mail with SPF record. Domain 1 outgoing e-mail server; Domain 2 incoming e-mail servers (POP3, HTTP, MAPI, IMAP, RPC/HTTPS); DNS queries "MX domain2.com?" and "SPF domain1.com?"; Smart Hosts list; SMTP.]
Gmail with SPF
Hotmail.com with SenderID
Gmail: Resent e-mail
Hotmail: Resent e-mail
DKIM & Mutual-TLS
• DKIM: Pushed by Cisco, Google & Yahoo. Outgoing servers sign e-mail messages with a private key; the public key is published in a TXT DNS record. It doesn't guarantee that an e-mail is not spoofed and doesn't sign the headers. Not widely used on the Internet yet: Yahoo is using it in test mode, and Gmail has no policy about what to do with a non-signed e-mail claiming to come from Gmail.
• Mutual TLS: Pushed by Microsoft; it is currently working in MS Exchange Servers (and Hotmail). It uses a TLS channel between outgoing and incoming servers. Before that, the servers authenticate each other using digital certificates. Messages are encrypted and the communication between servers is signed.
Summary
• Keeping a system secure needs constant effort.
• Threats change quickly. Security protections for yesterday's risks are not good enough for today's.
• Keeping a safe and secure e-mail service depends on:
– Domain owners
– Server administrators
– Users owning the inboxes