
SANS ISC InfoSec Handlers Diary Blog, Internet Storm Center Diary 2009-10-15



Cyber Security Awareness Month - Day 15 - Ports 995, 465, and 993 - Secure Email

Published: 2009-10-15
Last Updated: 2009-10-15 22:16:13 UTC
by Deborah Hale (Version: 1)
6 comment(s)

Email has become a mainstay for both businesses and individuals.  It seems a day does not go by without us being online, checking for that ever-important message from someone important to us.  In the business world email is now our most important and timely form of communication.  Information is passed from boss to employee – employee to boss – owner/manager to employee groups and employee to employee.  Email is a way we can make sure that our message is heard and acted upon.  I for one could not function even a day without my email.

Email security is the process of using encryption so that a message can be opened and read only by its intended recipient.  Sending an email without encryption is much like sending a postcard through the Postal Service: it can be read by everyone who handles it on its way through the system from the sender to the receiver.

Most of the email sent today uses standard SMTP without encryption or authentication.  It travels over port 25 in clear text and is exposed to view, which means it can be intercepted and read by anyone, anywhere.  Now for most of the email that I send and receive this is not really a problem.  I really don’t care if anyone has my super Chocolate Chip Cookie recipe or my Super Hot Chili recipe. I am, however, involved in some organizations that provide FOUO (For Official Use Only) information.  For this information I need to protect the data from prying eyes.  So how do I do that?

There are some really great client-side utilities such as Secure MIME (S/MIME) or Pretty Good Privacy (PGP).  These programs, however, require user involvement: the user has to know when and how to use the program, and the recipient has to have the “key” to unlock the encryption.  This could be a problem for users who can barely use their email.

A perhaps better place to focus your security efforts is securing your SMTP traffic.  There are a lot of good articles about securing SMTP traffic, and the basics are the same whether you are using Linux mail programs, Microsoft Exchange or Novell GroupWise.  However, each of them has its own little caveats.

Sending secure email goes hand in hand with receiving it securely.  One method used to accomplish this is Secure POP3 (POP3S) and Secure SMTP (SMTPS).  Again, there are probably as many ways to accomplish this as there are people using it.  I am going to look at one way, and some of our readers may have suggestions for others.

POP3 over SSL (POP3S) is one method.  Let me preface this discussion with the fact that OpenSSL has had known vulnerabilities, so please make sure that you apply the patches or fixes recommended by your OS vendor (http://openssl.org/news/vulnerabilities.html). With that said, one of the methods that we have used is POP3 over SSL, built on OpenSSL, a free, open source implementation of Secure Sockets Layer (SSL), the same encryption layer that is used for standard, secure e-commerce transactions on the Internet.  This method uses port 995 for POP3-over-SSL, port 465 for SMTP-over-SSL and, for those using IMAP, port 993 for IMAP-over-SSL communication.

One of the key things that we did was use stunnel to create a secure channel for all of the POP3 data to be exchanged. stunnel requires a piece of data called a certificate to be generated.  This certificate is then used to validate and exchange information from device to device.  These certificates can be purchased from providers such as GoDaddy or Thawte, or they can be self-generated. Once the certificates are in place, the email passed through these ports is encrypted and validated end to end using the key.

This is a very brief explanation of what Ports 995, 465 and 993 are used for.  These three ports can take you from a postcard environment to a secured envelope environment with just a bit of effort.
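As an added example (this is not code from the diary, nor from stunnel's own documentation), the Python below shows the defender's side of the setup just described: a generated stunnel.conf that maps each TLS port (995, 465, 993) to the plaintext daemon behind it, the weak client setting people often reach for with a self-generated certificate (verification switched off) beside the corrected one, and a check of the certificate fields a client sees. The file path, the SAMPLE_CERT dict and the connect_secure helper are assumptions; connect_secure needs a reachable server, everything else runs offline.

```python
"""Client and server-side checks for POP3S (995), SMTPS (465) and IMAPS (993).

Assumptions, not from the diary: the stunnel cert path is a placeholder,
SAMPLE_CERT is a constructed dict in getpeercert() layout, and
connect_secure() is a hypothetical helper that needs a live server.
"""
import ssl
import time
import poplib
import smtplib
import imaplib

# TLS port -> plaintext port the stunnel wrapper forwards to on localhost.
SECURE_PORTS = {
    "pop3s": (995, 110),
    "smtps": (465, 25),
    "imaps": (993, 143),
}

def render_stunnel_conf(cert_path="/etc/stunnel/mail.pem"):
    """Server side: one stunnel listener per service, decrypting to the local daemon.
    cert_path is a placeholder; point it at the purchased or self-generated PEM."""
    lines = [f"cert = {cert_path}", ""]
    for name, (tls_port, plain_port) in SECURE_PORTS.items():
        lines += [f"[{name}]", f"accept = {tls_port}",
                  f"connect = 127.0.0.1:{plain_port}", ""]
    return "\n".join(lines)

def weak_context():
    """The shortcut often taken with a self-generated certificate: verification off.
    Traffic is encrypted but the peer is never validated, so any host in the path
    can present its own certificate and be accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def strict_context(cafile=None):
    """The corrected setting: require a certificate and a matching hostname.
    For a self-generated certificate, pass its PEM as cafile so that exact
    certificate is trusted instead of the public CA bundle."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def context_is_verifying(ctx):
    """True only if the context validates both the certificate chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def _name_matches(pattern, host):
    """Exact match, or a single-label wildcard such as *.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def cert_problems(cert, hostname, now_ts=None):
    """Explain why a getpeercert() dict should not be trusted for hostname.
    Returns an empty list when the name matches and the validity window covers now."""
    now_ts = time.time() if now_ts is None else now_ts
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # older certificates carry the name only in the subject CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_name_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: {hostname} not in {names}")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now_ts:
        problems.append(f"expired: {cert['notAfter']}")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now_ts:
        problems.append(f"not yet valid: {cert['notBefore']}")
    return problems

# Constructed sample in the layout SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Mar 15 12:00:00 2020 GMT",
    "notAfter": "Mar 15 12:00:00 2030 GMT",
}

def connect_secure(service, host, ctx):
    """Hypothetical helper: open the named service on its TLS port using ctx.
    With strict_context() a bad certificate raises ssl.SSLCertVerificationError."""
    port = SECURE_PORTS[service][0]
    if service == "pop3s":
        return poplib.POP3_SSL(host, port, context=ctx)
    if service == "smtps":
        return smtplib.SMTP_SSL(host, port, context=ctx)
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)

if __name__ == "__main__":
    print(render_stunnel_conf())
    print("strict verifies:", context_is_verifying(strict_context()))
    print("weak verifies:", context_is_verifying(weak_context()))
    print("problems:", cert_problems(SAMPLE_CERT, "mail.example.com"))
```

The point of the two contexts is the diary's distinction between encrypted and validated: weak_context() gives you the envelope but lets anyone seal it, strict_context() also checks who sealed it. A self-generated certificate does not force you into the weak setting; handing its PEM to strict_context(cafile=...) pins that one certificate and keeps hostname checking on.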


 Deb Hale Long Lines, LLC


Yet another round of Viral Spam

Published: 2009-10-15
Last Updated: 2009-10-15 14:29:53 UTC
by Deborah Hale (Version: 1)
3 comment(s)

Reports are coming in today regarding another round of spam attempting to spread malicious programs on machines all over the world. 

I just checked my Postini and I too am seeing these emails.  Here is the content of the new round:

You have (6) New Message from Outlook Microsoft

- Please re-configure your Microsoft Outlook Again.
- Download attached setup file and install.

These emails contain an attachment.  The ones in my Postini filter contain an attachment with the name install.zip.  (This doesn't mean that is the only name that is being used.)

According to the headers these emails are coming from IP addresses all over the world and are using various mail servers, including servers from well-known services like Yahoo and GMail as well as private mail servers at private companies.

In addition to the Outlook spam we are seeing a new influx of IRS spam with an attachment tax-statement.exe, and of course the DHL Service spam.

Yesterday my company got hit with a round of the emails with OWA links.  We don't use Exchange for our external email so the link was "broken".  We received a number of phone calls and emails from customers telling us they clicked on the link and it didn't work and asking what they should do now.  Luckily the link was "broke" or we would have had a pretty nasty mess on our hands today.  The interesting thing about this was that the email was sent to one email account with "Dear another email account" and the users still clicked on the link. May wonders never cease.

I find this unusual increase in virus spam emails rather ironic given that this is Security Awareness Month.  It might be a good time to remind your users about the dangers of clicking on links or attachments that they get in emails.  Make sure that they understand what the procedure is for reporting these emails to your company or your security department.
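As an added example, not part of the diary, the Python below triages raw messages for the three tells described above: an attachment named like an installer or archive (install.zip, tax-statement.exe), a salutation that greets a different address than the one the message was sent to, and the quoted Outlook wording. The three messages are constructed samples with example.com placeholder addresses and a placeholder URL, not the spam the diary quotes; the phrase list and extension list are assumptions you would tune to your own mail flow.

```python
"""Triage raw RFC 822 messages for the lures the diary describes.

The sample messages are constructed; example.com / example.net addresses
and the URL are placeholders, not indicators from the diary.
"""
import re
import email
from email import policy

# Assumed starting lists; extend from what your own filter sees.
RISKY_EXTENSIONS = (".exe", ".scr", ".zip", ".pif", ".com", ".bat")
LURE_PHRASES = ("re-configure your microsoft outlook", "download attached setup file")

def triage(raw_message):
    """Return the subject and a list of reasons this message deserves a look."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # 1. Attachments whose names look like installers or archives.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment: {name}")

    # 2. "Dear someone@else" delivered to a different mailbox, as the diary saw.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    to_header = msg["to"]
    recipients = {a.addr_spec.lower() for a in to_header.addresses} if to_header else set()
    for greeted in re.findall(r"Dear\s+([\w.+-]+@[\w.-]+\w)", text):
        if greeted.lower() not in recipients:
            flags.append(f"salutation mismatch: greets {greeted}")

    # 3. Wording lifted from the Outlook lure, matched in subject and body.
    haystack = f"{msg['subject'] or ''} {text}".lower()
    flags += [f"lure phrase: {p}" for p in LURE_PHRASES if p in haystack]
    return {"subject": str(msg["subject"]), "flags": flags}

def triage_all(raw_messages):
    """Keep only the messages that raised at least one flag."""
    return [r for r in (triage(m) for m in raw_messages) if r["flags"]]

# Constructed sample: the Outlook lure shape with a zip attachment.
OUTLOOK_LURE = """\
From: "Outlook Microsoft" <noreply@example.net>
To: alice@example.com
Subject: You have (6) New Message from Outlook Microsoft
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

- Please re-configure your Microsoft Outlook Again.
- Download attached setup file and install.
--b1
Content-Type: application/zip; name="install.zip"
Content-Disposition: attachment; filename="install.zip"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCB6aXA=
--b1--
"""

# Constructed sample: an OWA-style link sent to bob but addressed to carol.
OWA_LURE = """\
From: helpdesk@example.net
To: bob@example.com
Subject: Outlook Web Access settings
Content-Type: text/plain

Dear carol@example.com,

Please confirm your mailbox settings at http://owa.example.net/settings
"""

# Constructed sample: ordinary mail that should raise nothing.
BENIGN = """\
From: dave@example.com
To: alice@example.com
Subject: Lunch
Content-Type: text/plain

Dear alice@example.com, lunch at noon?
"""

if __name__ == "__main__":
    for hit in triage_all([OUTLOOK_LURE, OWA_LURE, BENIGN]):
        print(hit["subject"], "->", hit["flags"])
```

The salutation check is the cheap one worth copying: it needs no signature and catches exactly the case the diary describes, a message whose greeting names a mailbox other than the one it landed in. Feed it the .eml files your gateway quarantines and the flags give your helpdesk something concrete to point at when users ask what they should do.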

Deb Hale Long Lines, LLC
