All posts tagged Security

There has been much debate recently about the value of email when compared to Instant Messengers and Social Media. I’m not going to reinvigorate that debate here, but the whole passionate brouhaha has got me thinking about what it means to actually have an email address and how important that short string of text has become.

Two words spring immediately to mind when I think about what is actually in an email address; those words describe a process that has quite a profound effect on you as a user of Internet services. Those words are:

“Password reset”

Your email address, whether given to you by your employer, your ISP (remember CompuServe?), or chosen by your own fair hand seeks to identify you. In many cases an email address is your name, or part thereof, and is generally recognizable unless you’ve taken steps to make it less so.

I have an incomplete thought about this identity; we take this identity for granted, we assume that this identity is true, and we generally don’t question the legitimacy of an email address or the identity of the supposed sender. This of course is exploited fantastically well by malicious senders who are attempting to dupe us out of our financial information or login credentials. As a former penetration tester I can tell you that I’ve always had 100% success with email-based attacks sent from addresses that ‘claim’ to be from someone they’re not, especially if the sender demonstrates a little knowledge of the recipient or subject at task.

But, and here’s the paradox; we understand social engineering and phishing very well, yet we still treat an email address as an identity don’t we?

Often this identity is all you need to carry out that password reset; gain control of an email address or account and you have instant access to a mind-boggling array of personal accounts and information. Often the ‘forgotten password’ link simply asks you for your address; sometimes you may be prompted for more information – ‘mother’s maiden name,’ ‘place of birth,’ ‘month of birth’ etc – social media anyone? Some sites even ask you for ludicrous validators like “your preferred internet password.”

I expect that just supplying an email address to a website to request a password reset is a shortcut on that website’s part; they could do more but probably don’t want to overcomplicate things for you. This is a fantastically naive expectation of identity on a simple string of text. I suppose the expectation is that the recipient hasn’t had their email account compromised, but no website I’ve ever used has asked that question.

Culturally an email address now makes up a significant part of your identity; in some cases it is 100% you. I suspect without the casual and formal asynchronous subject-centric communications currently known as email (to coin a phrase of our CTO) you will find you lose a little of your identity, even if you can no longer reset your <insert website of choice here> password.


CISSP, CCSK
Mimecast, North America.


Doug Cavit, the Chief Security Strategist at Microsoft recently did a great video on Cloud Trust at 10,000 feet.

It boiled down to- Can you trust it and how does Microsoft do Cloud Security? Which raises the obvious question: How does Mimecast compare?

Doug is a really interesting guy- he was the CIO of McAfee for 8 years- protecting them from threats – an important job if you consider what happened to RSA. When he joined Microsoft he worked on the OneCare product team as Microsoft started to become more of a service provider in the security space, so he’s definitely one of those people that’s been on both sides of the table.

In the video he’s answering one of the questions we get asked most: How can I trust my data is going to be safe in the Cloud? And it’s a question we take more seriously than anything else.

The fundamental difference in Cloud vs On-Premise is control.

When your data is on your own equipment, you have ultimate visibility and control over the policies and processes that operate on that data, which means you can be the ultimate arbiter as to how it’s treated. With the Cloud, you aren’t. So how do you deal with that?

With Cloud, you need to trade control for transparency.

That’s the only sustainable way to cede control over something so important- your business data, and in our case, your primary communication method, email.

So we take transparency extremely seriously here at Mimecast, to the point where we have a whole team of people dedicated to transparency- helping our customers receive the insight and information they need from us.

What makes a provider transparent and therefore trustworthy?

Policies are the jumping off point- ensuring these meet your requirements as a customer. Policies are fine, but how do you make sure they are followed into procedures? This has consistently been one of the hardest things for Cloud companies to prove because in an emerging sector like Cloud, standards always lag behind the technology. So we’ve had to forge best practices and procedures through collaboration with organisations like the Cloud Security Alliance, which is helping ISO update the Cloud security controls for ISO 27001. But we’re getting there, and hopefully soon we’ll have the most comprehensive ISO 27001 implementation of any Cloud provider to date.

What about reliability?

This is where the rubber meets the road. To take a phrase from the financial services industry- “Past performance is no guarantee of future results” couldn’t be further from the truth- what has the service provider delivered to date? Are they open about it? What’s their SLA to back it up? And we like to put our money where our mouth is too, with an industry leading 100% uptime SLA.

Thinking more broadly about putting your data in the Cloud- one of the most important things to think about is the actual data- how much risk does it represent? It sounds like a ridiculous question, but classifying the data is such an important part of GRC: you don’t need to protect your marketing brochures the same way you protect your trade secrets. Doug has a great quote from the video “I can’t protect something if I don’t know what it is”.

Thinking about the lifecycle of the data and your relationship with the Cloud provider is critically important- I talk about Birth, Marriage and Divorce in my presentations. It’s easy to think about the birth and marriage when going to Cloud, but vital to think about divorce, in case you need to get it out at the end. It’s a tough question for structured data, like accounting or ERP but significantly easier for unstructured data like emails. Our customers can download their data at any time.

One thing he doesn’t mention is data sovereignty… where your data is physically located, which is becoming more and more important because of legislative requirements and judicial concerns, like the Patriot Act. Having your data located in the right jurisdiction is critical.

So like Microsoft we take a two step approach to security.

  1. We reduce vulnerabilities as much as we possibly can in software
  2. And recognising that issues will happen- when they do, the key is how you deal with them. Triage, Identify, Learn and Integrate that learning into processes. We’ve been doing that for 9 years- that’s a lot of experience built into our processes.

To top that off you can always reach a human being at Mimecast. Someone to help you resolve your issues and escalate them appropriately. I love that. When I got locked out of my Google Apps account the other day- it took a few days for them to respond to my email…

Having a deeper understanding of Cloud security will enable you to use the Cloud provider to do what they do well – abstracting your IT department away from the complexity of running the service.

So can you trust the Cloud? I think so. Like Doug says, just know what you’re trying to accomplish and make sure the vendor offers you the right amount of transparency.


Cloud Strategist
Mimecast


Despite seeming like an age ago, InfoSecurity Europe has only just come and gone for another year… Boy this year is going fast!

I took the opportunity at InfoSec to update my take on Generation Gmail- Why are corporate email users flocking to webmail to get their job done?

Before you can answer that question, it’s important to ask why that’s even a relevant question?

  • It is believed around 80% of corporate Intellectual Property (IP) is contained within email- when it goes to personal webmail you lose control of this
  • If 80% of your corporate IP is in email- that means a lot of your trade secrets are in there too.
  • There are Data Protection and Data Sovereignty requirements to comply with, enforced by legal bodies like the ICO, FSA etc.
  • Does Personal email comply with anti-malware requirements?
  • Password Policy?
  • Retention and audit policies to enable e-discovery?
  • Legal requirements- like disclaimers and notices (Company Number, VAT etc)
  • What about Data Leak Prevention?
  • Interception by third parties?

The answer, clearly, is a resounding NO. And why should personal webmail providers comply? It’s personal webmail – not intended for corporate use.

This is creating a complete nightmare for corporate IT- and despite IT making individuals aware that this isn’t allowed and the risks involved: they’re still doing it….

What’s driving this?

Overwhelmingly, the evidence is pointing to the consumerisation of technology. The increasing use of technology in people’s personal lives is making them aware of, and used to, what is possible, and they’re bringing (demanding?) the same technology in their work life. iPhones and iPads are a case in point, though our research shows email is becoming the new battleground.

This represents a massive shift- is this the first time personal or consumer technology is driving the business technology agenda? Our Generation Gmail research suggests so- 65% of people say that home and work technology overlaps.

Yet despite this consumerisation- people keep saying “email is dead”. New data I got yesterday from Nielsen (via Hubspot) shows that time spent using email on mobile phones leads almost any other mobile internet use by nearly 4x, at 38.5%. Social Networking is second at a paltry 10.7%.

Clearly email is not dead- it’s the lifeblood of communication. And with mobile shipments surpassing PC shipments for the first time ever this year it’s going to continue its ascendancy.

What should companies do about it?

It’s a complex answer, dependent on your particular technology situation, location and the regulation you’re subject to. There isn’t a one-size-fits-all answer. Typically we’ve seen that email hasn’t been a priority investment area through the last few years- with a lot of businesses remaining on Exchange 2003 and 2007 as a way to mitigate against the costs of migration. Users now feel like the corporate email doesn’t compare favourably with consumer webmail- which is right, since the technology is nearly a decade old in some cases. That’s why they’re finding innovative ways to work around perceived obstacles and becoming “workaround workers”.

Policies alone aren’t enough to stop them- they have to feel like corporate email is a better alternative to personal email. They have to want to use corporate email.

So what can companies do?

Typically the majority of migration costs aren’t the Exchange piece- it’s the environment that sits around it. Over the years IT has had to bolt on solutions such as Archiving, Security, Disclaimers, Secure delivery, etc. The list goes on. Managing this complexity through a migration adds to risk and complexity which creates cost. I think IT needs to put themselves in a position where they can migrate, when they’re ready, because Exchange 2010 for example, is a big step up from 2003. Night and day different actually, especially if users are on Outlook 2000 or 2003 and make the move to Outlook 2010.

Don’t let users put you on the back foot with personal email- start putting the steps in place today to get migration ready and get them wanting to use corporate email.

Here’s the deck:


Cloud Strategist
Mimecast


Some Definitions

Server (sûr’vər) – noun – A computer that manages centralized data storage or network communications resources. A server provides and organizes access to these resources for other computers linked to it.

Hugger (huh’ger) – noun – A tight clasp with the arms; embrace.

I would therefore suggest that if you’re tightly clasping or embracing, with your arms, a computer that provides and organizes data, network resources or other computers – you’re a server hugger, even just metaphorically.

Why

I had never heard of a Server Hugger before; tree hugger maybe. After checking the authoritative tome on the subject, the Little Book of Hugs (of course), I am none the wiser.

This all came about after a meeting where the topic of discussion was mostly Cloud and Email Management in the Cloud; a quick debrief revealed that one of the ‘opposing team’ was a card-carrying Server Hugger, and staunchly opposed to all things Cloud. So that got me thinking.

There’s no known cure for being a server hugger, but luckily it is yet to be a terminal problem; unless you include Terminal Services. It’s no bad thing if you are a Server Hugger, even if undiagnosed, just think of all the new concepts and technologies you can offer your employees by adding just a teeny little bit of Cloud to your network.

10 Signs you Might be a Server Hugger

These 10 signs might indicate you’re a server hugger.

1. You enjoy large air-conditioned rooms, lit only by strip lights, devoid of all soft furnishing. The rows of metal boxes or racks will appeal to your organized side. The constant hum and fizz of white noise relaxes you.
2. Using a fingerprint or hand biometrics to gain access to rooms still excites you.
3. You can’t walk past messy or disorganized cabling (of any kind) without tutting and shaking your head.
4. When you apply patches to your servers or application you can’t help but think services take longer to start when you watch them.
5. You believe any ‘progress bar,’  especially the blue ones, have built in anxiety detectors. The more anxious you get the slower they go.
6. Blinking green or yellow lights have a calming effect as you look at them, almost hypnotic. Red ones give you that ‘ohno second’ feeling. You would go out of your way to buy things with blue LEDs.
7. You like the feel of cold rackable metal boxes. You touch them often.
8. You’re thinking Cloud is the same as virtualization, something we should take a look at sooner or later, but for now you have users to deal with.
9. You believe there is no security applied to Cloud data, regardless of what the vendor tells you.
10. You have half thought about Aralditing up your users’ USB ports to stop them plugging things in.
11. (One for luck): You worry about all those servers and boxes and applications and green lights and red lights, but secretly you just need a big Cloud hug.

If you or someone you know is affected by this problem or you recognize more than six of the symptoms you should consult us straight away for the only known cure.


CISSP, CCSK
Mimecast, North America.


I’m itching to find out exactly how the attackers who broke into Epsilon did it. Speculation so far is pointing at a well crafted social engineering or phishing attack, specifically a spear-phish. Epsilon are remaining tight lipped about the whole saga, but the press release on their website gives us a small clue.

“…an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system”

Unauthorized entry into the email system eh? So you mean someone either gave their username and password away or the system was cracked. The former being the most likely.

The reason I’m so keen to find out exactly how this happened is because Epsilon use a popular hosted security service for their spam and virus filtering, so if the attack was indeed delivered by email there will be some interesting questions being asked. Probably similar to the navel gazing that is currently going on at EMC and Condé Nast, along the lines of ….”given all our protections how did this happen?” If a spear-phishing attack does turn out to be the cause it will have circumvented classic protections – and that is alarming.

Phishing is not new

Criminals have been after our bank, credit card and financial information for years. Initially their use of the English language is what gave them away, but recently the attackers have been using native English speakers to craft their wares in the hope their motives will be less obvious.

Combine this with the 419 crime and advanced fee fraud that has been floating around since the Internet was invented, even before, and you’ve got a wonderful cocktail of mischievousness waiting to catch you out. I’ve lost count of the number of distant Nigerian relatives lost in plane crashes and even closer relatives who are regularly getting whacked by London buses. For the record my grandmother would never email me from hospital after being hit by a bus. She’s only just getting the hang of her “New” VHS Video player.

The problem

A few weeks ago we wrote about another unfortunate organization that suffered an …ahem… unauthorized entry to their email system. The HBGary incident was overshadowed by a very well executed attack on EMC, specifically a spear-phishing attack. The interesting detail about the drama at EMC is that the first ‘malicious’ email ended up in the users’ Outlook Junk Folders, but was still actioned. The attackers sat back and waited until they had worked their way far enough up the tree, laundering their own actions through the actions of the unsuspecting users. HBGary was slightly different, in that the user’s password was compromised on a 3rd party CMS application, and the user had the same password on their email account. In other words, the attacker got lucky.

I have spent many years carrying out discreet penetration tests for customers, where weaknesses that gave up root access to a box were quite common. If not, you simply walked in the front door and took whichever box you wanted. Today phishing plays a major part in these types of tests, and for good reason – socially engineering end users is unbearably easy. A friend of mine who still carries out penetration tests tells me that a well crafted phishing attack is usually all they need these days; in fact she routinely sees success rates of up to 90%. In one case the email was actually forwarded on so the success rate came in at 110%.

What does this mean for you?

There will be more attacks, more disclosures and more embarrassment – why? Because it’s breathtakingly simple to phish your way into an organization. But don’t let this scare you. Use this knowledge and the recent events to motivate the training of your users.

Importantly, remind them that no matter who they are or what their job function is, everyone is at risk – especially those of you that publish huge amounts of personal data on social networks. If I see you like a particular bar/shop/pizza joint/football team, you can bank on me using that as an angle to get you to do things for me.

After all, who turns down free beer/shoes/pizza/football tickets, especially by email?


CISSP, CCSK
Mimecast, North America.


At Mimecast we discovered a new type of corporate user, the Generation Gmail user; and they are really making a splash. We’ve already written a blog post on who they are and why they exist. The research backing up our discovery can be found here (registration required).

The gist of the story so far is as follows: Our research has identified a new type of user within the corporate network; a user who is happy to use his or her personal accounts outside of the organization to work around restrictive or productivity-sucking policies. We call this user a Generation Gmail user, as they are likely to be under 25, and jump out to Gmail in order to get their work done when their business email account doesn’t deliver the goods.

We seem to have caused a stir as many of you have emailed us to say this is exactly what has been happening within your own organizations; some have told me that they are the prime example of a Generation Gmail user and have gone into great detail when telling me why. Thank you – it’s always great to hear your real life stories.

So we put our brains together, including the huge brain of our top email scientist Dr Nathaniel Borenstein, and came up with ten handy hints to help you keep your users happy, contented and, importantly, working inside your network and the systems you have worked so hard to provide.

Mimecast’s Ten Top Tips

1. Look for clever ways to keep your users ‘on the reservation’ and inside the corporate email environment. The steps below will help, but so will motivating them in the right direction. By clever ways, I mean think of things like the ‘Deals of the Day’ websites that deliver enticements directly to users’ inboxes. Doing this internally isn’t that much of a stretch and would have many other knock-on benefits.

2. Keep your business email up and running. One way or another this is getting cheaper and easier to do. Tolerating downtime is very old fashioned these days, as the technology exists to keep your email up and running at 100%. So why not use it?

3. Educate your users away from the ‘controlling and enforcing’ position. Let them know that the odd personal email isn’t a problem. Of course explain what you mean by “appropriate use” and what’s generally bad, but also explain the benefits of the business system.

4. In the same conversation, don’t just tell your employees not to use external or personal email systems for work. Explain to them the real-world risk, use a few demonstrations or case studies and make this a story that resonates, rather than another plain old policy update.

5. Make mobile access work. Decide on the mobile platforms which will work and then make them work! If you support one type of mobile device, consider what users of the other device will do. If this means providing your users with a common mobile platform, consider this a goodwill gesture to them.

6. Make mobile access really work. Do your users really need a cumbersome VPN solution with pin and token code? Is it realistic to expect them to fire up their laptops and login to the network just to send an email? See number 5.

7. Make your corporate email system better than the personal solutions your users are going to. Give them the tools they need; the technology is out there, you just need to deploy it.

8. Importantly, don’t limit email storage. See number 7. This is something the IT department has had to do in the past because of the limitations built into core email platforms, but those problems are slowly disappearing and the cloud is a great way to offer a bottomless mailbox integrated with your corporate inbox. This includes finding a solution that allows you to eliminate PSTs too.

9. Update your systems. Keep the platforms fresh, review on an annual basis, and make a change. Too many businesses get stuck in the past. Technology moves at such a pace that if you don’t keep up you’re often left, at best, incubating your own workaround-workers, and at worst being uncompetitive in your market.

10. Above all: listen to your users. They vote with their mouse and keyboard. If they argue that their personal system outperforms the work email, find out why. Fix the problem rather than fob them off. See number 9.

From here it is really going to be down to you. I’ll bet that you know you already have a few workaround Generation Gmail workers? That’s nothing to panic about, but does give you a focus for how you develop your email systems in the future.

Good luck!


CISSP, CCSK
Mimecast, North America.


Back in July last year, an analyst report was published that suggested that the use of webmail – or ‘personal’ – email accounts inside businesses presented a potentially huge risk to corporate intellectual property (IP). While CIOs and their IT teams focus their attention on what goes on within the firewall, their Information Workers are using their gmail/Windows Live/Yahoo accounts to send important files.  Just how much important data is stored on public servers?  How out of control is the situation in reality?  Do CIOs have any idea of the scale of the risk?  Why do Information Workers do this?  Surely they know it is bad practice?

So we decided to do our own study to see what we could find out, and the first results of ‘Generation Gmail’ are announced today.

It’s not surprising that our study revealed a direct correlation between age and a propensity to use personal email in a corporate context.  In fact, 85% of Information Workers under the age of 25 admitted they sent work-related emails or documents to or from personal email accounts.  The million dollar question, of course, is ‘why?’.

There’s no question that ‘Generation Gmail’ enters the workplace with a different perspective on technology and its role in work and life in general.  It’s an ‘always-connected’ world, where smart-phones, social media platforms, email, IM and SMS enable a constant flow of communication, both personal and professional.  And this ‘work/life blend’ makes it difficult – perhaps impossible – to quarantine personal communications habits from the behaviours expected of employees when they cross the corporate threshold.

If this was all about age, and culture, forty-somethings like me could just shrug, as I do when my nephew suggests I listen to Dubstep on his iPod.  But it isn’t.  Of the under 25s surveyed, more than half said that if they were not subjected to mailbox limitations by their IT departments, they would be less likely to send work emails from their personal accounts.

So the subtext here, which we will explore further in part 2 next week, is that the risk to corporate data that Generation Gmail is creating is largely down to frustrations with the tools available to them in the workplace, and the feeling that IT policies more or less force them to find other ways of getting their jobs done.  We’ve called them ‘Work-around workers’.

I can’t stop my nephew listening to Dubstep.  And IT departments can’t stop young workers from using social media, or personal email.  In fact, ‘banning’ people from using tools is tantamount to a failure.  But they do need to look at the policies they are imposing, and possibly the tools they are or aren’t deploying to enable larger mailboxes, or larger file sizes … so as to reduce the perceived NEED to send documents outside the firewall.  Watch this space …


Communications Director
Mimecast


Like nearly everyone else on the planet, I’ve been transfixed by the ongoing saga of WikiLeaks’ release of hundreds of thousands of secret diplomatic cables.  Leaving aside all questions of the ethics or criminality of either the leakers or the diplomats whose activities were revealed, it’s a fascinating story about information security — or the lack thereof — with important implications for any organization that feels a need to protect some of its information from prying eyes.

The main lesson is simple:  information security is hard.

If the US State Department and military can screw up this badly, every organization on the planet should take a hard look at their own internal competencies.  And make no mistake about it:  whatever you think of the leakers, they have revealed an appalling lack of sophistication about how information should be protected in the age of the Internet.

I’m not privy to the internals of the affected systems, so my information is based on possibly-flawed news accounts, but the emerging picture is astonishing.  It appears that anyone with the lowest level of security clearance is able to gain access to far more information than he needs for his job. Otherwise, it’s hard to imagine how anyone — even with a much higher clearance — would be able to download so many documents without being noticed.

An important corollary should also be obvious, though hard to enforce:  even the most important users need to take security protocols seriously!

If the Secretary of State is going to authorize an obvious no-no like stealing credit card numbers and other personal information from UN diplomats, she shouldn’t say so in a document with the lowest level of security classification.  All the security mechanisms in the world are to no avail if important people are allowed to ignore them.  This has implications for every CEO in the world:  as important as you are, your information security team should have a veto over certain kinds of actions that you might take.

To paraphrase Lord Acton: in the age of the Internet, absolute power can embarrass absolutely.

But the most important lesson from this sad affair may be the importance of truly independent third parties.

It’s incredibly hard for an IT security specialist to stand up to a CEO or a Secretary of State.  It’s more likely to happen when that specialist is relatively protected, as part of an independent organization whose sole job is to protect and secure information for a client organization.  This is why we have independent auditors and certifiers and consultants, and it’s also why most organizations are better off outsourcing most of their information security tasks.  (Knowing who to trust in such outsourcing is no easy matter, but it’s easier than knowing everything about information security policy internally.)

I’d love to brag about how Mimecast’s customers appear to have better security than the US State Department.  But the revelations about the latter’s information security are so distressing that it’s a shockingly modest claim, and one that I hope most of our competitors can also make.   Nowadays, outsourcing much of your information security to almost any specialist company is likely to yield better results than trying to do it yourself, whether you’re a small law firm, a giant multinational, or the most powerful government in the world.


Chief Scientist
Mimecast


This week the US Senate was exposed to a security report that spoke about a BGP Hijacking event that occurred in April 2010. It is all over the wires that there are claims that China “stole 15% of the Internet” – for 18 minutes – with China unsurprisingly denying these allegations.

While the politicians prattle on about whether or not China is stealing Internet traffic or if this was a genuinely innocent error, I am more interested in the fact that scaremongers talk about how “Experts fear sensitive data, such as the contents of email messages, could have been seen and viruses implanted”.

BGP hijacking is an old problem (the earliest referenced at Wikipedia was in 1997) and has been in use, albeit on a smaller scale, by spammers and malware writers for a long time already. This 2006 paper by Anirudh Ramachandran and Nick Feamster discusses in detail how spammers use BGP hijacking to create short-lived networks that have IP addresses not yet seen by any of the RBL services.

So why is such an old and well known problem still causing so much consternation?

I believe that it is because this is the first time most companies have really understood the potential ramifications of not securing their transmissions. Everybody knows that sending data across public infrastructure is dangerous, and what we’re seeing here is one huge, indiscriminate risk that could expose your organization’s intellectual property quite by chance! It highlights that you don’t actually need to be the target of such an event in order to expose sensitive information; just in the wrong place at the wrong time.

Because of risks like this, encryption standards like TLS (Transport Layer Security) have become much more widely adopted over the past few years and various institutions have imposed encryption requirements on parties with whom they may share sensitive information.  Any encrypted transmissions captured during a BGP hijacking would be useless without a costly and time-consuming cryptographic effort to decrypt it…

All of which makes it doubly important that we make use of the technologies that are available to us. Use your DLP (Data Leak Prevention) system to ensure that nothing leaves your control that shouldn’t, and use encryption standards like TLS to ensure maximum coverage for any data that does have to traverse the public Internet.  And NEVER submit private information to unsecured websites.


Enterprise Consultant
Mimecast


On the 17th of September, Microsoft released Microsoft Security Advisory (2416728) which detailed an information disclosure vulnerability in ASP.NET.

All versions of Microsoft Exchange since 2003 use ASP.NET in a way in which the vulnerability could exist, and the MS Exchange Team told administrators to look out for warnings in the application log that looked similar to:

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 11/11/1111 11:11:11 AM
Event time (UTC): 11/11/1111 11:11:11 AM
Event ID: 1309
Event sequence: 133482
Event occurrence: 44273
Event detail code: 0
Application information:
    Application domain: c1db5830-1-129291000036654651
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\foo\TargetWebApplication\
    Machine name: FOO
Process information:
    Process ID: 3784
    Process name: WebDev.WebServer40.exe
    Account name: foo
Exception information:
    Exception type: CryptographicException
    Exception message: Padding is invalid and cannot be removed.

Even this is not a clear indicator that a system was under attack as it could exist for many legitimate reasons. They simply asked that if you see inexplicable versions of this and increased quantities of it that you investigate a bit deeper.
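As an added illustration (not code from the post, from Mimecast or from Microsoft), the script below sifts exported entries of the shape quoted above and flags a server only when padding errors cluster in a short window, which is the “increased quantities” the Exchange team asked admins to look into rather than the odd isolated error. The sample entries, machine names and timestamps are constructed, and the 5-minute window and threshold of 3 are assumptions to tune to your own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field patterns for an ASP.NET health-monitoring (event code 3005) entry.
# Whitespace is normalised first, so an entry pasted on one line or broken
# across lines as exported from the Application log parses the same way.
FIELD_RE = {
    "code": re.compile(r"Event code: (\d+)"),
    "time_utc": re.compile(
        r"Event time \(UTC\): (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"),
    "machine": re.compile(r"Machine name: (\S+)"),
    "exc_type": re.compile(r"Exception type: (\w+)"),
    "exc_msg": re.compile(r"Exception message: (.+)$"),
}

PADDING_MSG = "Padding is invalid and cannot be removed."


def parse_entry(text):
    """Extract the fields we need from one entry; None if it is not a 3005 event."""
    flat = " ".join(text.split())
    fields = {}
    for name, rx in FIELD_RE.items():
        m = rx.search(flat)
        if not m:
            return None
        fields[name] = m.group(1).strip()
    fields["time_utc"] = datetime.strptime(fields["time_utc"], "%m/%d/%Y %I:%M:%S %p")
    return fields


def is_padding_error(ev):
    """The specific signature the advisory told administrators to watch for."""
    return (ev["code"] == "3005"
            and ev["exc_type"] == "CryptographicException"
            and ev["exc_msg"].startswith("Padding is invalid"))


def find_bursts(entries, window=timedelta(minutes=5), threshold=3):
    """Return {machine: (count, window_start)} for every machine whose padding
    errors reach `threshold` inside any sliding `window`. One such error is
    routine noise (a stale cookie, a broken client); a cluster is worth a look."""
    by_machine = defaultdict(list)
    for text in entries:
        ev = parse_entry(text)
        if ev and is_padding_error(ev):
            by_machine[ev["machine"]].append(ev["time_utc"])
    flagged = {}
    for machine, times in by_machine.items():
        times.sort()
        recent = deque()          # timestamps inside the current window
        best = (0, None)          # densest window seen for this machine
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) > best[0]:
                best = (len(recent), recent[0])
        if best[0] >= threshold:
            flagged[machine] = best
    return flagged


def make_entry(time_utc, machine, exc_type, exc_msg):
    """Build a constructed entry in the flattened shape quoted in the post."""
    return (f"Event code: 3005 Event message: An unhandled exception has occurred. "
            f"Event time: {time_utc} Event time (UTC): {time_utc} Event ID: 1309 "
            f"Event sequence: 133482 Event occurrence: 44273 Event detail code: 0 "
            f"Application information: Application domain: c1db5830-1-129291000036654651 "
            f"Trust level: Full Application Virtual Path: / "
            f"Application Path: C:\\foo\\TargetWebApplication\\ Machine name: {machine} "
            f"Process information: Process ID: 3784 Process name: WebDev.WebServer40.exe "
            f"Account name: foo Exception information: "
            f"Exception type: {exc_type} Exception message: {exc_msg}")


# Constructed sample log (hypothetical server names and times).
SAMPLE_LOG = [
    # One isolated padding error on EXCH01: ordinary noise.
    make_entry("10/01/2010 08:02:11 AM", "EXCH01", "CryptographicException", PADDING_MSG),
    # A different unhandled exception on EXCH01, unrelated to the advisory.
    make_entry("10/01/2010 08:03:40 AM", "EXCH01", "NullReferenceException",
               "Object reference not set to an instance of an object."),
    # Four padding errors within two minutes on EXCH02: the pattern to investigate.
    make_entry("10/01/2010 09:15:02 AM", "EXCH02", "CryptographicException", PADDING_MSG),
    make_entry("10/01/2010 09:15:09 AM", "EXCH02", "CryptographicException", PADDING_MSG),
    make_entry("10/01/2010 09:16:30 AM", "EXCH02", "CryptographicException", PADDING_MSG),
    make_entry("10/01/2010 09:16:58 AM", "EXCH02", "CryptographicException", PADDING_MSG),
    # Not a health-monitoring entry at all; parse_entry skips it.
    "Service started successfully.",
]

if __name__ == "__main__":
    for machine, (count, start) in find_bursts(SAMPLE_LOG).items():
        print(f"{machine}: {count} padding errors from {start:%Y-%m-%d %H:%M:%S} UTC, investigate")
```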

Thankfully today Microsoft announced the release of a security patch that will fix this vulnerability!

The Exchange Team say:

“The Exchange Server team has completed validation of this fix against Microsoft Exchange Server 2010, 2007 and 2003 and we are pleased to report that we have not identified any issues related to the application of this patch on an Exchange Server.

We recommend that Exchange customers consider applying this fix to all of their Exchange Servers which have an affected version of ASP.NET installed on the underlying Operating System in a timely manner to help protect against any attempts to exploit this vulnerability within their environment.”

So if you are a company that applies hotfixes and security patches only after serious testing, you better get on with it as this vulnerability is fixable so you have no excuses if you get exploited through it.

Good one Microsoft. Turning around a vulnerability from announcement on the 17th to repair on the 28th. That is a record 11 days!


Enterprise Consultant
Mimecast