Charla impartida por la empresa Informática 64 en la Gira Up to Secure 2011.

1. Yes, Security is importantChema Alonsochema@informatica64.comhttp://twitter.com/chemaalonsohttp://www.elladodelmal.com

2. Youhavean e-mail MX domain2.com? SMTP Domain1 outgoing e-mail Server SmartHosts List user1@domain1.com POP3 HTTP MAPI IMAP RPC/HTTPS DNS Domain 2 incoming e-mail Servers user2@domain2.com

3. Spam Security Intelligence Report volumen 9 1 in 47 e-mail messagesisnotspam

5. Hidden txt

6. Links pointing to different URLs

8. User Actions: Clean up the inbox Sweeping options Block senders forever Spam & Clutter mails Move/delete messages from senders: One or more senders in a row

9. User Actions:Mark as Spam/Phishing/Secure

10. User Actions:Read, Response and/or delete e-mails If a type of e-mail is always deleted without previously be opened Analyzing sender and subject user is able to know that those e-mails are not useful for they -> SCL++ If a type of e-mail is always opened at first position, that means it´s important -> SCL -- If user search e-mails using a characteristic and then delete them Etcetera…

11. Server ReputationLevel (SRL) Reduces the impact of spamming servers. Identifies server reputation based on the SCL obtained by the previous e-mails which it sent SRL allows to quickly detect a new spamming server or an unsecure e-mail server which is being used to spam.

12. Microsoft SmartScreen Evaluates message characteristics SCL Evaluates user opinions SCL is interactive Evaluates user actions SCL is dynamic and customized Evaluates server reputation SCLs based on which is sending the message Real-Time Black-hole Lists

13. My “own” spams

14. My “own” spams They are coming from our contacts The password has been stolen There is a malware/Trojan/Bot in our contact’s machine Solutions: Antimalware Microsoft Security Essentials 2.0 Improve protection of Windows Live account Use SSL Single-Use Codes Password retrieval Trusted PC Mobile number

15. Steal of credentials

16. Microsoft Security Essentials 2.0 Free for home-users Free for companies of 10 or less installations. Automatic updates Real-Time protection It is the same antimalware engine which is currently in use in corporate solutions as: Forefront Client Protection Forefront Endpoint Protection 2010

17. IE9: DownloadReputation

18. DirtyDozen http://www.bit9.com/company/news-release-details.php?id=175

19. Associated mobile number It allows users to access to Single-Use Codes It allows to quickly obtain a new password

20. Single-Use Codes From a secure connection, users can request for a Single-Use Code. Users can request as much codes as they think they will need. Codes are sent to the mobile number associated to the Windows Live account. Every code can be only used once. If the user connects to Windows Live from an unsecure connection/computer and code is stolen, nothing happens. Single-Use codes are useful after used.

21. Connect to Hotmail using Http-s

22. Windows Live Messenger Chats are not encrypted Microsoft Office Communications Server: encrypt, antimalware, corporate policy, etc… There are a lot of partners with free/professionals add-ins to encrypt Windows Live Messenger messages. Ex: SecwaySimp Lite.

23. Multiple sessions alerts

24. Trusted PC Windows Live allows users to mark a PC as trusted. This gives user the opportunity of: Quickly retrieve the password from it. Protect the account against DOS attacks

25. Identity impersonating «Attackers» spoof the mail from field E-mails are coming from servers which don´t belong to the domain in the sender address. No digitally signed Solutions? Sender Policy Framework / SenderID DKIM: DomainKey Identified Mail Mutual TLS

27. Four operational modes:

28. spf2.0/mfrom

29. spf2.0/mfrom,pra

30. spf2.0/pra,mfrom

31. spf2.0/pra

32. -all -> fail

33. ~all -> Softfail

34. ?all -> Neutral

35. +all -> Pass

36. PRA: Purported Responsible Address

37. From

38. Sender

39. Resent-From

41. Check the IP of the server and the domain in the mail from field

42. It is configured as v=spf1

43. -all -> fail

44. ~all -> Softfail

45. ?all -> Neutral

47. Youhaveane-mail with SPF record MX domain2.com? SMTP Domain1 outgoing e-mail Server user1@domain1.com SmartHosts List POP3 HTTP MAPI IMAP RPC/HTTPS DNS SPF domain1.com? Domain 2 incoming e-mail Servers user2@domain2.com

48. Gmailwith SPF

49. Hotmail.com withSenderID

50. Gmail: Resent email

51. Hotmail: Resent e-mail

52. DKIM & Mutual-TLS DKIM: Pushed by CISCO, Google & Yahoo. Outgoing servers sign e-mails messages with a private key. Public key is in a TXT DNS record. It doesn´t warrant a spoofed e-mail and doesn´t sign the headers. Not so much used on the Internet. Yahoo is using it in test mode and Gmail hasn´t any policy about what to do with a non-signed e-mail from Gmail. Mutual-TLS: Pushed by Microsoft, actually it is working in MS Exchange Servers (and Hotmail). It used a TLS channel between outgoing and incoming servers. Before that, servers authenticate each other using digital certificated. Messages are crypt and communication between servers signed.

53. Summary Keep a system secure needs a constant effort. Threats are changing quickly. Security protections for yesterday risks are not good for today’s ones. Keep a safe and secure e-mail service depends on: Domain owners Server administrators Users owning the inboxes

54. Questions? Chema Alonso chema@informatica64.com http://www.elladodelmal.com http://twitter.com/chemaalonso