Email security

May 11 2009   8:44PM GMT

Real Spam Statistics

Posted by: Ken Harthun
Security, Email security, spam, email

Depending on whose reports you view, spam accounts for from 85 to 95 percent of all emails sent. This may hold true over the Internet at large, but as with any other statistical data, there are local and regional variations. My own inbox is an exception to the general rule; I get far more legitimate emails than spam.

The company I work for provides spam filtering for several SMBs, so I have to hand real data that I can evaluate. Based on last week’s numbers, we processed nearly 100,000 messages in our filters. Of those messages, nearly 70,000–70%–were spam; nearly 30,000–30%–were accepted as legitimate. Our data has its own wild variations: one set is very low with only 18% spam; another set reaches a high of 92% spam.

I’m not a statistician, but it’s easy for me to see how big a problem spam has become. I’m not ready to say email is dead as a business communication medium, but it certainly needs an overhaul.

Apr 30 2009   1:21AM GMT

Swine Flu Breeds Spam

Posted by: Ken Harthun
E-mail scam, Email security, spam, Security, Scam

As usually happens with major disaster events—in this case the impending Swine Flu pandemic—email scammers are busy perpetrating pharmaceutical and other types of scams. In some cases, they’re using celebrity names to grab attention. Spam is hitting inboxes with various subjects. The following list, compiled by McAfee and posted on the McAfee Avert Labs Blog, shows some of the subject lines they’ve seen:

First US swine flu victims!
US swine flu statistics
Salma Hayek caught swine flu!
Swine flu worldwide!
Swine flu in Hollywood!
Swine flu in USA
Madonna caught swine flu!

They also report a 30x increase in the number of domain name registrations mentioning “swine.” It’s a good bet that many of those names will be used by scammers.

I’ve alerted my clients to this latest wave and sent reminders to everyone that should they receive any such emails, they should immediately delete them. That’s good advice to pass along.

Apr 15 2009   12:31AM GMT

Beware U.S. Tax Phishing Scams

Posted by: Ken Harthun
Email security, E-mail scam, Scam, IRS Phishing, Tax scam

It’s tax time in the U.S. and with that generally comes an increase in the number of phishing scams directed at taxpayers. The IRS, whether we like them or not, has an excellent anti-scam/anti-phishing web site. One key thing to remember is that the IRS does not initiate taxpayer communications through e-mail. Here’s an excerpt from their site:

The IRS does not initiate taxpayer communications through e-mail.

* The IRS does not request detailed personal information through e-mail.
* The IRS does not send e-mail requesting your PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.

If you receive an e-mail from someone claiming to be the IRS or directing you to an IRS site,

* Do not reply.
* Do not open any attachments. Attachments may contain malicious code that will infect your computer.
* Do not click on any links…

Additional information is provided by the IRS in a recent press release:

Beware of IRS’ 2009 “Dirty Dozen” Tax Scams

IR-2009-41, April 13, 2009

WASHINGTON — The Internal Revenue Service today issued its 2009 “dirty dozen” list of tax scams, including schemes involving phishing, hiding income offshore and false claims for refunds….

The IRS urges taxpayers to avoid these common schemes:

Phishing

Phishing is a tactic used by Internet-based scam artists to trick unsuspecting victims into revealing personal or financial information. The criminals use the information to steal the victim’s identity, access bank accounts, run up credit card charges or apply for loans in the victim’s name.

Phishing scams often take the form of an e-mail that appears to come from a legitimate source, including the IRS. The IRS never initiates unsolicited e-mail contact with taxpayers about their tax issues. Taxpayers who receive unsolicited e-mails that claim to be from the IRS can forward the message to phishing@irs.gov. Further instructions are available at IRS.gov. To date, taxpayers have forwarded scam e-mails reflecting thousands of confirmed IRS phishing sites. If you believe you have been the target of an identity thief, information is available at IRS.gov.

I highly recommend you visit the IRS site and heed their excellent advice: How to Report and Identify Phishing, E-mail Scams and Bogus IRS Web Sites

Feb 11 2009   10:30PM GMT

Software for Secure Computing: Easy Email & File Security with AxCrypt

Posted by: Ken Harthun
Security, Encryption, Email security, Secure Computing

Most of the email we send and receive from our co-workers, family, and businesses contains little that requires any degree of confidentiality. The same goes for most of the files we have stored on our hard drives and thumb drives. Occasionally, however, we need to pass on or store some information that wouldn’t be prudent for us to send or store in clear text, i.e., unencrypted. To go through all of the effort (and it’s a bit of effort, believe me) to set up secure email or create encrypted partitions or directories on the hard drive is a waste of time for most people. Fortunately, there’s a simple, free solution: AxCrypt.

AxCrypt is open source file encryption software for Windows. It integrates seamlessly with Windows to encrypt, decrypt, store, send and work with individual files. It runs on Windows 2000/2003/XP/Vista and uses AES-128 encryption.

Once installed, AxCrypt is integrated into Windows Explorer’s context menu. You simply right-click files and folders in Windows Explorer, select AxCrypt and then select the action you want from the sub-menu (see screen shot). If you choose Encrypt Copy to .EXE, AxCrypt makes a copy of the document, asks you for a passphrase, and creates a standalone, self-decrypting file that you can safely send across the network or store anywhere you choose.

To use AxCrypt for secure email, simply create a text file that contains all of the sensitive information you want to send, make a self-decrypting EXE file, and send it as an attachment. You’ll have to make contact with the recipient off-line to give them the passphrase, but your information will be secure in transit.

The AxCrypt site has plenty of information on how to use the program, as well as an excellent FAQ and command line reference.

Check it out. It’s a great addition to your secure computing software collection.

Jan 14 2009   2:28AM GMT

Security Resolutions for 2009

Posted by: Ken Harthun
Secure Computing, Email security

We’re nearly two weeks into the New Year and how many of those resolutions we made during the glow of the holiday season (and maybe some martinis) have gone off with the Grim Reaper? We all make them and break them; it wouldn’t be the New Year without making resolutions, after all. Lose weight, quit smoking (or drinking), start exercising, all are fine resolutions, but how about making a couple security resolutions that will help keep you safe on the Wild, Wild, Web? Here’s a list that you can pick from. Choose one, two, or all of them and pledge to yourself that whichever of them you choose, you won’t break them.

• I will never view, open or click on an email attachment unless I know who sent it, why they sent it and what it is.
• I will never click on a link in an email without knowing exactly where it will take me.
• I will never send sensitive personal or financial information to anyone via email.
• I will download and study Recognizing and Avoiding Email Scams provided by US-CERT.
• I will also download and study Avoiding Social Engineering and Phishing Attacks.
• I will install security software on my computers and keep the software up to date.
• I will set up and begin using a backup plan to protect my data.
• I will use only WPA2 encryption on my wireless access point and a strong password.
• I will review all my passwords, change them regularly, and use strong passwords where sensitive information is at stake.
• I will keep up with security issues by reading Security Corner on a regular basis (shameless plug!)

Any one or more of these security resolutions will get you off to a good start in 2009. I recommend you adopt them all.

Happy New Year!New Year Resolutions Graphic

Oct 17 2008   1:26AM GMT

Beware of E-Mail Scam Targeting Microsoft Customers

Posted by: Ken Harthun
Security, spam, email, Email security, Trojan, E-mail scam

The latest e-mail scam targeting Microsoft customers delivers the Backdoor:Win32/Haxdoor trojan as an attachment. The email looks like this:

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.

Anyone reading this can spot the obvious grammar and punctuation mistakes, the first things that should alert them that this is a scam. But, as we know, users blindly click on anything and everything, especially links in official-looking messages.

Please advise your users to immediately delete this message if they receive it, and continue to advise them to NEVER click a link or open an email that they are not sure about. It’s better to err on the side of caution.

By the way, Consumer Reports has an Online Security Guide posted on their website. It’s well worth looking at and certainly good for your non-savvy users as it’s written for, well, consumers.

Jul 27 2008   4:09PM GMT

Nine Steps to System Security - 2008

Posted by: Ken Harthun
Firewalls, Security, Microsoft Windows, Routers, Browsers, Vulnerabilities, NAT, spam, Malware, Email security, Phishing, Anti-virus, Opinion, Rootkit, Anti-malware

It isn’t getting any better on The Wild, Wild Web, despite state and federal government attempts to arrest and prosecute those responsible for electronically-perpetrated criminal acts. Spyware and malware of all kinds are increasingly more stealthy and difficult to remove thanks to rootkit technology. With the advent of Web 2.0 and its emphasis on sharing and collaboration, web-based attacks are more prevalent than ever, especially those that rely on JavaScript and other scripting languages.

CAN-SPAM did little to deter or eliminate spammers, and today the spam problem is even worse thanks to huge botnets run by organized cyber-crime syndicates. Phishing attacks are harder to detect and more frequent. Recently, I spent the better part of two days cleaning up the aftermath of a mass mailer worm infection for one of our clients; their email is still being blocked by some servers. In its September 2005 issue, Consumer Reports said, “One Third Of Net Users Damaged By Malware.” Considering that article is three years old, I’d wager that the number of infected computers has doubled since then.

In my job as a systems engineer for Connective Computing, Inc., I deal with the effects of malware nearly every day. My previous releases of this article, “Seven Steps to System Security - 2004″ , and “Eight Steps to System Security – 2005“, listed the field-proven steps I recommend to everyone I know. It’s been nearly three years since I published the last guide, but those eight steps haven’t changed much; they just need to be brought up to date, and a new step involving disabling scripting in the browser has been added. Computer users still haven’t learned safe surfing practices, however (will they ever?), and must modify their on-line behavior–particularly by applying the first step–for rest of these steps to be truly effective.

Did I mention these things are proven? They are. These are practices have been protecting computer users in homes and businesses for as long as I’ve been using them. This is free advice that’s really worth something:

1. Repeat after me: I will NEVER, EVER click on any pop-up of any kind - NEVER, EVER. Not even on the “X” (it’s usually safe, but why take the chance?). Use the key combination Alt-F4 instead; it safely closes the current window. In the slimy world of sleaze-ware, “No” means yes, “Cancel” means yes, “Close” means yes - ANY click on a button means yes. So many times users ask, “How did I get that? I clicked ‘no’ when it asked me!” Well, sorry, but you clicked, so they got you. NEVER, EVER CLICK!
2. Although Internet Explorer 7.0 has enhanced security and has been detached somewhat from the Windows operating system, it is still too big a target. Crackers are still writing malware that exploits IE security flaws. I recommend you use Firefox or Opera to browse the Web. (Some web sites still require IE, so you’ll be forced to use it for those, but you should minimize its use otherwise.) Whatever browser you use, be sure you configure your preferences to block all unwanted pop-ups or install a pop-up killer like the Google Tool Bar. And while you’re at it, re-read #1!
3. Patch your system. If you’re still running XP, make sure you have at least service pack 2. If you’re a home user, install service pack 3. (I still see systems that are running XP with service pack 1 or 1a, probably because they turned off automatic updates. While some argue against it, I recommend you turn them on.) And be sure to install any recommended security updates and patches for ALL software on your system, - especially Microsoft Office - not just Windows. If you’re running Windows Vista, you benefit from its enhanced security, but you still need to keep ALL of your applications patched. Secunia’s Online Software Inspector is an excellent tool for scanning your system’s applications to discover those that need updates.
4. Besides installing a NAT router (see How to Secure Your Computer: Maxim #2), run a properly-configured, proven software firewall. Don’t rely only on Windows XP’s built-in firewall - it blocks inbound attacks only (see this article) and it has flaws of its own (see this article). It will not stop back-door trojans, adware, spyware, and the like from “phoning home” with your sensitive information. (See this article for more info.) While Vista’s firewall does offer outbound filtering, it isn’t much better (see this article for more information). My favorites are the Comodo Personal Firewall (free), and the Sunbelt Kerio Personal Firewall (full-featured for 30 days, then runs free in limited-feature mode, $19.95/yr for full version).
5. Run a good anti-virus program. Choices abound. I have used AntiVir Personal Edition (free) and Grisoft’s AVG (free). Other good ones are Avast! and Comodo AntiVirus.
6. Run multiple anti-spyware/anti-adware programs and keep them updated. I recommend: a. Spyware Blaster. This free program blocks adware and spyware from installing in the first place and is frequently updated; b. Ad-Aware. Scan weekly, more frequently if you are a heavy surfer; c. Spybot S&D. Run it on the same schedule as Ad-Aware; d. Microsoft’s Windows Defender is an excellent product and is installed by default in Windows Vista. Configure it for real time protection and automatic updates. One of the best commercial anti-spyware applications is Sunbelt Software’s CounterSpy. It is a PC World Best Buy award winner. Comodo BOClean:AntiMalware is also a good one and it’s free.
7. Run a spam blocker to isolate junk e-mail. Most malware and all phishing attempts rely on spam. You want to isolate this stuff and delete it. NEVER, I repeat, NEVER, EVER click on a link in any e-mail you are not absolutely certain is legitimate. And to be as safe as possible, always type in the address of your bank, credit card companies, and any other site that you want to keep secure. (See #1 above and apply that principle to links, too!) One of the best programs is Open Field Software’s ella for Spam Control. It uses wizards to “train” it to your personal specifications. There are free and paid versions that work with Outlook, Outlook Express. My clients swear by it. Another good program is Sunbelt Software’s iHate Spam.
8. On Windows XP, set up a restricted user account and use that for routine tasks. Only log on with administrative privileges when you need to install or configure software. This will prevent rogue programs from affecting your system - they won’t be able to install. You can activate the “run as” feature so you can do administrative tasks while logged in as a restricted user. Microsoft Knowledge Base article Q294676 explains how to activate and use this feature. If you are running Vista, you don’t have to worry about this step: User Access Control (UAC) takes care of it.
9. Finally, disable scripting in your browser. If you use IE (you probably shouldn’t, see Step 2), Tony Bradley gives you an excellent step-by-step procedure to accomplish this. Firefox users have a more elegant solution in the form of an add-on: NoScript. I use it on every PC. Scripts are blocked globally by default, but you can selectively activate them if you trust the site. For example, you can trust the main site’s scripts but keep blocking any advertising or other third party scripts with no ill effects.

While total immunity is impossible - new infections and variations on existing exploits appear daily - these nine steps will help prevent, catch, or clean 98 percent of the junkware out there. As for the other two percent - or if you are already badly infected - you’ll need to hire a geek like me.

Jul 25 2008   1:45AM GMT

Sure-fire Spam Zombie Killer

Posted by: Ken Harthun
Networking, Firewalls, Security, Routers, spam, email, Email security, Exchange

The other day, I got a call from one of my clients who said that their email was bouncing back from people they had always been able to send to. I investigated and found that the error message was to the effect of <hostname.domain #5.5.0 smtp;550 Blocked;Spam/Zombie address listed at spamhaus.org sbl-xbl>.

Well, that was odd, because the client is running a bona fide Exchange server and a check of the server revealed nothing wrong that I could see. Thinking that maybe an employee was infected with a mass-mailer trojan, I blocked all traffic on smtp port 25 from all addresses on the network except the Exchange server.

Running the netstat -an command on my client’s PC revealed 88 connections, all trying to send mail out on port 25, which the firewall was now blocking.

Certainly, you don’t want to get infected by a mass-mailer trojan, but blocking outbound traffic on port 25 from your network is a sure-fire spam zombie killer and will prevent your IP address from getting blacklisted if someone does get infected.Of course, you’ll want to clean up that infection as quickly as possible.

Jul 22 2008   12:26AM GMT

If Spam Has You Irate, Obfuscate!

Posted by: Ken Harthun
Security, Email security, Security maxim, Opinion

Spam email is not only a nuisance, it’s a security risk. Most of the viruses, worms, and trojans floating around these days are transmitted in one form or another via spam. The threat can be attached directly to the email or it can rely on some subterfuge to get a clueless victim to click on a link to a malicious website. No matter the method used, the bottom line is that if the spammer doesn’t have a proper email address, the spam won’t be delivered.

Spammers get email addresses in various ways, but the primary method is to use a web bot to scrape them from web sites. It’s not hard to do; the Web is called that because everything is tied together through various links. All the bot has to do is hop around the Web, collecting any email addresses it finds along the way. What the bot is looking for is text strings that take the form of  xxx at xxx.xxx. It can easily find those and store them in a database, but it can’t tell whether or not that string is a valid address. You can use this to your advantage; if you can prevent Internet criminals from getting your email address, you can stop them cold. How do you do this? Obfuscate! (Definition: make obscure or unclear.)

Bots can’t think; humans can. To you, the string “kengharthunatyahoodotcom” means something; most scraper bots would ignore it. Similarly, “no_spam_kengharthun@yahoo.com” is easily understood by a human; the bot would recognize it as an email address, but it’s not a valid one and any message sent to that address would bounce. This technique is a good way to post your email address in forums, social networking profiles, etc., but what about posting your email address on your home page or web site?

There are plenty of free tools on the Web to obfuscate a valid email address. This email obfuscator converts my Yahoo! email address to a meaningless (to most bots) string of characters (go try it and you’ll see what I mean). When properly entered into the html code of a web page, it looks like this: kengharthun@yahoo.com. Anyone clicking on the link will be able to send an email, but your average bot won’t be able to harvest it. This technique isn’t foolproof; more sophisticated bots may be able to figure it out. But it’s going to make it more difficult for them and you’ll be calmer and more secure as a result.

So, I leave you with Maxim #14 in the How to Secure Your Computer series of articles:

If your email address will be visible to the public, obfuscate it using one of the methods or tools above.

Ken is a Systems Engineer at Connective Computing, Inc. specializing in network and desktop security for small and medium businesses. Ken helps others through his Ask the Geek blog, is a regular contributor to Dave’s Computer Tips newsletter, and is currently working on his first consumer-oriented book on computer security.

May 29 2008   5:14PM GMT

Beware the Internet Criminals’ Latest Trick

Posted by: Ken Harthun
Security, Browsers, spam, Email security, Phishing, Opinion

Some spammers, phishers, and other Internet criminals have resorted to (mis)using the convenient service of tinyurl.com in order to disguise their web site addresses and entice you into clicking. Tinyurl.com takes those weird, long URLs and converts them into something smaller and more manageable. So, instead of a URL that might look like this, http://3468664375@3468664375/o%62s%63ur%65%2e%66t%6D (not a real address), you see one that looks like this: http://tinyurl.com/d99g5. That’s a bit less intimidating and you may be tempted to click on it. Don’t; you’ll be sorry.

Never, ever click on a link in an email unless you know and trust the sender. Never, ever click on a link in a website, blog post, online article, or what-have-you, unless you know the content is safe.