Virtru Email Encryption – Web-based email can be easily encrypted

Since former NSA contractor Edward Snowden began divulging information on how vulnerable our personal digital data is – and how much of it security organizations have been helping themselves to – the average web surfer has begun to think a bit more cynically about cyber security. That newfound suspicion creates a headache and a PR-fiasco for the NSA but opens doors for entrepreneurs in the world of online privacy.

Two such entrepreneurs are brothers Will and John Ackerly. The Ackerlys and their startup venture, Washington D.C.-based Virtru, are two weeks into the launch of a product that lets internet users encrypt any and all of their emails for free. Unlike competitors, the service acts as an add-on to your web browser and does not require the email recipient to have signed up for the service. That feature alone makes Virtru notable.

What sets it apart from many encrypted communication tools is that the encryption technology is integrated directly into Gmail, Yahoo and Outlook.com. They have created a simple system that requires little technical know-how.

There is no shortage of privacy and security products out there but most users, while concerned about the privacy of their personal information, have not taken action because they don’t know where to go.

Here’s how it works:

Download Virtru as a Firefox add-on and a mobile app. On Firefox, each new email contains a small unobtrusive switch on the top right corner of the message window which turns encryption on (yes, it is opt in). Press “send” and Virtru encrypts the contents on your device with standard AES 256, then sends it to the recipient but separates the encryption key from the message. The recipient does not need to have downloaded Virtru to get the key but does need to confirm his or her identity by email address. Virtru holds the key to that decryption process and won’t fork it over without verification. They also have a firewall that makes sure that every keystroke that you type inside the compose window never gets to the server. Normally every single keystroke is recorded and sent to Google servers when using Gmail.

On a smartphone, the user can send out emails via the Virtru mail app, which links to, say, a Gmail app, but only after verifying their identity on the device. Other free services include the ability to control whether your recipient can forward your message and the power to revoke access to the message after a chosen period of time.
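The key-separation model described above (encrypt on the device, keep the key with a service that releases it only to a verified recipient, allow expiry and revocation) can be sketched as follows. This is an added example, not Virtru's code: the KeyServer class, the function names and the choice of AES-256-GCM are assumptions, identity verification is assumed to have happened before release() is called, and the third-party "cryptography" package is required.

```python
import os
import time
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

class KeyServer:
    """Hypothetical key service: stores keys and policies, never message bodies."""
    def __init__(self):
        self._policies = {}

    def store(self, key, recipients, ttl_seconds):
        key_id = os.urandom(16).hex()
        self._policies[key_id] = {"key": key, "recipients": set(recipients),
                                  "expires": time.time() + ttl_seconds,
                                  "revoked": False}
        return key_id

    def revoke(self, key_id):
        self._policies[key_id]["revoked"] = True

    def release(self, key_id, verified_email):
        """Release the key only to a verified, listed recipient while the policy is live."""
        policy = self._policies.get(key_id)
        if policy is None or policy["revoked"] or time.time() > policy["expires"]:
            raise PermissionError("key unavailable")
        if verified_email not in policy["recipients"]:
            raise PermissionError("recipient not authorised")
        return policy["key"]

def encrypt_on_device(server, body, recipients, ttl_seconds=3600):
    """Encrypt locally; only the returned envelope travels through the mail provider."""
    key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)                      # unique per message
    key_id = server.store(key, recipients, ttl_seconds)
    # Binding key_id as associated data makes the envelope fail if it is swapped.
    ciphertext = AESGCM(key).encrypt(nonce, body.encode(), key_id.encode())
    return {"key_id": key_id, "nonce": nonce, "ciphertext": ciphertext}

def decrypt_for(server, envelope, verified_email):
    """Recipient side: fetch the key under the sender's policy, then decrypt."""
    key = server.release(envelope["key_id"], verified_email)
    plaintext = AESGCM(key).decrypt(envelope["nonce"], envelope["ciphertext"],
                                    envelope["key_id"].encode())
    return plaintext.decode()
```

The mail provider only ever holds the envelope; once the sender revokes or the policy expires, the stored ciphertext stays unreadable even though it is still sitting in the recipient's mailbox.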

Email encryption is free (“and it will always be free,” according to the company) but they have formulated a revenue model consisting of soon-to-come paid features like attachment security, domain-level enterprise data management platforms, as well as the licensing of their technology to organizations that want to manage their own security keys.  The fees themselves have yet to be determined but will be announced in the second quarter.

So far Virtru has launched its email privacy product as an add-on to Chrome, Firefox and iOS. In the coming weeks compatibility will spread to Internet Explorer, Safari and Android, as well as plugins for Outlook and Mac Mail.

How to blunt spear phishing attacks

According to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing. In other words, somebody received an email and either clicked on a link or opened a file that they weren’t supposed to.

For example, Chinese hackers successfully broke into computers at The New York Times through spear phishing. So, what are the steps that IT execs can take to protect enterprise networks from spear phishing?

Most spear phishing attacks take one of two tacks – they either appeal to human greed or fear. In other words, either they offer money, coupons, discounts or bargains that are too good to be true, or they announce that your checking account or eBay account has been frozen and you need to re-enter your credentials, or some other scenario in which you are required to enter personal information … or else.

While regular phishing typically involves unsophisticated mass mailings, spear phishes can appear to come from your own IT department, from your own payroll department, from a friend or colleague.

Here are some tips on how to teach employees to avoid getting spear phished.

  1. Read the return URL backwards, from right to left. The URL might start out with “www.bankofamerica” but when it ends with 120 characters of gibberish, you might start to get suspicious. You can also place your cursor over a link in an email and you will see the actual URL it will take you to – DO NOT CLICK ON IT, you just hover over it to see if it matches www.bankofamerica.com.
  2. Don’t fall for what’s being called the “double-barreled phish,” in which you respond to the email with a question, such as “Is this really my buddy Jim?” Phishers are now clever enough to wait a while, in order to show that the response is not automated, and then reply with, “Yes, it’s me, Jim.” Of course, it isn’t Jim.
  3. Never open a PDF from someone you don’t know, since spear phishers are now hiding their malicious zip files inside seemingly innocuous PDFs.
  4. Never give out your password or other personal/sensitive information in response to an unsolicited query.
  5. IT managers should consider training classes targeted specifically at spear phishing.
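Tip 1 can also be applied mechanically by a mail filter or in a training lab. The following is an added example, not part of the original article: it pulls every link out of an HTML message, reads the real destination host right to left, and flags links whose visible text or URL mentions a trusted domain while the actual host is something else. The trusted-domain list, function names and sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the organisation really expects to see in mail.
TRUSTED_DOMAINS = {"bankofamerica.com"}

# Constructed sample message body (reserved .example names and a TEST-NET address).
SAMPLE = """
<p><a href="https://www.bankofamerica.com/login">www.bankofamerica.com</a></p>
<p><a href="http://www.bankofamerica.com.account-verify.example/x9f3">www.bankofamerica.com</a></p>
<p><a href="http://www.bankofamerica.com@203.0.113.7/login">Sign in</a></p>
<p><a href="https://news.example/story">Read more</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Host the browser would actually connect to ('' if unparseable)."""
    if "//" not in url:
        url = "//" + url                 # lets urlsplit handle bare "www.site.com/path"
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return ""

def is_trusted(host):
    """Right-to-left check: host must END in a trusted domain on a label boundary."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def suspicious_links(html_body):
    """Return (visible text, real host) for links that only look trusted."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        shown = host_of(text.split()[0]) if text else ""
        lookalike = any(d in href.lower() for d in TRUSTED_DOMAINS)
        if not is_trusted(real) and (is_trusted(shown) or lookalike):
            findings.append((text, real))
    return findings
```

On the sample, the second link is flagged because the trusted name is only a prefix of a longer host, and the third because everything before the "@" is user information and the real host is the IP address.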

PhishMe is one of several companies that offer a SaaS-based program whereby IT groups can send fake spear phishing emails to employees and then measure the failure rate.

PhishMe customers are often stunned to find failure rates – in other words, the percentage of end users who click on a spear phish and enter a password – in the 80% range.

The way PhishMe works, when an end user falls for a phish, a giant flash card appears on their screen announcing that they’ve been phished and detailing what they did wrong. The company offers pre-built phishing templates and customers can also customize their spear phishing emails.

Customers receive reports on the success of the spear phishing training program down to the individual end user. The company says some companies might take punitive action against an employee who repeatedly clicks on fake phishes, while other companies are using gamification to reward good behavior and to keep people on their toes.

They also noticed that when companies stop the training programs, employees revert to their old behavior, so it makes sense for companies to make anti-spear phishing programs a way of life.

 

Goodbye Hotmail.com Hello Outlook.com

Microsoft is replacing Hotmail, the company it bought over 15 years ago, with Outlook.com. Gone is the racy, suggestive name Hotmail; it is being replaced by the corporate look and feel of Outlook.

By the end of their first day, over 1 million people signed up for the service.

For Hotmail users, here are the most common answers to your questions:

I use Hotmail now. What happens to my email?

The next time you open Hotmail, you may see the new interface.   If you don’t, you can switch by choosing “Upgrade to Outlook.com” from the Options menu in the upper right when you’re at your inbox.

How do I get one of the new Outlook.com addresses?

For a brand new account, go to Outlook.com. (You may need to log out if you’ve already used the new site, then return to Outlook.com.) Start the process by clicking the “Sign up” button on the left. Fill in the form, which includes a field for your new xxxxx@outlook.com address, complete the CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”) and click the “I accept” button at the bottom.

What does it look like?

Very Metro. The user interface (UI) has the same flattened, color-subdued look as a Metro app in Windows 8. By comparison, the traditional Hotmail UI looks like a carnival … busy, garish, loud, cheap.   Obviously, Outlook.com’s UI will mesh well with Windows 8. Depending on your opinion of that UI, however, it may seem jarring on older or non-Microsoft OSes, including Windows 7 and OS X.

Can I keep my old address and still use Outlook.com?

Yes, you can.   You can keep Microsoft-related addresses ending with hotmail.com, msn.com and live.com while switching to the new UI.

I want to ditch my hotmail.com address. How do I do that?

Start at Outlook.com. If you’re not automatically pushed to the new UI, switch by choosing “Upgrade to Outlook” from the Inbox’s Options menu — and select “More mail settings” from the gear icon’s menu. Click on “Rename your email address.”   Enter your existing hotmail.com address — the portion to the left of the @ character — and click Save while “outlook.com” is visible in the drop-down list. If the address is already taken, you’ll see a message to that effect.

Does Outlook.com show me ads?

Yes, it does. Text-based ads, to be specific.

Just how easy is it to become a spammer in 2012? Too easy to be true.

That is especially so at a time when everything needed to become a spammer, from a managed spam appliance and DIY email harvesters to millions of harvested emails, is available for sale within the cybercrime ecosystem. Despite the numerous botnet takedowns we’ve seen in recent years, spam and phishing attacks continue plaguing millions of end and corporate users, potentially exposing them to malicious links, malicious payloads and fraudulent propositions.

In this post, I’ll profile a Russian managed spam service that’s been in operation for 5 years, allowing novice cybercriminals an easy entry into the world of spamming.

What’s particularly interesting about the service is that it’s currently advertised at a dozen cybercrime-friendly underground communities, in an attempt by its owners to increase the client base.

How does the service differentiate itself from the rest of the propositions within the cybercrime ecosystem? By emphasizing key core competencies such as managed QA (quality assurance), ensuring that the message about to get spammed will successfully bypass anti-spam filters. Next to this option, the service also offers graphic designers capable of producing custom layouts on request. Not surprisingly, since the service is built around the concept of anonymity, a customer could easily request the design of spam templates impersonating Google, Facebook, USPS, LinkedIn, U.S Airways, or Verizon Wireless.

Security tip: Since spammers constantly crawl the public Web looking for emails, including micro-blogging services such as Twitter, make sure that you’re not publicly sharing your email address in an easy-to-crawl way if you don’t want it to become part of a spammer’s arsenal.

For customers who don’t have their own databases of harvested emails, the managed spam service will gladly let them take advantage of its already harvested databases of publicly obtainable emails.

Databases of harvested email addresses on a per country/industry/type of email basis are available at the following prices:

  • Moscow region – 3,200,000 harvested emails – Price: 8,000 rubles ($256)
  • Moscow organizations and manufacturers – 800,000 harvested emails – Price: 4,000 rubles ($128)
  • Moscow citizens – 2,450,000 harvested emails – Price: 5,500 rubles ($177)
  • Russian organizations and manufacturers – 3,280,000 – Price: 7,500 rubles ($241)
  • Russian citizens – 10,000,000 harvested emails – Price: 13,000 rubles ($419)
  • St. Petersburg organizations and manufacturers – 270,000 harvested emails – Price: 3,300 rubles ($106)
  • Kiev based companies – 480,000 harvested emails – Price: $150
  • Ukraine based emails – 1,500,000 harvested emails – Price: 5,000 rubles ($161)
  • Austria based emails – 185,000 harvested emails – Price: $100
  • United Kingdom based emails – 130,000 harvested emails – Price: $100
  • Germany based emails – 300,000 harvested emails – Price: $100
  • Italy based emails – 210,000 harvested emails – Price: $100
  • Estonia based emails – 20,000 harvested emails – Price: $100
  • and the list goes on and on….

Among the key differentiation factors used by this vendor of managed spam service is the ability to send spam to fax numbers, with an already obtained database consisting of 98,000 fax numbers. This and the recently exposed capability of managed MMS spam sending indicate the vendor’s ongoing customerization of their business model.

“Nitro” spear-phishers

Symantec has revealed that at least 50 companies, many of them in the defense and chemical industries, have been targeted in a spear-phishing attack aimed at stealing research and development data. The “Nitro” attacks, as Symantec called them, started in late July and lasted through September, according to a Symantec report. But the infrastructure used for command and control and other aspects of the attacks was used in another, earlier wave dating at least back to April, which was focused on human rights groups.

There is no known connection to the phishing attacks on RSA earlier this year. And it remains unclear whether the attacks were made by a single individual or group, though it appears the attack came from China. Analysts traced the attack back to a $32-a-month virtual private server in the US, owned by a “20-something male located in the Hebei region of China,” and found traffic being sent back to the network from 52 different organizations in 20 countries, 12 of them based in the US.

Spear phishing is a form of e-mail based attack that is carefully tailored to individuals at the target organization, usually disguised as a file attachment that appears to be from someone the individual knows. In the Nitro attacks, the attackers used several approaches, but relied largely on two types of phishing: posing as a known business partner and sending what appeared to be meeting invitations, or hitting a larger number of targets with an email “purporting to be a security update,” according to Symantec’s Eric Chien and Gavin O’Gorman. The attacks included executable files that were disguised as text files, or as password-protected archives. In both cases, the file would execute when opened, installing a program called PoisonIvy—a backdoor developed by a “Chinese speaker,” according to the Symantec report.

The backdoor then sent back the IP address of the infected computer, the names of other computers visible in the Windows workgroup the computer was in, and Windows cached password hashes. This allowed the hackers to remotely control the system, possibly even downloading additional tools to attack from within the network, and infect other computers in an attempt to gain administrative credentials and access to servers containing sensitive data.

Email and the Post Office

The acceptance of email as a way to communicate may be one reason the post office has seen its revenue drop. For an interesting video showing how the post office has expanded over time, this link is worth watching. If nothing else, it is a great history lesson about the expansion of the population in this country from 1700 to 1900. Watch the “visualizing US expansion through the post office” video:

http://vimeo.com/derekwatkins/posted

IPv6 and what you need to do to prepare

As you may know, today is IPv6 day – where major technology players like Google, Facebook, Yahoo, YouTube, Cisco and others will take part in a 24-hour test flight of the next generation Internet protocol. This exercise is to gauge how smooth or pain-riddled the transition from IPv4 to IPv6 will be.

IP addresses are unique numbers received by every device that connects to the Internet (or a private network), so that those devices can communicate with other devices on the same network. Websites and email domains (for instance, the @example.com part of an email address) also have associated IP addresses.

This addressing system is known as Internet Protocol and is currently at version 4; hence IPv4. We’ve been using IPv4 addresses since the early 1980s. There was a finite amount of IPv4 addresses available, however, and they have now been exhausted.

IPv4 uses a system of numbers, typically separated by decimal points, that even casual users of the Internet would probably recognize (if you are unsure, check your computer or phone’s network settings for numbers like “192.162.2.235”). IPv4 had about 4.3 billion addresses, which ran out more rapidly once mobile devices with Internet connections became commonplace.

Now all new Internet addresses will use IPv6, a system that has more numbers and characters, and is said to have enough spots for 340 trillion, trillion, trillion unique IP addresses. Equipment that uses IPv6 has been in use since 1999.

Although IPv6 has been available since the ’90s, not many companies, ISPs, or other organizations have implemented it. Most are still on IPv4. That is changing, though, as governments, corporations, ISPs, and MSOs (Multiple System Operators) map out their plans to transition. Of course, the likely scenario is that many networks will run both IPv4 and IPv6 in tandem (called dual-stacking) for a while until IPv6 becomes the standard.

Home users and small business owners should not have too much to worry about: chances are your ISP or the provider hosting your Web site or domain will ensure your transition to IPv6 is fairly seamless—it’s the larger enterprises that have to be more proactive. No matter the size of your business, however, you should contact your ISP or Web-hosting service to find out what their plans are for IPv6.

While there should be no panic about the fact that the world has officially run out of IPv4 addresses, vigilance is a best practice, especially for small business owners. But even home users can take precautions to ensure that their home networks are ready for what is most likely to be a gradual transition.

There are three main areas a small business should focus on in preparing for IPv6: email, web servers and Domain Name Servers (DNS). Many small businesses are using hosted services for all three. If that is the case with your small business, check with your hosting provider to ensure they are IPv6 ready. Many of the larger hosting providers are participating in testing today, so follow up with them to check their results.

For businesses that locally host and manage their email, web servers and DNS:

  • Adding native IPv6 to existing web servers: Configure IPv6 on the Web server itself (Apache, Microsoft’s IIS, and most other modern Web servers have supported IPv6 for several years) as well as on the load balancers. This is the clean and efficient way to do it, but some applications or scripts running on the Web servers may need some code change (notably if they use, manipulate, or store the remote IP address of their clients).
  • Adding IPv6 support to email: The sending and receiving of email over the Internet occurs through Simple Mail Transfer Protocol (SMTP) atop TCP. Most popular Mail Transfer Agents (MTAs) are fully capable of using IPv6. However, some of the support functions now common in these servers are not yet present for IPv6. This includes blacklisting and reputation services notably used for antispam. When more traffic, and hence more spam, moves to IPv6, these tools can be expected to become available. Check with the vendor of any of the security tools you use in conjunction with your email platform about their plans for support.
  • IPv6 information in DNS: Add the IPv6 addresses of all public servers in the DNS database. This is simply done by adding specific Resource Records (RRs) with the IPv6 address (those records are called AAAA). Cisco also advises adding the reverse mapping of IPv6 addresses to Fully Qualified Domain Names (FQDNs). For dual-stack servers, there are two RRs per FQDN: one IPv4 address (type A) and one IPv6 address (type AAAA). For organizations using major DNS server implementations which include ISC BIND, Cisco Network Registrar and Microsoft DNS Server, rest assured, these systems have supported IPv6 for several years.
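To make the DNS and application items above concrete, here is an added example (not from the original article) that generates the A/AAAA and reverse-mapping records for dual-stack servers and shows the kind of code change an application needs when it stores or matches client addresses. Host names and addresses are constructed from the reserved documentation ranges, and the function names are illustrative.

```python
import ipaddress

# Constructed inventory of dual-stack public servers (documentation address ranges).
SERVERS = {
    "www.example.com.":  ["192.0.2.10", "2001:db8:10::80"],
    "mail.example.com.": ["192.0.2.25", "2001:db8:10::25"],
}

def forward_records(servers):
    """One A record per IPv4 address and one AAAA record per IPv6 address."""
    records = []
    for fqdn, addrs in servers.items():
        for addr in map(ipaddress.ip_address, addrs):
            rtype = "A" if addr.version == 4 else "AAAA"
            records.append(f"{fqdn} IN {rtype} {addr.compressed}")
    return records

def reverse_records(servers):
    """PTR records: in-addr.arpa for IPv4, nibble-format ip6.arpa for IPv6."""
    return [f"{ipaddress.ip_address(a).reverse_pointer}. IN PTR {fqdn}"
            for fqdn, addrs in servers.items() for a in addrs]

def normalize_client_ip(raw):
    """Canonical text form of a client address for logs, ACLs and blocklists.

    The same client can show up as '2001:0DB8:...', '[2001:db8::1]:25' or as an
    IPv4-mapped address such as '::ffff:192.0.2.10'; comparing raw strings
    would let such a client slip past an IPv4 blocklist entry.
    """
    raw = raw.strip()
    if raw.startswith("["):                  # "[addr]:port" notation
        raw = raw[1:raw.index("]")]
    raw = raw.split("%", 1)[0]               # drop a zone id such as "%eth0"
    addr = ipaddress.ip_address(raw)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped              # treat as the IPv4 client it really is
    return addr.compressed

def is_blocked(raw, blocklist):
    """Blocklist lookup that works for both address families."""
    return normalize_client_ip(raw) in {normalize_client_ip(b) for b in blocklist}
```

Any column or field that stores these addresses also needs room for the longest IPv6 text form (39 characters without a zone id), not the 15 characters that were enough for IPv4.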

During the next 6 months, we will start the process of instituting IPv6 on all our systems and our client’s systems.