Small Business Office Solutions

10 essential e-mail security measures

An excellent article on a few “best practice” techniques for email. Of course running an anti-virus and not opening unexpected attachments, no matter who they’re from, are definitely first and foremost in your arsenal of staying safe, but here are a few more tips for you:
#1: Never allow an e-mail client to fully render HTML or XHTML e-mails without careful thought. At the absolute most, if you have a mail client such as Microsoft Outlook or Mozilla Thunderbird that can render HTML e-mails, you should configure it to render only simplified HTML rather than rich HTML – or “Original HTML,” as some clients label the option. Even better is to configure it to render only plain text. When rendering HTML, you run the risk of identifying yourself as a valid recipient of spam or getting successfully phished by some malicious security cracker or identity thief. My personal preference is, in fact, to use a mail user agent that is normally incapable of rendering HTML e-mail at all, showing everything as plain text instead.

#2: If the privacy of your data is important to you, use a local POP3 or IMAP client to retrieve e-mail. This means avoiding the use of Web-based e-mail services, such as Gmail, Hotmail, and Yahoo! Mail for e-mail you want to keep private for any reason. Even if your Webmail service provider’s policies seem sufficiently privacy-oriented to you, that doesn’t mean that employees won’t occasionally break the rules. Some providers are accused of selling e-mail addresses to spamming “partners.” Even supposedly security-oriented Webmail services, such as Hushmail, can often be less than diligent in providing security to their users’ e-mail.

#3: Ensure that your e-mail authentication process is encrypted, even if the e-mail itself is not. The reason for this is simple: You do not want some malicious security cracker listening in on your authentication session with the mail server. Someone who does this can then send e-mails as you, receive your e-mail, and generally cause all kinds of problems for you (including spammers). Check with your ISP’s policies to determine whether authentication is encrypted and even how it is encrypted (so you might be able to determine how trivial it is to crack the encryption scheme used).

#4: Digitally sign your e-mails. As long as you observe good security practices with e-mail in general, it is highly unlikely that anyone else will ever have the opportunity to usurp your identity for purposes of e-mail – but it is still a possibility. But if you use an encryption tool, such as PGP or GnuPG, to digitally sign your e-mails, recipients who have your public key will be able to determine that nobody could have sent the e-mail in question without having access to your private key – and you should definitely have a private key that is well protected.

#5: Avoid unsecured networks. If, for some reason, you absolutely positively must access an e-mail account that does not authorize over an encrypted connection, never access that account from a public or otherwise unsecured network. Ever. Under any circumstances.

Be aware of both your virtual and physical surroundings when communicating via e-mail. Be careful. Trust no one that you do not absolutely have to trust, and recognize the dangers and potential consequences of that trust.

Your e-mail security does not just affect you; it affects others, as well, if your e-mail account is compromised. Even if the e-mail account itself is not compromised, your computer may be if you do not take reasonable care with how you deal with e-mails – and that, in turn, can lead to affecting both you and others adversely as well.

Click HERE to read the rest of the article and 5 more good email security tips.
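
As an added illustration of tip #1 (not part of the quoted article), this Python example shows what a plain-text-only view avoids: it displays the text/plain part and lists the remote URLs a rich-HTML renderer would fetch on open, which is how a sender learns the address is live. The sample message, the example.test hosts and the AUTO_FETCH tag list are constructed for the example.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample (not from the article): a multipart/alternative e-mail
# whose HTML part carries a remote 1x1 tracking image.
SAMPLE = """\
From: Offers <news@example.test>
To: you@example.test
Subject: Your invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your invoice is ready. Visit our site to view it.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your invoice is <a href="http://login.example.test/pay">ready</a>.</p>
<img src="http://track.example.test/open.gif?id=you%40example.test" width="1" height="1">
</body></html>
--b1--
"""

# Assumed list of tag/attribute pairs a rich renderer loads without any click.
AUTO_FETCH = {("img", "src"), ("link", "href"), ("iframe", "src"), ("script", "src")}

class RemoteRefs(HTMLParser):
    """Collects URLs that would be requested just by displaying the HTML."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            remote = value and value.lower().startswith(("http://", "https://", "//"))
            if (tag, name) in AUTO_FETCH and remote:
                self.urls.append(value)

def safe_view(raw):
    """Return (plain text to display, remote URLs the HTML part would load)."""
    msg = message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    refs = RemoteRefs()
    if html is not None:
        refs.feed(html.get_content())
    text = plain.get_content().strip() if plain is not None else "[no text/plain part]"
    return text, refs.urls
```

The link inside the `<a>` tag is not listed because it is only requested if the reader clicks it; the image is requested the moment the HTML is rendered.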

Email Scams Abound for Users

I was reading this week about two new exploits that are possibly appearing in an inbox near you. They are both propagating through email, phishing as it is known, and they are both capable of doing some pretty serious damage. In fact, while they are not exactly the same, they do exploit users in similar ways: by duping the user into believing the email has come from a trusted source (one from LinkedIn and one from Microsoft) and executing an attachment included with the email. These tactics are pretty old school; however, their effectiveness is clear: users continue to open these attachments and infect themselves. The payload for both is to open up your computer to attack from the outside and to steal usernames and passwords from your computer.

Unfortunately, people rely far too much on their anti-virus and anti-spyware programs to protect them, blindly opening attachments without a thought to the consequence. As I have told clients time and time again: I would not run my computer without these programs but NOTHING is 100% effective and someone always has to be first in a new (or re-worked) exploit. I don’t want it to be you. End users have to be very careful and responsible with any attachment, from any person or entity, at any time, for any reason. You have to examine the email content; you have to think about the likelihood that the promised information makes sense or was even requested.

For instance, the exploit “from” LinkedIn contained wording in the email that the contact list “you requested” was attached. Somehow I doubt that everyone infected by this email requested a contact list – this is the first clue – if you did not request it, do not open it. The email “from” Microsoft was supposedly a security fix MS was emailing to you. So this one is two-fold easy to spot: 1) MS NEVER, EVER, emails security patches to you. Never. 2) If this exploit was to be believed, it would mean that Microsoft has the email address of every single Microsoft user everywhere. Now I realize people find Microsoft is far too powerful and all knowing, but this is a stretch.

I often hear from people that the reason they opened an attachment is because it came from someone they knew or trusted. Please be aware that this is one of the most common ways to get infected. Someone you know gets some malware and that malware emails itself to everyone in that address book. You always have to be on the lookout – even when it comes from Mom.
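
The two cues described in this post, a trusted brand name on the sender line and an attachment meant to be run, can also be checked mechanically in a mail filter. The following is an added example, not code from the post; the extension list, the brand-to-domain table and the sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions for this example: extensions treated as directly executable on
# Windows, and the domain each brand is expected to send from.
RISKY_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif", ".msi"}
BRAND_DOMAINS = {"linkedin": "linkedin.com", "microsoft": "microsoft.com"}

# Constructed sample: claims to be a vendor security fix; attachment bytes
# are a harmless placeholder string.
SAMPLE = """\
From: "Microsoft Security" <update@mail.example.test>
Subject: Critical security fix attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

The security fix is attached. Please install it today.
--b2
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="KB-update.exe"

cGxhY2Vob2xkZXI=
--b2--
"""

def triage(raw):
    """Return a list of human-readable warnings for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        # Brand named in the display text but mail sent from an unrelated domain.
        from_brand = domain == legit or domain.endswith("." + legit)
        if brand in display.lower() and not from_brand:
            findings.append(f"display name claims {brand} but sender domain is {domain}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in RISKY_EXT:
            findings.append(f"executable attachment: {name}")
    return findings
```

A clean result from a check like this is not a reason to open an attachment: a message from an infected acquaintance arrives from a genuine address, which is why the "did I request this?" question still has to be asked.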
