La seguridad sí importa: Windows Live & IE9

Yes, Security is importantChema Alonsochema@informatica64.comhttp://twitter.com/chemaalonsohttp://www.elladodelmal.com

Youhavean e-mail
MX domain2.com?
SMTP
Domain1 outgoing e-mail Server
SmartHosts
List
user1@domain1.com
POP3
HTTP
MAPI
IMAP
RPC/HTTPS
DNS
Domain 2 incoming
e-mail Servers
user2@domain2.com

Spam
Security
Intelligence
Report volumen 9
1 in 47 e-mail messagesisnotspam

Spam Confidence Level
Identifies which is the probability of an e-mail message of being spam
0 – 3 Not spam -> Inbox folder
4 – 6 Probably Spam -> Junk folder
7 – 9 Is spam -> Delete
A lot of technics based on analyses message’s characteristics
Bayesian Filters
S.T.A.R. (SpammerTricks, Analysis and Response)
Only images
Hidden txt
Links pointing to different URLs
…

It´s not spam for everybody
Some users mark as spam messages from:
Newsletters they have been subscripted without been informed previously
Newsletters they were agree to be added but now they are boring of it, and don´t want to unsubscribe (Mark it as spam is easier)
Words in Bayesian filters can be spam for mostly of the people, but not for everybody

User Actions: Clean up the inbox
Sweeping options
Block senders forever
Spam & Clutter mails
Move/delete messages from senders:
One or more senders in a row

User Actions:Mark as Spam/Phishing/Secure

User Actions:Read, Response and/or delete e-mails
If a type of e-mail is always deleted without previously be opened
Analyzing sender and subject user is able to know that those e-mails are not useful for they -> SCL++
If a type of e-mail is always opened at first position, that means it´s important -> SCL --
If user search e-mails using a characteristic and then delete them
Etcetera…

Server ReputationLevel (SRL)
Reduces the impact of spamming servers.
Identifies server reputation based on the SCL obtained by the previous e-mails which it sent
SRL allows to quickly detect a new spamming server or an unsecure e-mail server which is being used to spam.

Microsoft SmartScreen
Evaluates message characteristics
SCL
Evaluates user opinions
SCL is interactive
Evaluates user actions
SCL is dynamic and customized
Evaluates server reputation
SCLs based on which is sending the message
Real-Time Black-hole Lists

My “own” spams

My “own” spams
They are coming from our contacts
The password has been stolen
There is a malware/Trojan/Bot in our contact’s machine
Solutions:
Antimalware
Microsoft Security Essentials 2.0
Improve protection of Windows Live account
Use SSL
Single-Use Codes
Password retrieval
Trusted PC
Mobile number

Steal of credentials

Microsoft Security Essentials 2.0
Free for home-users
Free for companies of 10 or less installations.
Automatic updates
Real-Time protection
It is the same antimalware engine which is currently in use in corporate solutions as:
Forefront Client Protection
Forefront Endpoint Protection 2010

IE9: DownloadReputation

DirtyDozen
http://www.bit9.com/company/news-release-details.php?id=175

Associated mobile number
It allows users to access to Single-Use Codes
It allows to quickly obtain a new password

Single-Use Codes
From a secure connection, users can request for a Single-Use Code.
Users can request as much codes as they think they will need.
Codes are sent to the mobile number associated to the Windows Live account.
Every code can be only used once.
If the user connects to Windows Live from an unsecure connection/computer and code is stolen, nothing happens.
Single-Use codes are useful after used.

Connect to Hotmail using Http-s

Windows Live Messenger
Chats are not encrypted
Microsoft Office Communications Server: encrypt, antimalware, corporate policy, etc…
There are a lot of partners with free/professionals add-ins to encrypt Windows Live Messenger messages. Ex: SecwaySimp Lite.

Multiple sessions alerts

Trusted PC
Windows Live allows users to mark a PC as trusted. This gives user the opportunity of:
Quickly retrieve the password from it.
Protect the account against DOS attacks

Identity impersonating
«Attackers» spoof the mail from field
E-mails are coming from servers which don´t belong to the domain in the sender address.
No digitally signed
Solutions?
Sender Policy Framework / SenderID
DKIM: DomainKey Identified Mail
Mutual TLS

SPF/Sender ID
Sender ID:
Need a TXT record in the DNS
Four operational modes:
spf2.0/mfrom
spf2.0/mfrom,pra
spf2.0/pra,mfrom
spf2.0/pra
-all -> fail
~all -> Softfail
?all -> Neutral
+all -> Pass
PRA: Purported Responsible Address
From
Sender
Resent-From
Resent-Sender
SPF:
Need a TXT record in the DNS
Check the IP of the server and the domain in the mail from field
It is configured as v=spf1
-all -> fail
~all -> Softfail
?all -> Neutral
+all -> Pass

Some SPF TXT Records

Youhaveane-mail with SPF record
MX domain2.com?
SMTP
Domain1 outgoing e-mail Server
user1@domain1.com
SmartHosts
List
POP3
HTTP
MAPI
IMAP
RPC/HTTPS
DNS
SPF domain1.com?
Domain 2 incoming e-mail Servers
user2@domain2.com

Gmailwith SPF

Hotmail.com withSenderID

Gmail: Resent email

Hotmail: Resent e-mail

DKIM & Mutual-TLS
DKIM: Pushed by CISCO, Google & Yahoo. Outgoing servers sign e-mails messages with a private key. Public key is in a TXT DNS record. It doesn´t warrant a spoofed e-mail and doesn´t sign the headers. Not so much used on the Internet. Yahoo is using it in test mode and Gmail hasn´t any policy about what to do with a non-signed e-mail from Gmail.
Mutual-TLS: Pushed by Microsoft, actually it is working in MS Exchange Servers (and Hotmail). It used a TLS channel between outgoing and incoming servers. Before that, servers authenticate each other using digital certificated. Messages are crypt and communication between servers signed.

Summary
Keep a system secure needs a constant effort.
Threats are changing quickly. Security protections for yesterday risks are not good for today’s ones.
Keep a safe and secure e-mail service depends on:
Domain owners
Server administrators
Users owning the inboxes

Questions?
Chema Alonso
chema@informatica64.com
http://www.elladodelmal.com
http://twitter.com/chemaalonso

http://www.elladodelmal.com	655
http://profeser12.blogspot.com	45
http://profeser12.blogspot.com.es	17
http://www.profeser12.blogspot.com	8
http://blogser11.blogspot.com	7
http://static.slidesharecdn.com	3
http://translate.googleusercontent.com	1
http://www.profeser12.blogspot.com.es	1

La seguridad sí importa: Windows Live & IE9

by Eventos Creativos on Feb 10, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

8 Embeds 737

Statistics

La seguridad sí importa: Windows Live & IE9 — Presentation Transcript