The event was very well attended and GFI were also present in booth #1915 with the theme ‘Fast and Easy Security’ with focus on Email Security and Endpoint Security featuring GFI MailEssentials Complete and GFI VIPRE Antivirus Business.  

The GFI team included a presenter who did 10 minute presentations alternating between GFI MailEssentials Complete and GFI VIPRE Antivirus Business and in typical altruistic GFI manner, T-shirts were given away as prizes while people were entered into our daily drawing to win an Xbox 360 with Kinnect.

The pictures show the daily drawings which definitely drew in the crowds!

62.4% of SMEs do not currently use a mail archiving solution – opening the door to a host of issues including: limited email backup and restore, which could lead to data loss; an inability to search for pertinent messages in the event of an audit or eDiscovery request – which could result in costly compliance violations or legal suits; strain on Exchange servers; and storage problems.

These were the results of an independent survey conducted by Opinion Matters, and commissioned by GFI Software, in which more than 200 U.S.-based IT decision makers participated.

The survey also revealed that greater than 38% of the 202 businesses polled do not have an archiving or backup solution of any kind in place, further exacerbating the chances that a network failure could result in a complete loss of critical data stored in email.

Additional results from the survey:

• Two-thirds (66.8%) of respondents were unfamiliar with U.S. regulatory compliance standards regarding email archiving. This number ballooned to over 90% in businesses that rely on only one IT professional.
• 37% said they are required to search for old or deleted emails on a monthly basis, if not more frequently, because of requests from end users, the need to meet compliance requirements, the need to provide copies of correspondence for a lawsuit or audit, or any other requirements.
• 31% of respondents said they would consider a hosted approach to email archiving.

Implementation of a mail archiving solution can enable several email-related necessities, including maintaining an archive of all corporate email correspondence, meeting the growing number of regulations for compliance, eDiscovery and other legislation, significantly reducing the demands on the Exchange server, and managing and reducing the company’s dependency on PST files.

“Email infrastructure is quickly becoming a complex beast, and IT administrators have more factors to consider than ever before – including an increasing level of compliance standards that many are apparently unaware of,” said Walter Scott, CEO, GFI Software. “As the survey clearly indicates, IT managers are routinely required to search for specific emails, and without the automated search capabilities that a mail archiving solution brings, they can take up valuable IT staff time to locate. Critical data stored in email needs to be easily retrievable and accessible, for both day-to-day business concerns as well as for good compliance. Finally, taking the risk of not backing up or archiving key data stored in email can be a very costly gamble depending on the type of data your business is dealing with.”

GFI Software offers both an on-premise solution and a hosted service for email archiving. GFI MailArchiver 2011 is the latest on-premise email archiving software from GFI and now offers automatic archive management and faster, richer search, which makes it even better positioned to tackle the pain points of ever-growing storage costs and email discovery. The recently introduced GFI MAX MailArchive, a hosted service sold through managed service providers, delivers a compliance and disaster recovery solution that requires no additional software installation and delivers a high level of resilience by providing geographic distribution of the message store.

Being so critical gives rise to the importance of email security and the significance it has in ensuring that malicious content coming through via email messages stay out of the organization. Typically, threats ‘from the outside’ include viruses, trojans, custom malicious executable files and embedded scripts within the body of an email.

It goes without saying that the repercussions of ignoring these threats could result in considerable damage, including data loss, productivity loss and a reduction in network resources due to consumed bandwidth – effectively all contributing to a hit on your bottom line.

The ‘here you have’ worm in September 2010, which spread via email and tried to trick people into visiting a link that hosted a malicious script, caused a brief yet substantial outbreak which was reported to have slowed down networks at organizations such as NASA, Disney and Proctor & Gamble.

Furthermore, Microsoft found that over 90% of the activity related to this worm came from business computers. To reduce the risk of your organization being affected by such an outbreak, you need – at minimum – a solution that offers multi-layered AV scanner protection (the reality is that one AV will react faster than the other in responding to new and emerging threats), attachment scanning (so that you can block certain files by type) and an HTML/script scanning feature that disables embedded scripts or suspiciously crafted HTML code. This, in addition to a respectable anti-spam filter that will remove email threats that are spread within SPAM, should help to keep the bad stuff out…

…but what’s helping to keep the good stuff in? Despite the numerous methods available to help prevent the incoming threat of malicious content via email, the insider threat is one we should take just as seriously.

The vast majority (if memory serves me well it is believed to be something like over 80%) of all security breaches come from the inside. How easy it is for someone in your organization to bring a USB drive into the office and execute a virus that spreads via email to people outside of the company walls? Imagine the embarrassment if your clients find that an email containing a virus that caused them downtime came from you; or the bad press the organization would get if this information was reported on in the media!

Do you have a mechanism in place to stop people from sending out sensitive documents, source code, trade secrets and so on via email? What reasons would people in your organization have for wanting to carry out such acts? Who is most likely to carry out such an act? What processes do you have in place to prevent or mitigate such attacks? These are all questions you need to think about when assessing insider email security threats.

In my opinion, there are a number of reasons why people on the inside might want to carry out such acts. Revenge would probably be at the top of the list; following a termination, redundancy or forced resignation, the employee may seek to ‘get his own back’ by leaking information, distributing a virus, or deleting emails from a shared mailbox they have access to.

Financial gain wouldn’t be far behind in the list of reasons; it involves a competitor engaging the employee to obtain information from the organization that would give the competitor an advantage over other companies (as such, they are essentially assisting the competitor in conducting industrial espionage).

Similarly, if the employee wanted to move to pastures new and start their own business, they would most likely have the intention of getting a head start by using the classified information they gained from their current employer.

In this case, reducing the insider threat requires a solution that implements a content checking module that you could use to check the outbound email for certain keywords or phrases within the email subject, body or attached document, an attachment checking module to block certain file types from leaving the organization’s email server, and a virus checking module that scans outbound emails.

I have spoken to a number of IT managers in the industry who said they turned outbound scanning off “because of the additional load it was adding to my email server” and because “we honestly thought it could never happen to us”, only for one of them to have fallen victim to an insider email security breach following the resignation of a member of staff who attempted to send himself some design documents related to a proprietary piece of software that was being built in-house. This person was only caught because of a routine email check of the email archives after they had left the company.

The bottom line is that it is essential that we do not underestimate the need for an email security solution that can block or quarantine suspicious emails being sent from the inside. Such a solution, along with an effective and well thought out IT security policy and user education offer a good starting level for 360 degree email security.

Below are 10 tips on how one can protect his email address to minimise the risk of getting spammed. Conveying these tips to all the users in your organization could help reduce the volume of spam received.

1. Spammers in most cases need to know your email address before they can spam you so keep your email address to yourself as much as possible and use it only for work purposes.
2. When posting on a forum do not include your email address as part of your signature.
3. Guest books are a prime source for the harvesting of email addresses that spammers use. Some guest books automatically hyperlink your email to your username; avoid posting in such forums and never include your email address in the post itself. Do not use your work email for this kind of personal use. If you do not have an alternative email address consider using free services such as Google mail, Yahoo! mail or Hotmail.
4. When signing up for forums, offers and other public services never use your work email address; if it doesn’t break the terms of use, consider using disposable email addresses. If terms prohibit the use of disposable email, use free email services that include spam filtering.
5. Never click on links in a spam email; in some cases clicking will result in you confirming to the spammer that the email address is valid and the user is likely to click on links thus making you a prime target for more spam and phishing attacks.
6. Always review the privacy terms on sites before registering. You need to know that whoever you’re signing up with will not give away your email address to third parties who might actually end up selling your email address for money.
7. If you use IRC and chatrooms ensure that you’re not displaying your email address publicly (some IRC clients do this by default).
8. If you have a personal website, do not publish your work or personal email on it. Spammers use scanners that harvest such emails as well. Use free email services for this purpose.
9. Do not use the unsubscribe links in spam emails, in some case that will actually confirm the email address is valid to the spammer.
10. Do not open attachments in spam, you could get infected with Trojans that will send your email contacts to a spammer as well as entrap you in a spammer distribution chain i.e. your computer might be the one that the spammer uses to send spam emails.

A researcher who managed to look at the 10,000 or so Hotmail, MSN and Live.com passwords published an analysis of the list and the strength of passwords used.

According to the analysis, one of the simplest passwords around, ‘123456’ appeared 64 times in the list. Undoubtedly, those account users would do well to change it as soon as possible but judging by people’s attitudes towards passwords, I doubt that many of those 64 account holders will choose anything more complex than adding an ‘a’ at the beginning.

Some of the other statistics are quite interesting. Forty-two percent of the passwords only use lowercase letters from ‘a to z’, while only 6% used mixed alpha-numeric and other characters.

The analysis shows that one-fifth of the passwords were only six characters long although the longest had 30 characters. The shortest was 1 character long.

A good number of passwords were formed using first names which is just as secure as having no password at all.

As Emmanuel Carabott explains, it is very important that people not only create strong passwords but they also change them regularly. Furthermore, it is good practice to use different passwords for different accounts so that if one is compromised, your other accounts or memberships will not be affected.

A lot of people are worried that if they use very strong or long passwords, they will forget them and not be able to access their email. While this is a valid point, it is possible to create a strong password that you can and will remember. For example, you can choose a phrase or a combination of words that are of particular significance: I love chocolate. By changing a few characters you can create a strong password:!loveCh0c0late.

Read the following Technet article for guidelines on choosing strong passwords.

There was an email being circulated about an update released by Microsoft for Outlook and Outlook Express. The email shown in Figure 1 looks pretty legitimate, showing a KB number which actually exists and is indeed an update for Microsoft Outlook. It also offers a hyperlink that seems to be pointing to update.microsoft.com which is the domain that one expects to go to for actual Microsoft patches. However despite looking pretty legitimate the email is fake and will instead download malware if the link is clicked.

 Figure 1

While this email looks pretty convincing there are a number of items that show it for what it really is. For starters we have the timing of it. Microsoft release patches on a specific schedule, mainly on the second Tuesday of the month, the so called Patch Tuesday. This email however shows that the publishing date is 24th June. Granted Microsoft do issue updates from time to time outside the  second Tuesday timeline but this happens in very urgent cases only and you can rest assured that you’ll hear about the issue long before you see the patch when that happens.

Another more revealing aspect of this deception is the Delivery vector. Unless one subscribes to updates notification, Microsoft will not know your email address and even if they did, you can rest assured that they will not email you without your permission. I  often see a lot of emails promising that Microsoft will pay 2c  each time an email is forwarded, and other types of emails which suggest that Microsoft is an all knowing, omnipotent entity and while they are indeed a big corporation, they aren’t all knowing (if they were would we have updates in the first place?) It is therefore easy to deduce that they do not in fact know everyone’s email address and so one should be very wary when confronted with an email which pretends to come from Microsoft or anyone else really, unless one has subscribed to such emails.

The third, and perhaps most revealing, clue is the investigation of the link itself. In HTML a link has two parts – the actual link and that which is displayed. In more technical terms a link in HTML (which is the language used to generate said email) looks as follows <a href=actual link”>link displayed</a>.  The actual link pointing to a resource and the text displayed describing said link can differ and the idea behind it was to have a system where people can display a simplified version of a link or even a title instead of the whole complex link. Unfortunately this can also be used to manipulate people into believing that they are actually going to a particular link when in fact they are going to another. 

If we analyze the link in this email we see that this is the case here: <a href=”http://update.microsoft.com.il1ilf.com.mx/microsoftofficeupdate/…”>

http://update.microsoft.com/microsoftofficeupdate/…</a>.

What does this tell us? The malicious person wanted us to believe that the link points to update.microsoft.com when in fact it is pointing to update.microsoft.com.il1ilf.com.mx. Clearly a fake.

Luckily most email systems as well as browsers have long realized this deception vector and so generally if you hover over the link without clicking, the real link will be displayed as a hint or in the task bar like it is shown in Figure 2. 

Figure 2

So what happens if one were to click on the link? The link will download a malicious file of 81kb. The malware in question was submitted to virustotal for analysis and the results are shown here http://www.virustotal.com/analisis/988e317ff5b4698910d80369472ac922752636de136a040a4a6e25fc0fdaa2e8-1245699634

The malware seems to be a Zbot Variant. What does this mean? Zbot is a Trojan and as such it’s mostly used to steal login details and passwords including banking details. It can also offer full control of a system to the perpetrator who can then further compromise your system and possibly gain access to the rest of the network using the compromised system as a stepping stone.

What can be done to reduce the risk posed by these attacks?

First and foremost ensure that your network is protected against viruses and Trojans. This is achieved by having email solutions that detect these malicious emails and blocking them thus preventing them from reaching the users. Next in line would be to educate users by having policies in place about software installation. This should also include patches and updates. Finally it is important that your work stations are protected by using antivirus solutions. This is your last line of defense, because if the email does reach the end user, and s/he clicks on it and tries to install the malware then you certainly want an antivirus solution to detect that and stop it.

As with everything in security, it’s always a decision based on how well you want to secure yourself. The above is what I would personally consider to be the bare minimum. Further steps would include a disaster recovery plan in place that deals with Trojan / virus infections. An effective backup strategy and a centralized storage system for documents and source code would also ensure a higher degree of safety by allowing an infected machine to be reinstalled instead of trying to salvage data and thus increasing exposure. And finally storing images of work stations can have a system up and running quite quickly too.

In conclusion, policies and user education as well as appropriate antivirus protection can help in preventing these type of dangers and as with everything else prevention is better than cure.

Visiting capturedright.com (do not visit this website) one can notice that there is no Viagra, weight loss pills or berries for sale. Only a very simple and small ‘opt-out’ form with the words “Remove me:”

The innocent victims of spam would be tempted to insert their email addresses to ‘opt-out’ of the spamming list. In reality, this is very similar to a phishing attack. The spammer would be harvesting the email addresses. The benefit to the spammer is that there is a very high probability that the email addresses being harvested are valid.

Innocent looking opt-out form at capturedright.com

It is costly to send SPAM and according to recent studies, the profit spammers make is not as big as it was thought in the past. Hence, it is in the interest of the spammer that the mailing list being used is kept clean of invalid email addresses. As soon as a victim places an email address in the ‘opt-out’ form, the email address is confirmed as a valid address to target spam since there was a manual process of inserting the email address in the form.

Confirmation of ‘removal’ of email address. DO NOT TRY THIS!

The intent of this current trend of SPAM is not to sell or promote a product but more to create and harvest better mailing lists for spamming activities in the near future. In addition to anti-spam products, the best weapon in such cases is the education of end users.