Dark Reading: Cloud Email Filtering Bypass Attack Works 80% of the Time

A majority of enterprises that employ cloud-based email spam filtering services are potentially at risk, thanks to a rampant tendency to misconfigure them.

Computer scientists have uncovered a shockingly prevalent misconfiguration in popular enterprise cloud-based email spam filtering services, along with an exploit for taking advantage of it. The findings reveal that organizations are far more open to email-borne cyber threats than they know, and will be presented at a conference in May. My post for Dark Reading explains the situation.

SiliconANGLE: Fixing 25 years of email insecurity

I have been writing about email security for nearly 25 years (or more, depending on how you count things). Back in 1998, when Marshall Rose and I wrote our landmark book “Internet Messaging,” we said that the state of secure Internet email standards and products was “best described as a sucking chest wound.” We had the publisher print a blank page in the book to signify how bad email security was. Well, perhaps we are still the walking wounded, although at least today we have better tools.

Most recently, I wrote a piece for SiliconANGLE entitled “Fixing email security: It’s still a rocky road ahead.” It begins:

The foundational protocols for making email more secure and less of a threat have been in place for almost a decade, yet they remain mostly unused, poorly implemented and largely ineffective. A recent report from Sendlayer shows just how much of a problem that is.

40 Years of Email

Email and my own working life have been closely intertwined. I started using email in 1983 and over the years I have used more than three dozen different systems and sent thousands of messages and probably deleted millions of questionable ones too. So I thought I would put together some important milestones of my own usage, mapped against some significant historical email developments and show you how email has changed from those early days.

For the first 15 or so years, email use in business was a rarity. Few companies had any external connectivity, which meant users had to connect via modems back to the main office. Now we take internet and Wifi for granted.

  • 1983: Started using both MCIMail, one of the first global systems that was available to the public (the Internet was not yet available to the average worker) and a conferencing system called EIES. One job I had back then was to write automated scripts for processing messages between the two at a small software firm.
  • 1984: At an insurance company, I used an IBM mainframe email product called DISOSS for internal communications.
  • 1986: Used 3Com’s 3+Mail for internal communications at PC Week. This was one of the early LAN-based email programs. We thought we were hot stuff because we could hook up our remote offices around the country to it, something now taken for granted.
  • 1987: Wrote my first column for PC Week about hotels, modems, and email. Today the problem still remains; just substitute Wifi and VPNs for the modems.
  • 1988: Managed my first remote team with editors reporting to me from California, Denver, Texas and other places. Email connectivity made this all possible.
  • 1989: Covered the launch of Lotus Notes, one of the first collaborative software tools, and lobbied Ziff Davis, where I worked, to start using it in place of 3+. They eventually did a few years later. Compuserve and MCIMail began offering Internet gateways to their users on an experimental basis.
  • 1990: I started Network Computing magazine, where we routinely used Internet email addresses for our writers in their bylines. We used Network Courier LAN-based email, which was the precursor to Microsoft Exchange and Outlook. This was also my first entry into Internet-based email: we were able to communicate with anyone using a gateway that was maintained by UCLA.
  • 1991: Began to chart ways to send emails between two formerly disparate systems, using various gateways. This was the rise of Soft-Switch, which at its height could connect more than 50 different systems. They were eventually acquired by Lotus. Again, something taken for granted now. Also the year that Phil Zimmermann released PGP for email encryption. To get around US export laws, he soon published its source code as a printed book.
  • 1992: I was one of the first wireless email users of a product called RadioMail, which eventually became the BlackBerry. It worked with a one-pound radio and a one-pound HP palmtop.
  • 1993: Obtained my first Internet domain name, strom.com, for free from Network Solutions by requesting it from them via email. Before then, private businesses couldn’t really become masters of their own domains easily.
  • 1994: Groupware was the big deal back then, and Novell’s Groupwise was one of the best. Too bad that it withered away, along with the rest of Novell. This was also the year that AOL began offering an Internet gateway so its users could communicate with each other. It was far from perfect: for example, the early Mac AOL clients couldn’t read attachments from Internet senders.
  • 1995: Began the first of a series of weekly email newsletters called Web Informant, using a collection of Unix scripts. Still writing them, using a hosted Mailman server from Pair.
  • 1996: Experimented with Intermind’s push technology for notifications instead of sending emails for my newsletter. Didn’t last very long. Push pooped out quickly.
  • 1997: Gave up my laptop and used borrowed computers when traveling. That didn’t last very long either. Did have the very early smartphone from AT&T that used broadband (well, it wasn’t all that broad) cellular data called CDPD, the precursor to what we all use today on our phones. This was the year that Apple acquired NeXT and incorporated its email software into various Apple operating systems.
  • 1998: This was an important year for me and was the year that I co-wrote my email book with Marshall Rose, the inventor of the POP protocols. The book covered the more popular email programs at the time, which included Lotus cc:Mail (extinct), Netscape Messenger (extinct but replaced by Thunderbird, you could say), Eudora Pro (still very much alive with this open source project), Compuserve (not extinct but should be), AOL (ditto), and Microsoft’s Outlook Express (which has gone through various evolutions and still exists with its Office/365 products). Penn Jillette, of Penn and Teller fame and an early email user, wrote the foreword to our book. Out of that research is this Web page that I haven’t touched since then that shows the state of email encryption interoperability. Luckily, it has gotten better, sort of.
  • 2001: Was a regular user of Lotus Notes, which by then had been purchased by IBM, while working back at CMP.
  • 2002: Wrote about Michael Dell’s bandwidth separation anxiety here, probably one of the first of many popular instances of cutting off email.
  • 2004: At the annual VIP economic forum love fest gathering in Davos, Bill Gates proclaimed: “Two years from now, spam will be solved.” Right. Not even close on that one Bill.
  • 2005: Began using Mozilla’s Thunderbird as my regular email client. Here is a story about the trials then.
  • 2006: Switched hosting my various email domains over to Google Apps. For free. Began using Gmail as my regular email client, although it wouldn’t talk IMAP for another year. Also the year that the concept of “email inbox zero” was introduced.
  • 2008: Reminisced about ten years after my email book in my post here. Vint Cerf wrote this then too about ten years of using the Internet.
  • 2009: First of many “email is dead” articles in WSJ and elsewhere analyzed here.
  • 2011: The latest in a series of days without email proposed to make some obscure point.
  • 2017: Better email authentication protocols (DKIM, SPF, DMARC) come into wider use. As I wrote about at the time, becoming master of your email domain is incredibly difficult to implement, still true to this day.
  • 2018: IBM sells off Lotus Notes to an Indian conglomerate. That link will take you to why Notes was so significant in its heyday.
  • 2019-2022: Helm is released, an interesting dedicated email server appliance. It closed its doors at the end of 2022, victim to supply chain issues and IMHO, a bad collection of features.
  • 2022: Google begins charging me for my domain for the first time since I began using their email service.
  • 2023: Yes, I still try to have less than ten messages at the end of each day in my inbox. Encrypted email remains for the most part ignored by the general public, even as phishing continues to rise. Some things never change.

Do you need a disposable email address?

How many times a day are you asked to provide your email address for something that just generates more inbox junk and adds you to some marketer’s list? If you are getting tired of these email come-ons, you need a disposable email address. The idea is simple: instead of providing your “real” email, you create something that will still forward messages, but gives you some control over how these messages appear in your inbox.

Now, you could use the email filtering feature of your mail software to prevent these messages from ever darkening your inbox, but a more elegant way is to make use of one of the “disposable email service providers” (as I call them) to help you out. The way these providers work is that you set up an account on their service, and start using a special alias to flag the origin of the mail.

Before you dive into this product category, realize that there are dozens of semi-shady providers, such as Emailondeck or E4ward.com. These have lots of limitations, such as only offering a single alias with very short forwarding lifetimes (such as an hour, which renders them useless for newsletter subscriptions), or not allowing you to create your own alias, or having paid accounts that only accept BTC. The ideal provider allows you to set up your own alias and keeps the mail flowing as long as the company is in business. Also, some providers don’t protect any replies to the forwarded email, so your real underlying address is then exposed.

Here are three providers you should check out: DuckDuckGo’s @duck.com, 33Mail.com, and Yahoo.com. All three are available for free (and the latter two also offer paid plans) and work reasonably well. My favorite is 33Mail, whose free account I have used avidly for many years, setting up dozens of aliases. The setup process is nothing: you just start using “something@youraccount.33mail.com” and the service takes care of getting the message forwarded to your real email. The forever-free version has unlimited aliases, which is handy because it shows you the alias used at the top of your message, in case you want to send all inbound mail using that alias to the bit bucket. You can sign into the web portal of your account and view the transaction log shown here as well as the status of the various aliases that have been used to forward mail to you, and those emails that you have blocked. The free account does come with bandwidth limits, which I have never come close to reaching. There are several pricing tiers that remove this along with other restrictions and support other customizable settings.

DuckDuckGo takes a somewhat different tack from 33Mail — they do their work inside a browser extension and they support a wide range of them, including Brave, Chrome and Edge. You’ll need that extension to manage the various configuration features. If you are already using DDG as your search engine or for its other privacy-enhanced tools, then it is worth checking this tool out. Here is a list of its features and FAQs. One downside of DDG is that it doesn’t use aliases, which means you have to filter messages on your own.

Finally, there is Yahoo. Remember them? Remember both of their massive data breaches back in the day? Well, it has been years since I used them for anything other than a spam collector, and the free version immediately begins placing ads in the form of a rolling series of messages at the top of your inbox. (You can remove these if you upgrade to a paid plan.) You can set up three aliases (what Yahoo calls “keywords”) on your account, using this menu shown here. It isn’t as convenient as 33Mail, and of course you need a Yahoo email address for this to work.

CSOonline: 9 cloud and on-premises email security suites compared

Email remains the soft underbelly of enterprise security because it is the most tempting target for hackers. They just need one victim to succumb to a phishing lure to enter your network. Phishing (in all its forms) is just one of many attacks that can leverage a poorly protected email infrastructure; others include account takeovers (due to reused passwords), business email compromises, payment fraud, specialized mobile malware, and spam messages that contain hidden malware or poisoned web links. That places a heavy burden on any email security solution.

I have been testing and writing about these products for decades and in this roundup I touch on some of the latest integrations and innovations with nine security suites:

  • Abnormal Security’s Integrated Cloud Email Security
  • Area 1’s Horizon
  • Barracuda Email Protection
  • Cisco Secure Email
  • FireEye Email Security
  • Voltage SecureMail
  • Mimecast Email Security
  • Trustifi
  • Zix Secure Cloud Email Security Suite

As seems to be the usual operating procedure, figuring out the pricing for the numerous configurations can be vexing, with one vendor (FireEye) not providing pricing, and several other vendors declining to participate entirely.

You can read my full roundup for CSOonline here.

Network Solutions blog: Mastering Email Security with DMARC, SPF and DKIM

We all know that phishing and email spam are the biggest opportunity for hackers to enter our networks. If a single user clicks on some malicious email attachment, it can compromise an entire enterprise with ransomware, cryptojacking, data leakages or privilege escalation exploits. Over the years a number of security protocols have been invented to try to reduce these opportunities. This is especially needed today, as more of us are working from home and need all the email protection we can muster. In my latest post for the Network Solutions blog, I discuss the trio of email protective technologies that can be deployed to make your email more secure.
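To show what “poorly implemented” looks like in practice, here is a small grader for the SPF and DMARC records that the trio above relies on, written as an added example for this page rather than taken from the Network Solutions post or any product it mentions. The domains, their TXT records and the lookup_txt stand-in for a DNS query are all constructed so the code runs offline; swap in a real resolver to check your own domain.

```python
"""Grade SPF and DMARC TXT records for enforcement strength (added example)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample records for three hypothetical domains.
TXT_RECORDS: Dict[str, List[str]] = {
    "weak.example": ["v=spf1 include:_spf.mailhost.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "strong.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example"
    ],
    "nodmarc.example": ["v=spf1 +all"],
}

# Mechanisms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
SPF_LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")
DMARC_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def lookup_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT query, answered from the constructed table."""
    return TXT_RECORDS.get(name.lower().rstrip("."), [])


def parse_spf(records: List[str]) -> Tuple[Optional[str], List[str]]:
    """Return the qualifier on the 'all' mechanism ('-', '~', '?', '+') and issues."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return None, ["no SPF record: receivers cannot tell which hosts may send for this domain"]
    issues: List[str] = []
    if len(spf) > 1:
        issues.append("multiple SPF records: RFC 7208 treats this as a permanent error")
    qualifier, lookups = None, 0
    for term in spf[0].split()[1:]:
        q = term[0] if term[0] in "+-~?" else "+"      # default qualifier is '+'
        mech = term.lstrip("+-~?")
        name = mech.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            qualifier = q
        elif name in SPF_LOOKUP_MECHS:
            lookups += 1
    if qualifier is None:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif qualifier == "+":
        issues.append("'+all' authorises every host on the Internet to send as this domain")
    elif qualifier in "~?":
        issues.append(f"'{qualifier}all' is advisory only; move to '-all' once reports "
                      "show no legitimate sender is missing")
    if lookups > 10:
        issues.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return qualifier, issues


def parse_dmarc(records: List[str]) -> Tuple[Optional[str], List[str]]:
    """Return the DMARC p= policy and a list of weaknesses in the record."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return None, ["no DMARC record: SPF/DKIM failures carry no policy and no reports"]
    tags: Dict[str, str] = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    issues: List[str] = []
    if policy == "none":
        issues.append("DMARC p=none: failing mail is only reported, never quarantined or rejected")
    elif policy == "quarantine":
        issues.append("DMARC p=quarantine: spoofed mail lands in spam rather than being rejected")
    elif policy != "reject":
        issues.append(f"DMARC p={policy or '(missing)'}: not a valid policy")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        issues.append(f"DMARC pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not being collected")
    sub = tags.get("sp", policy).lower()
    if DMARC_RANK.get(sub, 0) < DMARC_RANK.get(policy, 0):
        issues.append(f"sp={sub} leaves subdomains weaker than the parent policy p={policy}")
    return policy, issues


def assess_domain(domain: str, resolver=lookup_txt) -> dict:
    """Combine the SPF and DMARC checks for one domain into a single report."""
    spf_all, spf_issues = parse_spf(resolver(domain))
    dmarc_p, dmarc_issues = parse_dmarc(resolver(f"_dmarc.{domain}"))
    return {"domain": domain, "spf_all": spf_all, "dmarc_p": dmarc_p,
            "issues": spf_issues + dmarc_issues}


if __name__ == "__main__":
    for d in TXT_RECORDS:
        if not d.startswith("_dmarc."):
            report = assess_domain(d)
            print(d, "->", "OK" if not report["issues"] else "; ".join(report["issues"]))
```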

FIR B2B podcast #119: Our favorite email newsletter tips

Paul Gillin and I are old hands at email newsletters. Paul had his own for several years and has produced several for his clients. I currently publish two: my own Web Informant, which I have been doing almost weekly since 2003, and Inside Security which is part of a group of newsletters. We share a few tips from our years of experience.

The first is to know your audience and segment them for best results. This post in Marketing Week documents how marketers are segmenting the audiences at a much finer level than they previously did thanks to an explosion in behavioral data from third parties. One bottled water vendor was able to dramatically boost the response rate of its YouTube ads with an email newsletter sliced by 16 different segments. The survey found that behavior and location are the most effective segmentation methods, with the old stalwarts like age and gender being the least effective.

We discuss how to craft your subject line and choose a coherent theme as well as how to pick the optimal length and number of hyperlinks to include. If you do use links, beware of URL shortening services, since many spam filters block them. There’s also the question of whether to make your newsletters text-only or to go the HTML route. If you choose the latter, be sure to test each newsletter with different browsers and different screen depths. Finally, we cover how to choose the right tool for the mailings. We’ve used a variety of them over the years, and each has different strengths and weaknesses. Some of these topics are mentioned in this piece for Marketing360.

We’d love to hear from you about your favorite email newsletters and tips for creating your own. You can listen to our 16 min. podcast here:

Dealing with CEO Phishing Fraud

When we get emails from our CEO or other corporate officers, many of us don’t closely scrutinize their contents. Phishers count on this for their exploits. The messages often come around quitting time, creating a sense of urgency so that we act before thinking through the consequences.

Here is an example of a series of emails between “the boss” (in reality, the phisher) and his subordinate that happened in November 2017. You can see the growing sense of urgency to make a funds transfer happen, which is the phisher’s stock in trade. According to FBI statistics, this type of fraud is now a $12 billion scam. And yes, the money was actually sent to this attacker.

KnowBe4, which sells phishing training services, categorizes the scam into two separate actions:

  1. First is the phishing attempt itself. It is usually called spear phishing, meaning that the attacker has studied the corporate organization chart and targeted specific individuals. The attacker has also examined who has fiduciary responsibility to perform the actual funds transfer, because at the heart of this scam it is all about the money that they can steal from your business.
  2. Next is all about social engineering. The attacker has to appear to be convincing and act like the boss. Often, the targeted employee is tricked into divulging confidential information, such as bank accounts or passwords. Many times they use social media sources to amplify their message and make it seem more legit.

The blog post mentions several different situations that are common with this type of fraud:

  1. Business working with a foreign supplier.
  2. Business receiving or initiating a wire transfer request.
  3. Business contacts receiving fraudulent correspondence.
  4. Executive and attorney impersonations.
  5. Confidential data theft.

A new blog post by Richard DeVere here provides some good suggestions on how to be more vigilant and skeptical with these emails. 

  • Examine the tone and phrasing of the email. One time a very brusque CEO — who was known for this style — supposedly sent a very polite email. The recipient flagged it as a potential phish because of this difference.
  • Have shared authority on money transfers. Two heads are better than one.
  • As Reagan has said, trust but verify. Ask your boss (perhaps by calling directly) if this email really originated from him or her before acting on it. Phone calls and texts can be spoofed from your boss’ number. As the illustration above shows, this is quite common. Take a moment to process what is being asked of you.
  • Report the scammer to the right authorities inside and outside your company.

The bottom line: be wary and take a breath when you get one of these emails.
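The warning signs above (an executive’s display name on an outside address, a Reply-To that points elsewhere, urgency, money movement, secrecy, and timing near quitting time) can be turned into a triage score that a mailbox rule or SOC playbook runs before anyone acts. This is an added example written for this page, not code from KnowBe4 or DeVere’s post; the corporate domain, executive list and three messages are constructed, and the score is a prompt to make the verifying phone call, not a replacement for it.

```python
"""Score inbound mail for CEO-fraud warning signs (added example, constructed data)."""
import email
from datetime import time
from email.utils import parseaddr, parsedate_to_datetime

CORP_DOMAIN = "corp.example"                              # constructed
EXECUTIVES = {"jane doe": "jane.doe@corp.example"}       # constructed: display name -> real address
QUITTING_TIME = time(16, 30)                              # "around quitting time", local to the sender
URGENCY = ("urgent", "asap", "right away", "immediately", "before end of day", "today")
MONEY = ("wire", "transfer", "payment", "invoice", "gift card", "bank account")
SECRECY = ("confidential", "keep this between us", "do not discuss", "don't discuss")

# Three constructed messages: a lookalike-domain impersonation, a spoofed
# From with an external Reply-To, and an ordinary note from the real CEO.
SAMPLE_RAW = [
"""From: Jane Doe <jane.doe@corp-ceo-mail.example>
To: pat.smith@corp.example
Subject: Urgent wire transfer
Date: Thu, 16 Nov 2017 17:05:00 -0500

Pat, I need a wire transfer of $45,000 sent to a new supplier before end of day.
I am in meetings, so just handle it and keep this confidential.
""",
"""From: Jane Doe <jane.doe@corp.example>
Reply-To: jane.doe.ceo@webmail-provider.example
To: pat.smith@corp.example
Subject: Invoice
Date: Thu, 16 Nov 2017 16:45:00 -0500

Can you process this invoice payment today? I'm traveling and hard to reach.
""",
"""From: Jane Doe <jane.doe@corp.example>
To: pat.smith@corp.example
Subject: Q4 planning meeting
Date: Thu, 16 Nov 2017 10:00:00 -0500

Please add the Q4 planning meeting to your calendar for next Tuesday.
""",
]


def analyze(raw: str) -> dict:
    """Parse one RFC 822 message and return a score, the reasons, and a verdict."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    score, reasons = 0, []

    # 1. Executive display name, but the address is not the one on file.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr != known:
        score += 4
        reasons.append(f"display name '{from_name}' is an executive but sender is "
                       f"{from_addr}, not {known}")
    # 2. Replies would be diverted away from the visible From address.
    if reply_to and reply_to.lower() != from_addr:
        score += 2
        reasons.append(f"Reply-To {reply_to} differs from From {from_addr}")
    # 3. The language the post describes: urgency, moving money, secrecy.
    for label, words, weight in (("urgency", URGENCY, 1),
                                 ("money movement", MONEY, 2),
                                 ("secrecy", SECRECY, 2)):
        hits = [w for w in words if w in text]
        if hits:
            score += weight
            reasons.append(f"{label} wording: {', '.join(hits)}")
    # 4. Sent near quitting time, judged in the sender's own timezone offset.
    try:
        sent = parsedate_to_datetime(msg.get("Date", ""))
        if sent.time() >= QUITTING_TIME:
            score += 1
            reasons.append(f"sent at {sent.strftime('%H:%M')}, near quitting time")
    except (TypeError, ValueError):
        pass

    verdict = "verify" if score >= 5 else "review" if score >= 3 else "ok"
    return {"score": score, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for raw in SAMPLE_RAW:
        result = analyze(raw)
        print(result["verdict"], result["score"], result["reasons"])
```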

Helm Email Server: secure and stylish, but has issues

I had an opportunity to test drive the Helm personal email server over the past couple of months. I give them an A for effort, and a C+ for execution. It is a smallish pyramid that can be used to self-host your own email domain.

It has some great ideas and tries hard to be a secure email server that is easy to set up. And its packaging and reviewer’s guide is a design delight, as you can see from the photo below. But it has a few major drawbacks, especially for users that want to do more than protect their email correspondence.

If you want to read a more thorough test, check out Lee Hutchinson’s Ars review here. While I didn’t test it as thoroughly or write about it as much as he did, I did try it out in two different modes: first, as a server on a test account that Helm reserved for me. Then I reset the unit and tried it to serve up email on one of my existing domains. I will get to an issue with that latter configuration in a moment.

My biggest issue is its lack of support for webmail clients. I understand why this was done, but I still don’t like it. I have been using webmail exclusively for my desktop and laptop email usage for more than 10 years, and only use the iPhone Mail app when I am on the phone. Certainly, that leaves me open for exposure, man-in-the-middle, etc. But I am not sure I am willing to give up that flexibility for better security, which is really at the center of the debate.

Brian Krebs blogged that users can pick two of security, privacy and convenience, but only two. That is the rub.

If you are concerned about privacy first and foremost, you are likely to want to use encryption on all of your emails. That is probably for very few folks. Even with zero-trust encryption, this isn’t easy. Helm doesn’t support any encryption such as PGP, so this audience is off the table.

If you are concerned with convenience, you are probably going to stick with webmailers for the time being. So this audience is off the table too.

If you are concerned with security first, maybe you will consider Helm. But it is a big maybe. If you already use a corporate email server and your company has hundreds of mailboxes, I don’t think any IT manager is going to want to have a tiny box like Helm at the center of their email infrastructure. And if you are an SMB that has < 100 mailboxes, perhaps you might move from GSuite or O365, but it will take some work. Certainly, the pricing tipping point is around a dozen mailboxes, depending on the various options that you choose for these SaaS emailers.

Hutchinson’s piece in Ars says, “Helm aims to give you the best of both worlds—the assurance of having a device filled with sensitive information physically under your control, but with almost all of the heavy sysadmin lifting done for you. If you’re looking to kick Google or Microsoft to the curb and claw back control of your email, this is in my opinion the best and easiest way to do it.” I would agree with him.

However, the issue for this last group isn’t the email, but the other things that depend on email that they already use seamlessly: calendars, contacts, and email notifications. Setting up calendars and contacts will take some careful study before you actually configure them. This is because you have to read and understand the web-based support portal pages so that you know what the steps are before you do the configuration. I ended up creating several device profiles before I got all this together, because I couldn’t access the existing details to set up the servers etc. (I understand why you are doing this, but still, calling them “device profiles” is confusing.) And then I still had issues with getting things set up for my calendar and contacts. The pretty reviewer’s guide really falls down in this area.

One plus for the security audience is that it supports DMARC/SPF/DKIM with no extra effort. (See the screenshot below.) They don’t make a big deal of this, other than a brief nod to it in the support pages here. My report from mail-tester can be found here, showing that this was implemented correctly.

Another sticking point for me is the use of the smartphone app for configuration and reporting. I have had problems with other consumer-grade products that do this – such as most smart home devices, the Bitdefender Box (I did an early review of this for Tom’s Hardware but haven’t looked at it for a while since then), and some SMB router/firewalls. The problem is that your screen real estate is very limited, forcing you to make some bad UI tradeoffs. For example, a notification alert comes up on my phone during certain times.

One issue that Hutchinson also had is that if you use Helm to serve up your own domain, it needs to take control over your domain’s DNS settings. You can use its smartphone app to add your own custom DNS records, but it isn’t as flexible as say the average ISP DNS web-based management screens. Speaking of DNS, Helm doesn’t support DNSSEC because of the way it moves your email traffic through its AWS infrastructure.

Finally, the backup process didn’t work for my pre-configured unit and I never got a successful backup, even after initiating several of them. It worked fine for my hosted domain. There is no phone message notification of either success or failure: you have to check the app, which also seems like a major omission.

If you aren’t happy with the security implications of Microsoft/Googleplex owning your messages and are a small business that doesn’t use much webmail, then Helm should be a great solution. It costs $500 initially, with $100 annually for a support contract.


The end of IBM/Lotus Notes

Last week, IBM sold off its Domino/Notes software business unit to HCL. While you probably haven’t heard of them, they are a billion dollar Indian tech conglomerate. Sadly, this represents the end of one era for Notes. It certainly has had a long and significant life span.


“Notes’ longevity is amazing,” says David DeJean, who co-wrote one of the first books about it back in 1991. “What other corporate software product has had that kind of run? Notes’ success started with its chameleon-like ability to go into a company and work the way the company worked. It let companies computerize their operations at their own pace. Other software packages have been the software of “No” where Notes was almost always the software of ‘Sure.’”

I was present at its conception in the late 1980s, when Ray Ozzie had the idea for what was then an unknown software category that was labeled at the time as groupware. It was the first time that a PC software program could be used to connect multiple computers in a meaningful way, and be used to create applications that leveraged the group. DeJean recalled that these apps were at the heart of what made Notes work: “During a crucial moment in the computerization of the enterprise in the 1990s, Notes applications proliferated like rabbits. It was very easy for companies to get into Notes, and very hard to get out.”

When Notes came out, I was working as an editor at PC Week. My colleague Sam Whitmore told me that “it took us a while to get our brains around the idea of its replication feature. Most of us found it redundant to email.” That was its biggest challenge, and well into its middle age Notes’ biggest competitor continued to be ordinary email. Many of my press colleagues carried a long-standing hatred for it. Nevertheless, Whitmore also recalls that “Lotus appreciated how technical we were, that we understood what Ray Ozzie was bringing to the world. Perhaps because of this, Lotus offered PC Week a lot of money to produce a special report on Notes.”

I had first-hand experience using Notes when I worked at CMP in the early 2000’s when I was an editor at VAR Business and also at EETimes. The CMP IT department had written quite a few Notes applications for various editorial and sales tracking purposes, again showing how extensible it could be.

This is something that many of its critics didn’t really understand, both then and now. One of its earliest customers was Price Waterhouse, now PwC. Sheldon Laube was running the IT operation there and made the decision to purchase 10,000 copies of Notes back in 1990. He told me that this “started a transformation at the firm. Notes was truly the first personal computer software product that changed the nature of how people used PCs. Until Notes came along, PCs were personal productivity tools, with the majority of uses being spreadsheets, word processing and presentations. Notes created a social use for personal computers and enabled teams of people, spread across geographies, to communicate, collaborate and share information in a way which was not possible previously. It was the tool that moved PCs and networks onto every desk in every office of PW around the world.”

This is an important point, and one that I didn’t think much about until I started corresponding recently with Laube. If you credit Notes as being the first social software tool, it actually predates Facebook by more than a decade. Even MySpace, which was the largest social network for a few years (and had more traffic than Google too), was created in the early 2000s.

Notes was also ahead of its time in another area. “Notes was a precursor to both the web and social media,” says Laube. “It was all about easily publishing and sharing information in a managed way suited to business use. It is the ease of management and the ability to control information access within Notes securely which allowed its rapid adoption by business.” Laube reminded me that back then, information security was barely recognized as necessary by IT departments.

This isn’t completely an accurate picture, mainly because Notes was focused on the enterprise, not the consumer. Notes “mixed email with databases with insanely secure data replication and custom apps,” said David Gewirtz in his column this week for ZDNet. He was an early advocate of Notes and wrote numerous books and edited many newsletters about its enterprise use. “It was enterprise software before enterprise software was cool.” He wrote about how Notes had elements of Salesforce, Dropbox, Atlassian, Zendesk and ServiceNow — years before any of these products were even invented. Another aspect of Notes that doesn’t get much attention is its integrated group calendars and contacts. Now we take these elements for granted — until they don’t work — and expect them in many communications tools. Back in the early 1990s, this was a rare feature. Scott Mace, who runs the site CalendarSwamp, remembers complaining about how hard shared calendars were back in the late 1990s, and how Notes was an early standout then.

Notes has gone through many transitions in its long life: After IBM acquired it, Big Blue extended the software to Domino, which combined Notes with web services and eventually was used to provide a managed hosting solution as well. Ozzie told me that Notes was in essence an amazingly powerful applications server with captive clients. This differed from the web model, where web clients were free and Netscape and others made money from selling their own application servers. IBM added the web server because they had to: Ozzie said if they hadn’t, Notes would have died quickly in the web era. Instead, it still flourishes.

Another thing that doesn’t get much attention is that IBM believed so much in Notes that it made it its corporate communications standard for many years. One of their reasons — and a major motivation for many other customers — is that Notes offered an end-to-end encrypted email system, something that wasn’t common at the time.

Even so, IBM was a poor fit for Notes because it was too slow to innovate. While having a web front-end solved one big problem for Notes (its very thick client software), it wasn’t enough to compete against the world of open source and the rich software development of the web. As the web took over the software world, Notes became more of an anachronism, and more nimble solutions (including one product called Nimble, btw) became more attractive to corporate software developers. Ozzie said, “Shame on IBM for losing the corporate email market” to Microsoft and then Google. He reminded me that back then, we had different email systems that couldn’t connect with each other, even within the same office.

Betsy Kosheff, who did PR for Lotus back when it was sold to IBM, told me, “IBM had no business doing software innovation. That point was very obvious right from the acquisition. It’s not their fault – IBM is just not designed that way. I imagine their India-based buyer will be looking for more operational efficiencies. They’re probably not looking for the next big idea, which is what was so much fun about Notes and being part of that product in the early days. I’m not saying you can’t possibly create an entrepreneurial division with exciting innovations from within a larger company. I’m just saying they didn’t do it at IBM and probably not at any other billion dollar IT company.”

Ozzie reminded me that when Lotus was sold to IBM, they were in a head-to-head battle with Exchange. Microsoft had the edge because they owned the operating system and had majority share with office applications. IBM could offer a broader software portfolio that could attract customers.

Was Notes too early for its time? Ozzie says no: “I am just pleased that things have continued to evolve in collaboration tools. There are still things related to human interaction, such as distributed trust and managing overload, that we first learned in Notes that have yet to be embraced by anything in the enterprise social world.”