[Owasp-alabama] [Bham_InfraGard] Email Research posted today

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Mon Oct 26 11:44:42 EDT 2009


Yes..

SPF was in place on a couple targets, and linkedin.com uses SPF.  As you
know, it won't work unless both parties use SPF and it's configured
correctly.

Something to keep in mind-  with client side exploiting the targeted user
does not have to submit any credentials.  All they have to do is enable HTML
preview or visit the phishing site and there is a great chance of being
compromised, much like malicious adware etc.  In most cases, the attacker will
know the OS/Browser that is common inside a targeted organization because
this is passed in the User-Agent each time they visit a website.

So all of this greatly increases the chance of a successful exploit being
delivered. 

The point I want to make is this-

If a remote attacker is targeting an organization, they have 3 main areas
of attack:
1) Network
2) Applications
3) Users  (email, phone, snail mail)

Right now, most companies have DMZ/ACL's/IPS to protect the network.
Applications are also being protected, as most every company performs
application security assessments, and works to implement secure code and
deploy WAFs to stop the attacks.

So when we look at network/application protection, it is quite easy to
identify and respond to attacks in most cases. If you look at targeted
phishing attacks (since they can spoof From:), email security is not
alerting, stopping, or protecting users against these attacks.  So admins
are not getting alarms or alerts to know if you're being targeted. The only
hope is that an educated user will pick up on the attack and report it.

Plus it takes a lower skill level (HTML, scripting) to send an email based
attack.

So think like a bad guy for a minute.. why would you want to go after the
network/application layers if there is a good chance of being caught or
triggering alarms? Why not go after users directly? After all, they are
holding access to all the protected data and email security is not going to
identify your attacks from a technology perspective. 

JP
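As an added illustration of the point made above (that SPF only helps when the sender's domain publishes a record and the receiving MTA both checks and honors it), here is a minimal SPF evaluator in Python. This is example code, not from anyone in this thread; the DNS table, domains, addresses and function names are constructed for the demonstration.

```python
"""Minimal SPF evaluator over a constructed DNS table (hypothetical example)."""
import ipaddress

# Constructed TXT records standing in for DNS lookups (not real records).
DNS_TXT = {
    "bank.example": "v=spf1 ip4:203.0.113.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example": None,  # domain that publishes no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return the SPF result for sender_ip using the envelope MAIL FROM domain.

    Note: SPF is evaluated on the envelope sender (MAIL FROM / HELO), not on
    the header From: a user sees, so a domain without a record yields 'none'.
    """
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"       # nothing published: receiver cannot reject on SPF
    if depth > 10:
        return "permerror"  # RFC limit on nested lookups
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # mismatched IP versions never match (ipaddress handles that)
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qual]
        elif name == "all":
            return QUALIFIERS[qual]
    return "neutral"


def receiver_verdict(result, enforce=True):
    """Simulate a receiving MTA: a 'fail' only matters if SPF is honored."""
    if not enforce:
        return "accept"     # receiver ignores SPF, spoofed mail gets through
    return {"fail": "reject", "softfail": "junk"}.get(result, "accept")
```

Running the two checks side by side shows both halves of the "both parties" requirement: `check_spf("nospf.example", ...)` is "none" no matter what the receiver does, and `receiver_verdict("fail", enforce=False)` still accepts.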





-----Original Message-----
From: birmingham_chapter-bounces at listserv.infragard.org
[mailto:birmingham_chapter-bounces at listserv.infragard.org] On Behalf Of
David.R.Wharton at regions.com
Sent: Monday, October 26, 2009 10:22 AM
To: Joshua Perrymon
Cc: birmingham_chapter at infragard.org; owasp-alabama at lists.owasp.org;
birmingham_chapter-bounces at listserv.infragard.org
Subject: Re: [Bham_InfraGard] Email Research posted today

If the "latest/greatest" email protection was implemented, did this 
include SPF/DKIM?  Of course, in order for that to be effective, the 
receiving MTA must support and honor it but a lot of them do.  I would 
certainly consider SPF/DKIM to be part of the "latest and greatest" email 
spoofing and SPAM countermeasures.

Also, you may want to look in to publishing a SPF record for 
packetfocus.com.

-David Wharton




Joshua Perrymon <josh at packetfocus.com> 
Sent by: birmingham_chapter-bounces at listserv.infragard.org
10/26/2009 10:07 AM
Please respond to
josh at packetfocus.com


To
David.R.Wharton at regions.com, 'Chad Holmes' <cholmes24 at gmail.com>
cc
birmingham_chapter at infragard.org, owasp-alabama at lists.owasp.org, 
birmingham_chapter-bounces at listserv.infragard.org
Subject
Re: [Bham_InfraGard] Email Research posted today






It's not the 80's anymore. :)

Companies tested had the latest/greatest email protection available from
vendors. So what are companies supposed to do??  Just say that it is too
hard to stop it using technology?
We all know how bad user security awareness really is..

I do this on a daily basis for our clients, so I see how devastating this
type of attack is.  I agree that it is an issue with SMTP, but if users are
targeted, and technology can't stop it or at least move certain emails into
a "Junk/Phishing" folder then there is a big issue. If it looks half way
legit, they are going to click on it and attackers are going to get their
credentials or exploit their browser.

JP

-----Original Message-----
From: David.R.Wharton at regions.com [mailto:David.R.Wharton at regions.com] 
Sent: Monday, October 26, 2009 9:53 AM
To: Chad Holmes
Cc: birmingham_chapter at infragard.org;
birmingham_chapter-bounces at listserv.infragard.org; josh at packetfocus.com;
owasp-alabama at lists.owasp.org
Subject: Re: [Bham_InfraGard] Email Research posted today

So email can be spoofed and the "From:" domain doesn't have to match up 
with the MTA domain.  Welcome to the 1980's.  This isn't a vendor issue, 
it is how the protocol works.  Personally, I prefer it this way so I can 
have my own domain-specific email addresses but relay mail thru my ISP.

-David Wharton

P.S. Apparently UDP packets can be spoofed too.  Who knew? ;)




Chad Holmes <cholmes24 at gmail.com> 
Sent by: birmingham_chapter-bounces at listserv.infragard.org
10/22/2009 05:38 PM

To
josh at packetfocus.com
cc
birmingham_chapter at infragard.org, owasp-alabama at lists.owasp.org
Subject
Re: [Bham_InfraGard] Email Research posted today






Nice work Josh,


On Thu, Oct 22, 2009 at 2:07 PM, Joshua Perrymon <josh at packetfocus.com> 
wrote:
> http://www.darkreading.com/story/showArticle.jhtml?articleID=220900191
>
>
>
>
>
> Joshua Perrymon, CEH, OPST, OPSA
>
> CEO PacketFocus LLC
>
> Josh at packetfocus.com
>
> 1.877.PKT.FOCUS
>
> 1.205.994.6573
>
> Fax: (877) 218-4030
>
> www.packetfocus.com
>
>
>
> President Alabama OWASP Chapter www.owasp.org
>
> Selected for "Top 5 Coolest hacks of 2007" Dark Reading/ Forbes.com
>
> www.linkedin.com/in/packetfocus
>
> Follow PacketFocus  on Twitter:  http://twitter.com/packetfocus
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Birmingham_chapter mailing list
> Birmingham_chapter at listserv.infragard.org
> http://listserv.infragard.org:8080/mailman/listinfo/birmingham_chapter
>
>



-- 
Thanks,

Chad Holmes

http://www.linkedin.com/in/chadholmes




