[Owasp-leaders] Email Security Research

McGovern, James F. (eBusiness) James.McGovern at thehartford.com
Wed Oct 14 15:04:20 EDT 2009


Is there merit in also talking about email from a development
perspective? For example, many emails are sent using HTML. Would
Outlook be subject to XSS? Sometimes folks also like to put a one-pixel
image in an email that makes an HTTP call to an application for tracking
purposes, which would "correlate" the email to a known identity. Could
this style "leak" information?

________________________________

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Joshua
Perrymon
Sent: Wednesday, October 14, 2009 12:44 PM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] Email Security Research



I did a talk yesterday on phishing, and I walked the crowd through an
attack on a domain I own. For this domain, the email is hosted and I
just use POP or IMAP to get it. On a separate client laptop, I had 4
client email programs running:

1) Outlook 2007
2) Microsoft Mail (Vista)
3) Thunderbird
4) Opera Mail Client

At the end of the demo, we determined that hosted email provided little
or no protection against targeted (non-blacklisted) phishing attacks,
other than the Microsoft clients not allowing IP addresses in links or
the email body. None of the clients kept track of attempts, meaning
that you could send a "good" email from the same address right after
sending an email that got caught in a phishing filter.

I would also like to note that my new Palm Pre never identified a
single phishing email, no matter what was in the body or subject.

 

Industry Questions:

1) So now I'm trying to decide: at what point does a company start
hosting email internally?

2) Would you think that a large number of companies use hosted email?

3) Do clients use email security (hardware) when using remote email
hosting?

4) If clients have email hosted internally, what security controls are
applied to identify email attacks?

   o Inbound SMTP scanning?
   o Email security hardware?
   o Email relay scanning?
   o Email server hardening/configuration/security
   o Client-level controls

I will be writing an OWASP paper on this topic and keeping track of the
results. I'm just trying to understand why email security fails on so
many levels. I understand that there are a lot of dumb users, but
technology should do a better job at identifying attacks.

Joshua Perrymon, CEH, OPST, OPSA
CEO PacketFocus LLC
Josh at packetfocus.com
1.877.PKT.FOCUS
1.205.994.6573
Fax: (877) 218-4030
www.packetfocus.com

President Alabama OWASP Chapter www.owasp.org
Selected for "Top 5 Coolest hacks of 2007" Dark Reading/ Forbes.com

www.linkedin.com/in/packetfocus
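An added example, not code from either message or from PacketFocus: a defender-side check over a raw HTML email for the two things raised in this thread, the remote one-pixel image that carries a per-recipient token, and links whose host is a bare IP address (the case the Microsoft clients refused in Josh's test). It uses only the Python standard library; the sample message, hostnames and parameter names are constructed for the demonstration.

```python
import email
from email import policy
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import parse_qs, urlparse
# Constructed sample (not from the thread): a 1x1 remote image carrying the
# recipient's identity, a link to a bare IP address, and an ordinary logo.
SAMPLE_EML = b"""Subject: October update
Content-Type: text/html; charset=utf-8

<html><body><p>Hi Alice,</p>
<img src="https://track.example.com/o.gif?uid=alice%40example.net&cid=4711" width="1" height="1">
<p>Read <a href="http://192.0.2.10/login">the update</a> here.</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60"></body></html>
"""

class _Refs(HTMLParser):
    # Collect <img> attribute dicts and <a href> values from the HTML body.
    def __init__(self):
        super().__init__()
        self.images, self.links = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

def audit_html_mail(raw):
    """Flag remote images that are 1x1 or carry query parameters ('tracking-pixel')
    and links whose host is a bare IP address ('ip-link')."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    refs = _Refs()
    refs.feed(body.get_content() if body else "")
    findings = []
    for img in refs.images:
        u = urlparse(img["src"])
        tiny = img.get("width") == "1" and img.get("height") == "1"
        params = sorted(parse_qs(u.query))  # the per-recipient token lives here
        if u.scheme in ("http", "https") and (tiny or params):
            findings.append(("tracking-pixel", u.hostname, params))
    for href in refs.links:
        host = urlparse(href).hostname or ""
        try:
            ip_address(host)  # raises ValueError for a normal hostname
            findings.append(("ip-link", host, []))
        except ValueError:
            pass
    return findings
```

A mail gateway or client that renders HTML can apply the same two checks before fetching any remote resource; the query parameters reported are exactly the values that would be sent to the tracking host when the image loads.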

 

 

 
