Friday, August 12, 2011

firewall-wizards Digest, Vol 61, Issue 6

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Securing email by inhibiting urls (Jean-Denis Gorin)
2. Re: Securing email by inhibiting urls (Chris)
3. Re: Securing email by inhibiting urls (Marcus Ranum)


----------------------------------------------------------------------

Message: 1
Date: Fri, 12 Aug 2011 12:15:51 +0200 (CEST)
From: Jean-Denis Gorin <jdg.ieee@free.fr>
Subject: Re: [fw-wiz] Securing email by inhibiting urls
To: firewall-wizards@listserv.cybertrust.com
Message-ID:
<222875950.2698751313144151629.JavaMail.root@zimbra27-e5.priv.proxad.net>

Content-Type: text/plain; charset=utf-8

----- Marcus Ranum <mjr@ranum.com> wrote:
> Chris wrote:
> >
> > Until I can disable a user's ability to click a URL in an email that appears
> > to come from a trusted source, I'm fighting constant infection. We
> > regularly spot infections (read WE, not our security systems), that are
> > resident in our network and have been there days/weeks/months. We currently
> > have at least one that we are watching to see what it is trying to do before
> > shutting it down....
> >
> >
>
> Stupid users, too much connectivity, good security - you can have
> any two.
>
> I'm guessing that when you say "trusted source" what you mean
> is "apparently trustworthy source" - not that you actually have a
> list somewhere of trusted sources. If you had a list of trusted
> sources then you could put in a firewall that did URL filtering
> then have 2 group policies: "users who click on bad URLs"
> and "users who are careful what they click on" Only allow
> "users who click on bad URLs" to go to the trusted destinations
> and deny everything else.
>
> But it sounds like you've got an impossible problem: you're
> being asked to solve end-user trust with technology and still
> maintain a fairly open network. That's not going to happen,
> though surely you can thrash painfully about playing network
> whac-a-mole.

There might be a way *evil grin*
1- convert ALL incoming email to text/plain format (all those HTML formatted emails from outside are bullshit: SPAM, commercials from vendors, invitations to shiny conferences, etc.)
2- substitute ALL URLs with 'that link was removed for security reasons [*]', with [*] stating: 'if access to that link is needed, please contact the sender of the message'

If that email was the vessel of an attack, the sender is fake. So no point trying to contact it.
If the sender is contacted, and resends the URL, the same filtering will apply (it's evil, isn't it :) )

If you don't want the filtering to be as evil as described, you can amend the note like this: 'if access to that link is needed, please contact the sender of the message and'
Option 1: 'request him to send you that link address through another channel'
Option 2: 'request him to send you that link address embedded in a text file attachment'

The other way is to teach your users to NOT CLICK LINKS IN EMAIL, EVER.

Good luck!
JDG

------------------------------

Message: 2
Date: Thu, 11 Aug 2011 23:37:26 -0400
From: "Chris" <chughes@l8c.com>
Subject: Re: [fw-wiz] Securing email by inhibiting urls
To: "'Mark E. Donaldson'" <markee@bandwidthco.com>, "'Firewall Wizards
Security Mailing List'" <firewall-wizards@listserv.cybertrust.com>
Message-ID: <008001cc58a1$2834f540$789edfc0$@com>
Content-Type: text/plain; charset="us-ascii"

Thanks for the response.

1. We block China but that doesn't stop mail being sourced from a
hacked American company

2. We don't allow any webmail access from our site. For business
reasons we are not allowed to block mail from anything but "freemail" sites
like gmail, hotmail etc.

3. We have Brightmail, Juniper IDS, ISS IDS and Symantec Antivirus
protecting all mail servers.

We don't have issues with executables etc. in mail as attachments. We mostly
see encrypted .zip or MS Excel/Word attachments in emails made to look like
they are coming from someone friendly. The well-trained employee with a
short memory or bad recall clicks the attachment or URL linked to a file and
the game is over. These are zero-day payloads that are not detected by anyone.
We have spent lots of money getting them reverse engineered and the security
firms are impressed. We can block all attachments but that doesn't stop a
user clicking a link to a hacked ford.com page that delivers the payload (making
this up but it's not far from true). With business constraints etc., our best
option now is to strip/modify URLs/links in emails but our current systems
don't have that feature.

From: Mark E. Donaldson [mailto:markee@bandwidthco.com]
Sent: Thursday, August 11, 2011 8:51 PM
To: chughes@l8c.com; Firewall Wizards Security Mailing List
Subject: RE: [fw-wiz] Securing email by inhibiting urls

You need to re-think how you handle mail. Two things:

1. Take out all Chinese IP addresses at the firewall. Nothing of value
comes out of China. 99% of it is toxic. Why let them even have a chance?

2. Direct webmail over the internet is dangerous at best. You need to
set up an SMTP mail proxy on your system that receives, processes, and
either accepts or rejects all incoming email. Use Sendmail + MailScanner +
SpamAssassin + Clamav. Won't cost you a cent and will take all bad stuff out
as you instruct it to do.

3. Mail that makes it through the proxy should then be directed to the
webmail server. It will be safe and clean.

From: firewall-wizards-bounces@listserv.cybertrust.com
[mailto:firewall-wizards-bounces@listserv.cybertrust.com] On Behalf Of Chris
Sent: Monday, August 01, 2011 11:47 AM
To: firewall-wizards@listserv.cybertrust.com
Subject: [fw-wiz] Securing email by inhibiting urls

A company I work for has been having great difficulty in securing against
email attacks. So far we have disabled access to webmail, implemented
rules and processes to block freemail services like hotmail etc until the
sender registers the address and of course a spam filter (BrightMail).
Attachment filtering is pretty strict as well.

The threat that presents the biggest challenge is URL links in emails. The
common method of attack is an email from somedomain.com where they change
one character or otherwise make the address look valid (i.e.
joe@s0medomain.com or j0e@somedomain.com etc.).

I was looking for a way to spot and block hyperlinks but it looks like the
only option I have is to filter on these and send them to a spam bin. I'd
rather yank the offending hyperlink and replace it with a message of some
sort. Unfortunately BrightMail doesn't offer that capability.

Any products that do this or ideas on a solution?

Thanks


--
This message has been scanned for viruses and dangerous
content by <http://www.mailscanner.info/> MailScanner, and is believed to
be clean.
MailScanner at <http://www.bandwidthco.com/> Bandwidthco Computer Security
is for your absolute protection.



------------------------------

Message: 3
Date: Fri, 12 Aug 2011 16:52:14 -0400
From: Marcus Ranum <mjr@ranum.com>
Subject: Re: [fw-wiz] Securing email by inhibiting urls
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <4E45927E.8090106@ranum.com>
Content-Type: text/plain; charset=UTF-8; format=flowed


Jean-Denis Gorin writes:

> 1- convert ALL incoming email to text/plain format (all those HTML formatted emails from outside are bullshit: SPAM, commercials from vendors, invitations to shiny conferences, etc.)
> 2- substitute ALL URLs with 'that link was removed for security reasons [*]', with [*] stating: 'if access to that link is needed, please contact the sender of the message'
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

I saw a company that did that, years ago. They had all incoming mail go
through mimedefang and all URLs got converted to https:-URL pointing to
their proxy server, which required a login. They also had a whitelist
ruleset in the rewrite, so that some URLs didn't get rewritten on a
case-by-case basis. Anything with metacharacters or on a blacklist got
rewritten to a warning. That was the first layer.

The other thing they did was all attachments got stripped, and decoded and
stored in a queue area on their IMAP server, where it was accessible over
https: and the URLs to the attachment were injected back into the message.
So if you got a jpeg, you got
(jpg annakournikova.jpg is accessible here:
https://popserver.company.com/attachments/mjr/xfaa837-annakournikova.jpg )
instead of the inlined data. As you can imagine that was unpopular with some
people because there were then very good logs of who was accessing what
and when and why. The other thing they did that was extremely cute was the
queue folders were remote-mounted from a windows box using smbmount,
and the windows box had a variety of antivirus products installed on it, so
when something got spooled to a user's queue, if it set off the A/V, it would
just delete the file and if the user clicked on it they got a 404. Otherwise
they got their data. They had some admin foo where any administrator
could flag an attachment as bad, and it'd automatically delete any other
copies of it (this was back when all versions of a piece of malware were the
same - 1999!) in the queue area. They also did other nice stuff like block
any HTML email that had operators that weren't on a small white-list.

I thought it was pretty cool, and it took their admin a couple days to
set up using basic open source tools. It scaled really well, too. Of course
the users moaned and whined - but it was a security consultancy that was
under a fairly high level of attack and they were able to actually overrule
the users for a change. Those days are probably over now that facebook is a
"mission critical app" for so many companies.*

mjr.

--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenable.com
(* that was sarcasm)
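JDG's two-step scheme (flatten to text/plain, replace every URL with a note) and the whitelist / proxy / warning rewrite Marcus describes can be sketched as one small mail filter. The following is an added example written for this digest, not code from either poster or from mimedefang; the proxy address, the whitelist and blacklist entries, the metacharacter set and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from urllib.parse import quote

# Constructed policy data (assumptions); a real filter would load these from config.
WHITELIST = {"listserv.icsalabs.com", "www.mailscanner.info"}  # left untouched
BLACKLIST = {"evil.example"}                                     # always replaced by a warning
META_RE = re.compile(r"""[;|`$'"{}\\@<>]""")   # assumed "metacharacter" set; '@' catches userinfo tricks
PROXY = "https://proxy.example.internal/fetch?u="  # hypothetical login-protected, logging proxy
WARNING = "[that link was removed for security reasons; if you need it, contact the sender]"
URL_RE = re.compile(r'''https?://[^\s<>"')\]]+''', re.IGNORECASE)

def hostname(url):
    m = re.match(r"https?://([^/?#]+)", url, re.IGNORECASE)
    return m.group(1).lower().split(":")[0] if m else ""

def rewrite_url(url):
    host = hostname(url)
    if host in WHITELIST:
        return url                          # case-by-case exemption, like the whitelist ruleset
    if not host or host in BLACKLIST or META_RE.search(url):
        return WARNING                      # blacklisted or suspicious: becomes a warning
    return PROXY + quote(url, safe="")      # everything else is fetched through the proxy

def flatten_message(raw):
    """Keep one text body (HTML demoted to text), rewrite its URLs, drop everything else."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        # expose href targets as bare text, then strip the remaining tags
        text = re.sub(r'''<a\s[^>]*href=["']([^"']+)["'][^>]*>''', r" \1 ", text, flags=re.I)
        text = re.sub(r"<[^>]+>", " ", text)
    out = EmailMessage(policy=default)
    for h in ("From", "To", "Subject", "Date"):
        if msg[h] is not None:
            out[h] = msg[h]
    out.set_content(URL_RE.sub(lambda m: rewrite_url(m.group(0)), text))
    return out

# Constructed sample, modelled on the look-alike sender pattern described in the thread.
SAMPLE = """\
From: j0e@somedomain.example
Subject: Invoice
Content-Type: text/plain; charset=us-ascii

See http://www.example.com/invoice or http://evil.example/x or
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
"""
```

Calling `flatten_message(SAMPLE)` returns a single-part text/plain message in which the first URL points at the proxy, the second has become the warning text and the whitelisted one is unchanged.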

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 61, Issue 6
***********************************************
