Outbound Spam Filtering

Posted: 12th October 2014 by Josh in Uncategorized
Tags: , ,

One configuration setup that I have run into a a number of times is the lack of outbound Spam/Anti-Virus filtering.  The organization in question has their inbound mail queue running through their Anti-Spam/AV filter, but they do not have their outbound mail going through it. When asked about it, typically the response has been, “Never thought about it. We are really only concerned about inbound spam and viruses.” 

Here is my typical response:

When a corporate mailbox is compromised and is used in a spam campaign, how will you know? When the user of the compromised account complains to the helpdesk because of the glut of bounced messages in his inbox? By that time, possibly your only static public IP has been listed on a number of Real-time Blackhole Lists (RBL).

Filtering outbound messages for Spam/Malware helps you detect internal compromised accounts/computers faster than waiting for the user or RBL to alert you.  Just be sure to tweak alerts to get the right kind of alerts when they are needed, so that you don’t fall into alert fatigue.




I have just finished a short paper on Duty of Care, and how some aspects of it applies to the digital world. For instance, consider the following:

A staff member is traveling to a region of the world that is currently embroiled in factional warfare, and there is a higher than average risk of kidnappings. The staff member wants to share about her trip with her online following, and posts to her social media accounts a photo of her (detailed) itinerary for the ten day trip.

A staff member is traveling internationally and stops by an Internet cafe to catch up on business and personal correspondence. Unbeknownst to her, she has exposed herself to a high risk of identity theft because the Internet cafe computers were compromised with keyloggers and other malware

If the staff member’s organization did not have sufficient training to help them understand the risks of social media when traveling and basic computing security, they have opened themselves up to a duty of care negligence case.

You can read more about these issues in the paper, found here. [pdf]

Please feel free to contact me with any questions or comments that you may have.


New CS-RC Report – TrueCrypt, June 2014

Posted: 17th June 2014 by Josh in Uncategorized
Tags: ,

The Polder Consortium Computer Security Response Community (CompSec RC) has published a report that provides analysis of the situation and guidance for IT decision makers.

The IT Security community was bewildered by the May 28, 2014 announcement on the TrueCrypt website declaring “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”. The website furthermore directs users to migrate data from disks, volumes and containers previously encrypted with TrueCrypt to “encrypted disks or virtual disk images supported on your platform”.

The situation is made much more difficult by the fact that the TrueCrypt developers have maintained anonymity over the ten year life-cycle of this product. Thus there have been no interviews with the developers and as a result, a lot of conjecture has arisen regarding the mysterious manner in which they terminated the project.

Based on our analysis of this situation we are recommending the following action steps:

  1. It is considered safe (with caveats) to continue using the latest working version (7.1a) but only for the short-term, i.e., the next 6 months. Please do not take this as an endorsement that users should continue using TrueCrypt!
  2. TrueCrypt is no longer a viable option for long-term strategic initiatives. We highly recommend organizations develop a migration plan for transitioning away from TrueCrypt. We may have more specific recommendations at a later date but for guidance see the full report.
  3. We further recommend that users no longer download TrueCrypt or install it on client machines. In particular we recommend against downloading the latest TrueCrypt version 7.2 because there is some (unverified) risk that the TrueCrypt 7.2 install files are compromised. Individuals having TrueCrypt encrypted volumes but not having TrueCrypt already installed should download version 7.1a from GRC’s TrueCrypt? Final Release Repository for the purpose of accessing those files and migrating them to a secure encryption platform.

See the full report here CS-RC Report – TrueCrypt, June 2014.

As a side note, I was the lead contributor for this report.