I was reading an advisory on email hack attacks by FINRA and it shows what I'm constantly stressing in my education talks about the email service: it is a very insecure service in general and it shouldn't be used for anything serious. What is not clear is why it is necessary to hack someone's mail account in order to spoof a message. I suppose that the reason is some secret code (i.e. a password) that has to be provided within the mail message in order to prove the message's authenticity? In any case, email is insecure and that's it. Yeah, I know, there are S/MIME and PGP, but they are still not used much!
But, there is always a but, and it is the case when the correspondence is internal to an organization. That case can be treated as more trustworthy for a simple reason: the messages pass through a mail server, and in general through network infrastructure, under local control (e.g. of some company). Of course, this assumes that the company's network is sufficiently secure, or that the threat of unauthorized access to the network is sufficiently small.
Now I hear you saying that there is a problem: someone from the outside can falsify a message so that it looks like it originates from some internal user. Basically, this is not a problem for users who know where to look (i.e. the headers), but for the majority, and for those who don't look at headers often, this is indeed a problem. Still, I think there are two possible solutions. The first one is for the mail server (actually the spam filter) to reject messages claiming to originate from some internal user but coming from the outside. The second one is a plugin for the mail client (which doesn't exist yet, as far as I know) that would analyze the From and Received attributes in the message header and, in case they match (the originating IP address is internal and the From field is an internal mail address), show the message in green, otherwise in red, signalling to the user that something is strange with this message.
To end the post, here is a link to educational games I found while searching for the original advisory from FINRA. Namely, the article I first encountered about email attacks didn't provide its source, so I googled for it and in due course found those games, which I think are interesting!
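Here is what the second solution looks like in code, as an added example rather than anything from the post: it reads the From and Received headers of a raw message and returns green, red or external. The domain example.org, the MTA name mail.example.org, the internal address ranges and the two sample messages are assumptions for illustration. Unlike a naive "last Received line" rule, it trusts only the Received line added by our own MTA, because a sender can put forged Received lines into the message body of headers it submits.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for the example: our mail domain, our own MTA's name, our IP ranges.
INTERNAL_DOMAIN = "example.org"
OUR_MTA = "mail.example.org"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def origin_ip(msg):
    """IP the message came from when it reached OUR_MTA. Each hop prepends its
    own Received: line, so the topmost line 'by' our server is the trustworthy
    one; lines below it arrived inside the message and could have been written
    by the sender, so they are ignored."""
    for hop in msg.get_all("Received") or []:
        if "by " + OUR_MTA in hop:
            m = IP_RE.search(hop)
            return ipaddress.ip_address(m.group(1)) if m else None
    return None


def classify(raw):
    """'green': internal sender submitted from an internal IP; 'red': From:
    claims our domain but the first hop is outside (or unknown); 'external':
    ordinary outside mail."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]
    from_internal = addr.lower().endswith("@" + INTERNAL_DOMAIN)
    ip = origin_ip(msg)
    ip_internal = ip is not None and any(ip in net for net in INTERNAL_NETS)
    if from_internal:
        return "green" if ip_internal else "red"
    return "external"


# Constructed sample messages, headers abbreviated.
LEGIT = ("Received: from pc42.example.org ([192.168.7.42])\n"
         "\tby mail.example.org with ESMTP; Mon, 13 Feb 2012 09:59:58 +0100\n"
         "From: CEO <ceo@example.org>\nTo: cfo@example.org\nSubject: budget\n"
         "\nPlease approve.\n")
# The second Received: line below was written by the sender to look internal.
SPOOF = ("Received: from unknown (HELO example.org) ([203.0.113.9])\n"
         "\tby mail.example.org with SMTP; Mon, 13 Feb 2012 09:59:58 +0100\n"
         "Received: from pc42.example.org ([192.168.7.42])\n"
         "\tby mail.example.org with ESMTP; Mon, 13 Feb 2012 09:59:00 +0100\n"
         "From: CEO <ceo@example.org>\nTo: cfo@example.org\nSubject: urgent wire\n"
         "\nSend the money now.\n")
```

The same classify() logic, run on the mail server before delivery, is the first solution from the post: reject instead of colouring red.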
Thursday, February 16, 2012
Friday, December 9, 2011
Evolution & Thunderbird
I cannot describe how much Evolution annoys me! I've been using it for years, maybe 10 or so by now, and I can say with quite a bit of confidence that it's full of bugs, at least on Fedora, and there was no release in the past few years that didn't have some quirks that made me go mad! And today, it happened that it didn't want to create a meeting within a Google calendar, with the usual unhelpful error message about failed authentication. To make things even weirder, it did show my available calendars on Google, and that requires authentication, so it should work! After some searching on the Internet I found a workaround that includes removing calendars from Evolution and re-adding them again. This, by itself, brought me closer to looking for an alternative and switching. Anyway, I started to remove all Google calendars from Evolution, but then, removing some didn't work!? The ones that were turned off because I didn't provide a password for them. Even restarting Evolution didn't help. What helped in the end was that I changed the username, and afterwards removal was successful!
The reason I've been using Evolution for so many years is that it had a calendar integrated with the mail client, todo lists and memos. I need at least the calendar function along with a mail client. I'm already using Thunderbird, but as a secondary mail client for some unimportant mail accounts, and I know that it has progressed quite nicely and, more importantly, it has a Calendar extension. So, I started contemplating switching mail client NOW! Well, everything OK except that I have huge mail archives stored in Evolution and I have to import them into Thunderbird. It turns out there is no migration wizard and that it has to be done manually. Then, it turned out that Thunderbird uses the Mbox format, while Evolution uses the Maildir format (it also used Mailbox until a year or so ago).
In essence, Mbox uses one file for all mail messages, while Maildir uses one file per message. Maildir has many advantages over Mailbox and thus has become the preferred way of storing mail messages on a file system. One reason I want Maildir is that I'm doing backups, and when one mail message is added to an mbox (which is itself a huge file containing many messages) the backup process will copy the whole file again.
Anyway, judging from the information I found on the Internet, this is a long-requested feature in Thunderbird. Thunderbird has supported pluggable mail stores since version 3.1, but the Maildir format is not planned before version 11. In the end, I decided to wait a bit more and then switch to Thunderbird.
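Since there is no migration wizard, the manual import can at least be scripted. The following is an added example (not from the post, and not an Evolution or Thunderbird tool) that uses Python's standard mailbox module to copy a Maildir into a single mbox file; demo() builds a constructed three-message Maildir in a temporary directory and converts it, so the one-file-per-message versus one-file-for-all difference is visible in the numbers it returns. Paths and the sample messages are assumptions.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage


def maildir_to_mbox(maildir_path, mbox_path):
    """Copy every message of a Maildir (one file per message) into a single
    mbox file (all messages in one file). Returns the number of messages
    copied. Call dst.lock() first if another program may have the file open."""
    src = mailbox.Maildir(maildir_path, create=False)
    dst = mailbox.mbox(mbox_path)
    count = 0
    try:
        for key in src.iterkeys():
            dst.add(src.get_message(key))   # mbox writes the 'From ' separator
            count += 1
        dst.flush()
    finally:
        dst.close()
    return count


def demo():
    """Build a constructed Maildir with three sample messages in a temporary
    directory, convert it, and return (messages copied, files the Maildir
    used, messages read back from the mbox file)."""
    tmp = tempfile.mkdtemp()
    maildir_path = os.path.join(tmp, "Inbox")
    md = mailbox.Maildir(maildir_path)           # creates cur/, new/, tmp/
    for i in range(3):
        m = EmailMessage()
        m["From"] = "alice@example.org"          # constructed sample data
        m["To"] = "bob@example.org"
        m["Subject"] = f"note {i}"
        m.set_content(f"body of note {i}\n")
        md.add(m)
    md.close()
    files = sum(len(os.listdir(os.path.join(maildir_path, d))) for d in ("cur", "new"))
    mbox_path = os.path.join(tmp, "Inbox.mbox")
    copied = maildir_to_mbox(maildir_path, mbox_path)
    read_back = len(mailbox.mbox(mbox_path))
    return copied, files, read_back
```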
Update
I forgot to mention one more bug. When I try to save an existing calendar into an ical file, Evolution simply crashes, and this is 100% repeatable. I discovered this when I decided to clean up all the old calendars from Evolution, but first I wanted to save them, just in case.
Labels: comparison, english, mail, software
Location: Zagreb, Croatia
Tuesday, September 20, 2011
OpenSSH and how to get around port 25 filters on local networks...
OpenSSH is a very capable tool and I've been using it for years. And even though I don't consider myself a beginner user, but rather an advanced one, every now and then I learn something new about this great tool. Here are two links to such sites that I found very interesting:
Be sure to also read comments there because they are useful too.
What I'm going to describe is how I use ssh's tunneling capabilities to send email via a remote server when the local network blocks port 25 outside of the local network. Blocking port 25 is quite a frequent scenario, and a useful security practice, to prevent, or at least lower the quantity of, outgoing spam from the local network. It was probably introduced on a massive scale around the time of the Slammer worm. Anyway, for easier understanding, here is a figure (network topology) that tries to illustrate this particular scenario:
In the given figure I'm using a laptop computer and what I want to do is to send an email message using MY HOME MAIL SERVER as the outgoing mail server. But the exit router (or firewall) on LAN1, where I'm attached, blocks any access to port 25 anywhere outside of LAN1. At the same time, it allows outgoing ssh connections.
The general idea is to redirect the mail client to connect to localhost on port 25 and, using ssh, transfer this connection to the remote mail host's local port 25. Note that, in order for this scenario to work, you must not run a local mail server, or you have to redirect the local mail client. The next premise is that the remote server allows ssh access. If it doesn't, then you have to find a host that does. I'll deal with that scenario later; let us first go through the simpler scenario.
To create a tunnel that will transfer the local connection to the remote host, run the following command as the root user:
ssh -L 25:127.0.0.1:25 MY_HOME_MAIL_SERVER
What this command does is bind to local port 25 (TCP), and anything that connects to that address is forwarded to the other side, where it connects to IP address 127.0.0.1 and port 25, i.e. to the local instance of the mail server on MY_HOME_MAIL_SERVER. You need to run this command as root because of the local bind to a privileged port (25).
One more thing you need to do is trick your mail client into connecting to localhost instead of MY_HOME_MAIL_SERVER. How to do this depends on how you configured your mail client. In case you entered the symbolic name of MY_HOME_MAIL_SERVER into the mail client, then you can change it to 127.0.0.1, or better, change /etc/hosts and put the following line there:
127.0.0.1 MY_HOME_MAIL_SERVER
Don't forget to remove this line once you are finished. Otherwise, when you remove the ssh tunnel you won't be able to send mail any more!
Let me try to visualise what you did. Some time later I'll draw a figure, but for now let me try with words. With ssh you created a pipe that goes from the laptop to MY_HOME_MAIL_SERVER. At the start of that pipe, on the laptop, it is listening on port 25 at the local address. At the end, this pipe simply hands whatever comes in to localhost port 25, i.e. to the mail process running on MY_HOME_MAIL_SERVER.
Finally, what if you don't have ssh access to MY_HOME_MAIL_SERVER? Well, in that case you have to find some computer to which you can ssh, and which can connect to port 25 of MY_HOME_MAIL_SERVER. Note that it can be any server on the Internet. To make things work now, you use almost the same ssh command, but with slightly different arguments:
ssh -L 25:MY_HOME_MAIL_SERVER:25 YOUR_SSH_SERVER
Note that MY_HOME_MAIL_SERVER is the IP address or DNS name of your mail server, while YOUR_SSH_SERVER is the IP address or DNS name of the server you use as a middle hop.
And that's it. :) Actually, very simple. But, personally, I'm not satisfied with the visualization, so I'll improve it when I find more time and inspiration. :)
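As an added example (not from the post), here is the same tunnel wrapped in a little Python: tunnel_argv() builds the ssh command line with a loopback-only bind, an unprivileged local port and ExitOnForwardFailure, so ssh need not run as root and /etc/hosts stays untouched (the mail client is pointed at 127.0.0.1:2525 instead), and smtp_greeting() checks that the SMTP banner coming back through the tunnel really names your mail server. fake_mail_server() is a constructed stand-in for the far end so the check can be tried offline; host names are placeholders.

```python
import socket
import threading


def tunnel_argv(ssh_host, mail_host="127.0.0.1", local_port=2525, remote_port=25):
    """Build the argv for the post's ssh -L tunnel with a few hardening
    tweaks: the listener is bound to 127.0.0.1 only, so other hosts on the
    LAN cannot relay mail through the laptop; a port above 1024 means ssh
    need not run as root; ExitOnForwardFailure makes ssh exit instead of
    silently continuing when the port is already taken; -N opens no shell.
    mail_host is what the far end connects to: 127.0.0.1 when ssh-ing to the
    mail server itself, or the mail server's name when using a middle hop."""
    return ["ssh", "-N", "-o", "ExitOnForwardFailure=yes",
            "-L", f"127.0.0.1:{local_port}:{mail_host}:{remote_port}", ssh_host]


def smtp_greeting(host="127.0.0.1", port=2525, timeout=5.0):
    """Connect through the tunnel, return the server's 220 greeting and send
    QUIT. The greeting normally names the mail server, which confirms the
    tunnel ends where you think it does. Raises on a non-220 reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        line = s.makefile("r", encoding="ascii", errors="replace").readline()
        s.sendall(b"QUIT\r\n")
    line = line.strip()
    if not line.startswith("220"):
        raise RuntimeError("unexpected SMTP reply: " + repr(line))
    return line


def fake_mail_server(greeting=b"220 MY_HOME_MAIL_SERVER ESMTP ready\r\n"):
    """Constructed stand-in for the far end so smtp_greeting() can be tried
    offline: serves one connection in a background thread and returns the
    port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
            conn.recv(64)      # the client's QUIT
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

In real use, start tunnel_argv(...) with subprocess.Popen, wait for ssh to authenticate, then call smtp_greeting() before pointing the mail client at 127.0.0.1:2525.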
Location: City of Zagreb, Croatia
About Me: Stjepan Groš (sgros), scientist, consultant, security specialist, networking guy, system administrator, philosopher ;)