Stories about recent spear phishing attacks:
Policy control: Separation of work and personal.
The participants discuss the difficulty of remembering this policy when the work is initiated by others: the fake email always looks urgent, and no one wants to be the hold-up on getting work done.
Suresh discusses the advantages of keeping separate personal and work devices as well.
Password Change Policies
The participants discuss the fact that Google does not force people to change passwords on a regular basis. While changing passwords could not have helped in these particular attacks, it can help limit damage when credentials are compromised.
Google Two Factor Authentication
If the victims had been using Google's two factor authentication, it would have reduced, but not eliminated, the window of opportunity the attackers had to take advantage of the compromised credentials.
Sender Policy Framework (SPF)
SPF restricts the machines that can access a mail server to only a limited set of IP addresses. It is not much used anymore because there are so many examples of legitimate email originating from alternate sources using alternate servers. This worked OK back in the days when people sat at the same desk every day and sent all their email from the same machine.
DomainKeys Identified Mail (DKIM)
DKIM Project Page
DKIM allows a sending email domain to sign a subset of the headers in the mail to "claim responsibility" for the mail going through the server. Coupled with the Author Domain Signing Practices (ADSP), it enables receiving domains to throw away all mail that isn't DKIM signed.
One problem is that in large environments it's very difficult to control all of the outbound mail and ensure that it is always DKIM signed.
Another problem is that the protocol is deliberately "policy neutral", so there's no interpretation of what it means to "take responsibility" for mail passing through a server. It does not imply that the sending server knows the identity of the sender, nor does it imply that the mail is not spam, that it doesn't contain malware, or anything in particular at all. All it means is that the server saw the mail pass through.
The participants also discussed S/MIME, PGP signing and other mail signing technologies. First, there's the key management overhead. Second, end users will never accept an email infrastructure that only allows signed mail to come through; end users always want to accept unsigned mail.
A further problem with email signing is that it is an authentication technique. Unless it is coupled with a reputation system associated with the key management system, it does not vouch for the contents or safety of the mail. Strong vetting and credential issuance procedures are needed to complement the strong credentials used in email signing in order for them to have any hope of helping end users detect spear phishing.
Mail Content Scanners
Lotus Protector for Mail Security and tools like it perform a wide variety of types of content analysis: attachment scanning, URL filtering, etc. But they only work if the end users will respect and pay attention to the assessments. Typically end users will not tolerate a mail scanner that throws away mail. They will tolerate mail getting routed to spam folders or otherwise flagged, but they insist on having the final say on that decision.
Defanging is similar to flagging mail as suspect, but instead of just raising alerts, the email client disables active content in the mail and hides or makes unclickable any suspect links in the mail.
One participant favors this approach to prevent end users from mindlessly clicking links in a mail before thinking. Rewriting the link to redirect the end user to a warning page, which requires the end user to take some very explicit action before getting to the real URL, is a good trade-off between convenience and safety.
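As an added illustration of the link rewriting described above (example code written for these notes, not from the podcast or from any IBM product), the following stdlib-only Python rewrites every href in an HTML mail body to an interstitial warning page that carries the original URL as a parameter, and drops active content (script, object, embed, iframe, applet elements and inline on* event handlers). The warning page address mailguard.example.com is an assumed placeholder.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Placeholder interstitial page (assumed, not a real service): the user must
# take an explicit action there before being sent on to the original URL.
WARNING_PAGE = "https://mailguard.example.com/warn?url="
ACTIVE_TAGS = {"script", "object", "embed", "iframe", "applet"}  # dropped entirely

class Defanger(HTMLParser):  # re-emits the mail body with links rewritten
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out = []        # output fragments
        self.skip_depth = 0  # >0 while inside an active-content element
        self.rewritten = 0   # number of links sent through the warning page

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.skip_depth += 1
        elif not self.skip_depth:
            parts = []
            for name, value in attrs:
                if name.startswith("on"):  # inline event handlers (onclick, onload, ...)
                    continue
                if tag == "a" and name == "href" and value:
                    value = WARNING_PAGE + quote(value, safe="")  # original URL, encoded
                    self.rewritten += 1
                parts.append(f' {name}="{html.escape(value or "", quote=True)}"')
            self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):  # &amp; and friends pass through untouched
        self.handle_data(f"&{name};")
    def handle_charref(self, name):  # &#39; and friends likewise
        self.handle_data(f"&#{name};")

def defang(body):  # returns (rewritten_html, number_of_links_rewritten)
    parser = Defanger()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.rewritten
```

The interstitial page itself (not shown) would decode the url parameter and display it to the user, who has to click through deliberately, which is the "explicit action" the notes refer to.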
The participants didn't come to a conclusive list of recommended and not recommended controls. Obviously, the separation of work and personal policy is a very strong control if you can get people to really follow it. Suresh suggested the "driving safety class" approach, which is to show end users horror stories of what has happened to victims in the past in order to keep the concepts fresh in their minds.
One participant favors two factor authentication on personal accounts. The enterprise can't force people to use Google's strong sign-in, but it can be encouraged using the "driving safety class" approach described above.
Beyond that, mail scanning systems combined with "defanging" technology at the client probably represent a good tradeoff between safety and convenience.
The opinions expressed on this podcast are only those of the participants and not necessarily of IBM.
The grackle photo used on the blog and in the podcast is by Laura Gooch
The call of the grackle was recorded by G. McGrane