September 2006 Entries
How I Spent My Summer Vacation: perspectives on Gone Phishing

Today, 3Sharp announced the release of our report Gone Phishing: Evaluating Anti-Phishing Tools for Windows. Paul's already posted a great FAQ that answers a lot of the common questions on our report. If you have any questions or comments, please, let us know about them!

As one of the researchers and authors of the study, I wanted to make a few more personal comments about the results. Going into the project, we knew that the very fact we were commissioned by Microsoft was automatically going to cause some members of the community to view our results with suspicion -- especially if the Microsoft products came out well. To combat that perception, we meticulously documented every step of our process and every bit of data we used. I can't speak for anyone else, but I confess to being extremely (pleasantly) surprised by the results. Quite frankly, I was expecting IE7 to get p0wned (as Paul would say).

When we started the study, I was a die-hard Firefox user. I'd been using Firefox as my primary browser well before the 1.0 release, relegating IE6 to only the necessary sites -- Exchange Outlook Web Access, SharePoint sites, and other such IE-centric sites I needed to visit in the course of my daily duties. I'd heard that IE7 had included some nifty features, but like many others I dismissed them as playing catch-up. Even when Firefox 1.5 came out and I noticed a bit of a slowdown and slight loss of stability, I still used it faithfully. During the testing, I obviously had to get familiar with IE7 (first beta 2, then beta 3, the version we tested for the final results). While it was nice (and somewhat mind-blowing) to have tabbed browsing under IE, I still used it as a secondary browser.

For those of you who haven't tried to do any anti-phish testing before, one of the biggest difficulties you're going to have is trying to get a large enough quantity of phish. Every day, we would have to sift through many thousands of messages to find a lucky few that a) still pointed to a live site and b) hadn't already been seen by us. By this time, I'd installed IE7beta3 as the primary browser on one of the laptops I was using, and I pretty quickly realized that IE7 was already a much better browser than IE6. In fact, when we finished the testing and crunched the final numbers, I went ahead and put IE7 on all of my computers at home and work, and I'm even mostly switched off of Firefox as my default browser.

Why would I switch?

  • The anti-phishing protection is a big one. Not so important for me or my wife (who helped us with the screening and thus got far more familiar with phish than she'd ever wanted), but very important for our kids' computer. This computer also gets used by a lot of our houseguests, most of whom are not that tech-savvy.
  • The system-integrated RSS feed reading capabilities. I've got a ton of blogs I read, and for the most part I've been reading them in a web browser. With IE7's RSS features, integrated with Outlook 2007, I can see the same list of feeds in both the browser and the mail client.
  • I have to say that I really like IE7's tabbed browsing handling just a touch better than Firefox's. I still get my right-click "Open in new tab/window" choices, but I also can quickly open a new tab with a single click on IE7's New Tab icon (as well as the Ctrl-T keyboard shortcut, as in Firefox). In Firefox, I'd have to right-click on my tab bar, then select New Tab. Most of all, though, each tab in IE has its own close button; Firefox requires me to click on the Close button to the right of all the tabs.

So in the end, don't take our word for it (or anyone else's). If you're really curious about how well IE7 will protect you from phish, go download it and install it. Trawl through your spam filter and click on links; see where it gets you. Make the decision about whether the product will work for you.

posted @ Thursday, September 28, 2006 12:30 PM
Word 2007 Open XML bug or feature?

For a recent project, I've been working a bit with the new Open XML file format (to the point of having to actually write some Java code to manipulate native Office 2007 documents, if you can believe it). I discovered some interesting file handling behavior in Word 2007 that I'd like to share.

There are actually two new Word document types -- the .docx and .docm files. Both of them are Open XML -- the difference is that the .docm extension indicates that this file is allowed to have macro content. If you take a Word document with existing macro content and save it as a .docx, Word will literally strip out the macro content as it saves the file, leaving you a nice macro-free document. Pretty nifty.

Likewise, if you take a .docm file and simply rename it as .docx, Word will refuse to open the file (as it sees the verboten macro content). I personally think it would be more useful to just ignore that content, but this is an arguably correct behavior.

Where the weirdness comes in is that you can rename that Open XML Word file to be some other extension. Since an Open XML document is basically a collection of parts (XML files) in a package (ZIP archive), I quickly found (thanks to Peter) that Word will happily attempt to open a .zip file (and will successfully do it if it's actually an Open XML package). So for fun, I just took a .docm with a live macro, renamed it to .zip, and tried to open it in Word. It opened up with no problems; the macro content was recognized (and had it been signed by a Trusted Publisher or been in a Trusted Location, I wouldn't have even gotten the normal security warning).

So, this is my question: is this a feature or a bug? Me, I tend to think it's a bug. Perhaps this is my UNIX background showing, but to me, if you're going to insist on parsing file types by their file extension (which leads to a whole lot of extra programming and drudgery attempting to keep users from doing stupid/malicious things like I just did), then you'd better be strict about it. If the .docm feature is intended to be a strong feature, Word should, IMHO, only honor macro content in a file with a .docm extension.

I saw this behavior with Office 2007 Beta 2 Technical Refresh; I don't know if it's limited to Word or whether Excel and PowerPoint do it as well.
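The behavior above is a file-type confusion: the container is a ZIP package, and whether it carries macros is recorded inside the package, not in the extension. A defender's scanner should therefore decide by content. The following PowerShell is an added example, not code from the original post: `Test-OpenXmlMacro` opens any file as an Open XML package, reads `[Content_Types].xml`, and reports macro content whether the file is called .docx, .docm or .zip; `New-SampleMacroPackage` builds a constructed, minimal package (not a real Word file) so the demo runs offline. The content-type strings are the real Open XML ones; the function names, the sample path and the sample parts are assumptions made for this example.

```powershell
# Added example (not from the original post). Requires Windows PowerShell 5.1 or PowerShell 7.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Real Open XML content types for a macro-enabled Word main part and for the VBA part.
$MacroMainType = 'application/vnd.ms-word.document.macroEnabled.main+xml'
$VbaPartType   = 'application/vnd.ms-office.vbaProject'

function Test-OpenXmlMacro {
    # Inspect a file as an Open XML package regardless of what its extension claims.
    param([Parameter(Mandatory)][string]$Path)
    $r = [ordered]@{ Path = $Path; IsOpenXml = $false; HasMacros = $false
                     MainContentType = $null; ExtensionMismatch = $false }
    try { $zip = [System.IO.Compression.ZipFile]::OpenRead($Path) }
    catch { return [pscustomobject]$r }                       # not a ZIP container at all
    try {
        $ct = $zip.GetEntry('[Content_Types].xml')
        if ($null -eq $ct) { return [pscustomobject]$r }      # a ZIP, but not an OPC package
        $r.IsOpenXml = $true
        $reader = New-Object System.IO.StreamReader($ct.Open())
        [xml]$types = $reader.ReadToEnd()
        $reader.Dispose()
        $partTypes = @($types.Types.Override | ForEach-Object { $_.ContentType }) +
                     @($types.Types.Default  | ForEach-Object { $_.ContentType })
        $main = $types.Types.Override | Where-Object { $_.PartName -eq '/word/document.xml' }
        if ($main) { $r.MainContentType = $main.ContentType }
        # Three independent signals; any one of them means VBA is present in the package.
        $vbaEntry = $zip.Entries | Where-Object { $_.FullName -like '*vbaProject.bin' }
        $r.HasMacros = ($r.MainContentType -eq $MacroMainType) -or
                       ($partTypes -contains $VbaPartType) -or
                       [bool]$vbaEntry
    }
    finally { $zip.Dispose() }
    # Compare what the package contains with what the extension promises.
    $ext = [System.IO.Path]::GetExtension($Path).TrimStart('.').ToLowerInvariant()
    $expected = if ($r.HasMacros) { 'docm' } else { 'docx' }
    $r.ExtensionMismatch = ($ext -ne $expected)
    [pscustomobject]$r
}

function New-SampleMacroPackage {
    # Constructed minimal macro-enabled package (not a real Word file) for the demo.
    param([Parameter(Mandatory)][string]$Path)
    if (Test-Path $Path) { Remove-Item $Path }
    $ctXml = @"
<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="$MacroMainType"/>
  <Override PartName="/word/vbaProject.bin" ContentType="$VbaPartType"/>
</Types>
"@
    $parts = @{
        '[Content_Types].xml' = $ctXml
        'word/document.xml'   = '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>'
        'word/vbaProject.bin' = 'placeholder bytes, not real VBA'
    }
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        foreach ($name in $parts.Keys) {
            $w = New-Object System.IO.StreamWriter($zip.CreateEntry($name).Open())
            $w.Write($parts[$name]); $w.Dispose()
        }
    }
    finally { $zip.Dispose() }
}

# Demo: a macro-enabled package renamed to .zip, as in the post.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'renamed-macro-doc.zip'
New-SampleMacroPackage -Path $sample
Test-OpenXmlMacro -Path $sample | Format-List
```

For the renamed sample the report shows IsOpenXml, HasMacros and ExtensionMismatch all true; a plain .docx with no VBA part reports HasMacros false and no mismatch. Pointing `Test-OpenXmlMacro` at a directory of inbound attachments (`Get-ChildItem | ForEach-Object { Test-OpenXmlMacro $_.FullName }`) is the practical use: it flags exactly the case the post describes, macro content hiding behind an extension that does not advertise it.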

posted @ Wednesday, September 27, 2006 11:58 PM
Tips for a single-server upgrade from Exchange 2003 to Exchange 2007

Wow. Long blogging break! My apologies for letting time go by; we've been busy.

As we've been getting hands-on experience with Exchange 2007, I've discovered a couple of tips that might be waiting to ambush unsuspecting single-system Exchange administrators. Without further ado, here's some crunchy Exchange 2007 goodness.

Tip #1: Make sure you have an SMTP connector defined on your Exchange 2003 server.

By default, Exchange 2000 and Exchange 2003 don't configure an SMTP connector, and many single-server/single-site admins don't bother to create an SMTP connector. You don't need one in order to send mail to the Internet; by default, every Exchange 2000/2003 SMTP virtual server will do the necessary DNS lookups to deliver extra-organizational mail directly, unless an SMTP connector with the appropriate address space and scope exists. So far, so good, right? Well, Exchange 2007 is a bit different. Thanks to its new role-based architecture, the Hub Transport role does all the message routing inside of the organization.

When you install a new HT role (and for a single-server upgrade, you'll probably have the Mailbox, Hub Transport, and Client Access roles on your single server), it comes out of the box with a minimal set of SMTP connectors -- just enough to send and receive authenticated SMTP from other Exchange 2007 servers in the organization. Since you can't do an in-place upgrade from Exchange 2003 to Exchange 2007, you have to deploy Exchange 2007 on a separate box, and then you have to define a Routing Group connector between your Exchange 2007 server and your Exchange 2003 server. And once you do, you may find that suddenly you're not sending any mail outside of your organization any more.

What happened?

Let's follow the chain of events:

  1. The existing Exchange 2003 server is in its own administrative group and routing group. With no SMTP connector in the org, it sends outbound mail according to the configuration of the SMTP virtual server (which uses DNS by default).
  2. The new Exchange 2007 server installs into a new administrative group and routing group. (These groups are used by all further Exchange 2007 servers, but since we're not installing any, that's a moot point.)
  3. The new Exchange 2007 Hub Transport role has a default SMTP receive connector and a default SMTP send connector, both of which are set to only exchange SMTP traffic with other authenticated Exchange 2007 servers in the org.
  4. You create, according to the docs, a Routing Group Connector between the Exchange 2003 server/RG and the Exchange 2007 server/RG.
  5. Now, suddenly, the Exchange 2003 server has a routable SMTP connector with the default address space ("*") in the org. It therefore follows designed behavior and stops sending external messages directly, instead queuing them up through the RGC to the new Exchange 2007 server. Since the new server isn't configured to send external mail directly yet, the messages start piling up in its queues.

The fix is simple: either create the outbound SMTP send connector on the Exchange 2007 server before you create the RGC, or create an SMTP connector on your Exchange 2003 server before you create the RGC. Which option you pick depends on what you're trying to accomplish.
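The first option from the fix, in the order that avoids the outage, as an added Exchange Management Shell example that is not part of the original post. The server names EX2007 and EX2003 and the connector names are placeholders; the cmdlets (New-SendConnector, Get-SendConnector, New-RoutingGroupConnector, Get-Queue) are the Exchange 2007 ones, and the script assumes a single Exchange 2007 server holding the Mailbox, Hub Transport and Client Access roles.

```powershell
# Added example, not from the original post. Run in the Exchange 2007 Management Shell.
$hub    = 'EX2007'   # assumed: the new single server (Mailbox + Hub Transport + CAS roles)
$legacy = 'EX2003'   # assumed: the existing Exchange 2003 server

# 1. Give the Hub Transport role an Internet send connector FIRST, routing by DNS (MX lookup),
#    which is what the Exchange 2003 SMTP virtual server was doing on its own until now.
New-SendConnector -Name 'Internet (DNS)' -Usage Internet -AddressSpaces 'SMTP:*;1' `
    -DNSRoutingEnabled $true -SourceTransportServers $hub

# 2. Refuse to go further unless a "*" address space is now served from the 2007 side.
#    The moment the RGC exists, Exchange 2003 will hand all external mail to this server.
$internet = Get-SendConnector | Where-Object {
    $_.AddressSpaces | Where-Object { $_.Address -eq '*' }
}
if (-not $internet) {
    throw "No send connector with address space '*' on $hub; do not create the RGC yet."
}

# 3. Only now wire the two routing groups together.
New-RoutingGroupConnector -Name 'EX2003 <-> EX2007' -SourceTransportServers $hub `
    -TargetTransportServers $legacy -Bidirectional $true -Cost 1

# 4. Verify mail flow: with the connector in place, external messages should not sit in
#    the Hub Transport queues. Anything with a growing MessageCount here is the symptom
#    described in step 5 above.
Get-Queue -Server $hub | Where-Object { $_.MessageCount -gt 0 } |
    Format-Table Identity, DeliveryType, Status, MessageCount, NextHopDomain -AutoSize
```

If you instead take the second option (an SMTP connector on the Exchange 2003 side), the same check in step 2 still applies in spirit: confirm that whichever server owns the "*" address space can actually reach the Internet before the routing group connector makes it the path for every outbound message.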

Tip #2: If you are using HTTP, IMAP, or POP3 protocol access in Exchange 2003, you will suddenly be in a FE/BE situation when you install Exchange 2007.

A single-server Exchange 2003 box can easily serve out RPC over HTTPS, OWA, Exchange ActiveSync, and other client protocols without requiring you to have a separate front-end server. But once you introduce that Exchange 2007 Client Access Server role, you've unknowingly switched to an effective FE/BE architecture. If you're planning on having the two versions co-exist for a while, you'll have to make the corresponding changes to your Exchange 2003 machine.

What kind of changes am I talking about? Well, take HTTP protocol access -- OWA, EAS, RPC over HTTPS. You've been a good admin and deployed them under SSL. Now you've got an Exchange 2007 server for a time of co-existence, and you'd probably like to continue to have a single defined set of URLs until you've moved all the mailboxes off of Exchange 2003. It's not simply a matter of migrating certificates and re-pointing your publishing rules, because while an Exchange 2007 CAS can talk to Exchange 2003 BE servers, an Exchange 2003 FE cannot talk to Exchange 2007 mailbox servers. If you want one machine to handle all incoming traffic, it has to be the Exchange 2007 machine.

While the Exchange 2007 CAS role seems to be just a new name for a front-end server, that's not really the case. The FE server architecture in Exchange 2000/2003 was never a required configuration; it was there to make your life as an admin easier by reducing the number of Exchange servers that had to be directly exposed to incoming connections from the Internet (this is in the pre-ISA days). The FE/BE architecture gives you URL consolidation, as well as performance wins and an easier path to hardening. The Exchange 2007 CAS, though, is a required part of the 2007 architecture. It handles a lot of key pieces of functionality, and while it can do the FE job when talking to an Exchange 2003 mailbox server, it isn't "just" a front-end server.

So, the minute you decide to use the Exchange 2007 CAS role to access your Exchange 2003 mailboxes, you now have a problem. Exchange 2007 is going to mimic the functionality of a FE server -- and one of the big limitations in the FE/BE architecture is that you can't use SSL to secure FE/BE communications. Your single Exchange 2003 server is blithely running along using SSL. In order to get it working with the Exchange 2007 CAS, you have to disable SSL on the Exchange 2003 server.

posted @ Wednesday, September 27, 2006 11:42 PM
News

Devin has moved on to new adventures. This blog is preserved for historical purposes. Please follow his personal blog at: Devin on Earth
