Entries Tagged as 'Internet'

Spam protection

Internet, Security, Malware, Terminology, Information Technology, Spam

Wouldn’t it be great if all unsolicited commercial email, or spam as it’s more commonly known, came with a tag in the subject line that identified it as spam?  Not surprisingly, the people who send spam don’t see the value in that idea.  The job of defending networks and users against spam is on the shoulders of network administrators and users.  Understanding what defences are available and how they work will help users and network administrators choose the best solution for their environment.

Spam filtering can be done at any of four points in the path of an email: as it is sent, before it reaches the destination server, on the destination server, or at the end client.  Checking for spam as it is sent seems, on the surface, to be futile, since someone intending to broadcast spam would certainly not do it.  In fact, a large portion of spam is sent using malware that is unknowingly installed on end user hosts.  Checking for spam leaving a host would identify that there is a problem, which could then be corrected using malware removal tools.  Companies that host their own mail servers, as well as many hosting providers, check email for spam as it arrives or while it is being processed by the mail server.  Filtering spam before it arrives at the server reduces network traffic and isolates the server from malware that may be contained in spam, but often limits the ability of users to allow email that may look like spam but comes from people or businesses they know.  This is called whitelisting a sender or email domain.  Moving the spam filter to the mail server often adds simpler configuration tools that allow administrators or users to adjust the whitelist (desired) and blacklist (malicious) settings either globally or per user.  Client-based filtering allows users to individually decide how to identify spam and how to act on each message based on the rules that they configure.  Any or all of these types of filtering can be used, depending on how much control a network administrator wants to retain or offload to users, and most solutions are a hybrid mix.

Regardless of the stage in the email flow at which a filter tests for spam, the same criteria can be used.  Most spam filters run a number of tests in a set order, with specific action and logging settings for each test.  The ideal filter would allow all desirable mail through and block all spam, but since spammers are constantly fighting the filters, new rules must constantly be implemented.  A subscription with the spam filter vendor allows the filter to be updated with defences against new spamming methods soon after they are discovered.  Here are some of the more common methods included in spam filters to detect and protect against spam.

Heuristics/Bayesian analysis – These intelligent filters learn and use statistics to determine if a message is spam.

Reputation – Most anti-spam vendors keep databases of known spammers and tag any mail from their domain or IP address as spam.

Phishing – The scan engine looks for links in emails to known phishing sites and tags them.

RBL – Realtime or Relay blacklist – These are third-party lists of reported spammers on the Internet.  These blacklists often list IPs and domains that have only temporary malware problems, or that simply fall within a large range of listed addresses.

Header checking – The scan engine compares the SMTP (envelope) sender address with the MIME From address in the message header to make sure they match, and looks for other header anomalies.  Email clients set the MIME address, while the server sets the SMTP address.  Spammers exploit this difference to mask the origin of an email.

Directory harvesting – Emails sent to multiple non-existent accounts in an email domain are marked as spam.  The term directory harvesting is used because when a sender submits a large list of names to a mail server, most bounce back as undeliverable, but some may not.  Eventually the sender can, by process of elimination, build a list of valid email addresses on the domain.

SPF – Sender Policy Framework – A relatively new DNS record type that defines the domain names and hosts authorized to send email for a given domain.  Although not widely used initially, this method of protecting a domain has become more common.

rDNS – Reverse Domain Name Service – Where DNS takes a domain name and translates it to an IP address, rDNS starts from the IP address and checks that the domain name in the email header matches the domain name that the IP resolves back to.  This identifies servers that are relaying mail for other, typically unauthorized, domains.

Blacklist – A list on the anti-spam server, generated automatically or by user intervention, that identifies domains or IP addresses that users have reported as sources of spam.

Keyword checking – A list, generated automatically or by user intervention, of words that appear in undesirable emails.  These words could be profanity, pornographic or pharmaceutical terms, or any others.
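As an added illustration (not code from the original post), here is a small Python scoring filter that applies several of the checks above, the RBL, header, rDNS, directory-harvesting and keyword tests, to two constructed messages. The blacklist, reverse-DNS table, keyword list and local user directory are made-up stand-ins, and the Bayesian and SPF tests are left out because they need a trained corpus and live DNS respectively.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed stand-ins for a vendor reputation feed, a third-party RBL,
# reverse-DNS answers and the local user directory; none of this is real data.
RBL_IPS = {"198.51.100.23"}
RDNS = {"203.0.113.10": "mail.example.net",
        "198.51.100.23": "dsl-23.dynamic.isp.example"}
KEYWORDS = {"pharmacy", "lottery", "unsubscribe"}
LOCAL_DOMAIN = "example.com"
LOCAL_USERS = {"alice", "bob"}

def _domain(header_value):  # domain of the first address in a header, or ''
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def score_message(raw, client_ip):
    """Run the tests in order on a single-part RFC 822 message delivered from
    client_ip and return (score, reasons); each test adds a fixed weight."""
    msg = message_from_string(raw)
    found = []  # (points, reason) per test that fires
    # Reputation / RBL: the connecting IP is on a blacklist.
    if client_ip in RBL_IPS:
        found.append((3, "rbl"))
    # Header checking: server-set SMTP envelope sender vs client-set From.
    env, frm = _domain(msg.get("Return-Path")), _domain(msg.get("From"))
    if env and frm and env != frm:
        found.append((2, "header-mismatch"))
    # rDNS: the PTR name for the connecting IP should sit under the From domain.
    ptr = RDNS.get(client_ip, "")
    if frm and not (ptr == frm or ptr.endswith("." + frm)):
        found.append((2, "rdns"))
    # Directory harvesting: several local recipients that do not exist.
    rcpts = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    unknown = [a for a in rcpts if a.endswith("@" + LOCAL_DOMAIN)
               and a.split("@")[0] not in LOCAL_USERS]
    if len(unknown) >= 3:
        found.append((3, "directory-harvest"))
    # Keyword checking on subject and body, one point per distinct hit.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = sorted(k for k in KEYWORDS if re.search(r"\b" + k + r"\b", text))
    if hits:
        found.append((len(hits), "keywords:" + ",".join(hits)))
    return sum(p for p, _ in found), [r for _, r in found]

def is_spam(raw, client_ip, threshold=5):  # tag once the combined score reaches threshold
    return score_message(raw, client_ip)[0] >= threshold

# Constructed sample messages (not real mail).
SPAM = """Return-Path: <bulk@dynamic.isp.example>
From: "Rx Deals" <offers@pharmacy-promo.example>
To: alice@example.com, carol@example.com, dave@example.com, erin@example.com
Subject: Cheap pharmacy lottery winner

Click here to unsubscribe.
"""
HAM = """Return-Path: <bob@example.net>
From: Bob <bob@example.net>
To: alice@example.com
Subject: Lunch tomorrow?

Are we still on for noon?
"""
```

The weights and threshold are arbitrary; a real product tunes them per site and lets a whitelist override the result.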

Regardless of which type of spam filtering is used and which tests are implemented, all but the most expensive appliances require configuration and some amount of learning.  Don’t expect a product to stop all spam right out of the box.  With some adjustments and ongoing updates they are great tools to keep users productive.

Passwords

Internet, Security, What's new?

These days we seem to need a PIN or a password for just about everything.  If you follow everyone's recommendations, you'll end up with countless sets of random characters that you are expected to memorize and change on a regular basis.  That seems a little unreasonable for all but the few people who have perfect recall.  While I agree that these rules are important to keep your personal information and finances secure, I think there needs to be a happy medium where the risk matches the required effort.  It's a little risky for me to make suggestions about password security, so please remember that anything short of a completely random mix of characters that only you have memorized is at some level a security risk.

Good security involves three components: something you have, something you know, and something you are.  The something you have may be a bank card, security card, or key fob.  Something you know would be a PIN or password, and something you are is typically a biometric like a fingerprint or retina scan.

PIN numbers (yes, I do know that the N in PIN stands for number, but it flows better) are used widely in the financial arena to verify that the holder of the card is actually the person authorized to use it.  The weaknesses are that the third component, something you are, is still missing, and the other two can be stolen or copied.  Bank cards go missing all the time, but fortunately most do not have the owner's PIN printed on the back.  If a card is stolen by someone who really wants to gain access, your best protection is a hard-to-guess PIN.  Obviously birthdates and anniversaries are not good options, nor are easy-to-spot numbers like 5555.  Choose a PIN that is random, then come up with a way to remember it.  For example, 4516 could be remembered by the word "deaf", which is made up of the 4th, 5th, 1st and 6th letters of the alphabet.  Patterns on the keypad as you punch the numbers in are sometimes helpful too.  One financial institution uses a combination of a couple of passwords for online banking, but only asks for certain characters each time you connect, so the entire password is never typed in a single session.

Email passwords and web site passwords use only one of the three components of good security: something you know.  These passwords are usually at more risk because most information passed over the Internet can be seen by malicious people with basic hacking skills.  Emails are sent in clear text, which means they should never contain passwords, credit card numbers or other important information.  If you're like me, you probably have a number of email addresses and access to many password-protected web sites.  My memory is pretty good, but there's no way I could memorize random characters for over 100 accounts and change them on a regular basis.  My solution has been to categorize the email accounts and web sites according to their importance and risk to me.  Some accounts have a unique password, but others are in a category that contains a number of accounts with the same password.  I also use variations of a password in some cases so that I can remember them while maintaining a good level of security.  Newer computers often come with fingerprint readers and password "vaults" where you can store a number of passwords and only access them with a combination of a fingerprint and a password.  Since something you are is the most secure of the three components of good security, this combination is a good option for keeping your information secure.  I would, however, advise that you keep a list in a safe deposit box as well, since hardware can fail or be stolen and you may lose access yourself.

There are many technologies that have been in use for years that are now coming into everyday use, as well as improvements on the forefront, such as biometrics in payment cards.  As with any security, the best defence is always knowledge.  If you know what's risky you can avoid it.  With that in mind, I have a few copies of a security reference handbook written by Symantec that I will make available to the first three people who post comments.  Follow up with an email directly to me at gsiverns@basicbusiness.com with your address so I can send you the booklet.

Safe Browsing

Internet, Security, Malware

One of my earliest blogs was about security and I made a point of deterring people from going to web sites other than the big name, well known sites.  I was a little surprised that I didn’t get many emails telling me that I was being overcautious.  I did get one message pointing out that a large part of the value of surfing the net is finding new sites with new information.  I agree.  Is that contradictory?

I’m guilty of doing exactly what I said shouldn’t be done.  When I search for information I frequently click on links to sites I’ve never visited, belonging to companies I’ve never heard of.  I’m not immune to malware, but I do have a few tricks and tools up my sleeve to help make sure I’m protected.  The first and most important tool is education.  I’ve spent a great deal of time since I started this career learning about the methods that hackers use to attack computers.  This knowledge has helped me to develop habits that make me a less likely target for hackers.  While I believe that nothing will completely protect someone from malware and security breaches, I’ll share some tricks and tips that will certainly help.

First of all, any computer connected to the Internet should be fully patched and protected by firewalls.  Yes, that was plural.  Data travels between computers and the Internet in two directions.  Home and small business routers by default block all traffic coming in, but allow all traffic outbound.  They can typically be changed to block all but the necessary outbound traffic, but this requires quite a bit of knowledge and management to implement and maintain.  For outbound traffic I recommend a personal firewall such as the firewall built into recent versions of Microsoft Windows.  This firewall will typically prompt you if a port or program is blocked so that you can consent to allowing access.  If you don’t know what’s asking for access it’s best to say no.  My experience is mainly with Microsoft products, but patching applies to every operating system available today.  For Microsoft Windows, I recommend turning on automatic updates and checking to make sure that updates have been applied at least once a month.   Of course all computers should have up to date antivirus software installed as well.

Once you have this basic protection in place you’re ready to open a web browser.  If you’re searching for information there are many search engines available.  I like Google, but feel that it’s a personal preference, not because of any technological advantage.  When you get your results, look at the URL that is linked.  Most North American domains end in .com, .net, .org or .ca, although there are some other new ones gaining popularity.  Phishing and hacking sites are often hosted in countries where law enforcement is not as likely to catch them, so unless you’re looking for something specifically in China, avoid domains ending with .cn, for example.  Once you’ve clicked the link, if you see a lot of pop-ups or the page is not what you expected, leave.  Close your browser and any pop-ups.  It may already be too late, but there is a chance you’ve been quick enough to avoid a “drive-by download”.

The Internet is a wonderful tool, but like anything popular it attracts people who hope to profit from people who don’t know how to protect themselves.  If you leave your purse on your car seat and your windows down, chances are that it will be stolen.  Basic protection will help avoid the majority of threats.

Internet Backup

Internet, Backup

Basic Business Systems entered the internet backup market about four years ago.  At that time most companies relied on magnetic tape to back up their data, and home users either didn’t back up at all or just burned important files to CDs on a regular basis.  Our experience has been that tape backups can be very unreliable for a number of reasons.  Probably the biggest problem with tapes is that someone has to put them in the tape drive every day.  We found that in some cases people didn’t realize they should be doing that, or just became complacent and eventually forgot about it.  The other big issue was reliability.  Tapes have a finite life, and because they have to move to work, both the tapes and the tape drives are subject to wear and contamination.  Backups should be checked every day to ensure that they were successful, and they really should be tested regularly to verify that the data can actually be restored.  On more than one occasion we were called in to help a company that had a drive fail, only to find out that their backups were either very old or non-existent.

Internet backups have helped address most of the challenges we faced, but also presented a few new ones of their own.  The first step to simplifying and increasing the reliability of backups was to remove the human factor for our clients.  Internet backups, or remote backups, store the data on a remote server that is always available, eliminating the need to change something such as a tape.  By hosting a number of clients on a single server we were able to build in redundancy that would not have been cost effective for any one client.  This meant that there was clearly a need to encrypt the data to protect it from being accessed by someone other than the owner.  Even transporting the data across the Internet would require encryption to protect it from being read while in transit.  Our approach was to set everything up, then allow our clients to set their own password to generate the encryption key.  The encryption key was then used at the source to transform the data into an undecipherable state before it was transported to and stored on the remote server.  In the event that they needed to restore data, the encrypted files would be copied back to the client’s server and decrypted using the same key.  Although remote backups are substantially more reliable than tape, they are not infallible.  They do have an advantage over many backup solutions in that they can notify someone if there is a problem.  This could be anything from a corrupt file to an internet connection failure.

For most people, the speed of their Internet connection has increased substantially over the past few years.  Even with the new technologies and lower costs, it can still take many days to back up an entire file server to the Internet.  In many cases it is not difficult to back up the server to a portable hard disk and ship it to the backup host, but you would still be faced with getting all of that data back locally in the event of a major failure.  My recommendation would be to keep a copy of the server backup in a safe location which can be restored as needed, then updated with current data from the online backup.  For home users, it may make more sense to keep important files like family photos on CDs or DVDs in a safe deposit box and only back up current data to the Internet.  This makes sure that your backup is as current as possible while keeping the cost more manageable.

Even if you feel that Internet backup is not for you, please check your tapes!

Wireless Security

Internet, Security

Have you ever tried to connect to a wireless network and noticed how often you see a network called Linksys or netgear?  Businesses and homes are connecting to the Internet with many devices in addition to computers.  In homes we often see game systems, security systems, and even appliances connecting to transmit grocery lists.  While some newer homes are wired for computer connections throughout, older homes are not, which restricts where and what you can connect.  The most common solution to this problem is the addition of a wireless access point (WAP) or wireless router.  These devices are easy to install and can be up and running with default settings in a matter of a few minutes.  Unfortunately the default settings on these devices are well known and have no security.  Without security on a WAP any user can connect and use your network.  This is commonly referred to as hijacking.  While you may not see any immediate harm in this, there are risks.  At the very least the hijacker could use your connection to download from the Internet, possibly causing excess usage charges to be levied against the owner.  At the more extreme end of the spectrum, the hijacker could possibly access personal information stored on other computers in the network, or use the connection for illegal activity that could leave the network owner liable in some manner.

All of these devices do have a number of security features available that simply need to be turned on and configured.  With a little understanding of some of the features and terminology, anyone can close the security holes to help thwart would-be hijackers.  The first step in securing a wireless device is to set a password on the admin account that is difficult to guess without being so complex that the owner can’t access it.  Now that only the owner of the device can access the configuration, you can change how devices connect and even restrict which devices can connect.  When you first try to connect to a wireless network you see a name (or in many cases a list of network names in your area), which is called the service set identifier or SSID.  Typically you would set this to something more descriptive of the network so that it is clear to people looking for it.  Changing the SSID is similar to painting your house: it personalizes it, but doesn’t effectively change its function.  To add security you can tell the WAP not to broadcast the SSID, which means that people looking for wireless networks will not see this one.  The next step is to add wireless security in the form of an access password and/or encryption.  You will probably see a number of security options such as WEP and WPA listed in your device, and a number of options within each of these.  Wired Equivalent Privacy (WEP) was the original standard for wireless security and may have to be used if older devices that don’t support newer standards are connecting.  A better option, if it is supported by all devices that you want to use wirelessly, is Wi-Fi Protected Access (WPA or WPA2).  This newer standard is more secure without adding complexity.  Detailed explanations of each of the options within the encryption families are beyond the scope of this blog, but suffice it to say that any setting on the WAP must match a setting on the device that is connecting.

One further layer of security is MAC authentication.  Media access control (MAC) addresses are distinct numbers assigned to any device that can connect to a network.  MAC authentication allows a WAP to keep a list of MAC addresses that it will allow to connect.  You typically need to enter the address of each connecting device manually on the WAP, in addition to any other security settings you have implemented.
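As an added example (not from the original post), here is a Python audit of the checklist above run against two constructed router configurations, the out-of-the-box state and a hardened one. The dictionary keys such as admin_password, ssid_broadcast and mac_filter are assumed names, not any vendor's actual settings.

```python
# Factory SSID names mentioned in the post plus a constructed list of default
# admin passwords; extend both from your own vendor documentation.
DEFAULT_SSIDS = {"linksys", "netgear"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password"}
MIN_PSK_LEN = 8  # WPA/WPA2 pre-shared keys are 8 to 63 ASCII characters

def audit_wap(cfg):
    """Return the list of weaknesses found in a WAP configuration dict.
    The key names are assumed for this example; real devices use vendor labels."""
    findings = []
    # Step 1: the admin account must not keep a default or trivially short password.
    admin = cfg.get("admin_password", "")
    if admin.lower() in DEFAULT_ADMIN_PASSWORDS or len(admin) < 8:
        findings.append("admin password is a default or shorter than 8 characters")
    # Step 2: a factory SSID advertises an unconfigured device.
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("SSID is a factory default name")
    # Step 3: hiding the SSID only stops casual discovery, but the post asks for it.
    if cfg.get("ssid_broadcast", True):
        findings.append("SSID is broadcast")
    # Step 4: encryption family; WEP is obsolete and only tolerated for old clients.
    security = cfg.get("security", "none").upper()
    if security == "NONE":
        findings.append("no wireless encryption: anyone in range can connect")
    elif security == "WEP":
        findings.append("WEP in use; move to WPA2 once every client supports it")
    elif security in ("WPA", "WPA2") and len(cfg.get("passphrase", "")) < MIN_PSK_LEN:
        findings.append("WPA passphrase shorter than %d characters" % MIN_PSK_LEN)
    # Step 5: MAC filtering must be on and actually populated.
    if not cfg.get("mac_filter", False):
        findings.append("MAC address filtering is off")
    elif not cfg.get("allowed_macs"):
        findings.append("MAC filtering enabled but the allow list is empty")
    return findings

# Constructed configurations: the out-of-the-box state and the hardened state.
DEFAULT_CFG = {"admin_password": "admin", "ssid": "linksys",
               "ssid_broadcast": True, "security": "none", "mac_filter": False}
HARDENED_CFG = {"admin_password": "Gr33n-Kettle-Harbor!", "ssid": "smith-home",
                "ssid_broadcast": False, "security": "WPA2",
                "passphrase": "copper lantern river 42 hedgehog",
                "mac_filter": True, "allowed_macs": ["00:11:22:33:44:55"]}
```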

The best security settings for wireless networks would mean that a potential hijacker would have to know your SSID, your encryption scheme, the security passphrase or key, and have the ability to determine and spoof (the computer term for forgery) an authorized MAC address.

Powered by Mango Blog. Design and Icons by N.Design Studio