10 very practical suggestions for choosing an email archiving solution

What makes a good archiving solution? Count 1 to 10:


1- No vendor lock-in

[Figure: email archiver dashboard]

Archiving email is a long-term commitment: you need to think long term and make sure that in 10 or 20 years from now you will still be able to use your email archive autonomously, easily and reliably.

If the data is stored in a proprietary format you will not be able to move it to a different archiving solution, and you may not even be able to read it without the software provided by the vendor, who may not be around anymore at that time.

This is why it is important that your emails are stored in an open format, one that you can read with open tools and without any special knowledge: your current staff may not be around when you need to recover the archive.

In 10 or 20 years from now any proprietary tool may no longer run on whatever the current operating system will be; if it does, you may hit technical issues for which you need the support of a vendor who no longer exists. When that happens you will probably be in a hurry, and you will find out that everything is much more complicated, expensive and time-consuming than you expected.

Having the whole archive in an open, standard format that you can easily recover without any specialised tool is crucial. The best solution allows you to retrieve the email you are looking for with the bare minimum of tooling: a file manager.

Our email archiver stores plain EML files inside Zip files, one Zip file per day or every 4000 emails. The filename of the Zip file clearly states the archive date, so the only tool you need to search and recover email is a file manager.

Why this choice? Zip is a standard format, supported now and tomorrow by a large number of open tools. It provides compression, de-duplication and state-of-the-art encryption (AES256). There is no need to re-invent the wheel, unless you are aiming to lock your customers into a proprietary format.


2- Legal validity

[Figure: RFC3161 certified timestamps]

It is important that your stored email can be used as legal evidence, should you need it. This means being able to legally prove that:

  1. the email has been received and archived at a specific time
  2. it has not been modified afterwards

There is a standard, formalized in RFC3161, called “certified time-stamping”. This is an open and documented standard, supported by many open tools that can be used to verify authenticity.

Our archiver ships with an embedded certification authority that certifies every single email that is stored. This happens automatically out of the box; no configuration is needed.

Whenever an email is retrieved from the archive, the archiver also automatically verifies its integrity.

Legal validity should simply be there, without any configuration burden, and this is how we designed it.
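An added example (not the archiver's own code) of the layout described in sections 1 and 2: EML files in a date-named Zip, searchable with nothing but the standard library, with an integrity check whenever a message is retrieved. It assumes a SHA-256 manifest inside the Zip in place of the RFC3161 timestamp token, so it runs offline; the sample messages are constructed.

```python
"""Open-format archive: plain EML files inside one Zip per day (date in the
filename), plus an integrity check on retrieval. Added example, not the
product's code. Assumption: a SHA-256 manifest stands in for the RFC3161
timestamp token so the demo runs offline with the standard library only.
A real archive anchors the digest in a signed, time-stamped token so that
the manifest itself cannot be quietly rewritten together with a message."""
import hashlib
import io
import json
import zipfile
from datetime import datetime
from email import policy
from email.parser import BytesParser

MANIFEST = "MANIFEST.json"

# Constructed sample messages (not real mail).
SAMPLE_EMAILS = [
    b"From: alice@example.invalid\r\nTo: bob@example.invalid\r\n"
    b"Date: Thu, 14 Mar 2019 09:12:00 +0000\r\nSubject: Lunch?\r\n\r\nNoon?\r\n",
    b"From: billing@example.invalid\r\nTo: bob@example.invalid\r\n"
    b"Date: Thu, 14 Mar 2019 11:30:00 +0000\r\nSubject: Invoice 4711\r\n\r\nAttached.\r\n",
]


def archive_name(received):
    """Daily Zip named by date, so a file manager alone can locate a day's mail."""
    return f"archive-{received:%Y-%m-%d}.zip"


def build_daily_zip(emails):
    """Pack raw EML messages into one Zip, with a manifest of SHA-256 digests."""
    buf = io.BytesIO()
    manifest = {}
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i, raw in enumerate(emails):
            name = f"{i:06d}.eml"
            zf.writestr(name, raw)
            manifest[name] = hashlib.sha256(raw).hexdigest()
        zf.writestr(MANIFEST, json.dumps(manifest, indent=1))
    return buf.getvalue()


def retrieve(zip_bytes, name):
    """Read one EML back; refuse to return it if it no longer matches the manifest."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        manifest = json.loads(zf.read(MANIFEST))
        raw = zf.read(name)
    if hashlib.sha256(raw).hexdigest() != manifest.get(name):
        raise ValueError(f"{name}: integrity check failed")
    return raw


def search(zip_bytes, header, needle):
    """Names of EML entries whose header contains needle (case-insensitive)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not name.endswith(".eml"):
                continue
            msg = BytesParser(policy=policy.default).parsebytes(zf.read(name))
            if needle.lower() in str(msg[header] or "").lower():
                hits.append(name)
    return hits


def tamper(zip_bytes, name, injected):
    """Constructed after-the-fact modification, used only to show detection."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for entry in src.namelist():
            data = src.read(entry)
            dst.writestr(entry, injected + data if entry == name else data)
    return out.getvalue()


if __name__ == "__main__":
    day = build_daily_zip(SAMPLE_EMAILS)
    print(archive_name(datetime(2019, 3, 14)), search(day, "Subject", "invoice"))
    try:
        retrieve(tamper(day, "000000.eml", b"X-Edited: yes\r\n"), "000000.eml")
    except ValueError as err:
        print("detected:", err)
```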


3- Multiple copies

[Figure: email archiver volumes]

Storing all of your stuff in a single place is not wise. This applies to backups and especially to email archiving, which is much more than a set of backups. You must be able to store multiple copies of your archive in multiple locations, automatically and continuously.

Our archiver supports an unlimited number of volumes of different types: local disks, LAN drives, object storage (supporting virtually all providers and protocols), ftp and sftp.

Email is automatically stored in multiple copies on different volumes which can exist in many different geographical locations (archives are encrypted with AES256). You can also define different retention times for different volumes. For example you can decide that a local volume stores the last 5 years while a remote object storage volume stores the last 20 years worth of email.


4- Usability

[Figure: email archiver Outlook add-in]

Email archiving is not just for compliance, it’s also a tool to improve the productivity of the company. Users should be able to use it for retrieving their own archived email. In order for this to be achieved, the user interaction must be straightforward.

We provide an Outlook plugin (it also works in OWA and O365) which can be deployed automatically, an iOS and an Android app, and a web app. Users can do more than work with their own email archive: delegation is supported, and saved searches can be shared with other users, providing an easy way to delegate access to a well-specified subset of email.

Slow mail server? The archiver can automatically delete old email from your mailserver, after having verified that it is safely stored in the archive.

The archiver provides a full-text search engine that is much faster than any mail server. In terms of user interaction, the standard definition of what is perceived as “instantaneous” is below 100ms, and this is the response time of a standard search query on a big archive of millions of email messages on our archiver.


5- Privacy

[Figure: privacy management, OTP request for privacy access]

Of course you need to make sure that privacy is properly enforced: email can be seen only by its legitimate owners, and nobody else, including administrators if that’s your policy, can read it.

On our archiver a tenant can be protected by a privacy officer, which means that the administrator too must ask for authorization in order to access email contents.

The authorization process is fast and straightforward: time-based OTP (think Google Authenticator). Six digits that can easily be dictated over the phone for lean but strong privacy enforcement. Once the authorization is obtained, everything is logged and reported back to the privacy officer.


6- Flexible ingestion

[Figure: ingestion options]

The email archive will follow you over time. The archiver system must be very flexible in terms of ingestion so that you can easily move to different email systems, migrate to or from the cloud, without having to re-think your archiving strategy.

Supported ingestion methods must include SMTP journaling, SMTP forwarding, IMAP, POP3, native O365 and Exchange connectors.

Import of PST or EML archives should be supported as well as exporting to the same formats.

We’ve also implemented batch import for a painless bootstrap: you can provide entire disks full of PSTs or EML archives and they will be imported automatically no matter how big they are.


7- Integration

[Figure: API documentation]

A full API is important when you need to integrate the archiver with your infrastructure, especially if you are an ISP or an MSP and you want to integrate the email archiving service with your existing web panels.

All the features that our archiver provides are available through a complete REST API. It is so complete that all of our front-ends (the web app, the mobile apps and the Outlook plugin) interact with the archiver only through the API, so every functionality is naturally exposed via the API.

You can use the archiver in completely headless mode if you want, and you can perform any integration you will ever need.


8- Ease of deployment

[Figure: current version]

Cloud? On-prem? That should all be covered. Who knows how your infrastructure will evolve in 10 or 20 years.

A virtual appliance provides the maximum flexibility: you can run it in the cloud or on premise, you can easily migrate it around and increase its resources over time, and you have no proprietary hardware to replace, move around or repair.

The virtual appliance updates itself automatically; new features are installed automatically.


9- Archiving flexibility

[Figure: archiving rules]

You should be able to choose what you want to archive and what you don’t want to archive. You should be able to choose different retention times for different emails: newsletters? One year may be enough. Lawyer? 10 years minimum. And so on.

Talking about lawyers: legal hold is the capability of locking some email (for example related to a legal case) until a specified date. This is what you need to make sure that absolutely nothing happens to it until the case is over.

Archiving rules, retention rules, legal hold: all of these are covered by our archiver and can be configured with high precision and granularity, taking advantage of an advanced graphical query builder.


10- Granular permissions

[Figure: granular role management]

Who can do what? You should get to choose, without any limitation. The permission system must adapt to your current and future policies, not the other way around.

Besides the “standard” roles of admin, auditor and user, on our archiver you can create custom roles in a very granular way. A role is basically a collection of capabilities and there are about 80 different capabilities that you can assign to any role you need.


Phishing campaign uses Google reCAPTCHA to avoid Sandbox detection

Recent email phishing campaigns are using Google reCAPTCHA as part of their efforts to bypass click-time protection sandboxing, requiring user interaction before delivering the actual contents of the phishing page.

We have seen two different instances of such campaigns, both are targeting Office 365 users in order to collect their credentials. Implementation details suggest that the two campaigns are not coming from the same actors.

In both instances, as soon as the user clicks on the link contained in the email and the browser lands on the page, a Google reCAPTCHA is displayed in an otherwise empty page:

This is intended to act as a barrier for automated scanning services, letting only humans go through this first step.

The phishing web application is built using React, a widely used JavaScript framework. The level of skill required is well above the average for such phishing campaigns.

[Figure: the source code of the React phishing application]

After the reCAPTCHA has successfully confirmed that the visit comes from a human, then the real phishing page is displayed:

Phishing campaigns keep improving. Evading inspection by bots increases the longevity of the phishing site by delaying the moment the website is blacklisted and browsers start displaying red warnings to users visiting it. In this case the phishing site is still online and not blacklisted after more than 5 days, at the following domain: infiniteaudiovisual[.]com.

Here is a video of the whole process:


URL sandboxing services like Libraesva URLSand, by visiting the page at click-time, can afford to make deeper checks on the contents of the website and on its behaviour in reaction to real clicks originating from real phishing emails.

Besides searching for phishing toolkits and patterns, besides semantic analysis and heuristics, besides reputation checks and machine learning, our URLSand actively looks for evasion and obfuscation attempts.

Evading detection is crucial for the attacker, but the evasion itself provides useful signals to the expert analysis of specialized automated security systems, which are continuously kept up to date by our Esvalabs team.

This is the approach that allows our URLSand to block this and similar threats.


What is the Libraesva QuickSand Sandbox

The Libraesva Quicksand Sandbox is a security service that protects the Libraesva customers from malicious active content in Microsoft Office and PDF Files.

  • What is active content?

Active content is any executable code embedded in a document, like macros, JavaScript code and ActiveX applications.

Quicksand runs on our Email Security Gateway, for free, meaning that files never leave the gateway.

As the name suggests, the sandbox is very quick and efficient: attachments are analysed at the same time as the generic email analysis, with no delays, and it isn’t vulnerable to traditional sandbox evasion techniques.

Quicksand identifies active content inside documents and classifies it based on its behaviour, into these categories:

  • Safe: Active content is present and it does not perform any critical operation in respect to security
  • Suspicious: Potentially critical actions are performed by the active content like downloading data from the internet, launching programs, performing actions on the file system and so on
  • Indeterminate: Active content is present but for technical reasons its behaviour cannot be categorised with enough accuracy
  • Encrypted: The document is encrypted and therefore it is not possible to tell whether there is active content inside

For each of these categories, you can choose what to do with the file:

  • Deliver: deliver the file as is
  • Sanitize and deliver: disarm the active content and deliver the disarmed document
  • Block: do not deliver the file, it will be removed from the email

Not all of the actions are available for all of the categories, for safety reasons. You can also define fallback actions in case the document cannot be sanitised for technical reasons.

Hopefully this blog post helped you understand a bit more about our key product feature QuickSand. Please contact us if you need any additional information, or follow this URL, which showcases the feature in a bit more technical depth.

Whaling, Business Email Compromise and CEO Fraud


You’re probably familiar with Whaling and Phishing attacks by now, the simple fact that you either are a security professional or work in the cyber sector probably means you are actively facing this threat day in, day out. We at Libraesva fancy shedding a little light as to what makes whaling… whaling.

Let’s start with why. Why are these attacks happening? Well, the first reason is that they are pretty easy to carry out: simply spoofing the email address is one way; impersonation can be done using a wide range of techniques, both technical and social, with name similarities, domain similarities, social engineering and so on. This type of attack can be devastating for organizations and quite lucrative for the attacker, with little to no effort needed on the bad guy’s part.

The attack usually starts with a brief email pretending to come from a C-level executive. “Are you in the office?” is a typical approach. If the victim replies, then the attacker knows that his email slipped through the defenses and that the victim didn’t spot the scam. The attack can now proceed toward the final target: a wire transfer or divulging sensitive data.

From an email security perspective, this kind of attack is particularly difficult to block because the emails do not have links or attachments, they are brief, and the messages use a type of language that is common in business emails.

The number of these attacks is quickly rising, and it is reaching companies of all sizes. It is also being semi-automated, at least for the initial email approach. Huge losses have been caused by these types of targeted attacks.

Libraesva designed a specific engine to intercept these attacks. The required configuration is minimal: the names and the legitimate email addresses of the company executives. Email addresses on external email providers are supported if the emails are DKIM-signed, in order to protect against spoofing. Knowing the legitimate names and email addresses of the C-level executives, the engine can perform deep content analysis that would not be feasible on all messages.


Outlook comments abused to deliver malware

It’s no secret that Microsoft Office features are so nice and powerful that they attract the attention of the bad guys, who are always trying new ways to get at your data.

Getting an email to look good in Microsoft Outlook, with its terrible CSS support, can be difficult at the best of times, unless you take advantage of Microsoft’s conditional tags!

All you need is to insert a special HTML comment that Microsoft’s client can decode and execute:

This code will simply be ignored by other email clients, as it’s a comment by definition. Simple and powerful!

So powerful that the bad guys already exploited this feature, coding the malware link into HTML comments that are ignored by many email security gateways as well, so passing through the filters.

Let’s see an example to make it clear how it works:

In the above example the link has been defined inside an HTML comment. It should accordingly be ignored by all HTML rendering engines but, as said, the Microsoft Outlook client (all Windows versions) is an exception.

This is how the email is visualized on a generic email client (Mozilla Thunderbird):


And this is how the email is rendered to a Microsoft Outlook user:


The above link could be used to drive the user to a phishing or malware website!

This is a real-life example of what we see in our labs on a daily basis: malware authors are always trying different techniques to evade detection.

How to be protected against this attack?

A good Email Security Gateway should be able to disarm HTML comments in email!

Unsure if you are protected?

You can safely and easily run our Libraesva Email Security Test that will simulate most common email threats, including this one!


Ramnit apparently still spreading after 9 years

It might be a targeted attack, given that we detected it only in one organization, or it might just be an ancient infection still attempting to propagate. In both cases it is an interesting case.

The attack is coming via email, which is interesting given that it is a VBScript attack. Here is how the email looks:

The email has a spoofed envelope-from and header-from: [email protected] (the misspelling is original)

The email contains VBScript code that creates a file named svchost.exe and executes it:

The variable WriteData is 174592 characters long and contains the payload that is written to a file named svchost.exe and then executed. The final binary file is 56320 bytes long and its SHA-256 hash is
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320.

It is a well-known trojan, first detected in 2010.
Here is what VirusTotal knows about it:
https://www.virustotal.com/#/file/fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320/details
And here is the analysis performed by the sandbox at hybrid-analysis:
https://www.hybrid-analysis.com/sample/fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320?environmentId=110

Interestingly, the text-only entity of the email also contains the part of the script that sits in the commented-out HTML area:

This is likely due to sloppy auto-generation of the text entity, which greatly increases the email size for no reason.

Our systems detected this attack yesterday in a single organization in the UK, making us wonder whether this is a targeted attack.
But, really, a targeted attack using a 9 year old malware?
It looks quite strange, especially considering that the payload is delivered through VBScript embedded in the HTML entity of the email, which is something that virtually every email security solution detects and disarms.

Curious things happen. If you detected something similar recently, feel free to get in touch with me.

If this is a 9 year old infection still propagating, that is by itself worth some thought.

How your email credentials end up in the wrong hands and how they are monetized

Anything can be monetized online, especially the credentials of your email account. Here is how they are abused.

Botnets are one of the main distribution channels for malware and phishing email. A botnet can be composed of hundreds of thousands of compromised devices (increasingly IoT devices) and the command-and-control (C&C) center coordinates the activity of all these devices.

Once upon a time the bots connected directly to the destination mail server to attempt delivery of a malicious email, but ISP firewalls and reputation data could easily identify and block these attempts. Sending malicious email from legitimate email accounts is much more effective: the reputation is good (the email comes from big players like Google or Microsoft), and the malicious email is technically identical to legitimate email, which makes life harder for spam filters and gives it a higher chance of ending up in the recipient’s inbox.

The C&C periodically distributes fresh valid credentials to the bots, to be abused to send bad stuff in the name of the legitimate email account owner. But how do they get the credentials of your email account?

The first source of valid email credentials are data breaches. There are lots of data breaches, more than you can imagine. I had to unsubscribe from the privacyrights.org data breach notification service because of the flooding: 828 databases became public in 2018 for a total of over 1.3 billion records. On average 2.2 breaches per day. Lots of data.

Data breaches contain credentials, which are usually an email address and a password. Lots of users re-use the same password on many services and this means that a lot of these breached records contain valid credentials for email accounts, ready to be abused. The C&C collects and dispatches these credentials to the bots.

What about the email accounts for which the breached password is not valid? You can always guess it.

Many users use passwords that are really simple: the most used password on the planet is “123456”, followed by “password”; in 3rd place we have the slightly more complex “123456789”, then “12345678” and so on. In 8th position we find “sunshine”, followed by “qwerty”, then “iloveyou”, “princess” and so on. Lots of passwords are present in dictionaries; lots are first names, dates, combinations of those and simple variations like “monkey2018”.

You don’t need to make a lot of attempts to guess the password of many email accounts: with a few thousand attempts you get lots of them, and if you have a botnet you can make hundreds of thousands of attempts all at once, each one from a different IP address, without triggering rate-limiting protections.

Got it?

Now, what can you do to prevent this and relax?

First: use a different password for each service. Data breaches happen all the time; if you go to haveibeenpwned.com and enter your email address you will probably find out that your credentials are already public. If you use the same password everywhere, a single data breach compromises all of your accounts, so don’t do it. Use a different password for each service.

You may now be tempted to choose a “smart” technique to generate different passwords from the same root. For example monkey_linkedin, monkey_facebook_2019 and so on.

Not so smart. These variations are easily guessed if you can perform hundreds of thousands of authentication attempts at once. Most of these passwords can be found easily. Don’t think you can easily outsmart brute-force attempts with your limited memory resources.

Entropy is the keyword here. I will tell you something that you won’t like: if you can memorize it, it is low-entropy and if it is low-entropy it can be easily guessed. This means that if you can memorize it, it’s not strong enough. That’s it.

The only way to have passwords that cannot be easily guessed is to have high-entropy passwords which means that you cannot memorize them. Sorry, someone had to tell you.

A password manager is the best way to go today: with a minimal effort you can manage hundreds of un-guessable high-entropy passwords that are all different.

I can understand that a password manager can be a huge obstacle for your aunt and (I don’t want to open a hot debate here) I personally think that for some people a decent fallback is to write passwords on paper. Yes, they are more vulnerable but they are offline and in the end it is much better than having a weak password.

Security means compromise. Choose your compromise but don’t ignore this: if you can memorize it, then it’s not strong enough.


Rodolfo Saccani
Security R&D Manager at Libraesva


Sextortion: the numbers behind the business

The latest trend devised by cyber criminals is online fraud through emails in which the unfortunate recipient is blackmailed for having visited pornographic sites and having been recorded in compromising situations. A short, text-only email claims that a trojan has been installed on the PC that can activate the webcam, thereby recording the user supposedly masturbating while watching pornographic videos. To make the blackmail more credible, the attacker claims to have taken control of the user’s mailbox, impersonating the victim as the sender of the very same message by spoofing the email address.

The question many people ask us, as email experts, is whether this kind of blackmail is actually successful. How many recipients would really be worried by such blackmail and pay 300 dollars in Bitcoin (with all the hassle of obtaining the cryptocurrency!) to make it all go away? I am sure most of you would answer: nobody! ... or almost nobody...

So we decided to look deeper, starting from the Bitcoin wallet address given in the email. When talking about Bitcoin and cryptocurrencies in general there is often a lot of confusion between traceability and anonymity. While it is absolutely true that a bitcoin wallet is not associated with any natural person or identity, thus guaranteeing anonymity, this does not mean that transactions made in cryptocurrency are not traceable. On the contrary, the blockchain is traceable by definition.

So we went to check the transactions on the bitcoin address given in the email, connecting to the site:

https://www.blockchain.com/btc/address/1CSsVgPgwTNLGgQCHRBPa7ZNH7oxK9cf2k

From the blockchain ledger you can see that the wallet received payments from 13 September 2018 (the email is dated 12 September 2018), and that the amounts received were transferred to 4 other wallets at two different times.

At this point the cyber criminal’s goal is to hide and disperse their tracks, splitting the payments into a great many small transfers to a very large number of bitcoin wallets so as to cover their tracks, reducing the transactions to small amounts.

Following the first transfer of “only” 1.9462419 BTC (about $12,000!) opens up the transactions of the second bitcoin wallet and then of a third, but the amounts have already been split across a very large number of wallets.

Following a couple of further hops, as better illustrated in the image above, we arrived at a rather interesting wallet: the total amount received is a full 224 BTC, i.e. about 1.4 million dollars!!

We stopped here, since it is practically impossible to follow the thousands of incoming and outgoing transactions of every single wallet involved, but I believe this is enough to give an idea of how profitable the cyber crime business is!

I believe this example fully answers those who ask why invest in cyber security, and why protect your email with a state-of-the-art solution such as Libra ESVA!


Tracking pixels can be used to compromise enterprise security

Tracking pixels, or beacons, are widely used in email advertising, but a more subtle and dangerous use is possible.

Tracking pixels are basically very small images (usually invisible to the human eye) embedded in the email, whose content is loaded from a server when the email is opened.

When your email client loads this image from the server, the server knows that you opened the email. In email marketing this is used to get an approximate count of the open rate of an advertising campaign (how many recipients opened the email) and to keep track of “active” recipients, i.e. recipients who receive emails in their inbox and open them.

There are other more subtle uses of the information that tracking pixels leak. When the email client (or the browser) loads the email, the following information can be collected by the server:

  • Identity of the recipient opening the email (at least the email address the email has been sent to)
  • Time and day
  • IP address
  • Information about the mail client or browser and the operating system (or device)

This information is valuable not only for marketing purposes but also for malicious uses, like targeted phishing attacks.

Let’s take an example: by sending an email to your company’s CEO and getting the email beacon at 8:12 AM from the IP address of a hotel in eastern Europe, the attacker knows that the CEO is currently on a business trip in that place.

At this point a Business Email Compromise (BEC, or Whaling) attack can be performed by sending an email back to the office, impersonating the CEO and requesting an urgent money transfer or a classified internal document related to the trip. Knowledge of these details can make the phishing message quite credible and effective.

With tracking pixels the attacker can gather information about the movements of executives, the habits of employees, about who is on holiday and who isn’t and, with some additional intelligence, can infer company strategies and secrets: a meeting at a lawyer’s office or with a specific partner can reveal the progress of a secret negotiation or deal.

Many email clients don’t open images by default but the user can be easily tricked into displaying images. The best defense is to disarm such beacons before the email is delivered, which is what Libra Esva does.
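An added example, not Libra Esva's code, of disarming both tricks this page describes before the email is delivered: the Outlook-only conditional comments from the “Outlook comments abused to deliver malware” post and the remote tracking pixels from this one. The tiny-or-hidden remote image heuristic is an assumption, and the sample HTML is constructed.

```python
"""Disarm two email-HTML tricks before delivery: Outlook conditional comments
(<!--[if mso]> ... <![endif]-->, which Outlook's Word-based engine renders but
other clients treat as plain comments) and remote tracking pixels.
Added example in Python, not Libraesva's code; standard library only."""
import re
from html.parser import HTMLParser

# A conditional comment is an ordinary HTML comment whose text starts with "[if".
CONDITIONAL_RE = re.compile(r"^\s*\[if\b", re.IGNORECASE)
REMOTE_SRC_RE = re.compile(r"^\s*(https?:)?//", re.IGNORECASE)


def _is_tracking_pixel(attrs):
    """Heuristic (assumption): a remote <img> that is tiny or hidden is a beacon."""
    a = {k.lower(): (v or "") for k, v in attrs}
    if not REMOTE_SRC_RE.match(a.get("src", "")):
        return False          # inline (cid:) or data: images load nothing remote
    tiny = a.get("width", "").strip() in {"0", "1"} or a.get("height", "").strip() in {"0", "1"}
    hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
    return tiny or hidden


class Disarmer(HTMLParser):
    """Re-emits the document unchanged except for the two disarmed constructs."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.removed = []     # (kind, detail) pairs for logging or reporting

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img" and _is_tracking_pixel(attrs):
            self.removed.append(("tracking-pixel", dict(attrs).get("src") or ""))
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # raw text already contains the "/>"

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_comment(self, data):
        if CONDITIONAL_RE.match(data):
            # Everything between <!--[if ...]> and <![endif]--> is Outlook-only.
            self.removed.append(("conditional-comment", data.strip()[:40]))
            return
        self.out.append(f"<!--{data}-->")   # harmless comments are kept

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def disarm_html(html):
    """Return (sanitised html, list of removed items)."""
    p = Disarmer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.removed


# Constructed sample: a visible paragraph, a benign comment, an Outlook-only
# link, a 1x1 remote beacon and a legitimate inline logo.
SAMPLE_HTML = (
    '<p>Hi</p><!-- plain note -->'
    '<!--[if mso]><a href="http://example.invalid/x">open</a><![endif]-->'
    '<img src="http://example.invalid/t.gif" width="1" height="1">'
    '<img src="cid:logo" width="200">'
)

if __name__ == "__main__":
    clean, removed = disarm_html(SAMPLE_HTML)
    print(clean)
    print(removed)
```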


Targeted attacks through mobileconfig attachments

We spotted an instance of what appears to be a targeted attack through a phishing email delivering a .mobileconfig file. This is a file format used to deliver configurations to iPhones.

The attack originates from a domain that appears to have been created just for this purpose.

This is how the email appears to the recipient:

The attachment of course is not an order but the mobileconfig file.

Here are the email source headers of this email coming from the domain jimgyow.com, I’ve redacted the information about the recipient:


The attachment is a file named [email protected] whose content is displayed in the following image:

Once opened, the file will automatically configure, on the victim’s iPhone, a new email account for the address [email protected]. The configuration file does not provide the password, so the user will be prompted for it, and it will be submitted to the mail server controlled by the attacker.

The configuration file is signed with a valid certificate issued to jimgyow.com:

If you have information about other uses of this attack vector, we’d be happy to hear from you. Just use the “contact us” form on this website.
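An added example, not Libra Esva's code, of the check a gateway can run on a .mobileconfig attachment of the kind described above: find Mail-account payloads and report ones whose servers sit outside the account's own domain or that leave the password to be prompted on the device. It assumes an unsigned profile (a signed one is a CMS envelope that must be unwrapped first, e.g. with openssl smime), and that the payload keys follow Apple's configuration profile reference; the sample profile is constructed.

```python
"""Inspect a .mobileconfig attachment before it reaches a user. An Apple
configuration profile is a plist; a Mail payload inside it can silently add
an account whose servers belong to whoever sent the profile.
Added example, not Libraesva's code. Assumptions: the profile is unsigned, and
the payload keys (PayloadType com.apple.mail.managed, EmailAddress,
Incoming/OutgoingMailServerHostName, IncomingPassword) are the ones Apple's
configuration profile reference documents for Mail accounts."""
import plistlib

MAIL_PAYLOAD_TYPE = "com.apple.mail.managed"

# Constructed sample in the shape the post describes: an account for the
# victim's own address, servers in an unrelated domain, no password supplied.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>order.sample.invalid</string>
  <key>PayloadDisplayName</key><string>Order</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mail.managed</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadIdentifier</key><string>order.sample.invalid.mail</string>
    <key>EmailAccountDescription</key><string>Work mail</string>
    <key>EmailAddress</key><string>victim@victim-corp.invalid</string>
    <key>IncomingMailServerHostName</key><string>mail.sender-domain.invalid</string>
    <key>IncomingMailServerUsername</key><string>victim@victim-corp.invalid</string>
    <key>OutgoingMailServerHostName</key><string>mail.sender-domain.invalid</string>
  </dict></array>
</dict></plist>"""


def mail_payloads(profile_bytes):
    """Mail-account payloads inside a profile (empty list if there are none)."""
    plist = plistlib.loads(profile_bytes)
    return [p for p in plist.get("PayloadContent", [])
            if p.get("PayloadType") == MAIL_PAYLOAD_TYPE]


def assess(profile_bytes, allowed_hosts=()):
    """Findings for each Mail payload; an empty list means nothing to report.

    allowed_hosts: mail servers the organisation legitimately uses (assumption:
    maintained by the administrator), so a genuine MDM-style profile passes."""
    findings = []
    for p in mail_payloads(profile_bytes):
        addr = p.get("EmailAddress", "")
        domain = addr.rpartition("@")[2].lower()
        for key in ("IncomingMailServerHostName", "OutgoingMailServerHostName"):
            host = p.get(key, "").lower()
            in_domain = bool(domain) and (host == domain or host.endswith("." + domain))
            if host and host not in allowed_hosts and not in_domain:
                findings.append(f"{key}={host} is outside {domain} and not allow-listed")
        if "IncomingPassword" not in p:
            # Exactly the pattern in the post: the device asks the user for the
            # password and sends it to whatever server the profile named.
            findings.append(f"no IncomingPassword: {addr} will be prompted for it on the device")
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_PROFILE):
        print("finding:", line)
```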


Rodolfo Saccani, security R&D manager at Libra Esva