Your Unencrypted Data is a Gold Mine for Hackers

How often have you heard someone say “If you’re not doing anything illegal, then you have nothing to hide?” When asked this, I tend to respond with, “OK, then how about you give me the login credentials for all of your email accounts, including the ones you use for personal use?” I think of this as analogous to allowing a stranger to walk around in your house. Hey, it’s OK as long as you’ve got nothing to hide, right? The point is that, no matter what is contained in our electronic data, most of us want peace of mind in knowing that it isn’t being accessed by unauthorized individuals.

This concern for privacy doesn’t just apply to individuals. It applies to businesses as well. Businesses rely on electronic communication to send sensitive information such as invoices, employee records, financial reports, and other confidential data. In fact, businesses currently send more than 100 billion emails each day, and that number is projected to skyrocket to almost 140 billion emails a day in another year. If this information gets into the wrong hands, it can lead to devastating losses for the company, as well as damage to its reputation. For example, in 2013 and 2014, Target suffered breaches of approximately 110 million customer records in two separate attacks. Earlier last year, a security expert discovered that 272.3 million accounts had been stolen from Google, Yahoo, Microsoft, and Mail.ru (Russia’s most popular email service). In 2013, Yahoo suffered a breach that is believed to have impacted over 1 billion users. In September of 2016, at least 500 million Yahoo user accounts were compromised in a massive data breach that may have included names, email addresses, phone numbers, birthdates, and hashed passwords. In 2012, 165 million LinkedIn accounts were compromised. Though different attack vectors may have been used in each of these cases, the targeted information could have been safeguarded if it had been encrypted. Moreover, all it takes is for one host to be infected with malware to allow the interception and eavesdropping of confidential email content.

Breaches perpetrated by hackers aren’t the only threat to a company’s data. User error also poses a significant threat. According to the whitepaper “Content Encryption – Key Issues to Consider” from Osterman Research, these examples of users mistakenly sending unencrypted content were cited:

  • An employee at Nationstar Mortgage mistakenly emailed copies of customers’ W-2 forms to an employee at Greenlight Mortgage, revealing Social Security numbers, names, addresses and other sensitive information.
  • 845 patients of Tulare County Health received information on how to access protected health information (PHI) via the administration’s medical portal due to an employee mistake.
  • Graduate students at the South Dakota School of Mines and Technology were inadvertently sent an email attachment that included the student identification numbers, grade point averages and other information of about 350 fellow students.

The costs of not sufficiently protecting your data are high. The findings from a study conducted by the Ponemon Institute show that the average cost of a security breach in the United States was $201 per compromised data record – $32 for detecting the breach and notifying the affected individuals, $55 for damage control costs including legal fees, investigations, fines and remediation, and $114 in loss of business due to customer abandonment. Regulated industries such as healthcare and financial services have the most costly data breaches due to fines and the higher than average rate of lost business and customers. In addition to financial losses, companies may also suffer damage to their reputation.

How could these incidents have been prevented? If these businesses had encrypted their data, they could have prevented unauthorized access to confidential information in the event of a breach. Encryption helps protect corporate and financial data of companies, as well as the personal data of their employees and customers. When data is encrypted, even if a user’s account has been hacked, the data would still be unreadable. Encryption also helps companies meet strict regulations such as FERPA, GLBA, and PCI compliance. Encryption solutions also offer the benefit of proof of identity when email messages are digitally signed, ensuring that the message is authentic and verified as having been sent from the purported sender.

A common misconception about email encryption is that it is only needed for larger businesses; however, small and medium size businesses are targeted just as frequently as large ones, and often can be affected much more severely in the event of an email hack. While a larger company may be able to financially survive a breach (but still at significant loss), a severe data breach could put a small company out of business. This is just one of many reasons why encryption is so important.

One of the most common challenges for email encryption is that it has had a reputation of being difficult to use, often requiring cumbersome key exchanges and extensive configuration. MDaemon’s client-side encryption feature (via Virtru) and server-side encryption (via OpenPGP) were designed for convenience and ease of use.

Virtru’s client-side encryption service is built into WorldClient, MDaemon’s webmail client. Setup is as easy as checking a box and verifying your identity. Once enabled, you can simply follow the steps outlined on this page to encrypt your messages. For server-side encryption, MDaemon’s OpenPGP settings make it easy to automate encryption of messages as they pass through the server. Administrators can follow steps outlined in this knowledge base article to enable OpenPGP, configure who can use it, and create keys for their users. This post includes a tutorial video on how to use the OpenPGP features in MDaemon, including how to encrypt an email message using special commands in the subject line, as well as how to automate the encryption process using the content filter.

No business is too small to protect its sensitive data from theft. If you’d like to ensure your company’s emails and attachments are safe, you should always encrypt. A few extra steps now can safe a great deal of headache later.

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •  

Happy New Year 2017

187567849

2016 was an exciting year for Alt-N Technologies as it marked the 20th anniversary of the MDaemon email server for Windows and our ongoing efforts to bring affordable, secure, and reliable email and email security software to the small-to-medium business segment. And as many of you know, a lot has changed in the last 20 years. One thing that hasn’t changed over the years is the ongoing threat of people trying to use email as the primary method to attack an organization or steal personal information.

Like any form of communication, it can be used for good or bad. Unfortunately, when email was initially developed, its creators didn’t anticipate the ways bad actors would exploit the technology through methods like phishing, hacking, and launching disabling applications like ransomware, Trojans, etc.

On this front, Alt-N will continue its efforts to improve the security and privacy of email with features like the ones we added in 2016, such as two-factor authentication, client and server-side encryption, and others.

2016 also reflected changes the industry continues to see in the area of deployment options. We saw some resellers and customers turning over the management of their email to MSPs (Managed Service Provider) or other third-party providers. The driver for this behavior varied by customer and industry but can be summarized by the desire to move hardware and software costs from capital expenditures (CAPex) to operational expenditures (OPex), with pros and cons to each approach. Alt-N worked with many existing and new channel partners to see MDaemon Private Cloud hosted email services introduced into new markets like Africa, Asia Pacific, and Latin America with continued growth in existing markets like North America and Europe.

With regards to hosted email services, we also received growing requests from direct customers asking Alt-N to manage their email. In response, Alt-N launched its own service using the MDaemon Private Cloud version of the software by introducing WorldClient Private Email for Business. With this new service offer, we have been able to meet the needs of direct customers who want us to manage their email, such as a 600-user customer who chose our service and support after having a large Office365 reseller attempt to convert them away from MDaemon!

For 2017, we will look for sales growth in new and emerging markets while working hard to earn and retain the loyalty and support of our existing customers. We will continue our efforts to add valuable features to MDaemon and SecurityGateway for Email Servers as those products remain the focus of our development efforts. We will be working on improving features that support cloud-based deployments while keeping a close eye on the needs of customers who want the control of on-premise and hybrid environments. And we will continue to look for new ways to enhance and bring value through our partnerships with complimentary vendors like MailStore, as well as seek out new technologies and vendors to make integration with our software simple and easy to use.

As we begin 2017, we want to express our sincere gratitude to those customers and channel partners who have helped Alt-N Technologies grow these past 20 years. We also look forward to earning the business of new customers and partners as we work toward a successful 2017.

As always, we invite you to tell us what you think by sending us your feedback. You can reach me directly at kevin(dot)beatty(at)altn(dot)com.

Happy New Year,

Kevin

 

 

 

Kevin Beatty
VP, Marketing & Business Development

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •  

Get Aggressive at Fighting Spam by Re-training the Bayesian Learning Process in MDaemon

Fight spam with Bayesian Learning in MDaemon

In certain situations, it may be necessary to retrain your Bayesian Learning database. This can be necessary when spam messages are inadvertently placed in the Bayes non-spam folder, or when non-spam messages are placed in the Bayes spam folder.

To reset your Bayesian Learning and start training it again from scratch, you can perform the following steps:

1. Stop the MDaemon service.
2. Verify that the MDaemon executables (MDaemon.exe, CFEngine.exe, MDSpamD.exe, WorldClient.exe) have all exited memory using Windows task manager.
3. Rename the folder “/MDaemon/SpamAssassin/Bayes/” to”/MDaemon/SpamAssassin/Bayes.old/”
4. Re-launch MDaemon.
5. Go to Security | Spam Filter | Bayesian Classification, then click on the Learn button.

At this point, MDaemon recognizes that the Bayes folder isn’t there when the learn process is triggered, so it builds a new Bayes folder.

You will then need to feed Bayesian learning at least 200 spam and 200 non-spam messages (although the more the better) to start the Bayesian learning process again. Here is a knowledge base article on training the Bayesian learning process in MDaemon.

The Bayesian learning engine won’t process new messages until the administrator has taught it 200 spam and 200 non-spam messages. So even if an administrator were to manually press the Learn button OR have MDaemon learn automatically at midnight, the Bayesian engine  wouldn’t apply itself to new messages even though the new folder is created.

Once MDaemon recognizes that Bayesian learning has learned more than 200 spam and 200 non-spam messages, it will start applying what it has learned to new messages.

You can run a script to determine how many messages the Bayesian filter has learned from. This will come in handy for administrators who need to know how many more messages to feed the Bayesian filter. This process is explained in this knowledge base article.

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •  

Beware of New Amazon.com Phishing Scam

Scam AlertThe holidays are upon us, and with all of the giving and sharing come scams aimed at exploiting human nature and stealing our personal information, such as names, addresses and credit card numbers. This year, the scammers are at it again, with a phishing scam designed to look like an email from Amazon.com claiming that there is a problem processing your order. The scam asks you to click on a link to verify your personal information. A good example of this scam email is described on the AARP blog.

As a reminder, here are a few tips to avoid falling victim to phishing scams.

  • Never click on unfamiliar or suspicious links. If a link claims to refer to a familiar website, then manually enter the web address in the address bar.
  • Hover your mouse over images & links to review the URL they refer to.
  • Beware of “Unsubscribe” links in phishing emails. When clicked, these links can let the spammer know that your address is valid, which often leads to more spam.
  • Never reply to spam or unsolicited messages.

For more tips on how to avoid these & other scams, click here to review our post on protecting your email privacy, and stay safe this holiday season!

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •  

Teach SecurityGateway to Recognize Spam

Recently, I wrote a post about teaching your MDaemon Inbox to recognize spam using the Bayesian learning feature. This feature helps to train the spam filter to be more accurate over time by feeding it samples of spam and non-spam messages. SecurityGateway also includes Bayesian learning features (in addition to many other security features designed to keep spam, viruses, malware and phishing attacks from hitting your mail server). Today, I’ll be explaining how to use these features to teach SecurityGateway how to get better at recognizing spam (false negatives – spam messages that were not filtered out) and non-spam (false positives – legitimate messages that were marked as spam).

Administrator Instructions

Administrators must first enable and configure Bayesian learning in SecurityGateway before users will be able to use it. Follow these steps to enable and configure Bayesian learning.

  1. Click on the Security tab, and then click on Heuristics & Bayesian under the Anti-Spam section.
  2. Make sure the first box, “Use heuristic rules and Bayesian classification to analyze messages” is checked. This setting basically turns the spam filter on and is enabled by default.
  3. Under “Location (all domains),” click on the link to configure SGSpamD. You can optionally select a domain in the drop-down menu at the top to configure these settings for a specific domain.

    Enable SGSpamD
    Enable SGSpamD
  4. Under the “Bayesian Classification” section, check the first box to enable Bayesian classification.

    Enable Bayesian Classification
    Enable Bayesian Classification
  5. By default, 200 samples of spam and 200 samples of non-spam are needed before Bayesian learning can take place. You can adjust this number in the blanks provided, but in most cases, this will not be necessary.
  6. By default, Bayesian learning takes place at midnight each night. You can select the second option under the “Bayesian Learning” section if you’d like to schedule Bayesian learning more frequently, at regular intervals. This is useful if you have a larger number of messages to learn from. You can also select the third option if you do not want Bayesian learning to run automatically based on a schedule. When this option is selected, you can use the link at the bottom of the Bayesian Learning section to perform Bayesian learning as needed.

    Bayes Schedule
    Bayes Schedule
  7. SecurityGateway needs to know where to find messages to be fed to the Bayesian learning engine. By default, messages are  placed inside the C:/Program Files/Alt-N technologies/SecurityGateway/BayesSpam and BayesHam directories. You can optionally use a different path mapped to a different drive to improve performance.

    Known Spam Directory
    Known Spam Directory
  8. In the following two blanks, enter the Spam and Non-Spam forwarding addresses. The default addresses are spamlearn and hamlearn, so if your domain is example.com, users can forward spam messages (as an attachment) to spamlearn@example.com to feed these messages to the Bayesian learning engine. This procedure is explained in greater detail later when we discuss how end users can submit spam and non-spam messages to the Bayesian learning engine.

    Spam Forwarding Addresses
    Spam Forwarding Addresses
  9. Most spam messages are relatively small, thus, you can place a size limit on messages to learn from by checking the box “Don’t learn from messages larger than” and entering a value (in bytes) in the blank blow. Placing a size limit on messages to learn from helps improve the performance of the Bayesian learning engine.

    Bayes Size Limit
    Bayes Size Limit
  10. You can automate the Bayesian learning process by enabling Automatic Bayesian Learning. By default, messages that score less than 0.1 are considered to be legitimate and only messages that score a 12.0 or above are considered to be spam for purposes of automatic Bayesian learning. Before enabling automatic Bayesian learning, I would recommend reviewing your message logs for false negatives and false positives and use their spam scores as guidelines for populating the spam and non-spam scoring thresholds. You can also optionally check the boxes to only learn non-spam messages from domain mail servers and authenticated sessions, and only learn spam from inbound messages.

    Bayes Automatic Learning
    Bayes Automatic Learning
  11. Before I explain the next setting, I want to explain the concept of “tokens.” When the Bayesian learning feature “learns” from a message, it takes snippets of information from the message, such as words or phrases, and uses this information to create tokens. These tokens are accumulated and when a new message is scanned by Bayesian learning, its contents are compared to these tokens to look for similarities. Under the Bayesian Database section, check the box to enable Bayesian automatic token expiration. This helps to limit the token database to a manageable size, expiring old tokens and replacing them with new ones when the maximum number of Bayesian database tokens (specified in the blank below) has been reached. When this number of tokens is reached, the Bayesian system removes the oldest, reducing the number to 75% of this value or 100,000 tokens, whichever is higher. 150,000 tokens make up about 8MB of data.
  12. Click Save and Close to save your changes.

End User Instructions

Now that SecurityGateway has been configured properly on the server, users can start feeding samples of spam and non-spam to the Bayesian learning engine.

There are two methods users can use to submit samples of spam and non-spam to the Bayesian learning engine in SecurityGateway. The first (and easier) way is to use the thumbs-up and thumbs-down icons in the SecurityGateway interface. The second way is by forwarding spam and non-spam messages (as attachments) to designated email addresses.

To mark messages as spam or non-spam using the SecurityGateway interface, follow these steps:

  1. Log into SecurityGateway.
  2. Click on My Message Log. This brings up a list of all of your inbound and outbound messages.
  3. Click on the message you wish to mark as spam or non-spam, and then click on the Thumbs-up button to mark the message as non-spam, or the thumbs-down button to mark the message as spam.
    Mark Message as Spam
    Mark Message as Spam

    You will receive confirmation that the message was marked as spam.

    Marked as Spam Confirmation
    Marked as Spam Confirmation

To feed messages to the Bayesian learning engine by forwarding them as attachments, simply attach the message to an email addressed to the designated hamlearn@ or spamlearn@ address for your domain (example: spamlearn@example.com). Note: SMTP authentication must be used.

If you are using WorldClient, you can right-click on the message and select “Forward as Attachment.” Then, populate the To: field with the spamlearn@ or hamlearn@ address and simply send the message.

Forward as Attachment
Forward as Attachment

When used properly, Bayesian Learning is a powerful tool for reducing spam and ensuring legitimate messages are not blocked by the spam filter. More information can be found in this knowledge base article.

Don’t let spam ruin your day. These tips can help you keep the bad stuff out of your Inbox so you can focus on your business!

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •  

Using DKIM, SPF & DMARC to Protect your Brand and Customers from Spear Phishing

Introduction

Scammers use a variety of tactics to get users to give out personal information. One very common tactic is known as phishing. Phishing is a scam where tech-savvy con artists use spam and malicious websites to deliver malware, or to trick people into giving them personal information such as social security numbers, bank account numbers, and credit card information. A more targeted (and often more dangerous) type of phishing is known as spear phishing.

What is Spear Phishing?

Spear phishing is a targeted attack that’s usually addressed to a specific individual. With spear phishing, the perpetrator knows something personal about you. He may know your name, email address, or the name of a friend, or he may have information about a recent online purchase you made. While most phishing emails will have a generic greeting such as “Dear Sir or Madam,” a spear phishing email may address you by name, such as “Hello John.” It may also appear to come from someone you know.

According to Allen Paller, director of research at the SANS Institute, 95% of all attacks on enterprise networks are the result of spear phishing attacks. Earlier this year, Symantec issued a warning about an ongoing spear phishing attack targeting small and midsize businesses in the United States, India, and the UK that infects users with a remote access Trojan (RAT). A RAT gives an attacker remote access to a machine & can lead to disclosure of sensitive information and financial losses. Based on campaigns run by Symantec’s Phishing Readiness technology, on average, employees are susceptible to email-based attacks 18 percent of the time.

How can You Protect Yourself & Your Business?

Protecting your company from spear phishing attacks is the responsibility of employees as well as the mail server administrator. For employees, user education is key. This post contains helpful email safety tips for end users. For the administrator, implementing DKIM, SPF and DMARC can help reduce data breaches, financial losses, and other threats to your business. These three methods are described in greater detail below.

How DKIM Works

DKIM (DomainKeys Identified Mail) is a cryptographic email verification system that can be used to prevent spoofing. It can also be used to ensure message integrity, or to ensure that the message has not been altered between the time it left the sending mail server and the time it arrived at yours. Here’s how DKIM works:

  • An encrypted public key is published to the sending server’s DNS records.
  • Each outgoing message is signed by the server using the corresponding encrypted private key.
  • For incoming messages, when the receiving server sees that a message has been signed by DKIM, it will retrieve the public key from the sending server’s DNS records and then compare that key with the message’s cryptographic signature to determine its validity.
  • If the incoming message cannot be verified then the receiving server knows it contains a spoofed address or has been tampered with or changed. A failed message can then be rejected, or it can be accepted but have its spam score adjusted.

You can refer to the following knowledge base article for DKIM setup instructions in MDaemon:

How to enable DKIM signing and configure records

You can refer to this knowledge base article for DKIM setup instructions in SecurityGateway:

http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=496

How SPF Works

Another technique to help prevent spoofing is known as SPF. SPF (Sender Policy Framework) allows domain owners to publish DNS records (SPF records) to identify those locations authorized to send messages for their domain. By performing an SPF lookup on incoming messages, you can attempt to determine whether or not the sending server is permitted to deliver mail for the purported sending domain, and consequently determine whether or not the sender’s address may have been forged or spoofed.

MDaemon’s SPF settings are located under Security | Security Settings | Sender Authentication | SPF Verification. This screenshot displays the recommended settings.

SPF Settings in MDaemon
Recommended Sender Policy Framework Settings

Recommended SPF settings for SecurityGateway are outlined in this knowledge base article:

http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=497

These are the recommended settings for verifying SPF records of other domains. To help protect against spear phishing attacks that spoof your own domain, you should set up an SPF record in DNS. You can find helpful information on SPF record syntax and deployment at www.openspf.org.

DMARC (Domain-Based Message Authentication, Reporting & Conformance)

When a message fails DKIM or SPF, it is up to the receiving mail server’s administrator as to how to handle the message. The problem with this is that if DKIM or SPF is not set up properly, it can lead to problems. DMARC (Domain-based Message Authentication, Reporting and Conformance) takes out the guesswork on how to handle messages from a domain that are not properly aligned with DKIM or SPF.

DMARC defines a scalable mechanism by which a mail sender can express, using DNS records (DMARC records), domain level policies governing how messages claiming to come from his or her domain should be handled when they do not fully align with DKIM and SPF lookup results. In other words, if you perform SPF, DKIM and DMARC record lookups on a message claiming to come from my domain (example.com), and it does not align with SPF, DKIM, or both, my DMARC record can tell you how I want you to handle messages that are unaligned with SPF & DKIM. My DMARC record can specify whether I want you to accept, quarantine, or reject unaligned messages, and I can even go a step further and specify what percentage of unaligned messages I want you to reject or quarantine based on my policy preferences. This is useful when first deploying DMARC, as it allows you to be more lenient with rejection of unaligned messages until you’re sure DKIM & SPF are configured properly.

You can view the following recorded webinar for a more in-depth overview of DMARC, including examples and syntax of DMARC records and deployment strategy.

https://youtu.be/vrMMKmxCmqs?list=PLt-aAHf-ocsYYmpXFABce39b_CgJXXubp

This knowledge base article will also be useful:

How to Enable DMARC and Configure Records

Conclusion

While we must be vigilant against spoofing and phishing attacks, we must also acknowledge that cautious, informed users and properly implemented SPF, DKIM and DMARC policies are the best defense against cybercriminals who are intent on stealing your data and damaging your brand.

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •  

SSL & TLS Best Practices

You may have heard the terms SSL and TLS, but do you know what they are and how they’re different?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are methods of securing (encrypting) the connection between a mail client and mail server (Outlook and MDaemon, for example) or between mail servers (MDaemon and another mail server, for example). They are also methods for securing communications between websites and your browser. In this post, we’ll focus on its uses for encrypting email connections.

Without SSL or TLS, data sent between mail clients and servers would be sent in plain text. This potentially opens up your business to theft of confidential information, credentials being stolen and accounts being used to send spam. SSL and TLS can be used to help protect that data. SSL and TLS allow users to securely transmit sensitive information such as social security numbers, credit card numbers, or medical information via email.

How do SSL and TLS work?

In order to use SSL or TLS, you’ll need an SSL certificate to establish an SSL/TLS connection. SSL certificates use a key pair (a public and private key) to establish a secure connection. When a mail client or server wants to connect to another server using SSL, an SSL connection is established using what’s known as an “SSL handshake.” During this process, three keys are used to establish an SSL connection – a public key, a private key, and a session key. Data encrypted with the public key can only be decrypted with the corresponding private key, and vice-versa. Encryption via the public & private keys only takes place during the SSL handshake to create a symmetric session key. Once the secure connection is made, all transmitted data is encrypted with the session key.

This diagram provides a simplified overview of how an SSL connection is established.

How SSL & TLS workBoth SSL and TLS protect data privacy through data-in-motion encryption, provide server-side and (optionally) client-side encryption of the communication channel, and help ensure message integrity.

POP, IMAP and SMTP traffic are transmitted over designated ports. By default, IMAP uses port 143, POP uses port 110, and SMTP uses port 25. IMAP over SSL/TLS uses port 993. POP over SSL/TLS uses port 995, and SMTP over SSL/TLS uses port 465. For SSL to take place over these connection types, the mail client and mail server must both be configured to use the proper ports, and a valid SSL certificate must be installed on the server.

What are the Differences between SSL and TLS?

So what are the differences between SSL and TLS? TLS is the successor to SSL. It was introduced in 1999 as an upgrade to SSL 3.0, so TLS 1.0 is most similar to SSL 3.0 & is sometimes referred to as SSL 3.1, though TLS is not compatible with SSL 3.0. The version numbers for SSL are 1.0, 2.0 and 3.0, while TLS uses a different numbering pattern – 1.0, 1.1, 1.2.

Because TLS is incompatible with SSL 3.0, the client and server must agree on which protocol to use. This is accomplished via what’s known as a “handshake.” If TLS cannot be used, the connection may fall back to SSL 3.0.

Without getting too technical (there are plenty of online resources that explain the technical differences between SSL and TLS), here are some of the differences between SSL and TLS:

TLS has more alert descriptions – When a problem is encountered with an SSL or TLS connection, the party who encountered the problem would send an alert message.

SSL had the following 12 alert messages:

  • Close Notify
  • Unexpected Message
  • Bad Record MAC
  • Decompression Failure
  • Handshake Failure
  • No Certificate
  • Bad Certificate
  • Unsupported Certificate
  • Certificate Revoked
  • Certificate Expired
  • Certificate Unknown
  • Illegal Parameter

TLS has the following additional alert messages:

  • Decryption Failed
  • Record Overflow
  • Unknown CA (Certificate Authority)
  • Access Denied
  • Decode Error
  • Decrypt Error
  • Export Restriction
  • Protocol Version
  • Insufficient Security
  • Internal Error
  • User Canceled
  • No Renegotiation
  • Unsupported Extension
  • Certificate Unobtainable
  • Unrecognized Name
  • Bad Certificate Status Response
  • Bad Certificate Hash Value
  • Unknown PSK
  • No Application Protocol

TLS uses HMAC for message authentication – SSL verifies message integrity (to determine whether a message has been altered) using Message Authentication Codes (MACs) that use either MD5 or SHA. TLS, on the other hand, uses HMAC, allowing it to work with a wider variety of hash functions – not just MD5 and SHA.

TLS uses a different set of cipher suites.

A cipher suite is basically a combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate security settings for a network connection. More information can be found here: https://en.wikipedia.org/wiki/Cipher_suite

Why are SSL and TLS Important?

Businesses have a responsibility to protect financial data such as credit card information, and consumer records such as names, addresses, phone numbers, and medical information. Without some form of encryption, whether via an encrypted connection using SSL & TLS, or by encrypting the message itself using Virtru or OpenPGP, sensitive data may be vulnerable to hackers & other forms of unauthorized access.

Which method is recommended?

SSL 3.0 suffers from a well-known vulnerability called the POODLE vulnerability. POODLE stands for Padding Oracle On Downgraded Legacy Encryption. Click here for a thorough overview of this vulnerability and recommended actions.  One workaround recommended in the overview is to completely disable the SSL 3.0 protocol on the mail client and server. This might not be practical, as it may affect legacy systems that are still using SSL 3.0.

We recommend using TLS whenever possible. TLS 1.2 is currently the best version for security, but it is not yet universally supported. TLS 1.1+ support was not added until Windows 7 and Server 2008 R2, in 2009.

The encryption protocol and cipher used by MDaemon and SecurityGateway depend on the operating system and can be configured via the registry. You can use the free IIS Crypto tool to set the appropriate registry keys. More information can be found here:
https://www.nartac.com/Products/IISCrypto

I hope this information helps clarify any questions about SSL and TLS, and which encryption method is recommended. As always, if you have questions or comments, let us know!

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •  

Encrypting vs. Signing with OpenPGP. What’s the Difference?

Many businesses are responsible for maintaining large amounts of confidential data, including customer records, medical records, financial reports, legal documents, and much more. It’s very common for these types of information to be transmitted via email. So how can you ensure confidential data transmitted via email is kept private? How can you ensure the integrity of transmitted data and that a message actually came from its purported sender?

Businesses need to ensure confidentiality, data integrity, message authentication (proof of origin), and non-repudiation (proof of content and its origin). These goals can be accomplished using MDaemon’s OpenPGP message encryption and signing services. Read on to learn more about the differences between encrypting and signing, and when each is used.

The Need for Encryption

 Businesses need to protect sensitive data and preserve confidentiality and privacy. Whether you work in healthcare, finance, legal, HR or education, chances are you’re familiar with the terms HIPAA or FERPA (among others). Businesses that fail to meet these regulations risk data breaches that can lead to lost revenue or legal action. To address these issues, businesses can use encryption to make their sensitive data unreadable to unauthorized parties.

The Need for Signing

In addition to data privacy, businesses may need to ensure that a message was not altered during transit, and that it actually came from the purported sender. These tasks are accomplished with message signing (adding a digital signature) using OpenPGP. Much like your handwritten signature, a digital signature can be used for authentication purposes, but also cannot be forged.

Signing a message helps ensure the following:

  • Data Integrity – That the message was not altered from its original form.
  • Message Authentication (Proof of Origin) – That the message actually came from the purported sender.
  • Non-repudiation – That the sender cannot deny the authenticity of the message they sent and signed with OpenPGP.

Encrypting vs. Signing – What’s the Difference?

So what are the differences between encrypting & signing? Let’s discuss each.

What is Encryption?

Encryption is the act of converting plain text to cipher text. Cipher text is basically text that has been scrambled into non-readable format using an algorithm – called a cipher. MDaemon’s implementation of OpenPGP encryption uses public key encryption (also known as asymmetric key encryption) to encrypt email messages and attachments.

So How Does Public Key Encryption Work?

Public key encryption uses public/private key pairs. If you want me to send you an encrypted message, you send me your public key, which I import into my encryption software (using the OpenPGP configuration screen in MDaemon, in this case). I encrypt the message with your public key. When you receive the message, you decrypt it with your private key. Even though your public key can be freely distributed and used to encrypt messages addressed to you, these encrypted messages can only be decrypted with your own private key. This private key must always be kept secret. Data encrypted with the public key can only be decrypted with its corresponding private key; conversely, data encrypted with the private key can only be decrypted with its corresponding public key. We’ll talk about why you would encrypt a message with your own private key in the next section when we discuss message signing.

Encrypting email with OpenPGP
Encrypting email with OpenPGP

Encrypting a message helps ensure that the message is kept confidential. The message remains in its encrypted format until it is decrypted with the recipient’s private key.

What is Message Signing with OpenPGP?

As I mentioned above, messages are encrypted with the message recipient’s public key and decrypted with the corresponding private key. Message signing, on the other hand, uses the sender’s private key to sign (encrypt) the message, and his public key is used to read the signature (decrypt). Message signing binds the identity of the message source to the message. This helps ensure data integrity, message authentication, and non-repudiation.

For example, if John wants to digitally sign a message to Michelle, he uses his private key to encrypt the message, and sends it (along with his public key if it hasn’t already been sent) to Michelle. Since John’s public key is the only key that can decrypt the message, the digital signature is verified by simply decrypting the message with John’s public key.

Signing with OpenPGP
Signing an Email Message with OpenPGP

Signing a message with OpenPGP ensures that the message was not altered in transit, that it did in fact come from the purported sender, and that the sender cannot deny the authenticity of the message they sent and signed with OpenPGP.

Message encryption & key management are explained in this tutorial video:
https://youtu.be/2fjyAAcHpMs?list=PLt-aAHf-ocsb0xDLb930tnPZZ9A1J19VG

More information on using MDaemon’s PGP encryption & signing features can be found in the following knowledge base article:

How to enable MDaemon PGP, configure who can use MDPGP, and create keys for specific users

http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=1087

Do you have questions? Let us know in the Comments section below!

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •  

Stop Spam & Malware with SecurityGateway – New SlideShare Presentation

Can you imagine what life would be like if we didn’t have anti-spam and anti-virus protection on our email servers and gateways? Users would be so flooded with spam, phishing attempts and malware that they’d have to scroll through many pages of email messages before finding a message that’s legitimate. A good anti-spam/anti-virus mail server or gateway will filter out the vast majority of this nonsense so that the end user can focus on his job.

Most mail servers have some form of built-in spam protection, however, administrators are often faced with these challenges

  • Not enough security features on the mail server to catch many of today’s evolving threats
  • The need for an extra layer of defense between the mail server and the internet
  • Lack of reporting features, which can be used to assess the effectiveness of your email security solution
  • Cumbersome configuration & confusing settings

SecurityGateway was created to address these issues. Many small-to-medium businesses trust  SecurityGateway to protect their inbound and outbound email from spam, phishing attempts, and malware.

The following is a brief presentation that describes SecurityGateway’s features.

 

Would you like to learn more about SecurityGateway? Click here to visit the SecurityGateway overview page, or click here to download your free trial.

 

 

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •  

Quarantine Management with WorldClient Private Email

WorldClient Private Email makes spam management easy by providing users with the email and collaboration features found in WorldClient, MDaemon’s webmail client, and the security and spam filtering features found in SecurityGateway. This tutorial video covers the following topics:

  • How to allow users to manage their own quarantines in SecurityGateway
  • Quarantine management via the Quarantine Summary Email, and how often this email is sent to users
  • When to whitelist or blacklist the sender, and when & how to release a message from quarantine
  • Quarantine management via the SecurityGateway interface
  • Feeding the Bayesian spam and non-spam database – to improve the spam filter’s accuracy

Spam doesn’t have to be an overwhelming nuisance. When these practices are followed, spam is kept under control so you can spend less time dealing with spam and more time focusing on your business.

If you are interested in our WorldClient Private Email hosted email service, click here for pricing and features, or click here to sign up!

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •