[chort@email-sec ~]$ cat News/*

12/26/06 18:00 PST
IBM delivers Notes on Linux. Will this help slow the exodus from Notes/Domino to Outlook/Exchange? Time will tell...

12/04/06 12:08 PST
Not much to say, other than WOO HOO! The site is finally back up.

11/13/04 02:26 PST
Based on the number of referrer entries in my httpd log that have "directory harvest" in the search string, I noticed that many of you visitors are looking for information on preventing Directory Harvesting Attacks (or DHA). This is not surprising, since large or well-known domains are being subjected to increasingly aggressive and sophisticated attempts to harvest their directories, some times even leading to specifically targeted phishing attacks.

The bad news is that it's now probably a lot easier to harvest directories than it was a few years ago, because many of the e-mail security gateways that have been implemented in the last few years have instant recipient verification via LDAP. While that cuts down on the number of messages that you handle for non-existent addresses, it directly leads to trivial and extremly straight-forward directory harvesting tactics (because the attacker receives an immediate response in the SMTP session, rather than having to wait for a bounced message to cycle back and then parse it).

The good news is that there are some more intelligent solutions on the way. In the last week I've noticed that a few anti-spam vendors have added "edge defense" features into their products. Edge defense refers to filtering techniques that operate at the network or session layer rather than waiting for a message to be queued and than scanning it.

I find this recent activity interesting, because back in August, we at Tumbleweed quietly started shipping a product that solves many of these edge defense problems, such as DoS attacks and DHA. We haven't officially launched the product from marketing yet, so I can't give out much information as of yet. One thing I did want to point out though is that the techniques used are real-time technologies that don't rely on external queries to some vaguely defined "reputation service". Rather than waiting for some kind of concenus from a central network, our product actually blocks attacks as they happen to you. Other vendors brag about shaving hours off of anti-virus reaction time, but what if your reaction was down to seconds? Well now it can be.

All this might seem surprisingly biased for me, considering most of my information is completely vendor-neutral. In this case I broke with tradition because a) I helped design it based on ideas that I have already posted on this site, but which few (if any) vendors had actually implemented until now, and b) it's really amazingly cool technology--it's too exciting to keep a secret!

10/03/04 01:21 PDT
How time flies when you're too busy to think! As everyone now knows, I'm now employeed by Tumbleweed Communications. I had a great run at CipherTrust and it was time to move on. Naturally, Tumbleweed have all kinds of e-mail security products in various shapes and sizes, and also products for secure file transfers and PKI integration. As you can imagine, that's a lot of products to keep track of and part of the reason for the lack of updates around here is because I was learning as many of those products as I could!

Any way, on to the good stuff! I recently attended the toorcon security conference in sunny San Diego. I saw an amazing amount of creative security ideas and met lots of very kool people, such as Jose Nazario of Arbor Networks and the co-author of Secure Architectures with OpenBSD. Thanks to toorcon, I've added a few more links to my page, such as Unicornscan and there are probably a few more yet to come as I go through my notes and the helpful CD the con' organizers provided (boy, did I feel silly after typing out all those notes).

06/07/04 16:05 PDT
As some of you may know, today is (apparently) my last day at CipherTrust. I've resigned to take a position at another security company. I say "apparently" last day, because they initially indicated that I would serve out part of my two weeks notice, but today abruptly terminated my access and I'm now receiving "good bye" messages from colleagues.

I will still be available for speaking appointments (sorry, I've been neglecting to update the Events section, I've actually spoken at several more groups), although I'll need to work out details with the PR department of my new employer.

Farewell to all my friends and of course you can reach me by e-mail at:

06/05/04 18:30 PDT
My apologies for the recent down time. I had a small mishap and in an attempt to fix it, I accidentally overwrote my httpd.conf file that had some extensive customization. At least it was a good excuse for a crash-course in file system forensics! Things are "mostly" back in order now, although some "weirdness" may persist.

04/16/04 22:57 PDT
First, I want to thank everyone who attended the SDLUG meeting yesterday. I realize it was late notice, and on tax day no less, but people came and I had a great time. Thanks for inviting me!

Next, I wanted to point out that I posted a link to an excellent analysis of a new phishing attack in my Links section. The facinating (and frightening) thing about this new attack is that it takes screen shots of the victim's on-line banking sessions and transmits them back to the attacker. This is a huge step for phishermen in defeating what was previously considered an almost unbeatable authentication system used by the bank that is targeted.

04/04/04 23:02 PDT
I finally finished reading Security Warrior and published my long over-due review. You can find it in the Papers section.

03/11/04 17:09 PST
As you may have noticed, I've added copyright notices to this website. You can find more information about what this applies to in my "About Me" section. I needed to add these notices because, unfortunately a less-than-honorable competitor of my employer has been stealing my work and attempting to gain access to restricted areas of this site. Don't do that; I actually read my log files.

I shouldn't have to remind anyone that the act of publishing a work grants the author of said work exclusive copyright. I also shouldn't need to point out that attempting to gain unauthorized access to a restricted site may be a violation of the Federal Computer Fraud and Abuse Act and may be punishable by fines and prison sentences.

I provide this site free, with no strings attached for the usage and education of the general population. Until now I have never restricted any person or entity from accessing my site, not even competitors of my employer. If you're not republishing the information, or using it for commercial competitive purposes, you're welcome to visit my site (the sections that aren't password-restricted, of course). Don't spoil the fun for everyone.

03/05/04 16:19 PST
I see the latest anti-spam proposal from Microsoft has hit the presses, and you can color me unimpressed. In fact, you can color my highly skeptical of their motives. I've writen a lengthy reponse to this nonsense that can be found in the Papers section.

In other news, I apologize for the down-time this morning. Long story short, I had an unplanned reboot and I used the opportunity to update to OpenBSD 3.5-beta. In case you're wondering, normal maintenance usually occurrs "some time" over the weekend, often early Saturday or Sunday morning. I'll probably rebuild OpenBSD again tonight since the release I installed this morning was built a couple weeks ago.

02/29/04 04:11 PST
Well I guess it's about time I posted something about RSA. Overall, I would say it was a lot of fun. There were noticably many more people wandering the exhibit floor (where I spent most of my time) than last year. There was a huge up-tick in the amount of people seriously asking about e-mail security. Even a lot of competitors of my employer stopped by the booth (you know who you are) trying to figure out just how to handle e-mail security, so not only are users interested, but vendors realize they need to put more effort into securing e-mail as well.

Personally, I got to see a few people I knew from previous conferences and security association meetings, which was fun. Unfortunately I was so busy answering questions, I didn't get to catch up with a lot of folks. There were even some hackers (the real kind) making their rounds, whom I had a chance to talk to.

It was nice seeing everyone again, and hopefully I'll see you all at the USENIX Security Symposium in San Diego later this year (if not before).

02/23/04 14:37 PST
Don't forget, the RSA show starts in San Francisco tonight!

In other e-mail security news, it seems that a rather critical vulnerability as been discovered in the Proofpoint Protection Server software. If you're running this software in your organization, you should check with the vendor immediately for a patch.

02/17/04 00:33 PST
This site should now be reachable via www.smtps.net/email-sec/ Please try it out and update your bookmarks, since the amaunetsgothique.com site is temporary. If you're already using smtps.net, sorry, I'm too lazy to setup some referrer detection magic right now.

See you in San Diego (right?)!

02/16/04 18:48 PST
For all the new viewers coming in, most of the interesting information is in the Threats section. That's where I outline many of the common problems facing Internet Messaging teams and some of the steps you can take to address them. This includes such good stuff as general recommendations for decreasing your exposure to spam, how to reduce the likelihood that your users will get socially engineered, special e-mail considerations for WiFi, and how to design an infrastructure that is resistent to mailbombs and spamfloods (among lots of other interesting topics).

Also, I have posted a response to Richard Forno regarding his opinions on the Anti-Virus industry as posted on The Register and SecurityFocus. I believe his remarks are inaccurate and not well informed. Read my response to see why.

02/16/04 01:39 PST
Finally! Well after three months, I finally completed the threats section. Just added: Harvesting, Sniffing, WiFi, Shoulder Surfing, and Kiosks. That means the only section without content is the newly added Recommend Reading section. Look for updates on that soon (hopefully today, if I get some sleep).

02/15/04 22:08 PST
I totally forgot, I'm going to be making two appearences in the San Diego area this week talking about e-mail security. If you're going to be in the neighborhood, I invite you to drop by and check it out. Links may be found in the Events section

I also forgot that I added a write-up on DDoS attacks in the Papers section

02/15/04 21:37 PST
Wow, a glance through my Apache logs has been quite revealing. I had no idea so many folks were ending up on my site as a result of Google searches. I did a few searches myself and was astonished to see my site show up on the first page of results frequently. What can I say? I'm flattered.

With that in mind, I've redone the layout (if you can call it that) of my threats pages a little so hopefully they'll be a little more descriptive when they show up in Google results. I've also taken note of some of the more frequently searched terms and I'm planning on adding more content to address those questions and link to other resources as well. Stay tuned for some major updates.

Also, when revisiting my pages please make sure to refresh your browser. I didn't have any anti-cache control before and you may have a very stale version of the pages cached. I've added a lot of content lately and I'd hate for anyone to miss out.

Finally, I added the Joe Job threat today and I've set the ambitious goal of having the treats section completely finished before I leave for San Diego on Tuesday morning.

02/15/04 01:53 PST
I finally finished the Obfuscated Content section (there are some really interesting bits!). I also completed the Social Engineering Content and DDoS sections as well. More on the way, soon!

01/17/04 02:43 PST
Well I admit, I've been slacking from updates quite a bit recently. I've assumed a new role at work and I'm in the middle of training my replacement and doing the new duties at the same time. OK, enough of the whining. I finished Proprietary Content for now and I'm starting on Obfuscated Content (which is a fairly involved subject). Hopefully I'll get to a couple more sections this weekend.

12/06/03 07:22 PST
Added comprehensive description of rogue Mail eXchangers.

11/30/03 01:33 PST
You may have noticed more links have been added, and I've made the first pass at viruses, Worms, and Spam threats.

11/09/03 19:55 PST
The links section is filling out nicely.

11/09/03 13:08 PST
Added aboutme section.

11/09/03 02:07 PST
This site was created. Thank you for your interest in e-mail security and please continue to check back for updates. I'm intending for this site to be a nexus of information pertaining to securing modern messaging systems and networks. This will consist of article authored by myself and others, FAQs, HOW-TOs, emerging trends, links to useful sites and software, etc.