U.K. orders Apple to let it spy on users’ encrypted accounts

Secret back-doors never remain secret, and they are often exploited by threat actors. Just look at the recent compromise of US telecom networks by Chinese state actors, who abused the lawful-intercept ("backdoor") capability built into those networks.

https://archive.is/EzboV

If Apple is being ordered to do this, then every other major cloud storage vendor will be too.

Of major concern is that many authenticator apps back up their data to the user's OneDrive, Google Drive or iCloud account (as do many password managers).
If those accounts are compromised by adversaries (nation states, competitors, or general ne'er-do-wells), the implications are significant: the second factor and the password vault fall together.

Beware Zero-Width Characters

This morning I spotted a message from a well-known cyber security company that was flagged as suspicious by Mail Aegis - that was pretty unusual, especially when I saw that it had been flagged as containing zero-width spaces. Upon reading the message it was immediately apparent why this rule had triggered - it referenced this article ( https://isc.sans.edu/diary/An+unusual+shy+zwasp+phishing/31626/?is=dc8443240cfd5d91e014cdfac5cd6fd93d12ee66d3e23affe2dd4845ca06d8a2 ) regarding zero-width space usage in phishing emails to trick content filters…
This isn't a common attack technique, but it has been in use for about 15 years, and Mail Aegis ( cyberwarden.io/services/aegis ) is certainly protecting our customers against it.

Read the article linked above - it's quite informative on the attack, and on how those not protected by Mail Aegis can identify it (if they're aware of it, and are suspicious of the message received).
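To make the technique concrete, here is an added example (not code from the original post, and not Mail Aegis code) of the check a filter has to do: strip the characters that render as nothing, then compare what a naive substring match sees against what the human sees. It goes slightly beyond the diary's soft hyphen and zero-width space by also treating every Unicode "format" (Cf) character, such as bidi controls, as invisible. The sample message and watchlist are constructed for illustration.

```python
"""Find and reveal zero-width / invisible characters in message text.

Added example, not part of the original post and not Mail Aegis code.
The sample message below is constructed for illustration.
"""
import unicodedata

# Explicit watch set: the soft hyphen ("shy") and zero-width space ("zwasp")
# the SANS diary is named after, plus their close relatives.
INVISIBLE = frozenset({
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE (BOM)
    "\u00ad",  # SOFT HYPHEN
    "\u034f",  # COMBINING GRAPHEME JOINER
})


def is_invisible(ch):
    """True for the watch set and for any other Unicode 'format' (Cf)
    character, which covers bidi controls and similar non-printing marks."""
    return ch in INVISIBLE or unicodedata.category(ch) == "Cf"


def find_invisible(text):
    """Return (offset, U+XXXX, name) for every invisible character."""
    return [(i, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(text) if is_invisible(ch)]


def strip_invisible(text):
    """The text as a human sees it: what a filter should match against."""
    return "".join(ch for ch in text if not is_invisible(ch))


def scan(text, watchlist):
    """Compare a naive substring match against a match on the stripped text.
    A term that only appears after stripping was deliberately broken up."""
    naive = text.casefold()
    cleaned = strip_invisible(text).casefold()
    exposed = [w for w in watchlist
               if w.casefold() in cleaned and w.casefold() not in naive]
    hits = find_invisible(text)
    return {
        "contains_invisible": bool(hits),
        "invisible": hits,
        "exposed_terms": exposed,
        "verdict": "hides watchlist terms" if exposed
                   else ("invisible chars present" if hits else "clean"),
    }


# Constructed sample: "PayPal", "account", "limited" and the URL host are
# each split by a zero-width or soft-hyphen character.
SAMPLE = ("Your Pay\u200bPal acc\u00adount has been lim\u200cited.\n"
          "Restore access at http://pay\u200bpal.example/login")
WATCHLIST = ["PayPal", "account", "limited"]

if __name__ == "__main__":
    result = scan(SAMPLE, WATCHLIST)
    print("visible text :", strip_invisible(SAMPLE))
    for offset, cp, name in result["invisible"]:
        print("  offset %3d  %s  %s" % (offset, cp, name))
    print("exposed terms:", result["exposed_terms"])
    print("verdict      :", result["verdict"])
```

The two-verdict split matters in practice: a message can legitimately contain a zero-width character (copy-pasted from a word processor, for instance), which is why the example reports "invisible chars present" separately from "hides watchlist terms". The second verdict is the one that indicates deliberate evasion.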

Dear Web Developers & Hosters

Many of you are disgusting.

Why?

Because you hijack your customers' DNS, meaning that they have no control over it.
It also raises the risk of doing business with you, just so that you can have a little convenience.

If your Cloudflare account is compromised (that's where many of you move the NS records to), then multiple customers are affected at once, and the result could be a massive compromise.
Not only web servers require DNS records. A correctly configured mail service requires a bunch of records, including SPF, DKIM (multiple selectors), DMARC, MTA-STS (multiple records, plus the hosted policy file) and TLS-RPT. Customers also need to add authentication TXT records (for domain verification with third-party services), among other things, from time to time.

Just stop it.

Why Google's push for DMARC is flawed

OK - I'll start this off with some admiration for Google & Yahoo, who now pretty much mandate that mail sent to them (including GWS-hosted domains) comes from a domain with a DMARC policy configured.

For the uninitiated, DMARC is a policy published in a DNS TXT record for your domain that tells receivers of email claiming to be from your domain what to do when the message fails validation by both Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
SPF specifies which servers are allowed to send mail for your domain, and DKIM validates the message with a digital signature.
By default, a failure of either or both of these checks (depending on the recipient's mail provider) doesn't mean the message won't be delivered, and the recipient may not be warned about the failures either, as neither check is part of the base SMTP standard.
Your DMARC policy tells the recipient's mail provider what to do if the message fails both SPF and DKIM (or the domain each check validates doesn't align with the From: address). There are three actions that can be defined in the policy:

  • None - Do nothing and let the message pass
  • Quarantine - Treat the message as suspicious; typically it goes to the recipient's junk folder rather than the inbox
  • Reject - Reject the message outright

In reality, Quarantine and Reject achieve much the same thing from the recipient's point of view - the (fake) message claiming to be from you doesn't land in their inbox.
The None policy tells the recipient's mail provider "even though you know this message failed authentication, deliver it to the recipient's mailbox anyway, as if there is nothing wrong with it".

The None policy is intended only for short-term testing, together with the monitoring enabled by the RUA & RUF parameters in the DMARC record, so that you can see whether you've configured your SPF & DKIM records correctly (it's common for people to forget about the web server that sends messages on their behalf, or the mass-mailing service they use for marketing) and whether your sending servers are signing outbound messages with a valid DomainKey.

Here's where we get to the root of the problem with Google's and Yahoo's recommendation. They recommend setting the DMARC policy to None, and they don't recommend configuring any of the other essential parameters, such as RUA or RUF.

If you're going to set your DMARC policy to None and leave it at that, then you have next to zero protection against spoofing, where threat actors send emails that claim to be from you to (for example) your customers and suppliers, carrying fake invoices or a notification of a change in bank details. They often also send malware via attachments or links to the same people as part of a targeted phishing campaign (remember that the recipient thinks the message is from you, so trusts it). This is a supply-chain attack.
Another scenario is that the attacker uses spoofing to gain access to a legitimate email account by tricking your internal IT support into resetting a password (it's trivial to set a different Reply-To address in a spoofed email - in fact, many marketing mass mailers use this technique).
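To show the difference between the policies in working code, here is an added example (not code from the original post, and not Mail Aegis code) that parses a DMARC TXT record, applies the receiver's decision rule to a spoofed message, and flags the two gaps this post is about: a None policy and a record with no reporting address. The two records and the message results are constructed; the example.com addresses are placeholders. One point the example makes explicit that the prose above glosses over: DMARC passes if either aligned SPF or aligned DKIM passes, so the policy only ever applies when both fail.

```python
"""Parse a DMARC record and show what each policy does to a spoofed message.

Added example, not code from the original post or from Mail Aegis. The two
records and the message results below are constructed for illustration;
example.com addresses are placeholders.
"""


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a dict of tags.
    Raises ValueError for anything that is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags["p"] = tags["p"].lower()
    tags.setdefault("sp", tags["p"])        # subdomain policy defaults to p
    tags.setdefault("pct", "100")           # fraction of failing mail policed
    return tags


def dmarc_disposition(tags, spf_aligned_pass, dkim_aligned_pass, subdomain=False):
    """DMARC passes when *either* SPF or DKIM passes with an identifier aligned
    to the From: domain (RFC 7489 section 6.6.2). Only when both fail does the
    published policy decide what the receiver should do."""
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass"
    return (tags["sp"] if subdomain else tags["p"]).lower()


def audit(tags):
    """The two gaps the post is about: a None policy gives no protection, and a
    record without rua= gives the domain owner no visibility either."""
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: spoofed mail that fails DMARC is still delivered")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so you cannot see who is "
                        "spoofing you or which legitimate senders are failing")
    if tags["pct"] != "100":
        findings.append("pct=%s: policy applied to only a fraction of failing mail"
                        % tags["pct"])
    return findings


# Constructed records: the bare minimum the post criticises, and a record
# with the reject policy and reporting addresses it recommends.
MINIMUM_RECORD = "v=DMARC1; p=none"
RECOMMENDED_RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.com; "
                      "ruf=mailto:dmarc-forensic@example.com; fo=1")


def spoofed_invoice_outcome():
    """A fake invoice from an attacker's server: SPF fails (server not in your
    SPF record) and there is no valid DKIM signature from your domain."""
    return {name: dmarc_disposition(parse_dmarc(rec), False, False)
            for name, rec in (("p=none", MINIMUM_RECORD),
                              ("p=reject", RECOMMENDED_RECORD))}


def forgotten_mailer_outcome():
    """A legitimate bulk mailer you forgot to authorise: same failure pattern,
    so under p=reject its mail is rejected too. This is what the rua= reports
    during a short p=none monitoring phase are for."""
    return dmarc_disposition(parse_dmarc(RECOMMENDED_RECORD), False, False)


if __name__ == "__main__":
    for name, rec in (("minimum", MINIMUM_RECORD), ("recommended", RECOMMENDED_RECORD)):
        print(name, parse_dmarc(rec), audit(parse_dmarc(rec)))
    print("spoofed invoice :", spoofed_invoice_outcome())
    print("forgotten mailer:", forgotten_mailer_outcome())
```

The forgotten-mailer case is the reason the monitoring phase exists: the receiver cannot tell your unlisted marketing service from an attacker, since both fail in exactly the same way. The aggregate reports sent to the rua= address are what let you find that sender and fix SPF/DKIM before moving to reject.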

So what should you do?

There are a number of recommendations:
  • Correctly configure your DMARC record with a Reject policy and appropriate RUA and RUF parameters
  • Do some reconnaissance on your supply chain, checking that your suppliers in particular have a robust DMARC configuration
  • Educate your end-users on spoofing & phishing
  • Have a comprehensive set of policies regarding what to do when a
  • Implement strong authentication, such as an MFA authenticator app or, better still, phishing-resistant authentication like passkeys, which don't use passwords at all (your users will thank you)
  • Utilize a good inbound mail filtering service

Remember that email is the key to your kingdom - you need to protect it at all costs.

Here's the good news - we at Cyber Warden can do all this (and much more!) with our Mail Aegis service quickly, inexpensively, and with minimal hassle.

cyberwarden.io/services/aegis

Not all cloud backup services are equal

When selecting a cloud backup service for your Microsoft 365 (M365) or Google Workspace (GWS) data, a lot of companies look purely at price. These typically range from 3 to 5 USD per user per month.
What is often not considered is WHERE and HOW that data is stored.
Some services offer storage in just one location; others offer a choice between Europe and the US, which works for most companies located in the US or the EU. But if you're located elsewhere, what are the regulations for data sovereignty? What are the regulations for data retention? Do those services meet them?
What happens if an attacker gets access to your backup portal as part of a ransomware attack and deletes all your backups?
Which software does the backup provider use?

Oh my…

A cloud backup provider that provides:
  • Data Sovereignty in the location of your choice
  • Immutable Backups (can't be deleted or changed)
  • Retention Policies of your choice
  • Encryption of the backups
  • Fully managed service (not every company has a backup specialist)
  • Named, top-tier software on the back end
  • Pooled capacity between users (some users have more data than others)
  • M365 (including Teams, OneDrive and SharePoint) and GWS support

That has to be expensive and complicated, right?

Maybe, if you did it yourself, and then on top of the software cost, you'd have to pay someone to implement, maintain and operate the platform…

What if there was a better way?

Well you're in luck. We partner with Assured Data Protection (Rubrik Global MSP Partner of the year 2023) to provide a fully managed, Rubrik based platform with all the features listed above for USD 3.00/user/month (even less if you are a Mail Aegis Gold customer, which bundles this service).

So yeah, not only do we (in our opinion) have the best mail security platform on the market (on price AND performance), we also offer the best disaster recovery platform on the market (on price AND features).

What are you waiting for?

Contact us at cyberwarden.io/contact