An Introduction To Email Security Using SPF, DKIM, and DMARC


Email continues to be an excellent vector for cyber criminals to distribute malware and malicious links to unsuspecting victims. Email is a frequently misconfigured and widely misunderstood service that is being used for tasks it was never designed to do, at least not securely. Thankfully, several mechanisms published through the Domain Name System (DNS) let a domain owner state who may send mail on its behalf, which reduces the risk of receiving spoofed, spam, and other potentially malicious messages.

What Is SPF?

The Sender Policy Framework (SPF) is an authentication method designed to detect when a message arrives from a server that isn't approved to send email for the sender's domain. SPF gives the receiving server a way of seeing which servers are approved to send for that domain, and the check runs on every inbound message for which a record exists. One caveat that matters in practice: SPF checks the domain of the envelope sender (the SMTP MAIL FROM, which ends up in the Return-Path header), not the From: address the recipient sees. That is why SPF alone does not stop a spoofed From: header and why the alignment check that DMARC adds (below) is needed. SPF is configured by adding a TXT record to your domain's DNS zone whose value lists the approved sending servers.

The SPF Record

An SPF record is a TXT record that lists the IP addresses and domains approved to send email using the domain name the record is published on. An SPF record may look something like this:

TYPE  HOST  VALUE                                                                      TTL
TXT   @     "v=spf1 ip4:192.0.2.10 include:domainname.com include:amazonses.com ~all"  1800

Every octet of an ip4: address must be between 0 and 255; a malformed literal such as 24.242.244.422 is not an address at all, and receivers treat the whole record as a permanent error (permerror) rather than ignoring the bad term. amazonses.com is the include Amazon publishes for SES; the 192.0.2.0/24 range is reserved for documentation and is used here as a placeholder.

The SPF string always starts with the version (v=spf1), followed by mechanisms such as ip4:, ip6:, a:, mx: and include: that define approved addresses and domains (names are resolved back to IP addresses), and finally the all mechanism with a qualifier in front of it. The receiving server evaluates the mechanisms left to right and stops at the first one that matches the connecting IP, so all should be the last term. Two practical limits: a record may trigger at most 10 DNS lookups in total (include, a, mx, ptr, exists and redirect each count, including those inside included records), beyond which receivers return permerror; ip4: and ip6: literals cost nothing, so prefer them where the sending ranges are stable.

The all mechanism normally carries a qualifier, but a qualifier can be placed in front of any mechanism; a mechanism without one is treated as + (pass).

Four qualifiers exist: plus (+), dash (-), tilde (~), and question mark (?).

Qualifier      Explanation                                        Intention
+ (Pass)       Host or IP allowed to send                         accept email
- (Fail)       Host or IP NOT allowed to send                     reject email
~ (SoftFail)   Host or IP NOT allowed to send, but is in testing  accept email, but mark it
? (Neutral)    Nothing to be said about host or IP                accept email
SPF Qualifiers

Check your domain name’s SPF record at MX Toolbox
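As an added example (not code from the original post), here is a small SPF evaluator in Python that follows the check_host algorithm of RFC 7208 for the mechanisms discussed above. The DNS answers are a constructed table, not live lookups, and the domain names in it (mailer.example, badip.example, loop.example, nospf.example) are placeholders. It applies the qualifiers from the table, stops at the first matching mechanism, counts DNS-querying terms against the limit of 10, and turns a malformed ip4: literal into a permerror.

```python
import ipaddress

# Constructed TXT data standing in for DNS answers (example fixture, not real zones).
# badip.example carries the malformed literal from the text; loop.example includes itself.
DNS_TXT = {
    "domainname.com": "v=spf1 ip4:192.0.2.10 include:mailer.example ~all",
    "mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 -all",
    "badip.example":  "v=spf1 ip4:24.242.244.422 -all",
    "loop.example":   "v=spf1 include:loop.example -all",
    "nospf.example":  "some unrelated TXT record",
}

MAX_DNS_LOOKUPS = 10                                   # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for a domain, or None when it publishes none."""
    txt = DNS_TXT.get(domain.lower().rstrip("."))
    if txt and txt.split()[0].lower() == "v=spf1":
        return txt
    return None


def check_host(ip, domain, _lookups=None):
    """Evaluate SPF for a connecting IP and a MAIL FROM domain (RFC 7208 check_host).

    Implements ip4, ip6, include, all and the redirect modifier. The a, mx, ptr and
    exists mechanisms need live DNS and are reported as permerror in this example.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    counter = _lookups if _lookups is not None else [0]
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if "=" in term and ":" not in term.split("=", 1)[0]:   # modifier: redirect=, exp=
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"                                     # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"                          # e.g. an octet above 255
            matched = addr.version == net.version and addr in net
        elif name == "include":
            counter[0] += 1
            if counter[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_host(ip, arg, counter)
            if sub in ("none", "permerror"):
                return "permerror"                          # included domain must have a record
            if sub == "temperror":
                return sub
            matched = sub == "pass"                         # include matches only on pass
        else:
            return "permerror"                              # a/mx/ptr/exists not supported here
        if matched:
            return QUALIFIERS[qualifier]                    # first match wins, evaluation stops
    if redirect:                                            # only reached when nothing matched
        counter[0] += 1
        if counter[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        result = check_host(ip, redirect, counter)
        return "permerror" if result == "none" else result
    return "neutral"                                        # no match and no all term
```

The self-including loop.example record is the cheap way to see the lookup limit fire: each include costs one lookup, and the eleventh returns permerror, which most receivers treat as "no SPF" rather than a rejection. That is also why long include chains from marketing and ticketing vendors silently break SPF for a domain that looks correctly configured.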

What Is DKIM?

DomainKeys Identified Mail (DKIM), like SPF, is an authentication mechanism that lets a receiver check that a message was sent with the approval of the domain owner. Unlike SPF, DKIM uses digital signatures: the sending mail server holds a private key, publishes the matching public key in the domain's DNS, and attaches a DKIM-Signature header to every outbound message. The signature covers a hash of the body and a chosen set of headers (From, To, Subject, Date, and so on), so DKIM verifies not only that a key authorised by the domain signed the message but also that the signed headers and the body, including any attachments carried in the body, have not been altered in transit. Headers that are not listed in the signature can still be changed without invalidating it, which is why From: must always be among the signed headers.

The DKIM Record

Two pieces work together. The signing server adds a DKIM-Signature header to each message, made up of tag=value pairs that tell the receiver which domain and key (selector) were used, which headers were signed, the hash of the body, and the signature itself. Here is what a DKIM-Signature header might look like (adapted from the example in RFC 6376; the b= value is abbreviated). Note that this header travels with the message; it is not what goes in DNS.

DKIM-Signature: v=1; a=rsa-sha256; d=domainname.com; s=selector; c=relaxed/simple;
    q=dns/txt; t=1117574938; x=1118006938;
    h=from:to:subject:date:keywords:keywords;
    bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
    b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR

There are a number of tags available:

Tag   Explanation
v     version
a     signing algorithm
d     domain
s     selector
c     canonicalization algorithm(s), header/body
q     query method
t     signature timestamp
x     expiry
h     signed header fields
bh    body hash
b     signature of headers and body

Since DKIM is a digital signature, it relies on public-key cryptography: the sending server signs with its private key and the receiver verifies with the public key. The receiver builds the DNS name from the s= and d= tags of the header, selector._domainkey.domainname.com for the example above, and queries it for a TXT record. The response contains the domain's public key and other tag=value pairs that tell the server how to use it:

TYPE  HOST                                 VALUE                                                                                                                                                                                                                                 TTL
TXT   selector._domainkey.domainname.com.  "k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDmzRmJRQxLEuyYiyMg4suA2SyMwR5MGHpP9diNT1hRiwUd/mZp1ro7kIDTKS8ktkI6z6eTRW9e9dDOxzSxNuXmume60Cjbu08gOyhPG3GfWdg7QkdN66R4V75MFlw624VY35DaXBvnlfJTgRg/EW72O1DiYVThkyCgpSYS8nmEQIDAQAB"  1800

Here k= names the key type, t=s restricts the key to signatures whose i= identity is exactly the d= domain (no subdomains), and p= is the base64-encoded public key; an empty p= means the key has been revoked. Starting the record with v=DKIM1; is the conventional form. Two operational checks worth making on your own record: the key above is 1024-bit RSA, which is the smallest size receivers still accept and below the 2048 bits current guidance recommends, and keys are rotated by publishing a new selector rather than changing the value under an existing one, so that mail signed before the rotation still verifies.

A further property of DKIM is a degree of non-repudiation. Non-repudiation means that the author of a statement cannot later credibly deny having made it. In the case of DKIM, only the sending server should hold the private key, so a signature that verifies under the public key published at selector._domainkey for the d= domain shows that a server authorised by that domain signed exactly this content. Two caveats: the key is a domain key, not a person's, so it attests to the sending domain rather than to the individual author; and DKIM signs rather than encrypts, so the message content is not hidden from anyone in transit.

Check out your domain name’s DKIM record at MX Toolbox
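As an added example (not code from the original post), the following Python shows the parts of DKIM verification that need no key at all: parsing the tag=value list of a DKIM-Signature header, applying simple and relaxed canonicalization as RFC 6376 describes them, recomputing the body hash (bh=) and assembling the bytes the RSA signature (b=) covers. The message is a constructed one, so the RSA step itself, which needs the signer's private key and the p= key from DNS, is left out; everything else is what a verifier does before that step. It also shows what "integrity" means in practice: altering or appending to the body breaks the bh= check, while the whitespace changes that relaxed canonicalization permits do not.

```python
import base64
import hashlib
import re

# The DKIM-Signature value from the header above (adapted from RFC 6376), used for tag parsing.
PAGE_SIGNATURE = ("v=1; a=rsa-sha256; d=domainname.com; s=selector; c=relaxed/simple; q=dns/txt; "
                  "t=1117574938; x=1118006938; h=from:to:subject:date:keywords:keywords; "
                  "bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=; "
                  "b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR")

# Constructed message (not real mail), CRLF line endings as on the wire; To: is folded.
MESSAGE = ("From: Alice <alice@domainname.com>\r\n"
           "To: Bob\r\n <bob@example.net>\r\n"
           "Subject:   Quarterly   report\r\n"
           "Date: Wed, 1 Jun 2005 00:08:58 +0000\r\n"
           "\r\n"
           "Hello  Bob, \r\nthe report is attached.\r\n\r\n\r\n")


def parse_tags(value):
    """Parse a tag=value list (RFC 6376 section 3.2); whitespace inside b= and bh= is insignificant."""
    tags = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            key = key.strip()
            tags[key] = re.sub(r"\s+", "", val) if key in ("b", "bh") else val.strip()
    return tags


def split_message(raw):
    """Return ([(name, value), ...] with folded lines kept as CRLF + WSP, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:            # continuation of the previous header
            headers[-1] = (headers[-1][0], headers[-1][1] + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers, body


def canon_body(body, mode):
    """Body canonicalization: simple (section 3.4.3) or relaxed (section 3.4.4)."""
    if mode == "relaxed":                                  # collapse WSP runs, drop trailing WSP
        body = "\r\n".join(re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n"))
    body = re.sub(r"(\r\n)+$", "", body)                   # ignore all empty lines at the end
    if body == "":
        return "\r\n" if mode == "simple" else ""          # simple hashes an empty body as CRLF
    return body + "\r\n"


def canon_header(name, value, mode):
    """Header canonicalization: simple (section 3.4.1) or relaxed (section 3.4.2)."""
    if mode == "simple":
        return name + ":" + value + "\r\n"
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()   # unfold, collapse WSP
    return name.lower().strip() + ":" + value + "\r\n"


def body_hash(body, mode):
    return base64.b64encode(hashlib.sha256(canon_body(body, mode).encode()).digest()).decode()


def signing_input(headers, sig_value, header_mode):
    """Bytes the b= signature covers: each h= header taken from the bottom of the header block
    (so a duplicated From: cannot be slipped in above the signed one), then the DKIM-Signature
    header itself with b= emptied and no trailing CRLF."""
    remaining = list(headers)
    parts = []
    for wanted in parse_tags(sig_value)["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].strip().lower() == wanted.strip().lower():
                parts.append(canon_header(*remaining.pop(i), header_mode))
                break
    emptied = re.sub(r"(?<![A-Za-z0-9+/])b=[^;]*", "b=", sig_value)
    parts.append(canon_header("DKIM-Signature", emptied, header_mode).rstrip("\r\n"))
    return "".join(parts).encode()


def sign_header_skeleton(raw, domain, selector, canon="relaxed/relaxed"):
    """What a signer emits up to the RSA step: bh= is real, b= stays empty because producing
    it needs the private key (left out of this example)."""
    _, body = split_message(raw)
    return (f"v=1; a=rsa-sha256; c={canon}; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={body_hash(body, canon.split('/')[1])}; b=")


def verify_body_hash(raw):
    """Recompute the body hash and compare with bh=. False means the body was altered, and
    because no l= tag limits the hash to a prefix, appended text is caught as well."""
    headers, body = split_message(raw)
    sig = next(v for n, v in headers if n.strip().lower() == "dkim-signature")
    tags = parse_tags(sig)
    body_mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    return tags.get("bh") == body_hash(body, body_mode)


SIGNED = "DKIM-Signature: " + sign_header_skeleton(MESSAGE, "domainname.com", "selector") + "\r\n" + MESSAGE
```

Relaxed canonicalization exists because intermediate mail servers routinely re-wrap and re-space headers; a signature over the raw bytes would fail after the first hop. The flip side is that a signer who sets the optional l= tag limits the body hash to the first l bytes, so anything appended afterwards still verifies; treat l= as a warning sign when you review a signing configuration.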

What Is DMARC?

DMARC, or Domain-based Message Authentication, Reporting and Conformance, is the third and final email authentication mechanism that we'll be looking at today. DMARC builds on SPF and DKIM by tying their results to the domain in the From: header the recipient actually sees: a message passes DMARC when SPF passes for a domain aligned with the From: domain, or DKIM verifies with a d= domain aligned with it. The DMARC record then instructs the receiving server how to handle messages that fail (none, quarantine, or reject) and where to send reports about what it has seen.

DMARC Record

The DMARC record is created with a subdomain label of _dmarc (i.e. _dmarc.roguesecurity.ca), and exists as a TXT record. Let’s take a look at what a DMARC record looks like:

TYPE  HOST                    VALUE                                                                       TTL
TXT   _dmarc.domainname.com.  "v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@domainname.com;"  1800

The only required tags in a DMARC record are v and p. A rua address is not required, but without one you receive no aggregate reports, and those reports are how you find the legitimate senders you have forgotten before tightening the policy.

Tag     Explanation
v       DMARC version (must be DMARC1)
p       Policy for the domain: none, quarantine, or reject
sp      Policy for subdomains of the domain (defaults to p)
pct     Percentage of failing messages the policy is applied to
rua     Reporting URI(s) for aggregate reports
ruf     Reporting URI(s) for failure (forensic) reports
adkim   Alignment mode for DKIM: r (relaxed, default) or s (strict)
aspf    Alignment mode for SPF: r (relaxed, default) or s (strict)
fo      Failure reporting options (ignored if ruf is missing)
rf      Format to be used for message-specific failure reports
ri      Requested interval between aggregate reports, in seconds (default 86400)
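As an added example (not code from the original post), here is the DMARC evaluation a receiver performs once it has SPF and DKIM results in hand, in Python: finding the record (the From: domain's own, else its organizational domain's), checking identifier alignment in relaxed and strict mode, and choosing the disposition from p, sp and pct. The DNS answers are a constructed table, and the organizational-domain function is deliberately simplified to the last two labels; a real receiver uses the Public Suffix List. The random draw that pct= is compared against is passed in as a number so that the results are repeatable.

```python
# Constructed DNS fixture (not real zones). DMARC records live at _dmarc.<domain>.
DNS_TXT = {
    "_dmarc.domainname.com": "v=DMARC1; p=quarantine; sp=reject; pct=50; aspf=s; "
                             "rua=mailto:dmarcreports@domainname.com",
    "_dmarc.roguesecurity.ca": "v=DMARC1; p=none; rua=mailto:dmarc@roguesecurity.ca",
}

# RFC 7489 section 6.6.4: a message not selected by pct gets the next weaker action.
PCT_FALLBACK = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(value):
    """Parse a DMARC record; None when it is not valid (v and p are mandatory)."""
    tags = {}
    for item in value.split(";"):
        key, _, val = item.partition("=")
        if key.strip():
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags


def organizational_domain(domain):
    """Assumption for this example: the last two labels. Real receivers consult the
    Public Suffix List so that names such as example.co.uk are handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def find_policy(from_domain):
    """RFC 7489 section 6.6.3: the exact domain's record, else the organizational domain's.
    Returns (tags, came_from_org_domain) or (None, False)."""
    from_domain = from_domain.lower().rstrip(".")
    for candidate in (from_domain, organizational_domain(from_domain)):
        record = DNS_TXT.get("_dmarc." + candidate)
        tags = parse_dmarc(record) if record else None
        if tags:
            return tags, candidate != from_domain
    return None, False


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else organizational_domain(a) == organizational_domain(b)


def evaluate(from_domain, spf, dkim, sample):
    """spf: (result, envelope MAIL FROM domain); dkim: list of (result, d= domain);
    sample: integer 0-99 standing in for the receiver's random draw against pct=.
    Returns the DMARC result and the disposition the receiver should apply."""
    policy, from_org = find_policy(from_domain)
    if policy is None:
        return {"dmarc": "none", "disposition": "none"}      # no record: nothing to enforce
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy.get("aspf", "r"))
    dkim_ok = any(r == "pass" and aligned(from_domain, d, policy.get("adkim", "r")) for r, d in dkim)
    if spf_ok or dkim_ok:                                    # one aligned pass is enough
        return {"dmarc": "pass", "disposition": "none"}
    action = policy.get("sp", policy["p"]) if from_org else policy["p"]
    if sample >= int(policy.get("pct", "100")):              # not selected for the policy
        action = PCT_FALLBACK[action]
    return {"dmarc": "fail", "disposition": action}
```

Two things this makes visible that the record alone does not: an SPF pass for a bounce subdomain fails strict alignment (aspf=s) even though SPF itself passed, and pct=50 on a reject policy means half of the failing mail is only quarantined, which is why pct is a rollout aid rather than a permanent setting.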

DMARC also adds reporting. Aggregate reports (rua) are XML files, usually sent once a day as gzip or zip attachments, in which each receiving organisation summarises, per sending IP, how many messages claimed your domain and whether they passed SPF, DKIM, and alignment; they can be quite large if your organisation sends a lot of email, and they are the main way to discover legitimate senders you forgot before moving p= from none to quarantine or reject. Failure (forensic) reports (ruf) are per-message reports in ARF format; many large receivers do not send them for privacy reasons, so do not build a process that relies on them.
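As an added example (not code from the original post), here is a small Python parser for the aggregate report format, run over a constructed report that contains one legitimate sender and one spoofer. It pulls out the per-source rows a mail administrator actually reads and separates the aligned results in policy_evaluated from the raw ones in auth_results, which is the distinction most people trip over when they first open these files.

```python
import gzip
import xml.etree.ElementTree as ET

# Constructed aggregate report (example data): one legitimate source and one spoofer.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>2021-06-01-domainname.com</report_id>
    <date_range><begin>1622505600</begin><end>1622592000</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>domainname.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>domainname.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>domainname.com</domain><selector>selector</selector><result>pass</result></dkim>
      <spf><domain>domainname.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>domainname.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize(xml_text):
    """Flatten a DMARC aggregate report into one dict per <record>.
    policy_evaluated holds the aligned results, auth_results the raw ones: the spoofer
    below shows spf=fail although SPF for its own domain (attacker.example) passed."""
    root = ET.fromstring(xml_text)    # reports come from strangers: use defusedxml in production
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": row.findtext("policy_evaluated/disposition"),
            "dkim": row.findtext("policy_evaluated/dkim"),
            "spf": row.findtext("policy_evaluated/spf"),
            "header_from": rec.findtext("identifiers/header_from"),
            "raw_spf": [(e.findtext("domain"), e.findtext("result")) for e in rec.findall("auth_results/spf")],
            "raw_dkim": [(e.findtext("domain"), e.findtext("result")) for e in rec.findall("auth_results/dkim")],
        })
    return {"org": root.findtext("report_metadata/org_name"),
            "domain": root.findtext("policy_published/domain"),
            "published_p": root.findtext("policy_published/p"),
            "rows": rows}


def failing_sources(summary):
    """Sources that claimed the domain but passed neither aligned SPF nor aligned DKIM:
    either spoofers or legitimate senders you have not yet authorised."""
    return sorted((r["source_ip"], r["count"]) for r in summary["rows"]
                  if r["spf"] != "pass" and r["dkim"] != "pass")


def load_report(attachment_bytes):
    """Reports arrive as .xml.gz (or .zip) attachments; this handles the gzip case."""
    if attachment_bytes[:2] == b"\x1f\x8b":
        attachment_bytes = gzip.decompress(attachment_bytes)
    return summarize(attachment_bytes.decode("utf-8"))
```

With p=none published, both rows show disposition none, which is the point of starting there: the report tells you that 203.0.113.5 is sending as your domain without authorisation while nothing is yet being blocked. Once the failing sources are either authorised (added to SPF, given a DKIM key) or confirmed hostile, the policy can be moved to quarantine and then reject.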

Check out your domain name’s DMARC record at MX Toolbox

Conclusion

SPF, DKIM, and DMARC are email authentication mechanisms that help with anti-phishing, non-repudiation, spam prevention, and message integrity. Although the implementation can be complex when more than one domain or third-party sender is involved, the benefits of SPF, DKIM, and DMARC far outweigh the time they take to configure properly.

(ISC)2 Offering Free Ransomware Training Until July 31, 2021

If you’re a regular visitor to roguesecurity.ca then you’ve probably heard of (ISC)2. (ISC)2 is an international, non-profit organization that provides certifications, networking, and continuing education for security professionals. (ISC)2 is the organisation responsible for some of the most popular certifications in the information security industry including the CISSP (Certified Information Systems Security Professional).

Until July 31st, 2021, (ISC)2 is offering its Ransomware: Identify, Protect, Detect, Recover course completely free to the general public, not just members! Courses from (ISC)2 are always free to members; for everyone else, complete access to all PDI courses normally costs $649 USD per year.

Ransomware: Identify, Protect, Detect, Recover is a 2-hour course, with over 40 security expert instructors. Those who successfully complete the course are able to claim a 25% discount on future training!

During this 2-hour course, you will learn the major distinctions between ransomware and malware, the key characteristics of ransomware attacks, and the protection strategies and remediation plans for ransomware attacks that should be in place ahead of time.

Ransomware: Identify, Protect, Detect, Recover Course Outline

Indicators of Compromise (IOC) and How Security Professionals use them to defend against threats

If you’ve been in a security field that involves incident response/threat hunting, you’ve probably heard of the term “indicator of compromise” (IOC). In computer forensics, an IOC is an artifact that can be observed on a network or a host that indicates, with a relatively high level of confidence, a computer intrusion.

Not all artifacts from a cyber event will be considered an IOC. Artifacts that are left during an attempted, but perhaps not successful, intrusion are known as precursors. While an IOC can help to identify an intrusion that may have already occurred, a precursor can help to identify when an intrusion may be in the process of occurring.

What Do We Consider An Indicator of Compromise?

Indicators of compromise can range from a simple string to a series of actions performed in a certain order. Here are examples of the different types of IOCs:

  • IP Address
  • Domain Name
  • URL
  • Website Name
  • File Hash
  • User/Account Name
  • Service and Process Names
  • Registry Key, Path, and Value
  • Directory Path
  • Virus Signature
  • “Strings” within a file
  • DNS txt record abnormalities
  • Files referencing /etc
  • System API Call

While those pieces of data can be easily found using a variety of security tools, there are also a number of behaviours that may indicate an intrusion.

  • Unusual/Unaccounted for outbound traffic
  • Unusual/Unaccounted for traffic between client networks (subnets)
  • Privileged account anomalous usage
  • User account active from anomalous IPs
  • Excessive failed logins
  • Activity from unexpected geographic regions
  • Increased traffic to specific resource
  • Baseline changes in RDBMS activity
  • Change in web browsing requests / request habits
  • Well known port vs. application usage
  • Cleartext traffic on ports that normally carry encrypted protocols
  • Unexplainable Registry and File system changes
  • Malformed, overly short, and otherwise anomalous DNS requests
  • Patching that didn’t follow the official Change Management schedule
  • Changes to mobile platforms
  • Unexplained file creation
  • Web Browsing spikes and anomalous traffic patterns during irregular times
  • Service changes
  • Anomalous account management activity
  • Anomalous file transfers
  • Changes to file permissions
  • Changes outside of normal maintenance hours
  • Access to URLs outside of the Alexa Top 1 Million
  • High CPU usage

There are a number of other behaviours that I'm sure you can think of that may also indicate compromise. One of the best sources of techniques for building a larger list of behaviours is the MITRE ATT&CK Enterprise techniques matrix.

How Is This Information Valuable to a Security Professional?

Security monitoring is not a perfect science and relies on security professionals to create, tune, and update the various security tools used to detect information security threats, including the Security Information and Event Management (SIEM) system. A SIEM is a key tool for security operations teams: it ingests, normalises, correlates, and displays logs from many services, and gives security professionals a central place to investigate security incidents.

Security professionals in the monitoring and detection role can use an indicator of compromise to build alerts and detection content based on real-world events and detections. This is an essential part within any SOC program, and is a proactive approach to cyber defense. Using IOCs in your environment is also a reactive approach to cyber defense, but can help to identify threats in your environment that may have been missed initially. For example:

A security professional takes the list of IOCs FireEye published for a recent DarkSide ransomware intrusion it investigated (FireEye, like many security companies, publishes such intelligence for others to use).

The security professional adds those IOCs to existing detection content so that any future hit alerts, and also sweeps historical logs for the same IOCs. The sweep gives the team a limited degree of confidence that the environment was not previously affected by a threat it could not detect at the time; limited, because the logs only reach back as far as retention allows and only cover the sources that were being collected.

IOC Standards

IOCs are commonly shared as threat intelligence, much of it open source (OSINT), and are available from many sources in many formats. You may get something as simple as a list of IP addresses; however, there has been work over the years to create standard ways of creating, storing, and sharing indicators of compromise.

STIX (Structured Threat Information eXpression)
TAXII (Trusted Automated eXchange of Intelligence Information)

STIX and TAXII are complementary rather than alternatives. STIX is the data format: it describes indicators, malware, threat actors, campaigns and the relationships between them as structured objects (JSON in STIX 2), so that an indicator carries its context rather than being a bare string. TAXII is the transport: a client-server HTTPS protocol in which a server publishes collections of STIX objects that clients poll or subscribe to. Many SIEM tools can pull STIX content from TAXII feeds for automated intelligence gathering and for updating IOC block lists.
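As an added example (not from the original post), here is the workflow described above in Python: read a STIX 2.1 bundle, extract the atomic indicators (single-comparison patterns such as [ipv4-addr:value = '...']), and sweep a batch of historical log lines for them. The bundle, its identifiers and the log lines are constructed for the example; the hash is the SHA-256 of an empty file, used as a stand-in. Matching is done on whole tokens rather than substrings, so an indicator for 203.0.113.5 does not fire on 203.0.113.50, and patterns the matcher cannot evaluate are reported rather than silently dropped.

```python
import json
import re

EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # sha256("")


def _indicator(n, name, pattern):
    """Build one STIX 2.1 Indicator object; the UUIDs and timestamps are made up for the example."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--6b6c2a0e-1111-4c1b-9a11-00000000000{n}",
            "created": "2021-06-01T00:00:00.000Z", "modified": "2021-06-01T00:00:00.000Z",
            "name": name, "pattern_type": "stix", "pattern": pattern,
            "valid_from": "2021-06-01T00:00:00Z"}


# Constructed STIX bundle, as a TAXII collection would deliver it (example data).
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--6b6c2a0e-1111-4c1b-9a11-000000000000",
    "objects": [
        _indicator(1, "C2 server", "[ipv4-addr:value = '203.0.113.5']"),
        _indicator(2, "Staging domain", "[domain-name:value = 'update-check.example']"),
        _indicator(3, "Dropper", "[file:hashes.'SHA-256' = '" + EMPTY_SHA256 + "']"),
        _indicator(4, "Compound", "[ipv4-addr:value = '198.51.100.9' AND network-traffic:dst_port = 4444]"),
    ]})

# Constructed historical log lines in key=value form (DNS, connection and EDR events).
LOGS = [
    "2021-06-01T10:15:02Z dns client=10.0.0.23 query=update-check.example type=A",
    "2021-06-01T10:15:03Z conn src=10.0.0.23 dst=203.0.113.5 dport=443 proto=tcp",
    "2021-06-01T10:15:04Z conn src=10.0.0.24 dst=203.0.113.50 dport=443 proto=tcp",
    "2021-06-01T10:16:40Z edr host=WS-023 path=C:\\Temp\\svc.exe sha256=" + EMPTY_SHA256,
    "2021-06-01T10:17:01Z dns client=10.0.0.25 query=www.example.org type=A",
]

# One observable compared for equality with one literal; anything richer needs a real pattern engine.
SIMPLE_PATTERN = re.compile(r"^\[([\w:.'-]+)\s*=\s*'([^']+)'\]$")


def load_indicators(bundle_json):
    """Return (usable, skipped): usable is [(id, name, observable type, value)] for
    single-comparison patterns; skipped lists the ids of patterns this matcher cannot evaluate."""
    usable, skipped = [], []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        match = SIMPLE_PATTERN.match(obj["pattern"])
        if not match:
            skipped.append(obj["id"])
            continue
        path, value = match.groups()
        usable.append((obj["id"], obj["name"], path.split(":")[0], value.lower()))
    return usable, skipped


def tokens(line):
    """Whole tokens of a log line, split on whitespace and '=', lower-cased."""
    return set(re.split(r"[\s=]+", line.lower()))


def sweep(lines, indicators):
    """Historical sweep: (line number, indicator name) for every line containing an
    indicator value as a whole token. Exact tokens avoid 203.0.113.5 matching 203.0.113.50."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        toks = tokens(line)
        for _ind_id, name, _kind, value in indicators:
            if value in toks:
                hits.append((lineno, name))
    return hits
```

The skipped list matters operationally: a feed full of compound patterns that your tooling quietly ignores gives the same false sense of coverage as the historical sweep gives false certainty when log retention is short.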

Addressing Cybersecurity Skills Gap Through Neurodiversity

Originally posted to Social Media in response to, “Addressing the cybersecurity skills gap through neurodiversity“, posted at TechCrunch.com

You don’t need to tell us the power of being neurodivergent. Did you know that Rogue Security’s owner/operator, Justin Robinson, has Attention Deficit Hyperactivity Disorder (ADHD)?

Given a comfortable and supportive environment, as well as a topic that interests us (cybersecurity), the behaviours that are frequently called "symptoms" of our disorders occur less often, or even completely flip!

“My inattention becomes hyperfocus, my random thoughts become a brainstorm for the ages, and what you think is procrastination is actually extremely well-tuned mental preparation. And oh boy am I passionate!” ~ Justin Robinson

Given an uncomfortable environment, like anyone, we will be frustrated, depressed, anxious, and even bored! Our needs are simply different, and in some cases may seem unnecessary for an adult. Our comforts are different too, and our discomforts occur more often. Give us a break on that last one, we simultaneously hate change in routine, but love experiencing different things and can become bored when doing the same thing over and over again.

“Neurodiverse minds are usually great at finding the needle in the haystack, the small red flags and minute details that are critical for hunting down and analyzing potential threats. Other strengths include pattern recognition, thinking outside the box, attention to detail, a keen sense of focus, methodical thinking and integrity.” ~ Referenced from article

Rogue Security Social Media Posting

Security Insights on The PEI Pass: From a Security Professional and Islander

We're getting closer and closer to the end of Covid-19 restrictions, and we're heading to a point in this pandemic that privacy and security experts have been fearing for quite some time. It was only a matter of time before Covid-19 vaccination became everyone's answer for getting back to a normal(-ish) life. The challenge was always going to be in creating a process whereby everyone can provide evidence of vaccination without breaching anyone's right to privacy.

I was reading this article this morning on CBC, “Cybersecurity expert warns P.E.I. Pass website is ‘hotspot’ for hackers”, and was expecting to read something substantial about the security of the platform, and was honestly pretty disappointed. In my opinion, this article does nothing but erode more trust in our institutions. It lacks the details necessary for an article with such a title, and could stoke a decrease in use and trust of other online government platforms.

What Is The PEI Pass?

The PEI Pass is a document issued by the Government of Prince Edward Island that verifies an individual has been fully or partially vaccinated and that at least 21 days have passed since the dose. If you have this document then you are not required to self-isolate for 14 days when entering P.E.I. The PEI Pass is available to almost anyone, provided they meet one of the 4 requirement categories. Each category has a different set of requirements, including differing documentation needs. Categories:

  • Permanent P.E.I. residents
  • Permanent residents of N.S., N.B., N.L., or the Magdalen Islands
  • Other Individuals who have been in an Atlantic province for a minimum of 14-consecutive days, not including Magdalen Islands.
  • Non-P.E.I. residents who came to P.E.I. through a Pre-Travel Approval and are currently in PEI

Security Vs Privacy

There are two different concepts being discussed here. Security and privacy are not the same thing: privacy is about what data is collected and who may see it, while security is about protecting that data once it has been collected. The privacy of the data may therefore depend on factors that include security, but a secure system can still be a privacy problem if it collects more than it needs.

Privacy Concerns

Although it’s easiest as a Permanent P.E.I. resident, all four requirement categories require you to upload documents or enter information that may not be relevant to the PEI Pass application.

As a Prince Edward Island resident, the government already knows this information about me, which is why they’ve made it easier by being able to lookup my records in the PEI COVID Immunization Registry. For me, I’m not concerned about uploading my driver’s license either, as the government has that too.

Non-permanent residents will be experiencing the most risk to privacy. Especially, with a data breach in P.E.I.’s not too distant past. Any time you give your information and data to an organization or government that didn’t previously have it, you’re increasing the risk of that information being stolen. That’s a risk calculation that you’ll need to make yourself.

Security Concerns

I wasn’t able to find any information on how the Government of Prince Edward Island is securing the transmission and the storage of information being supplied.

The PEI Pass application itself is protected by a valid TLS (SSL) certificate, which tells us that the data is encrypted in transit from your browser to the web server. That is all it tells us: a valid certificate says nothing about how the server stores, processes, or shares the data once it arrives.

The unknowns begin when we try to identify what security controls protect the data in storage (data at rest); nor do we know whether the data is stored on the same server as the website. Unfortunately, outside of the privacy commissioner giving her go-ahead, I can't find any reports on it.

Conclusion

The PEI Pass application process asks not just for personal information, but also for personal documentation. This can lead to you releasing much more personal information than you may have wanted to. Photocopy your documents and use a dark marker to eliminate any information on them that isn't relevant to the request, then send the modified photocopy. The Government of Prince Edward Island provides a similar note on its website.

Will Applying To The PEI Pass Be a Risk To My Privacy?

Any time that you provide personal information to a third-party that didn’t have information before, you are compromising your privacy. Sometimes it’s good, sometimes it’s bad. That’s where laws like PIPEDA come in.

Will Applying To The PEI Pass Be a Risk To My Data Security?

Without knowing what security controls are in place, there is simply no way of knowing if applying for the PEI Pass will compromise your data security.

Is The PEI Pass Website a Hotspot for hackers?

No.

An Introduction to Automating Open Source Intelligence Using SpiderFoot

SpiderFoot - An Open Source Intelligence Tool

What Is OSINT?

Open Source Intelligence (OSINT) is a methodology for collecting and analyzing publicly available sources of data, and making decisions based on them. According to Wikipedia, OSINT sources can be divided into the following categories:

  • Media, print newspapers, magazines, radio, television
  • Internet, online publications, blogs, discussion groups, citizen media
  • Public government data, public government reports, budgets, hearings, telephone directories, press conferences, websites, speeches
  • Professional and academic publications, information acquired from journals, conferences, symposia, academic papers, dissertations, theses
  • Commercial data, commercial imagery, financial and industrial assessments, and databases
  • Grey literature, technical reports, preprints, patents, working papers, business documents, unpublished works, newsletters

The purpose of OSINT is to create a tailored level of knowledge (or intelligence) for supporting individuals and groups in making decisions.

A vast amount of information is available publicly. OSINT Framework provides a hierarchical view of hundreds of OSINT resources broken down by a variety of indicators.

What Is SpiderFoot?

SpiderFoot is an open source tool, built in Python, that can query a large number of data sources (over 100 according to the website) to gather information on a number of different targets including IP addresses, domain names, and even bitcoin addresses.

SpiderFoot Scan Target Panel

The power of SpiderFoot comes from its modules. Each module queries one data source or transforms data that other modules have already collected, and the results it produces are in turn fed to every module that consumes that data type, which is how a single domain name fans out into hosts, addresses, certificates, and leaked credentials. Some modules, like those that integrate with Shodan, AlienVault OTX, and HaveIBeenPwned, require an API key from the individual service. API keys can be imported and exported as needed. Approximately 60 services that require API keys are available via SpiderFoot.

Scanning in SpiderFoot is as simple as giving the scan a title, a target, and then by selecting the Use Case, Required Data, or Modules that you’d like to use. Scans can be as detailed or as broad as you’d like.

SpiderFoot Scan Settings Panel

Results are available via several dashboards including the Summary visual below. You can also browse the data in a table, and exclude duplicates, as well as view the data in a graph showing you the connections between data points.

Spiderfoot Scan Summary Panel

In summary, SpiderFoot is a web-based tool for collecting, analyzing and storing OSINT data, and is completely open source. It has its limits, like only being able to run one scan at a time. However, it is so easy to set up, and can be installed in a Python virtual environment, that analysts can easily have their own instances.

A Beginner’s Guide to TLS/SSL Certificates and Website Security

Raise your hand if the company that you work for has a website, or you, yourself, run a website. That’s a lot of hands!

What Is TLS/SSL?

We often talk as if Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are the same thing; however, they're more like successor and predecessor. Both are cryptographic protocols designed for secure communications. The last version of the SSL protocol was 3.0, published by Netscape in 1996 (the IETF later recorded it as a historical document, RFC 6101, in 2011). A major vulnerability, given the name POODLE, was disclosed in 2014, which essentially brought an end to SSL.

TLS 1.0 was defined as an upgrade to SSL 3.0 in RFC 2246 in 1999. The protocols aren't substantially different, but the differences are enough that the two do not interoperate, and the new name marked the protocol's move from a vendor specification to an IETF standard. TLS 1.0 and 1.1 have themselves since been deprecated (RFC 8996); current guidance is TLS 1.2 as the minimum, with TLS 1.3 preferred.

Regardless of whether we say SSL Certificates or TLS Certificates, we’re almost certainly using the TLS protocol.

Website TLS/SSL Certificates

A TLS/SSL certificate is a file that binds a public key to the server's identity (its domain name) and is signed by a certificate authority that browsers trust. Alongside it, and never sent to anyone, is the matching private key that only the server holds; the two are generated together as a key pair, and a leaked private key lets anyone impersonate the site until the certificate is revoked and replaced. A process known as a "handshake" occurs when you visit a website that uses a certificate: the browser checks the certificate chain and the server proves that it holds the private key. This handshake can be a little confusing, but the below diagram does a pretty good job.

Source: https://www.entrust.com/resources/certificate-solutions/learn/how-does-ssl-work

How TLS/SSL Protects Your Website

The purpose of a TLS/SSL certificate is to let your browser verify that it is talking to the genuine server and to establish a shared secret with it. During the handshake the server proves possession of the private key matching the certificate, and the two sides derive symmetric session keys; with modern key exchange (ephemeral Diffie-Hellman) the server's long-term private key never encrypts traffic, so a later compromise of that key does not expose past sessions. Everything exchanged after the handshake is encrypted with the session keys. This is how TLS/SSL protects a website visitor's financial information, such as a credit card number, when they enter it into a form on your website.

Along with encryption, the TLS/SSL protocol provides authentication and integrity. Once the session is established you can be sure that the communications are not being read or manipulated en route and that they are exchanged between the same two parties. Note that this protects data in transit only; what the server does with the data after it arrives is outside the scope of TLS.

TLS/SSL Testing

Not all TLS/SSL certificates are the same, and not all web servers implement them in the same way. Implementing TLS/SSL incorrectly, or not configuring the web server with the appropriate settings (protocol versions, cipher suites, the certificate chain), can leave weaknesses that a valid certificate alone does not reveal. Testing your TLS/SSL configuration should be on your annual checklist, and repeated after any server change, to ensure that your certificates and settings are in tip-top shape.
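As an added example (not code from the original post), here is what "configuring the web server with the appropriate settings" means in terms of Python's ssl module: a legacy context of the kind older guides still produce, a hardened one along the lines of Mozilla's intermediate profile, and an audit function that reports the same classes of finding a scanner such as SSL Labs would flag (old protocol versions, RSA key exchange without forward secrecy, non-AEAD ciphers, TLS compression). The exact cipher names your OpenSSL build returns will vary; the findings do not.

```python
import ssl


def legacy_server_context():
    """The kind of context an old how-to produces: every cipher OpenSSL knows, and the
    minimum protocol lowered to TLS 1.0 where the local OpenSSL still allows it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")                          # includes RSA key exchange and CBC suites
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (ssl.SSLError, ValueError):
        pass                                        # OpenSSL built without TLS 1.0: keep default
    return ctx


def hardened_server_context():
    """Roughly Mozilla's 'intermediate' profile: TLS 1.2 and up, ECDHE key exchange only
    (forward secrecy), AEAD ciphers only, no TLS compression. TLS 1.3 suites are always on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.options |= ssl.OP_NO_COMPRESSION            # CRIME
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server, not client, picks the suite
    return ctx


def audit(ctx):
    """Findings a scanner such as SSL Labs would raise for a server using this context."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol: TLS 1.0/1.1 enabled (deprecated by RFC 8996)")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("compression: TLS compression enabled (CRIME)")
    for suite in ctx.get_ciphers():                 # one dict per enabled cipher suite
        if suite["kea"] == "kx-rsa":
            findings.append("no forward secrecy: " + suite["name"])
        elif not suite["aead"]:
            findings.append("non-AEAD cipher: " + suite["name"])
    return findings
```

The same three knobs (minimum protocol version, cipher list, compression) exist under different names in nginx (ssl_protocols, ssl_ciphers), Apache (SSLProtocol, SSLCipherSuite) and every other TLS terminator, and the Mozilla configuration generator linked in the resources below emits them for each.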

Here are some resources that you can use to easily test your websites.

  • SSL Labs by Qualys – One of our favourites; allows you to hide the results from their community boards for added privacy.
  • Mozilla Observatory – Choose to not show up in public results, and even not get scanned by third-party scanners. Observatory not only scans for TLS/SSL issues, but also for HTTP and SSH issues.
  • Wormly – Wormly gives you a simple TLS/SSL health check report.
  • CryptCheck – Something a little more technical; CryptCheck also runs tests on SSH, SMTP and XMPP.
  • SSL Checker – Visualize and verify the certificate chain.
  • TLS Version Check by Geekflare – Quickly check if your web server uses a deprecated version of TLS.
  • How's My SSL? – They really mean "TLS". Unlike the others, How's My SSL rates the TLS client that connects to it (your browser or script), which makes it the tool for checking the other end of the connection. It also offers an API.
  • Digicert SSL Installation Diagnostics Tools – Diagnostics tool that also allows you to check for common vulnerabilities.
  • SSL Checker – SSL Shopper provides another tool for verifying your TLS/SSL certificate install.

Other Resources

The Mozilla wiki has a great resource that includes details on TLS cipher suites and other TLS configurations to help you improve web server security. I’d be remiss if I didn’t mention the Mozilla Developer Network (MDN) Web Docs which is rife with articles, references, and guides for better web development.

Insider Threats and Reducing Risk

According to the 2020 Cost of Insider Threats Global Report, presented by the Ponemon Institute and sponsored by ObserveIT and Proofpoint, insider threat related incidents averaged a 12-month cost of $11.45M for the organisations polled. If you're thinking that you're just a small business and you know that none of your employees would be party to a cyber attack, you may want to reconsider.

What is an Insider Threat?

An insider threat isn't just an employee who wishes to do damage to their company. An insider threat can also be a careless employee or contractor, as well as any form of credential theft. More generally, an insider threat is any threat posed by someone associated with your organization who has inside (non-public) information regarding your organization's policies, security practices, data, systems, and even people.

Types Of Insider Threats 1

An insider threat goes beyond intentionally taking advantage of access that was legitimately given. Insider threats are broken down into the following three categories:

Negligent Insiders
Current or former employees, contractors, or business partners who unknowingly or carelessly make errors and disregard policies.

Malicious Insiders
Current or former employees, contractors, or business partners who knowingly disregard policies and attempt to inflict harm on an organization using the information and access available to them.

Infiltrators
External threat actors who obtain legitimate access to an organization, for example with stolen credentials.

Negligent and malicious insiders are more common than infiltrators, however, infiltrators are apt to do much more damage.

Reducing The Risk Of Insider Threats

Insider threats are a risk that your organization can reduce without necessarily spending additional money on security controls. The one commonality between the different categories of insider threats, is people. There are a number of administrative and technical security controls that you can implement today.

Employee Hiring/Termination and Awareness Procedures

  • Have appropriate employee screening during the hiring process for persons who handle sensitive or proprietary data, such as background and credit checks.
  • Processes and procedures for employee termination and offboarding including roles and responsibilities for those involved.
  • Raise awareness to the various types of insider threats to both new and tenured employees.

Access Control

  • Having an appropriate access control strategy documented and reviewed annually, is essential for any information security program, but can also reduce the risk of experiencing an insider threat.
  • Principle of Least Privilege states that each user should only have access to the accounts and services that they need to do their jobs, day-to-day.
  • Separation of Duties ensures that no single person controls every step of a sensitive process; for example, the person who requests a payment is not the one who approves it. A related practice is separating privileged from everyday access: a Desktop Support Analyst has two corporate accounts (joe.analyst & joe.analyst-admin), one for standard use and the other for elevated/administrator needs, so that day-to-day email and browsing never run with administrator rights.

Device Management

  • Policies and procedures for the appropriate use of company devices and BYOD devices.
  • Ensure that employee devices are keeping logs if audits are needed.
  • Endpoint monitoring or data loss prevention (DLP) technical controls can detect and prevent various insider threat actions.

Third-Party Risk Management

  • Third-party vendors, consultants and clients must not only follow any outlined security policies within your organization, but should also have policies and procedures of their own surrounding insider threats.

1 https://en.wikipedia.org/wiki/Insider_threat