Friday, February 27, 2015

What’s your email? Let me guess…

Recently, a friend asked me for the email of one of my colleagues. I told him I can’t give it to him, but he can easily guess it, because almost every company in the world uses one (or more) of the same 3 algorithms. These are [first letter of first name]+[last name], [first name]+[first letter of last name] and [first name].[last name]. My friend said that this wasn’t true, because his own email was somewhat different. So I showed him how a simple 7-line script can dump every reasonable permutation of his name and, with a simple CDO.Message function, can even send out a message to all of them (then, by comparing the list to the bounce emails, you can easily figure out the right email even if he didn’t respond).

My buddy, who works for a security company, was sure this kind of approach wouldn’t work, and that their security monitoring team would detect and block this, but, as I was able to prove a few seconds later (when he got my email), this is virtually impossible. A well-staffed security team could detect a major enumeration attack, but there’s no practical way to detect someone sending a few dozen wrong emails. During this little experiment, we also learned that his company accepted the [first name].[last name] algorithm in addition to its own, so guessing an employee’s email is even simpler.
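The same handful of patterns the post names is all a provisioning system needs to check in order to refuse a guessable address before it is created. The following is an added example written for this post, not the author’s script; the pattern list is limited to the schemes the post describes (plus the underscore separator it mentions later), and the names and domain are made up.

```python
"""Provisioning-time check: does a proposed address follow one of the
guessable patterns this post describes?

Added example, not the author's script. The patterns are the ones the post
names; extend classic_local_parts() if your organisation has seen others."""


def classic_local_parts(first, last):
    """Return a dict of pattern name -> local part for the classic schemes,
    all lower-cased (e.g. John Smith -> jsmith, johns, john.smith, john_smith)."""
    f, l = first.strip().lower(), last.strip().lower()
    return {
        "first-initial+last": f[:1] + l,   # jsmith
        "first+last-initial": f + l[:1],   # johns
        "first.last": f + "." + l,         # john.smith
        "first_last": f + "_" + l,         # john_smith (underscore separator)
    }


def guessable_pattern(first, last, address):
    """Return the name of the classic pattern `address` matches, or None.
    Only the local part (before '@') is compared, case-insensitively."""
    local = address.split("@", 1)[0].strip().lower()
    for name, candidate in classic_local_parts(first, last).items():
        if local == candidate:
            return name
    return None


def pick_address(first, last, proposed, domain):
    """Accept `proposed` only if it is not a classic pattern; otherwise raise
    so the provisioning workflow has to choose a less guessable form such as
    the post's suggestions (jsmith78, jsmith_, john__smith, john.j.smith)."""
    hit = guessable_pattern(first, last, proposed)
    if hit:
        raise ValueError(
            f"{proposed} follows the '{hit}' pattern; consider {proposed}78 "
            f"or {first.lower()}__{last.lower()} instead"
        )
    return f"{proposed}@{domain}"


if __name__ == "__main__":
    # Constructed sample names and domain.
    for candidate in ("jsmith", "johns", "John.Smith", "jsmith78", "john__smith"):
        print(candidate, "->", guessable_pattern("John", "Smith", candidate))
    print(pick_address("John", "Smith", "john.j.smith", "corp.example"))
```

Run it as a pre-flight step in whatever creates mailboxes; the check is cheap, and rejecting the classic forms at creation time is the only point at which the address scheme can still be changed without inconveniencing the user.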

Add to that other easy ways of finding an email, such as doing a simple web search for [first name] [last name] *@[], and it’s pretty much impossible to hide. For example:


By the way, when I ran my script, it produced 20 permutations on my friend’s name, with one of them actually being the email of someone else…who was all but happy to provide me with the person’s correct email. That would count as “Social Engineering”, which could be slow, but just as effective.

So, if you ever wondered how it is that you are finding so much spam in your inbox even though you never put your email anywhere, this is it. Spammers simply run enumeration scripts that send messages to various combinations of well-known first and last names, and then mark as “good” any address that didn’t bounce. Some mail servers have the ability to detect a massive influx of bad emails, but if the spammer sets their attempt rate low enough, it’s virtually impossible to detect.

The biggest question is, of course, what can we do about it? The answer is simple. When provisioning users, simply avoid the classic algorithms. For example, add a random high number at the end of the address (jsmith78), or some character like an underscore (jsmith_). If you want to preserve an easy-to-remember structure, you could use two underscores as the separator (john__smith) instead of a single dot or underscore, or add the middle initial (john.j.smith). In any case, check if your email server has a feature to detect and alert on a large number of bounced emails. If not, you can write a script to go over the list of bounced emails and alert when something looks wrong (for example, if the number changes drastically from one period to another, or if many bounces are coming from a specific IP).
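A minimal version of the bounce-monitoring script the post suggests, covering both of its triggers (a drastic change between periods and many bounces from one source). This is an added example, not the author’s script; the log line format, the timestamps, the addresses and the client IPs are all constructed for the example, so the regular expression will need adjusting to your own MTA’s bounce or NDR log lines.

```python
"""Bounce-log monitor: flag a sudden jump in bounced mail, or many bounces
from a single sending IP.

Added example, not the author's script. The log format below is constructed
for the example; adapt BOUNCE_RE to your MTA's bounce/NDR log lines."""
import re
from collections import Counter
from datetime import datetime

# Constructed log format: "<ISO timestamp> bounce to=<addr> client=<ip>"
BOUNCE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) bounce "
    r"to=<(?P<to>[^>]+)> client=(?P<ip>[\d.]+)$"
)

# Constructed sample: a quiet hour, then an hour in which one client tries a
# run of name permutations against non-existent mailboxes.
SAMPLE_LOG = """\
2015-02-27T09:05:10 bounce to=<jon.smith@corp.example> client=198.51.100.7
2015-02-27T09:40:52 bounce to=<maria.lopes@corp.example> client=198.51.100.9
2015-02-27T10:02:01 bounce to=<jsmith@corp.example> client=203.0.113.5
2015-02-27T10:02:03 bounce to=<johns@corp.example> client=203.0.113.5
2015-02-27T10:02:05 bounce to=<john.smith@corp.example> client=203.0.113.5
2015-02-27T10:02:07 bounce to=<john_smith@corp.example> client=203.0.113.5
2015-02-27T10:02:09 bounce to=<smithj@corp.example> client=203.0.113.5
2015-02-27T10:02:11 bounce to=<smith.john@corp.example> client=203.0.113.5
2015-02-27T10:15:30 bounce to=<a.baker@corp.example> client=198.51.100.22
"""


def parse_bounces(lines):
    """Return [(datetime, recipient, client_ip)] for each line matching BOUNCE_RE;
    non-matching lines are ignored so the script tolerates mixed logs."""
    records = []
    for line in lines:
        m = BOUNCE_RE.match(line.strip())
        if m:
            records.append((datetime.fromisoformat(m["ts"]), m["to"], m["ip"]))
    return records


def bounces_per_hour(records):
    """Count bounces per calendar hour; dict keyed by 'YYYY-MM-DDTHH', sorted."""
    counts = Counter(ts.strftime("%Y-%m-%dT%H") for ts, _, _ in records)
    return dict(sorted(counts.items()))


def spike_alerts(hourly, ratio=3.0, min_count=5):
    """Flag an hour whose count is at least `ratio` times the previous hour's
    and at least `min_count`, so a move from 1 to 3 bounces stays quiet."""
    alerts = []
    hours = list(hourly.items())
    for (_, prev_n), (cur_h, cur_n) in zip(hours, hours[1:]):
        if cur_n >= min_count and cur_n >= ratio * max(prev_n, 1):
            alerts.append((cur_h, prev_n, cur_n))
    return alerts


def source_alerts(records, min_count=5):
    """Flag client IPs responsible for at least `min_count` bounces, most first."""
    per_ip = Counter(ip for _, _, ip in records)
    return [(ip, n) for ip, n in per_ip.most_common() if n >= min_count]


def run(log_text=SAMPLE_LOG):
    """Parse the log and return hourly counts plus both kinds of alert."""
    records = parse_bounces(log_text.splitlines())
    hourly = bounces_per_hour(records)
    return {"hourly": hourly,
            "spikes": spike_alerts(hourly),
            "noisy_sources": source_alerts(records)}


if __name__ == "__main__":
    result = run()
    for hour, n in result["hourly"].items():
        print(f"{hour}: {n} bounces")
    for hour, prev_n, cur_n in result["spikes"]:
        print(f"ALERT spike: {hour} had {cur_n} bounces vs {prev_n} the hour before")
    for ip, n in result["noisy_sources"]:
        print(f"ALERT source: {ip} caused {n} bounces")
```

The thresholds are deliberately conservative: as the post notes, a patient sender who keeps the rate low will stay under any single-period comparison, so the per-source count is the trigger more likely to catch a slow run, and it is worth keeping that counter over a longer window (a day or a week) than the hourly one.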

Friday, January 23, 2015

WHAT on earth do you mean? (Cryptography concepts and protocols)

When working with SSL and cryptography in general, there are a LOT of concepts and protocols flying around. When reading Netmon traces, I often found myself not being sure what a certain acronym refers to or where it belongs. To make life a little easier, I created this infographic poster, which covers this, as well as some interesting tidbits about important topics in cryptography.

You can download this version as a wallpaper, or the PDF below to print and hang on your wall (It’s optimized for a 20x30” print, which Costco does for less than $10).

Hope you like it!

[Image: Cryptographic Protocols and Concepts poster (012015), wallpaper version]

Download the high-res PDF: