Educational CyberPlayGround ®

Email SECURITY

EMAIL Authenticity: A SPAMMER IS SPOOFING MY EMAIL ADDRESS - WHAT CAN I DO?

DKIM key Cryptographic Security

Massive Net Security Hole: Have you ever wondered if the e-mail you are reading might have been spoofed?

LEARN ALL ABOUT EMAIL

2016: US government updates secure email guide for first time in a decade. NIST provides 81 pages of practical advice. The National Institute of Standards and Technology (NIST) guide [PDF] is 81 pages long and provides a surprisingly useful rundown on what to do to get your email secure.

10minutemail.com
Beat spam with the best disposable e-mail service. Through this service, you can create an e-mail address that lasts for ten minutes. If you want to subscribe to a website and avoid junk or spam emails from it later, you can create a temporary e-mail address on this website. After 10 minutes, all your emails will automatically expire.

2016 A SPAMMER IS SPOOFING MY EMAIL ADDRESS - WHAT CAN I DO?

For your private and anonymous email needs. Remember, do not trust any service, do encrypt all your communications.

WEB BASED PGP ENCRYPTION AND DECRYPTION - GENERATE PGP KEYS

Use a simple and secure online system to create new PGP key pairs, and to encrypt and decrypt messages. JavaScript must be enabled for these PGP tools to function.

Need help to choose a password? Try a nice password generator.

 

5/12/14 What the Most Secure Email in the Universe Would Look Like

Say you wanted to send an email more secure than any message that had ever been transmitted in human history, a message with absolutely no chance of being intercepted. How would you do it?

You may have encrypted your message according to the highest standards, but encryption doesn't guarantee secrecy. The fact that you sent it is still detectable. An intercepting party in possession of just a few clues such as your identity, the receiver's identity, the time of the message, surrounding incidents and the like can infer a great deal about the content of the message in the same way that the NSA can use your metadata to make inferences about your personality. You need to conceal not just what's in the message but its very existence.

The answer? Make your message literally impossible to detect. A team of researchers from the University of Massachusetts at Amherst and Raytheon BBN Technologies led by Boulat A. Bash have created a method for doing just that, cloaking electronic communications so that the communication can't be seen. They explain it in a paper titled Covert Optical Communication. The breakthrough shows that it is possible to send a message that can't be intercepted, no matter how determined the National Security Agency is to intercept it.

 

Chutzpah:
Many companies (sender domains) set their keys once and then forget about them, despite cryptographic advances that make those keys obsolete! You can't just install a private key, or select a hash algorithm, and expect it to be good forever! Companies that use cryptographic tools need to realize that local configurations need to be maintained, just as software needs to be kept up to date.

A cryptographic key is used to certify to recipients that correspondence came from a legitimate domain. Anyone who cracks the key could use it to impersonate an e-mail sender from that domain, producing a message that carries a valid signature but is not a real email from the domain.

The problem lies with the DKIM (DomainKeys Identified Mail) key. DKIM involves a cryptographic key that domains use to sign e-mail originating from them, or passing through them, to validate to a recipient that the header information on an e-mail is correct and that the correspondence indeed came from the stated domain. When e-mail arrives at its destination, the receiving server can look up the public key through the sender's DNS records and verify the validity of the signature.

For security reasons, the DKIM standard calls for using keys that are at least 1,024 bits in length. But if the domain in question is using a 512-bit key, it could be easily cracked with a little cloud-computing help.

Vulnerability in their own domains

 

There are three classes of key lengths used by vulnerable domains - 384 bits, 512 bits, and 768 bits.

  • You can factor a 384-bit key on your laptop in 24 hours.
  • In 1998, cracking a 512-bit key was an academic breakthrough that took a great concerted effort. In 2012, 512-bit keys can be factored in about 72 hours using Amazon Web Services for $75.
  • 768-bit keys are not factorable by a normal person, but the government of Iran probably could factor them, as could a large group with sufficient computing resources.
  • Google, eBay, Yahoo, Twitter and Amazon were all using 512-bit keys.
  • PayPal, LinkedIn, US Bank and HSBC were using 768-bit keys.

They really should have been at 1024.

DKIM keys used by Google, RSA, PayPal, Yahoo, Amazon, eBay, Apple, Dell, LinkedIn, Twitter, SBCGlobal, US Bank, HP, Match.com and HSBC have all relied on inferior email cryptography, leading to spear-phishing attacks. These attacks target specific people at a company by sending them a malicious e-mail that appears to come from a trusted colleague or source, in order to trick the recipient into visiting a compromised website where malware is downloaded to their machine. A spoofed e-mail that is actually signed with a company's DKIM key can help attackers get their phishing attacks past filters set up to detect them.

All these companies should revoke the keys for all of their affected domains and re-issue new ones that are greater than 1,024 bits. The fix is easy: companies simply need to generate a new key at the stronger length and place it in their DNS records. But they also need to remember to revoke their old key.

Receiving domains also created vulnerabilities by accepting DKIM keys that were clearly marked as tests. Senders leave these testing keys in their DNS records long after the testing period is over, and verifiers then ignore the testing flag.
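The three conditions discussed above (a key shorter than 1,024 bits, a testing flag left in DNS, a revoked key) can be checked directly on a DKIM key record. The following is an added example, not code from the original page: it audits the TXT value of a record offline, and the names `audit`, `rsa_bits` and `sample_record` as well as the sample records (built with placeholder moduli, not real keys) are constructed here for illustration.

```python
import base64
MIN_BITS = 1024  # minimum key length the page cites for DKIM

def _tlv(data, pos):
    """Read one DER element at pos; return (value, next_pos)."""
    length, pos = data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return data[pos:pos + length], pos + length

def rsa_bits(spki):
    """Modulus size in bits of a DER SubjectPublicKeyInfo RSA key."""
    seq, _ = _tlv(spki, 0)            # outer SEQUENCE
    _, nxt = _tlv(seq, 0)             # AlgorithmIdentifier, skipped
    bitstr, _ = _tlv(seq, nxt)        # BIT STRING wrapping RSAPublicKey
    rsakey, _ = _tlv(bitstr[1:], 0)   # skip the unused-bits octet
    modulus, _ = _tlv(rsakey, 0)      # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def audit(txt):
    """Findings for one DKIM key record (TXT value at <selector>._domainkey)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    if not tags.get("p"):
        return ["key revoked (empty p=)"]
    findings = []
    if "y" in tags.get("t", "").split(":"):
        findings.append("testing flag t=y still published")
    bits = rsa_bits(base64.b64decode(tags["p"]))
    if bits < MIN_BITS:
        findings.append(f"{bits}-bit RSA key is below {MIN_BITS}")
    return findings

def _enc(tag, body):  # minimal DER encoder, used only to build the samples
    n = len(body)
    size = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (size if n < 128 else bytes([0x80 | len(size)]) + size) + body

def sample_record(bits, flags=""):
    """Constructed record: the modulus is a sized placeholder, not a real key."""
    ints = b"".join(_enc(2, v.to_bytes(v.bit_length() // 8 + 1, "big"))
                    for v in ((1 << (bits - 1)) | 1, 65537))
    alg = _enc(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    spki = _enc(0x30, alg + _enc(3, b"\x00" + _enc(0x30, ints)))
    return f"v=DKIM1; k=rsa; {flags}p=" + base64.b64encode(spki).decode()
```
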

HACKED RDP SERVER

Spam and Malware Hosting

 


Fortune 500 companies have corporate networks of 17,000 machines, any one of which could be hacked and rented out to online miscreants. All of the machines for sale have been set up by their legitimate owners. The Windows Server 2003 system uses Microsoft's Remote Desktop Protocol so it can be remotely accessed by anyone with the login credentials.
Businesses turn on RDP for server and desktop systems that they wish to use remotely, but if they do so using a username and password that is easily guessed, those systems will soon wind up for sale on services like Dedicatexpress.com, a service from Russia that allows anyone in the world to access hacked computers at specific organizations. Dedicatexpress works directly with hackers who earn commissions for selling the RDP machines to the service. Dedicatexpress.com advertises hacked RDP servers on several forums. Access is granted to new customers who contact the service's owner via instant message and pay a $20 registration fee via WebMoney, a virtual currency. The service allows users to search for hacked RDP servers by entering an Internet address range, an option that comes in handy if you are looking for computers inside of specific organizations.