
Out of Office

Jun 30

Are out of office (OOF) messages a security risk? (Microsoft uses the acronym OOF for "Out of Facility"; I'll be using that rather than OoO for out of office.)

I've felt that the anti-OOF forces are the kind of Luddite people who still agitate for a return to text-only email. Maybe I should reconsider.

Out of office messages could inadvertently disclose information. "I'm out of the office, check with Joe at 555-12324." Now the bad guy has another contact name. In this era of LinkedIn, I'm not sure how big a disclosure this would be. You decide for your environment.

OOF messages could verify your email address to spammers.
Your spam product and mail server should be blocking directory harvest attacks at the gateway. I wonder if it's still true that "verified" email addresses are more valuable to attackers. Either way, my spam filter prevents spam from reaching my inbox anyway.

OOF messages could help an attacker engage in social engineering.
Now that the bad guy knows Joe is the backup, they know he may not know procedure as well. "Roger, let me do that." Personally I think that is a problem with training, not OOF.

OOF messages could alert an attacker that it's time to break into your home.
While there are stories about burglaries when someone posted their vacation schedule on Twitter, that is often neighborhood kids and people you know. Not using an OOF doesn't exactly help there.

Now that we've gone through some OOF FUD, how can you OOF safely?

1. If you're running Exchange 2007 or later, you have the ability to use a different message for internal senders and contacts versus external senders.

2. Sign off any mailing lists, or set them to "no mail" where possible. You don't need to be annoying the list with your out of office notes. I think this is the real root of the anti-OOF forces: annoyance with mailing-list OOF backscatter.

3. The less said the better.
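Here is how steps 1 and 3 look when actually configured, as an added example that is not part of the original post. It assumes the Exchange Management Shell on Exchange 2010 or later (or an Exchange Online PowerShell session), where the Set-MailboxAutoReplyConfiguration cmdlet is available; the mailbox alias, the dates and the backup contact are constructed placeholders. The mailing-list step (2) is done on the list servers themselves, not in Exchange.

```powershell
# Added example (not the post's own code). Assumes the Exchange Management Shell
# on Exchange 2010 or later, or an Exchange Online PowerShell session.
# "jsmith", the dates and the backup contact below are constructed placeholders.

$mailbox = "jsmith"

# Internal senders (same Exchange organization) get the detail a colleague needs:
# who is covering and how to reach them.
$internal = @"
I am out of the office until Monday 12 July and will not be checking email.
For anything urgent, contact Joe Bloggs on extension 1234.
"@

# External senders get as little as possible: no return date, no names,
# no phone numbers. "The less said the better."
$external = @"
Thank you for your message. I am currently unavailable and will reply on my return.
"@

# -ExternalAudience Known sends the external reply only to addresses already in
# the user's Contacts, so unknown senders (including spammers probing for live
# mailboxes) get no auto-reply at all. Use None to suppress external replies
# entirely, or All to reply to everyone.
Set-MailboxAutoReplyConfiguration -Identity $mailbox `
    -AutoReplyState Scheduled `
    -StartTime (Get-Date "2010-07-01 17:00") `
    -EndTime   (Get-Date "2010-07-12 08:00") `
    -InternalMessage $internal `
    -ExternalMessage $external `
    -ExternalAudience Known

# Confirm what is actually configured before leaving: the external message and
# audience are the parts that matter for disclosure.
Get-MailboxAutoReplyConfiguration -Identity $mailbox |
    Format-List AutoReplyState, ExternalAudience, StartTime, EndTime,
                InternalMessage, ExternalMessage
```

The scheduled state switches the reply off by itself at the end time, so a stale OOF does not keep advertising an absence that is already over. Administrators can run the same cmdlets against other mailboxes; users can set the equivalent through Outlook or OWA, where the "Outside My Organization" tab corresponds to the external message and audience above.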

At work, you kind of need to let people know you won't be getting back to them for a while. There may be a few businesses (e.g. financial) where the risk does outweigh the courtesy. But for most of us, I think an OOF on the work email account isn't the end of the world.

Like most security policies, there is no such thing as a best practice. There is a reasoned consideration of the risks compared with the business need or desired outcome.



Extended Validation Certificate

Jun 19


Extended Validation Certificates

Guys, sorry it's been too long since I last posted here. I was busy dealing with some security-related issues, especially PCI compliance.

Today, I am going to share my knowledge about Extended Validation Certificates.

I will discuss the following:

  1. What is an Extended Validation Certificate?
  2. How does an Extended Validation Certificate work?
  3. Why does an online business require an EV Certificate?
  4. Who are the providers of EV certificates?
  5. What documents are required?

What is an Extended Validation Certificate?

Answer: An Extended Validation (EV) Certificate is a special X.509 certificate that requires a more extensive investigation of the requesting entity by the certificate authority (CA) before it is issued. In plain terms, Extended Validation is a newer generation of certificate intended to give users more confidence in a website where they are providing their personal or financial information. It also assures the end user that your legal identity has been verified by the certificate authority.

How does an Extended Validation Certificate work?

Answer: High-security browsers, such as the latest versions of Internet Explorer and Firefox, check in the background whether an SSL certificate was issued under Extended Validation. In addition to the https prefix and the padlock in the address bar, the browser turns the address bar GREEN. You will also notice the legal identity name to which the Extended Validation Certificate has been issued.

Why does an online business require an EV Certificate?

Answer: Do you own a website where users provide sensitive financial or personal information? If yes, you must use an Extended Validation Certificate. It helps your users have confidence in your website: they know you are who you claim to be, and not a phishing site made to look identical to your website. They can see your organization's identity and validate your information. Please check my previous blog post on phishing.

Who are the providers of EV certificates?

Answer: There are a number of providers of Extended Validation Certificates. The following are EV Certificate products:

  1. DIGICERT’S EV CERTIFICATE
  2. SWISSSIGN’S SSL GOLD EV CERTIFICATE
  3. ENTRUST’S EV CERTIFICATE
  4. TRUSTWAVE’S PREMIUM EV SSL
  5. NETWORK SOLUTIONS’ SITESAFE SSL EXTENDED VALIDATION
  6. VERISIGN’S SECURE SITE WITH EV
  7. VERISIGN’S SECURE SITE PRO WITH EV
  8. GLOBALSIGN’S EXTENDEDSSL
  9. GODADDY’S PREMIUM (EV) CERTIFICATE
  10. GEOTRUST’S TRUE BUSINESSID WITH EV
  11. COMODO’S EV SSL
  12. COMODO’S EV SGC
  13. THAWTE’S SSL WEB SERVER CERTIFICATE WITH EV

What documents are required to get yourself an Extended Validation Certificate?

Answer: The requirements below are as per the CA/Browser Forum. Note that the Certificate Authority may require more documents if it is not satisfied with the documents provided to it. The following information/documents are required for an Extended Validation Certificate:

Applicant information SHALL include, but not be limited to, the following information:

  • Organization Name: The Applicant's formal legal organization name to be included in the EV Certificate, as recorded with the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration (for Private Organizations), or as specified in the law of the political subdivision in which the Government Entity operates (for Government Entities), or as registered with the government business Registration Agency (for Business Entities);
  • Assumed Name (Optional): The Applicant's assumed name (e.g., DBA name) to be included in the EV Certificate, as recorded in the jurisdiction of the Applicant's Place of Business, if requested by the Applicant;
  • Domain Name: The Applicant's Domain Name(s) to be included in the EV Certificate;
  • Jurisdiction of Incorporation or Registration: The Applicant's Jurisdiction of Incorporation or Registration to be included in the EV Certificate, and consisting of:
      1) City or town (if any),
      2) State or province (if any), and
      3) Country.
  • Incorporating or Registration Agency: The name of the Applicant's Incorporating or Registration Agency;
  • Registration Number: The Registration Number assigned to the Applicant by the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration and to be included in the EV Certificate. If the Incorporating or Registration Agency does not issue Registration Numbers, then the date of Incorporation or Registration SHALL be collected;
  • Applicant Address: The address of the Applicant's Place of Business, including:
      (A) Building number and street,
      (B) City or town,
      (C) State or province (if any),
      (D) Country,
      (E) Postal code, and
      (F) Main telephone number.

Note: I found a really helpful link which compares them and provides really good information about it: Extended Validation Comparison.
