October 25, 2016

In brief: New version of popular Exim mail server plugs remote code execution flaw

(LiveHacking.Com) – A new version of the popular Exim mail server has been released to plug a critical remote code execution flaw exposed when built with DKIM support, which is the default. Exim 4.80.2 is identical to 4.80 except for the fixes required to plug the security hole.

According to a posting made on the exim-announce mailing list, the issue (CVE-2012-5671) was found during an internal code review of an area of the Exim codebase relevant to another issue, namely DKIM signing and verification, which has been the subject of US-CERT VU#268267 and Common Weakness identifiers CWE-347 and CWE-326.

The security vulnerability can be exploited by anyone who can send email from a domain for which they control the DNS. The class of attack is known as a “heap-based buffer overflow”.

Builds of Exim which used the DISABLE_DKIM option are not vulnerable. The Exim team are confident that the next release of Exim will, eventually, be 4.82, and should include the various improvements made since 4.80. However that release will use the normal release candidate baking process.
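The two facts the article gives a defender to work with are the fixed version (4.80.2) and the DISABLE_DKIM build option. The check below, an added example that is not code from the Exim project or the original article, parses the output of `exim -bV` (the "Exim version ..." line and the "Support for:" feature line that the binary prints) and reports whether a build still needs the update. The sample transcript is constructed; treating every DKIM-enabled build older than 4.80.2 as needing review is this example's assumption, since the article names only 4.80.2 as the fixed release.

```python
import re

# Constructed, abridged sample of `exim -bV` output for a 4.80 build with DKIM.
SAMPLE_BV = """Exim version 4.80 #1 built 01-Jul-2012 09:53:55
Support for: crypteq iconv() IPv6 GnuTLS Content_Scanning DKIM
Configuration file is /etc/exim4/exim4.conf
"""

FIXED_VERSION = (4, 80, 2)  # release the article names as carrying the fix


def parse_version(text: str) -> tuple:
    """'4.80' -> (4, 80, 0); '4.80.2' -> (4, 80, 2). Padded to three parts so tuples compare cleanly."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def cve_2012_5671_status(bv_output: str) -> str:
    """Classify an `exim -bV` transcript against the article's two criteria:
    DKIM compiled in (absent when built with DISABLE_DKIM) and version below 4.80.2."""
    ver_match = re.search(r"^Exim version (\d+(?:\.\d+)*)", bv_output, re.M)
    if not ver_match:
        return "unknown: no 'Exim version' line found"
    version_text = ver_match.group(1)

    support = re.search(r"^Support for:(.*)$", bv_output, re.M)
    features = support.group(1).split() if support else []
    if "DKIM" not in features:
        return f"not-affected: {version_text} built without DKIM (DISABLE_DKIM)"

    # Assumption of this example: any DKIM-enabled build older than the fixed release needs review.
    if parse_version(version_text) < FIXED_VERSION:
        return f"affected: {version_text} has DKIM support, upgrade to 4.80.2"
    return f"not-affected: {version_text}"


if __name__ == "__main__":
    # On a real host: cve_2012_5671_status(subprocess.check_output(["exim", "-bV"], text=True))
    print(cve_2012_5671_status(SAMPLE_BV))
```

On a live system, feed the function the real `exim -bV` output instead of the constructed sample; the "Support for:" line is also the quickest way to confirm that a DISABLE_DKIM rebuild actually took effect.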

The release is now available from the primary ftp sites:

South Carolina Supreme Court says web based emails aren’t protected by the Stored Communications Act

(LiveHacking.Com) – The South Carolina Supreme Court has ruled that emails stored in the cloud, on services like Google and Yahoo, aren’t classified as “electronic storage”. This means that reading someone’s online email without their permission or knowledge isn’t an offense under the Stored Communications Act (SCA).

According to the act, it is criminal behavior for anyone to “intentionally accesses without authorization a facility through which an electronic communication service is provided or… intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.”

The problem is that the act defines electronic storage as “any storage of such communication by an electronic communication service for the purposes of backup protection of such communication.” And the judges have ruled that since emails in Gmail or Yahoo aren’t backups, but the actual originals of the messages, web-based emails aren’t covered.

According to a report by Sophos, earlier court rulings found that the cloud based emails were in “electronic storage”, thus protected under the SCA. Last week’s ruling reversed that decision, saying that earlier court decisions had misunderstood the definition of “electronic storage” under the Act and incorrectly concluded the e-mails had been stored for the purpose of backup protection.

“All of the discussions regarding backups, temporary copies, and the read/unread distinction seem to have very little to do with the way that most people perceive their use of e-mail” said Woodrow Hartzog, a professor at the Cumberland School of Law at Stanford University.

However, Hartzog did point out that there could still be federal liability under the Computer Fraud and Abuse Act.

12 Reasons to Deploy Email Monitoring

(LiveHacking.Com) – With all of the effort email administrators put into monitoring their email servers for utilization, disk space, and error logs, they may be overlooking some of the most important information they can get out of their email system – how it’s actually being used. Companies that implement email monitoring quickly find a wealth of useful information about how employees are actually using email to perform their jobs, or in some cases, instead of performing their jobs. Using email monitoring is much like using web monitoring. It provides insight into patterns and behaviors, identifies trends and issues, and can even support compliance efforts.

Here are 12 important reasons why you should deploy email monitoring on your network:

  1. See who users email the most to identify patterns and efficiencies.
    This will let you know who communicates with whom, to ensure the right people are interacting with one another.
  2. Learn who the key contacts are for each user or role.
    If a job transitions to another user, it can help them quickly get up to speed on the primary contacts they will have.
  3. Discover which customers or vendors need the most attention.
    This is a great way to head off customer satisfaction issues early.
  4. Identify the customers most likely to provide good referrals to others.
    Those who receive the best communications are likely to be the most satisfied.
  5. Identify the users spending excessive time on personal email.
    Sending emails to traditional personal accounts (Hotmail, Gmail, Yahoo, etc.) is a pretty good indication that they are not communicating with your customers unless you are a consumer-focused business.
  6. Measure response times to customer emails to be sure they are getting answers when they should.
    You should have standards for response times, and this will let you confirm your employees are meeting those commitments.
  7. Confirm that the help desk is replying to users within their SLAs.
    Users tend to call the help desk because they don’t get responses to emails quickly enough. Knowing just how long it takes to get a response helps identify staffing or performance issues.
  8. Find the mail hoarders so you can work with them to purge email, or charge them for the excessive space.
    Disk space is a limited commodity, and departments that use excessive amounts either need to be brought into compliance, or charged for the usage.
  9. Ensure that your email system isn’t being used as a file server, and that attachments are business-related.
    Email is a convenient way to trade files between users, but it places increased demands on server resources. See just how much space is being used, and ensure it’s not for MP3s and videos.
  10. Make sure customers aren’t emailing inactive or deleted accounts so you don’t miss any opportunities or leave customers thinking they are being ignored.
    An unanswered email is a good reason for a customer to contact your competition next. Identifying inactive accounts that customers still email makes sure someone responds.
  11. Ensure email communications use professional and appropriate language.
    Every email an employee sends represents your organization, so you want to be sure communications are sent in a professional manner without profanity or slang.
  12. Make sure users aren’t forwarding emails to personal accounts or the competition.
    Finding emails going to competitors helps stop the loss of intellectual property.
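Reasons 5, 6 and 12 above each reduce to a pass over the mail log: count messages to personal webmail domains per sender, flag messages to known competitor domains, and measure how long an inbound customer message waits for a reply. The script below is an added example, not GFI's product or code from the original post. Its log format (timestamp, from, to, message id, in-reply-to reference) is a constructed simplification rather than any real MTA's log layout, and the competitor domain, corporate domain and four-hour SLA are hypothetical values chosen for the sample.

```python
from collections import defaultdict
from datetime import datetime

OUR_DOMAIN = "corp.example"                                   # hypothetical corporate domain
PERSONAL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com"}  # the webmail services named in reason 5
COMPETITOR_DOMAINS = {"rival.example"}                        # hypothetical watch-list for reason 12
RESPONSE_SLA_SECONDS = 4 * 3600                               # hypothetical 4-hour reply target (reason 6)

# Constructed log lines in a simplified format: time from= to= id= ref= (ref is the In-Reply-To id, or -)
SAMPLE_LOG = """\
2016-10-25T08:00:00 from=pat@customer.example to=alice@corp.example id=<c1@customer.example> ref=-
2016-10-25T09:30:00 from=alice@corp.example to=pat@customer.example id=<a1@corp.example> ref=<c1@customer.example>
2016-10-25T09:45:00 from=bob@corp.example to=bob.home@gmail.com id=<b1@corp.example> ref=-
2016-10-25T10:00:00 from=bob@corp.example to=bob.home@gmail.com id=<b2@corp.example> ref=-
2016-10-25T10:05:00 from=bob@corp.example to=sales@rival.example id=<b3@corp.example> ref=-
2016-10-25T10:10:00 from=lee@customer.example to=alice@corp.example id=<c2@customer.example> ref=-
2016-10-25T15:00:00 from=alice@corp.example to=lee@customer.example id=<a2@corp.example> ref=<c2@customer.example>
"""


def parse_log(log_text: str) -> list:
    """Turn each constructed log line into a dict with a parsed datetime under 'time'."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, *fields = line.split()
        row = dict(field.split("=", 1) for field in fields)
        row["time"] = datetime.fromisoformat(timestamp)
        rows.append(row)
    return rows


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def analyze(log_text: str, sla_seconds: int = RESPONSE_SLA_SECONDS) -> dict:
    """Compute the three signals: personal-webmail counts per internal sender,
    messages to competitor domains, and reply latency for inbound mail."""
    personal_counts = defaultdict(int)
    to_competitor = []
    inbound = {}       # message id -> arrival time, for inbound mail awaiting a reply
    responses = []     # (internal replier, seconds until reply)
    for row in parse_log(log_text):
        sender, recipient = row["from"], row["to"]
        if domain_of(sender) == OUR_DOMAIN:
            dest = domain_of(recipient)
            if dest in PERSONAL_DOMAINS:
                personal_counts[sender] += 1
            if dest in COMPETITOR_DOMAINS:
                to_competitor.append((sender, recipient))
        else:
            inbound[row["id"]] = row["time"]
        # A message whose ref points at an inbound id is the reply that closes it.
        if row["ref"] in inbound:
            waited = int((row["time"] - inbound.pop(row["ref"])).total_seconds())
            responses.append((sender, waited))
    return {
        "personal": dict(personal_counts),
        "to_competitor": to_competitor,
        "responses": responses,
        "sla_breaches": [(who, secs) for who, secs in responses if secs > sla_seconds],
        "unanswered": sorted(inbound),   # inbound ids with no reply in the log (reason 10)
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The reply matching uses the In-Reply-To reference rather than subject lines, so a reply sent from a different mailbox is still credited; the trade-off is that mail clients which drop the header make a reply look unanswered, which is why the unanswered list is worth reviewing by hand before acting on it.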

An email monitoring solution will show you how your users actually use your email system, where communications channels exist, and whether or not any compliance issues exist. It’s the next level of email management and an extremely valuable source of information.

Editor Note: This guest post was provided by Christina Goggi on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about the benefits of using email monitoring.

Disclaimer: All product and company names herein may be trademarks of their respective owners.