Channel: Terry Zink: Security Talk

Practical Cybersecurity, Part 2 – Expertise


Expertise

If we want to teach people to be cyber aware, they need expertise. But how much is enough? Do we want people to become security experts? Or just good enough to resist most types of scams?

In other fields, experts process information differently from novices. In fact, they have a whole set of abilities that novices lack:

  1. Experts have acquired a great deal of content knowledge that is organized in ways that reflect a deep understanding of their subject matter.

  2. Experts notice features and meaningful patterns of information that are not noticed by novices.

  3. Experts are able to flexibly retrieve important aspects of their knowledge with little attentional effort.

  4. Experts have varying levels of flexibility in their approach to new situations.

This expertise is important because it is a powerful tool against scams. In order for us humans to make decisions that act contrary to our own best interest, our emotions must be invoked. At low and intermediate levels, our emotions act in an advisory role. But at higher levels, we make decisions that we would not normally make.

The way to combat this is to increase the decision maker’s level of vigilance. If a person can recognize that a message is a scam, they will not fall for it. How can they recognize that a message is a scam? They have a lot of content knowledge and have seen plenty of scams in the past. They can detect features in scams that a novice would not normally notice and can retrieve key aspects of that knowledge with little effort. Almost automatically, they recall the features that marked earlier messages as scams and spot them in the message in front of them. Furthermore, when a new scam arrives, they are flexible enough to apply those earlier experiences to this new one.

An expert can recognize scams because they know what scams look like.

How do we teach people to become experts?

People are not born experts. There is no such thing as innate talent, where a person has a natural instinct for an ability. The way to transform a person from a novice into an expert is through an activity called Deliberate Practice. Deliberate Practice is different from regular practice in a number of important ways:

  1. It deliberately works on improving key skills.

  2. It receives consistent feedback.

  3. It can be repeated a lot.

  4. It isn’t much fun.

Researchers have found that becoming an expert in any particular field requires 10,000 hours of deliberate practice. If we work 2000 hours per year at our jobs, that’s 5 years to become an expert. It is unrealistic to expect people to become experts at computer security because no one can put that much time into learning how to use the Internet.

If we can’t get the public to become experts, then we can at least bring up their level of awareness to “good enough” and leverage the key principles of developing expertise.

In order for the general public to gain sufficient expertise in cyber awareness, they must have a level of competence that is more than just cursory. When experts think about a subject, they have a deep foundation of knowledge to draw from. They don’t just know a lot about one narrow subject; they also know a lot about many related subjects.

Experts do not just know a lot about different subjects, they are able to organize that knowledge so that they can retrieve it quickly. The knowledge is not random, either. It is relevant to what they need to understand.

For example, given a chessboard of an actual game, expert chess players can look at the board for a few seconds and then place twenty or so pieces based upon memory, whereas novice players can only place five or six. However, when given chess boards of randomly placed pieces, both experts and novices could only place a few pieces. This shows that chess experts recall relevant information – a random chessboard doesn’t occur in real life, but an actual game could because both players implement strategies that could lead to that particular board.


For cyber security, people need to understand a wide variety of tactics that hackers use to steal information as well as a wide variety of defenses. It is not enough to say “Do this to protect from spam” but instead we must look at where spam comes from, how spammers try to trick the public and what countermeasures users can take. By looking at the problem from multiple angles, users gain a much deeper level of understanding.

But the security industry has a heavy responsibility. It is not up to the user to figure out what they need to know; the security industry must deliberately outline the relevant principles and organize them in a way that users can understand. A bullet list of do’s and don’ts is not enough to guard against scams because users will not be able to recall them. Experts start from abstract concepts (be cautious) and then build out techniques (hovering the mouse over a link to verify that it goes to the page it says it does).

The security industry must target the principles that are important and present them in a way such that people retain them.


Part 1 – Introduction
Part 2 – Expertise
Part 3 – Experience
Part 4 – Metacognition
Part 5 – What should we teach?
Part 6 – Bringing it all together

Practical Cybersecurity, part 3 – Experience


Whenever people learn new information, they do it in a way that fits into their current experience of how they view the world. There is a children’s book called Fish is Fish. The book is about a fish who lives in the ocean and wants to see the rest of the world, so he asks his friend Frog to venture out on land and report back to him. Frog agrees and goes to see the rest of the world.

A couple of days later Frog comes back and tells Fish about all of the things he saw. He saw birds in the air, dogs running around on the ground, and large buildings that people went into and out of. Fish, however, imagines these things according to his own experiences. A bird is a fish with wings, a dog is a fish with feet, and buildings are large rocks that fish normally dart in and out of. Fish models this new world after the world he is familiar with.

Similarly, for children, their model of the world is that the world is flat. When told that the earth is round, they picture that it is round like a disc. When told that it is round like a sphere, they picture a disc within a sphere. The children are not stupid, only ignorant. They do not have the knowledge to be able to change their model of the world, but instead fit this new knowledge according to what they do know.


People’s minds are like a ball of yarn and their existing ideas are like the strands of yarn, some unconnected, some loosely interwoven. Instruction is like helping students unravel individual strands, labeling them and then weaving them back into a fabric so that the understanding is more complete. Later understanding is built upon earlier beliefs. While new strands of belief are introduced, rarely is an earlier belief pulled out and replaced. Instead of denying existing beliefs, teachers need to differentiate them from actual beliefs and integrate them into more conceptual beliefs.

In the classroom, if prior beliefs are not engaged, people revert back to their preconceptions after the test has been taken. An experiment was performed where the subject was tested on memorizing long strings of random numbers. At first, the student could only remember about seven numbers, but over time managed to get to 70 or more. He did this by breaking the numbers down into chunks (give example). However, when the researchers tried to get him to remember letters, he reverted back to only being able to remember about 7 characters.

This demonstrates why random password advice is next to useless. People can only remember about 7 random characters, and nobody in real life has to remember random strings of anything. The things we do remember are song lyrics, names of people, events, television shows, comedy patter, and so forth. They are things that have emotional meaning to us, and therefore we can better remember them. They are not random characters but instead are characters (words) that hold meaning and therefore can be recalled.

It also explains why people fall for fake A/V software. People are used to being told by the industry that they need it. They already have an existing level of trust built up with the software industry about security practices. We can tell them that they shouldn’t click on pop-up links and should be suspicious of adverts for A/V software. They might say “Yes, I will be careful in the future,” but we haven’t engaged their prior beliefs that:

  1. They need A/V, and

  2. That they trust us to tell them the truth.

When a scam crosses their eyes they revert back to the belief that they need A/V, the person behind the scam is telling them the truth, and they click to install it.


Instead of preaching to users that they have to be careful about scams, we should integrate it into the message that we already teach – they need A/V software and they should only ever get it from trustworthy sources. This uses beliefs they already have (I need A/V) and adds a new strand of yarn (get it from a place I trust). We then must educate users about who is trustworthy.

Students remember abstract concepts better than contextualized ones. We must teach that users must only download A/V software from trustworthy sites. We do not necessarily start off by saying “Look for the https” or “Is it from a site I recognize?” Those concepts come later. The expert is able to take the more general concept and then find the specifics. In this case, the expertise we want the user to acquire is to first stop and think “Is the site I am downloading this from trustworthy?” What comes next to the expert is the question “How do I tell that this site is trustworthy? Oh, it says https://avg.com! I know that the ‘s’ means that it is secure, and I have heard of AVG!”

This relates to my previous point about expertise. An expert can draw from large bodies of information and they are able to recall organized knowledge and apply it to new situations. Someone who has learned about fake A/V could now see a pharmacy site. They have learned to ask the question “Is this Internet site trustworthy?” A user would look for signs to see if the site is to be trusted or not. Does it use https? Do they recognize any logos or the URL? Their preconception in this case is that the Internet is a place to buy things. But they have learned that they should only buy things from trustworthy sources, otherwise don’t do it. The abstract concept was added to the ball of yarn and is applied to the new scam.

When we engage pre-existing beliefs, we improve transfer.



Practical Cybersecurity, part 4 – Metacognition


Metacognition

A third technique that supports transfer is teaching methods that incorporate metacognition. Metacognition is “thinking about thinking” – understanding the reason behind a concept. For example, we all know that the North Pole is cold. Why is it cold? Because it receives less direct sunlight than the equator. Is the South Pole warm or cold? Well, since the South Pole receives less sunlight than the equator, it too must be cold.

Metacognitive approaches help students take control of their learning and organize their knowledge. For many of us, history is a boring list of names, dates and events. But one public schoolteacher was determined to change that. Rather than telling the class about the events of the American Revolution, she assigned one group of students the role of the loyalists and another group the role of the rebels.


The class gathered one day not to recite dates and names, but to debate the merits and detriments of the colonies’ rule by the British. The rebels’ first speaker begins[1]:

England says she keeps troops here for our own protection. On face value, this seems reasonable enough, but there is really no substance to their claims. First of all, who do they think they are protecting us from? The French? Quoting from our friend Mr. Bailey on page 54, ‘By the settlement in Paris in 1763, French power was thrown completely off the continent of North America.’

Clearly not the French then. Maybe they need to protect us from the Spanish? Yet the same war also subdued the Spanish, so they are no real worry either. In fact, the only threat to our order is the Indians . . . but . . . we have a decent militia of our own. . . . So why are they putting troops here? The only possible reason is to keep us in line. With more and more troops coming over, soon every freedom we hold dear will be stripped away. The great irony is that Britain expects us to pay for these vicious troops, these British squelchers of colonial justice.

The loyalists respond:

We moved here, we are paying less taxes than we did for two generations in England, and you complain? Let’s look at why we are being taxed— the main reason is probably because England has a debt of £140,000,000. . . . This sounds a little greedy, I mean what right do they have to take our money simply because they have the power over us.

But did you know that over one-half of their war debt was caused by defending us in the French and Indian War. . . . Taxation without representation isn’t fair. Indeed, it’s tyranny. Yet virtual representation makes this whining of yours an untruth. Every British citizen, whether he had a right to vote or not, is represented in Parliament. Why does this representation not extend to America?

Students then argued amongst themselves regarding the role of paying taxes to the Crown and the benefits they receive. The teacher interrupted the internal debate, and they continued onward, but the point is made – understanding the rationale for both positions strengthens the understanding of the events leading up to the Declaration of Independence. History is no longer names and dates. There is meaning to it. When history comes alive, students retain the information and can transfer names, dates and the rationale behind the American Revolution. The learning sticks.

When it comes to cyber security, we need to take a similar approach. We often give users advice on how not to fall for phishing scams. Your bank will never tell you to log in to its site with your username and password or else be locked out, and it will never ask you to reply with your username and password in an email. So, don’t do it. But why won’t your bank ever do this?

We must tell users why the bank won’t do this: their employees are never allowed access to their users’ accounts, only bad guys ask for passwords. They don’t lock users out of their accounts because they would lose customers due to bad customer service. And so forth. Users must be made aware of the rationale behind this.

How could we go about teaching users to do this?

We could start by writing training programs that show what it is like on the other side. Imagine a computer program where the user gets to play the part of the hacker:


As the hacker, you are given a scenario wherein your goal is to figure out a way to trick the user into giving up his username and password. The player then gets points when they succeed in doing nefarious things.

The next level would be that you get to play the part of a bank trying to teach its users to be secure: what could you do to prevent users from losing their passwords while still keeping things easy (which, you know, is pretty much exactly what cyber experts do in real life)? The gamer gets points when they pick actual cyber strategies.

Obviously, this would just be a game, but by seeing what it is like to be on the other side of the computer, users are better prepared for when they themselves are targeted. Thinking about both sides reinforces what people learn and subsequently transfer. By learning how to extract underlying themes and principles from their learning exercises, people learn how to apply that knowledge to new situations.




[1] These excerpts are taken from How People Learn: Brain, Mind, Experience and School; National Academy of Sciences, 2004.

Practical Cybersecurity, Part 5 – What should we teach?


What concepts should we teach?

What topics are the most important ones for users to learn? There are so many possibilities that it is hard to narrow down to only a handful. If we only got to pick three, here are the three I would choose:

  • The Internet is fun but only deal with trustworthy sources.

    This is the most important piece of advice we can give users because it is an abstract concept. All other pieces of advice derive from this. You can buy antivirus software online but make sure you buy it from a website you trust. You can shop for pharmaceuticals but you must only buy them from a source you trust.

    By teaching people an underlying abstract concept, other security countermeasures emerge out of it. It is abstract concepts that support transfer, not contextualized advice. Once users get the idea that they should only deal with trustworthy sources, their behavior changes. They know to log in only to secure sites because those are the ones that can be trusted. They use different passwords with different websites because they don’t know whether every site can be trusted to keep their information secure, and so forth.



  • Keep your software up-to-date

    This is the most important piece of contextualized advice we can give users. In order to make sure that people remember it, we should build upon experiences that they already know and do every day.

    One activity that everyone in the west knows about is brushing their teeth. We do it in order to prevent our teeth from decaying and falling out. Tooth pain is very painful and brushing helps prevent that.

    Furthermore, brushing our teeth is something that we have to do every single day, even twice a day. It is not something that we do once and forget about, it’s daily maintenance and we have to do it every day for the rest of our lives. If we don’t, our teeth go bad.

    Keeping our software up-to-date is like brushing our teeth:

    - It’s good for our health.
    - If we don’t do it there are bad consequences.
    - We have to do it every day (or at least regularly) for the rest of our lives.

Once we have built the necessary foundational knowledge for users, and once they understand that they need to stay up-to-date, software must make it easy for users to stay up-to-date. Microsoft Windows should have automatic updates enabled by default, and so should web browsers. There must be an easy way for users to see if their software is configured to update automatically, and they need to know how to check to see what the settings are.     


  • Learn to recognize scams.

    Next to keeping your computer up-to-date, the ability to recognize a scam is the most important thing. Criminals do not need to exploit vulnerabilities in computers to cause harm, they only need to trick the user into doing something like sending them money or handing over their username and password.

    Experts are able to transfer information that they learned in one context and apply it to another. If someone is going to recognize a computer scam, it will be much easier if they borrow from pre-existing knowledge and apply it to computers. For example, many parents will know when their children are trying to manipulate them. If they have two kids and come home one day to find that the cookie jar is empty, or worse yet, has been knocked over and broken, and then both kids deny it, something is wrong. Parents often rely on cues their kids give them in their answers to detect deception, such as averting their eyes, inconsistent or evasive answers, or turning their bodies away from direct questioning.

    When teaching people to recognize phishing, a connection should be made by linking the broken cookie jar to a bank telling someone to log in to their account and update their information. Parents already know how to tell if something is wrong in their house, and if the emotional connection can be made between that and their email notifications, then rather than fear being invoked, suspicion is aroused. If suspicion is aroused, then fear is only a low-intensity emotion and acts in an advisory role. If people think through what they are doing and equate cyber scams with real-life ones, they are less likely to fall for them.






Practical Cybersecurity, Part 6 – Bringing it all together


How young to start?

Where should we teach cyber security? Should it be something that people learn on their own time? Or is it something that should be included in formal education?

Paypal recently (when I first wrote this paper) released a whitepaper on combating cybercrime. In it, the authors assert that today’s educational efforts are good but do not scale to the required level of millions of computer users, and that scaling them requires significant investment by the government and private industry. Significantly more funding is needed.

The advantages of formally incorporating cyber awareness into the education system are clear:

By starting early, students have more time to gain exposure to a wide range of topics. This helps them build the level of deep expertise needed to bring together knowledge from different sources. With a formal curriculum in place, educators could organize the relevant knowledge to make it easier to absorb and recall.

  1. Formal education about a topic at an early age creates the early experiences that people build upon. Whereas educators must address students’ pre-existing experience to get them to learn about a topic, setting the foundation early means that there will be fewer pre-experiences to overcome later on.

  2. Assignments could leverage metacognition. When students have to think about why they are doing something, it helps learning and transfer. Home assignments could include teaching their parents about cyber security and what they learned. This helps reinforce what the students learn and there’s an added bonus – the government gets to use the students for free to teach their parents! That’s like getting two for the price of one!

On the other hand, creation of a cyber security curriculum in school is a major undertaking. It requires collaboration between industry and government and the knowledge is very specialized. Most adults today understand basic arithmetic, writing skills, reading skills, and social studies. Nearly all teachers are capable of teaching other subjects if they had to. However, expertise in computer security is not widespread. How many people in the world are experts on botnets? Malware? Hacking? Worse yet, how many people in the security industry have a background in education, teaching, and organizing their knowledge? The people who are good at teaching don’t know the subject, and the subject matter experts can’t teach it [1].

This is not an insurmountable problem but it would require a significant investment from both the private and public sector.

The Security Industry’s Responsibility

Software companies are not off the hook. Not only do we have a responsibility to educate the public, but we have a responsibility to write software in a way that makes it easy for users to be secure. We can achieve this by using a mechanism called “Choice Architecture.”

Choice Architecture is a principle that influences people’s decisions based upon the way that options are presented. People’s decisions can be swayed by a number of influences including ordering, peer pressure, and default choices.

For example, on a fast-food restaurant menu where people have lots of choices, most people will choose the first item. The public school system has experimented with this. Rather than placing unhealthy selections like French fries and hamburgers at the top, they put healthier selections like vegetables and yogurt at the top of the menu. The result? Students make more healthy selections than when the unhealthy choices are presented first. The same items are on the menu, but the ordering influences their decisions.

A more powerful influence is the power of the default choice. Many employers today offer their workers a savings plan for retirement, such as a 401(k) or 403(b). This is where employees contribute to a plan, and frequently the employer also contributes. It’s almost “free money” for the employee if they are part of the plan. When employees by default are not opted into the plan and need to enroll themselves, enrollment is low – less than 50%. However, when their employer opts them into the plan by default and the employee must opt out in order to not participate, compliance is very high – over 90%.

The “power of default” is one of the most powerful tools that the security industry can use. Whatever the default setting is for a piece of software, the vast majority of users will stick with that. It doesn’t matter how much we tell users to switch to another setting, the “stickiness” of the default is what will remain. To use this, security vendors should make their software secure by default. In real terms, this means that software is set to update automatically and the user must opt out of downloading and installing the updates.

Modern software does this – Microsoft Windows has Windows Update, and Adobe regularly updates Adobe Acrobat; it prompts users, asking whether they want to install, after it has already updated. However, other pieces of software such as Internet browsers do not update by default. The browser is particularly vulnerable because it is the hacker’s weapon of choice for creating malware. These should be set up so that automatic updates are enabled upon installation and the user is prompted to install when they are ready.

Although some browsers upgrade by default or prompt the user to update by default, not every piece of software upgrades by default. In my Firefox browser, I am running several plugins – Adobe Flash, Java, Shockwave, Quicktime, Silverlight and Media Player. Honestly, some of those plugins I use so rarely that I would never think to update them. However, a browser plugin called BrowserCheck from Qualys lets you scan your browser and tell you if any of the pieces are out of date. If so, there is a link that you can click on that will take you to the latest version:


I had to go and install this Qualys plugin myself; it wasn’t preconfigured on my browser. However, it should be. It’s useful because it consolidates a whole bunch of disparate plugins so I don’t need to keep track of them myself. Plugins like BrowserCheck should be standard on every browser, and there should be some sort of notification to let the user know when one of their plugins is out of date. Having a browser plugin checker installed by default ensures users are notified of security problems… and thereby helps reduce the risk from one of the biggest attack vectors today.

Conclusion

In this series, I have looked at the problem of how to educate the public to become more aware of cyber security. I looked at why people don’t retain the message (because our teaching methods are poor) and how we can improve upon those.

However, I only looked at a small fraction of better educational teaching techniques; the subject is too vast for me to cover in 6000 words. What is encouraging about this is that because so much research has been done into formal learning, we know what works and what doesn’t:

  1. Students need to know a lot of stuff, and organize it well, in order for that knowledge to become useful in real life.

  2. Students take new knowledge and weave it into their pre-existing knowledge. Teachers need to know their students’ prior beliefs.

  3. Students retain knowledge when they have to think about why they are learning something, and why things are the way they are.

There is no shortcut to being aware of the Internet threat landscape and giving people the skills they need to traverse it. But we do have a responsibility to tell users what they have to do and we also have a responsibility to ensure that they are learning, retaining, and using what we tell them. We do that by looking at ourselves and seeing what we can do to help.

And then, maybe one day, the cyber security industry won’t have such a big problem.





[1] If we knew how to teach it I wouldn’t be writing this article.

Teaching consumers security habits


I thought I’d round out the year with a summary of Randy Abrams’ talk from Virus Bulletin entitled Teaching Consumers Security Habits from this past year’s 2012 Virus Bulletin Conference in Dallas, TX. I wanted to write about it long ago but I wanted to post my series Practical Cybersecurity first. The two topics naturally fit together.

Abrams began his talk by saying that technology is not the only solution to the security problem even though we in the security industry think so. This is despite years of evidence that contradicts this belief.

Think about it for a second. If the way we have always done things is best, then why are some of the best universities giving away their courses? Our education system uses 300 year old principles that developed because books were rare and the professor essentially read the contents. However, this is 2012 (or 2013, which is when you’re probably reading this). We're wired. We can do better.

Researchers have known for a long time that breaking a video lecture into small chunks helps students retain information better. Embedded quizzes keep them focused. Drawings appeal to the visual learner. This is evident with Khan Academy.

What can we learn from behavioral researchers? How can we use what users naturally do to form good security habits?

We need to understand The Habit Loop. This was first written up in the book The Power of Habit by Charles Duhigg.

What is The Habit Loop? It is the following sequence of events:

  1. Trigger
  2. Routine
  3. Reward

Knowing something like this, a retailer (Target) might know a woman was pregnant before her family did by monitoring her shopping habits.

How do we change a habit (such as a poor security habit like using the same password everywhere)? Well, as it turns out, a brain doesn’t forget a habit. The only way to break a habit is to change the routine.

Studies have shown that when we continue doing the same thing (well, when a mouse keeps running through a maze, which acts as a proxy for “us”), brain activity goes down and the mouse isn’t thinking about running the maze anymore. A habit is like a subroutine: we can do things while our brains think about other things.

There is still a pleasure spike associated with the activity. But in a habit, the reward moves to the moment the habit kicks off, instead of coming at the end of the action as it did the first time you performed it. That is, when we do something for the first time we go through the activity and then at the end there is a reward. Once it is a habit, as soon as we decide to do the activity the reward arrives, even before we have completed the activity.

First time: Action -> Activity -> Reward
Habit: Action -> Reward -> Activity -> Smaller reward

The reward reinforces the activity. If your friend sends you funny videos in email, when you click the first time you get a reward from it (laughing at the funny video). The next time this occurs, the habit of clicking is in your brain because your brain remembers.

As habits form, the brain stops participating in decision making. The pattern unfolds automatically unless you deliberately fight it.
   
Habit routines must be replaced. Some common habits:

  • Stress -> Cigarette -> Satisfaction
  • Stress -> Exercise -> Satisfaction
  • Email -> Click -> Funny Video
  • Email -> THINK -> Reward. This is the part that has to change: we have to teach users to THINK first and break the clicking habit.

Are there any examples of this working in real life on a large scale? Absolutely. We have an example of changing social habits. This example involves lowering the infant mortality rate in the rural United States during the 1950s and 1960s, when it was much higher than in urban areas.
   
To change this, researchers identified the major sources and causes. The solution was social change, as documented by Paul O'Neill: biology became part of the core curriculum so that students learned about proper nutrition, which cut down on malnutrition, and infant mortality dropped by 62%. 62%!

This sounds like great news! The problem is that for students and education, it will take at least two generations. Ouch.

image

What sorts of real things can we do to teach consumers security habits?

  1. We can create games that teach the proper concepts. If they are fun, people will remember them better because it binds emotions to actions.

  2. Examples where people get to see which phishing attacks actually work best in real life.

  3. Weak passwords: Security professionals can't just explain why passwords are weak, because everyone nods their heads without really understanding. But put their passwords through a password cracker to see how quickly they can be broken (a person guessing vs. a machine cracking) and that underscores the reality of weak passwords.

So, to conclude, we have to teach consumers security habits in a smarter way. The current methods are not working, and using only technology won’t work either. We have to fight habits with habit remediation, and we have to fight ignorance with education.

And then maybe one day, we in the security industry won’t have such a big problem.

Out of the office for a while


I’m out of the office for a while so there won’t be many updates to this blog in January, 2013. See you when I return!

If you’re wondering where I am, here’s a clue:

Yes, experts all say that you shouldn’t tell others you’re gone when you’re gone. Well, I have virtually nothing of value back in my home anyhow. Meh.

Phishing infographic – how phishing works


A reader sent me the following infographic detailing how phishing works. Check it out:

  • It contains statistics on the prevalence of phishing
  • Some characteristics of phishing messages, and
  • Some advice on how to protect yourself

Good stuff.

Phishing With Bait - Spam Threats in 2013

Source: Phishing advisory infographic by Lifelock.com


Hanging around Buenos Aires


For the last bit of December 2012 and the first part of January 2013, my wife and I were traveling in Argentina and Chile in Patagonia, the southern part of the country. The final two days were spent in Buenos Aires, the capital of Argentina.

I didn’t have many expectations of the place before I got there; I just knew that it was a large city (11 million, one of the top three in South America depending on how you count it, after Rio de Janeiro and São Paulo). But the city is amazing!

Buenos Aires is like a European city without the ridiculous expense of Europe (i.e., everything there costs almost double what it costs in North America). Instead, the costs in Buenos Aires are slightly less than North America for some things (restaurants) and much less for others (hostels and the subway).

To give you an idea of the architecture, below is the Casa Rosada, which is where the main parliament of the country takes place. It’s located in Plaza de Mayo (that may be wrong, but I can’t be bothered to look it up right now), which is the main political square of the country, where mass protests regularly take place. There are tours during the day on weekends but since we were there on a Friday, we couldn’t go inside.

The statues in front, like this one, are reminiscent of Spain or Italy:

image

 

Another section of the city houses the Palacio de las Aguas Corrientes (literally: Palace of Water Flows, according to Bing Translator). For some reason, at first I thought it was called Palacio de las Aguas Calientes, or Hot Water Palace. That made me think it was an engineering facility for the city’s water flow.

image

I was thinking to myself “Man, that is the nicest public works building in history! Nothing even comes close to it!” It was only later that I discovered my pronunciation was wrong and that it is now a museum. But according to Wikipedia, it originally was built to accommodate supply tanks of running water for the city in the late 19th century.

I don’t know if the story is true or not, but one of the locals told us that the building was designed in Belgium and shipped to Buenos Aires where it was reconstructed locally. If so, that’s amazing. And a lot of effort.

Whenever I’m in South America (and Europe), I like to check out the Catholic churches. I do it because the architecture and art within them is so much nicer than in Protestant churches in the United States and Canada. I may not be Catholic but their churches are way nicer everywhere in the world. Even the Church of England buildings in the UK, which are very nice (Westminster Abbey, St. Paul’s Cathedral) were originally Catholic.

This church is located near the Casa Rosada on the other side of the square. In the picture below you can see me waltzing around acting like such a tourist, snapping photos:

image

image


But my favorite part of the city’s various amusements is the Necropolis – the Recoleta Cemetery. It is a huge square encompassed by high walls and takes up many city blocks. Inside are large graves belonging to very important people within the city – presidents, generals, nobles, and high ranking officials. It takes forever to walk around the place:

image

image

image

image

If you’re not thinking “Wow, some of those graves are pretty big!” you should be. I calculated that a few of them were larger than our two-bedroom condos.

And many of them were nicer than our two-bedroom condos. How is it possible that dead people have a better place to live than me?

Along the way I found a lazy cat just kind of lying around. Unlike my cat at home, this one was pretty skinny:

image


It took us two days to walk around Buenos Aires and we probably could have easily spent a couple more. It was very hot those two days and that contributed to draining us of energy.

But I liked the city.

And that’s my story of our time sightseeing in Buenos Aires.

Still no blog posts this year

You may have noticed I haven't posted much this year. The reason is that I have been very unmotivated. I don't know why; I guess after six and a half years of writing I am running out of things to say. I'm still here, though. I'm just working on other things at the moment.

What I’ve been up to lately – my Kickstarter project!


As I wrote about a week and a half ago, I haven’t written a lot about antispam and security so far in 2013. But I haven’t been idle.

No, instead I have been working on another project – launching a project on Kickstarter!

image

And my app is going to be awesome! I’m combining great writing and visual aesthetics with a solid user experience (intuitive, easy to use and never crashes). Trust me, you’ll all like it.

You see, I’ve been able to travel a fair amount in my time, especially over the past few years. I also like to write; I always have. When I was in junior high and high school, I was good at math and science but my highest grades were in Language Arts. When I go back and read some of my old journals, I am impressed by what I wrote way back then.

I decided to combine my two hobbies into an app for iOS and call it Go Somewhere. I wanted my app to have a tactile experience. Not just a website but an app where I can control how the user interacts with it.

It’s kind of like a travel book, except I find that travel books have too much information; I just skim them. They also aren’t personalized enough, whereas I like to write in an editorial style (the way I do on this blog).

I checked out a couple of apps in the Apple store last year and downloaded them. My favorite is National Geographic’s 50 Places of a Lifetime. I liked the way it went through and talked about all the places in the world and what was neat about them. However, I thought I could do it better:

  1. I could build a better way to navigate through the various places.

  2. The descriptions were good, but not “deep” enough. I wanted to go a bit deeper in each place. For example, for Peru, I wanted to write 6-8 things about Machu Picchu instead of National Geographic’s short blurb.

  3. I also wanted to write about interesting socio-cultural facts such as conditions that led to the downfall of the Incas. Education + Entertainment.

  4. I wanted my writing style to be funnier (you know, like the knee-slapper that is this blog).

I found a couple of other apps like Amazing Earth and Beautiful Planet. The pictures in them are good but the descriptions are too short.

The above icon represents the spirit of Go Somewhere: a silhouette looking out into the background. Where do I (that is, you) want to go next?

The below is the splash screen when you open the app:

Splash screen

You can navigate through the app with a bunch of countries and places using a map:

Navigation

I’m not going to go through the full set of features because you can read about it at the Kickstarter link for Go Somewhere.

I’ve designed most of the app and written or edited all of the little blurbs (so far over 400, with two more places to go before launch, and two more to come by the end of the year). However, I outsourced the development and I didn’t get the quality I needed so I’ve decided to start over.

I’ve gotten some other quotes and they are expensive. I can’t keep putting more money into this without a good understanding of whether or not I’ll see a return (my wife wouldn’t stand for it). So to that end, I’m getting funding on Kickstarter!

Or trying to, anyhow.

I figure this represents a good proxy for whether or not there’d be any demand. If I can raise funds to develop a polished app, then I figure there’s a good chance that this will “sell” (that is, be downloaded. The app is free with some free content and you can purchase to unlock additional content for a low, low price).

Looking out New Zealand

 

So check out Go Somewhere on Kickstarter! And if you feel like it, kick in a little bit of money.

Guest post: Lessons learned from the recent Mandiant report about APT1


Today’s post is a guest post from Megan Horner, Social Media Manager & Marketing Coordinator of trainACE. It is regarding a recent security report issued by Mandiant, entitled APT1: Exposing One of China’s Cyber Security Units.

Megan, take it away!


Lessons Learned From the Mandiant Report 

Recently, security company Mandiant released a report detailing the size and scope of Chinese hacking efforts, and there are two main takeaways from it: First, the sheer scale of the hacking as part of an effort backed by the Chinese government was eye-opening. Second, Mandiant provided an impressive level of detail, both in its description of the attacks and in its identification of the perpetrators, whose efforts, according to Mandiant, could largely be traced to a single army unit working in a single building just outside Shanghai.

Security professionals can take several lessons from the report, but the lessons are not as much about threats of unprecedented technical sophistication – although these threats are by no means crude – as they are about the scale of the attacks, their persistence and the level of organization behind them.

In fact, the report tells the story of an effort that could serve as the very definition of an Advanced Persistent Threat (APT), and Mandiant itself refers to one of the more than 20 groups allegedly involved as APT1.

One advanced aspect of the threat is its location within the Chinese government, where it emanates from a unit of the People’s Liberation Army called Unit 61398. As a military unit, this is a group with access to enormous resources. It is blessed with its own special link to government-owned China Telecom, although this relationship is cloaked in its general classification as a part of generic “national defense.”

APT1 alone may employ hundreds of individuals and, according to Mandiant, it certainly deploys more than 1,000 servers in its mission. This is not a small-scale, back-room operation run by a few hackers who do business on a hit-or-miss basis. If you’re wondering about its targets, one clue is that APT1 recruits only people who speak English. Clearly, the United States is at the top of the group’s hit list, and Mandiant’s findings bear that out, with the bulk of the attacks targeted at the English-speaking world.

Mandiant claims that APT1 alone has accessed no fewer than 141 companies in 20 different industries, and the group is not content to hack once and move on. Once visited, an organization can expect to see APT1 again every few months. One organization, the report says, has seen some 6.5 terabytes of data go out the door. This is a textbook example of a threat that is persistent.

There is more than enough bad news in the Mandiant report to keep security professionals awake at night.

First of all, these hackers are completely at home in the cloud and they are adept at concealing their origins and identities. They use Dynamic DNS to avail themselves of U.S. names that look completely innocent to ordinary users.

They use proxies and hundreds of Yahoo and Gmail accounts that look equally innocent, a means of disguise aided and abetted by their fluency in English. They use Google services and the Google App Engine for their exploits. Gone are the days when an administrator could feel safe after blocking suspect IPs in bulk. The hackers at APT1 are largely indistinguishable from ordinary users going about their harmless daily business.

If all that is not enough to give security professionals some sleepless nights, don’t forget that these hackers are equipped with the latest, best and least-detectable malware out there, and that if existing products fail to do the job, they’re more than capable of writing highly effective malware of their own.

The Department of Defense recently announced a new cyber-defense initiative. While welcome, that kind of initiative takes time to have an impact. For now, the best approach may be, sadly, an increased level of paranoia in the cyber security ranks. User education needs additional attention and administrative vigilance must be constant and unflagging. Remember that the hackers at APT1 are nothing if not persistent: If they’ve visited once, they’ll be back, just waiting for you to relax your guard.

 

About the Author

 

This is a guest post from Megan Horner, Marketing Coordinator at TrainACE. TrainACE offers cyber security classes from baseline to advanced, including CompTIA Security+ all the way to Advanced Exploit Development.

 

 

What I’ve been up to lately


It’s been a long time since I have written anything on this blog. I haven’t been idle, though. I’ve been doing several things that I have prioritized over blogging. Here's a summary:

  1. Trying to get an iPad app developed

    As I wrote about in February, I launched a Kickstarter project to create a travel-themed app for iOS. I needed about $25,000 to fund its development to do a quality job, but unfortunately my fundraising goal fell short. The iOS app is dead, it's too expensive to create.

    However, I re-incarnated it as an HTML5/CSS3 web page. I'm working on it when I have time. I first have to learn HTML5 and CSS, not to mention JavaScript, and I was doing that for part of February and much of March. One of the most difficult parts is creating the theme of the web page; my graphic design skills are very weak.

     
  2. Supporting unauthenticated email over IPv6

    In February, we received a request from one of our customers that they wanted to receive unauthenticated email over IPv6. "Unauthenticated" means:

    a) Senders must not need to get whitelisted ahead of time before sending email to the receiver. This renders my previous plan for IPv6 useless (for more details of that plan, see my post A Plan for Email over IPv6, part 1).

    b) Receivers must not require an SMTP transaction over TLS in order to accept email over IPv6 (which is something we already do today).

    By combining both of these two requirements, we were going to have to come up with a solution that scaled in IPv6. To figure this out, I had a series of discussions with people smarter than myself - both within the company and requesting help from people outside of it. I learned about how various email receivers are dealing with this problem and decided to align ourselves with them. The result is that we have a workable IPv6 plan. I will describe this in more detail in a series of posts in the future.

     
  3. Reading other books not related to spam or security 

    In addition to working a regular day job, I like reading books about neuroscience (how our brains work) and behavioral economics (how we really behave, vs. how rational economics predicts we will behave). But I also like reading books on anthropology (the study of human development over the course of history). These are the same areas of interest as in my articles on Practical Cybersecurity.

    I started reading more and more books on my Kindle devices. Most people I talk to about this say they prefer books, and I like physical books, too. However, the ease at which I can go online and download a Kindle book... the instant gratification is too strong to resist! Anyhow, here are a few books I have read over the past few months that fall into this field:

    - The World Until Yesterday, by Jared Diamond. For much of our existence as a species, we humans were hunters-and-gatherers. It is only in the last 10,000 years since the agricultural revolution that we settled in large groups. In evolutionary terms, this is only around 0.1% of development. In this book, Diamond looks at the last remaining hunting-and-gathering tribes left in the world and compares how they live to how we live, how we all may have lived only a few tens of thousands of years ago, and what lessons we can draw from it.

    - The Signal and the Noise, by Nate Silver. In 2008, Nate Silver of the FiveThirtyEight blog rose to fame by correctly predicting the outcome of 49 out of 50 states in the US Presidential Election. In 2012, he predicted all 50 of 50 states. In this book, Silver looks at why we are so bad at forecasting (for example, elections, the weather and earthquakes) but also goes over how much our forecasting has improved over the past thirty years (for example, earthquakes and the weather, but not the economy or elections).

    - Predictably Irrational, and currently reading The Upside of Irrationality, by Dan Ariely. Dan Ariely is a professor of Behavioral Economics. In his two books, he describes how we as humans do things that are counter-intuitive and not always in our best interests (contrary to what rational economists predict), but that these counter-intuitive behaviors are predictable and can be used for improving performance. As an industry, computer security can probably learn from these.

    - The Honest Truth About Dishonesty, by Dan Ariely. Why are we as people so dishonest? What factors influence us to cause us to become more dishonest? What factors influence us to become more honest? Did you know that the probability of getting caught doesn't really affect it one way or the other? I didn't. It's one of the things I learned from reading this book.

    - You Are Not So Smart, by David McRaney. This book goes into all the cognitive biases that we as humans have. After identifying these behaviors in myself, it's a wonder that I ever get anything done.

    - The Wheel of Time Series, by Robert Jordan. When I went to Argentina, I took along a couple of fiction books. I've been reading these books of Robert Jordan's fantasy series off-and-on for the past couple of months and I am enjoying them.

     
  4. Trying to exercise more

    Perhaps this is TMI, but it's my blog and I can write about what I want. As a computer guy, I don't get enough exercise. This is especially bad because I sit down a lot all day, and sitting is terrible for your health. It wreaks havoc on your lower back and hips. While my back is still fine, I have had problems with my hips for years. I need to exercise to get the health benefits because I do feel better after I go, move around and stretch.

    I have a gym membership but I don't go as often as I could or should. To motivate myself to go more often, I decided to apply something I learned from the above books on behavioral economics. We, as humans, will feel the pain of a loss far more than we feel the joy of a gain. We also feel the effects of short term behaviors (I don't want to go to the gym tonight since I am too tired) more strongly than long term ones (going to the gym to stave off the effects of a sedentary lifestyle). This is known as hyperbolic discounting.

    To combat my lackadaisical approach to exercise, I told my wife "If I don't go to the gym at least 8 times in the month of March - which is twice per week - I will give a friend of mine $250." $250 is a painful amount; enough to hurt if I don't comply but reasonable enough for me to follow through and not write it off.

    And it worked in March - I went to the gym 7 times and went hiking twice (a hike counts as a gym session because I typically go for several miles up a couple thousand feet of elevation gain). I'm currently behind in April but I am working on catching up.

When you combine all of those points together, it adds up to less blogging. I plan to change this blog a little bit so that I post less original content (my own analysis) and more pointers to other articles with some commentary by me. In that way, I hope to get my post count back up.
 
So that's what I have been up to this year so far.

How to set up your SPF records if you are outsourcing some, or all, of your email


I thought I would do a few posts on email authentication, specifically, how to ensure that you have good sending reputation and the proper way to set up your SPF records. In future posts, I plan to get into how to set up your DKIM records as well as your DMARC records in the case that you are an organization, or even a small sender, who wants to have others send on behalf of you.

What do I mean by this?

Suppose you are a large airline, OceanicAirlines.com.

image

You regularly communicate with your customer base: when they purchase tickets from your website they get an email confirmation, or you send them an email alert the day before their flight leaves about online check-in.

However, you also want to send marketing email to your customers. You do this on a regular basis in order to advertise that you have a deal upcoming for nationwide flights to Salt Lake City, or about last minute holiday deals.

But OceanicAirlines.com knows that sending bulk email is difficult:

  1. It has to process complaints.
  2. It has to constantly maintain its IP reputation.
  3. It has to constantly process bounce messages.

These are just some of the things it has to do when sending bulk email. Oceanic decides to outsource its advertising email campaigns to Big Communications, Inc. They specialize in sending bulk email; they are good at it. You just give them a list of recipients and craft the email, and they will take care of the rest. If you’re a bad sender, they’ll kick you off their list.

 

Okay. So Oceanic is outsourcing its email campaigns to Big Communications. How does each party set up its SPF records so that they pass SPF checks?

The short answer is: It’s really easy.

The longer answer is: It’s really easy if you just want to pass SPF. It’s more complicated if you also want to pass SenderID.

To pass an SPF check, remember that in email, there are two From: addresses:

1. The SMTP MAIL FROM, otherwise known as the RFC5321.From. This is the email address that is used to do SPF checks, and if the mail cannot be delivered, the path where the bounced message is delivered to. It is this email address that goes into the Return-Path in the message headers.

2. The From: address in the message headers, otherwise known as the RFC5322.From. This is the email address that is displayed in the mail client.

Frequently the 5321.From and 5322.From are the same, but not always. They can be different, depending on the circumstances.

To pass the SPF check, BigCommunications.com picks a name associated with Oceanic Airlines. This can be descriptive, like oceanic.airlines@bigcommunications.com, or it can be more cryptic, like email-bounces-10ask213@bigcommunications.com. This email address goes into the RFC5321.From.

In the RFC5322.From goes Oceanic Airlines’s From: address. This is the one that is seen by email users.

The email is sent from BigCommunication’s email servers, and the SMTP transaction looks like this:

    HELO mail.bigcommunications.com
    MAIL FROM: <oceanic.airlines@bigcommunications.com>
    RCPT TO: <user@example.com>
    DATA
    Subject: Discover Ireland from $768* RT
    From: Oceanic Airlines <oceanic@news.oceanicairlines.com>
    <Everything else in the email>
    .
    QUIT

If you look at the message below, you can see that the From: address in my email client shows the RFC5322.From address. This is exactly what Oceanic wanted.

However, when my email server received the message, it did an SPF check on the connecting IP (which belongs to BigCommunications.com) against the RFC5321.From domain, bigcommunications.com. This passes the SPF check, which is what we want. That domain does not show up anywhere in the email client, but spam filters use it to authenticate the message with SPF. It is transparent to the end user.

The lesson is this: If you want to have your mail sent by someone else on behalf of you, and all you want to do is pass an SPF check:

1. Make sure that the RFC5321.From belongs to the actual sender (i.e., the email servers that emit the email to the Internet). It must not be the “legitimately spoofed” domain (in the example, it must not be OceanicAirlines.com).

2. Make sure the RFC5322.From belongs to you, because that is what will show up in the user’s email client, and it is this brand you want to reflect to the user.

Of course, the bulk email sender – who is responsible for actually sending your email out to the Internet – must publish SPF records.

image

See? It’s easy to pass an SPF check this way! But it’s not the end of the story. We still have to deal with SenderID, DKIM, DMARC, and the potential problem of abuse.

How to set up your SenderID records if you are outsourcing some, or all, of your email


In my previous post, I discussed how to structure email such that if it comes from a 3rd party on behalf of you, it will pass an SPF check.

But what about passing a SenderID check?

To solve this, we first have to remind ourselves what SenderID is. Let’s go back to the previous post where BigCommunications.com was sending on behalf of Oceanic Airlines (sample email here). Below was the email transaction:

    HELO mail.bigcommunications.com
    MAIL FROM: <oceanic.airlines@bigcommunications.com>
    RCPT TO: <user@example.com>
    DATA
    Subject: Discover Ireland from $768* RT
    From: Oceanic Airlines <oceanic@news.oceanicairlines.com>
    <Everything else in the email>
    .
    QUIT

To pass an SPF check, the connecting IP address is checked against the domain in the RFC5321.From address, in this case bigcommunications.com. Suppose that the connecting IP is 1.2.3.4 and the SPF record for bigcommunications.com is the following:

    bigcommunications.com
    "v=spf1 ip4:1.2.3.0/24 -all"

Because 1.2.3.4 is in 1.2.3.0/24, the SPF check passes.

SenderID is different. The process of extracting which domain to check is paraphrased (for simplicity) as follows:

1. Check to see if the Sender: field exists. If so, use the domain in this field.

2. If not, use the domain in the From: field.

In the above example, since there is no Sender: field, the domain in the From: field is news.oceanicairlines.com.

SenderID next checks the SenderID record in DNS. If it does not exist, it falls back to the SPF record.

In the above example, suppose that news.oceanicairlines.com does not publish SenderID records. But it does publish SPF records, per the following:

    news.oceanicairlines.com
    "v=spf1 ip4:225.18.0.128/25 -all"

Because the connecting IP of 1.2.3.4 is not in the range 225.18.0.128/25, this message will fail a SenderID check. Furthermore, it is a hard fail, which spam filters weight heavily when deciding to mark a message as spam and send it to the junk mail folder.

How can we fix this?

The first option is to not fix it.

SenderID is a standard proposed by Microsoft which protects against spoofing the RFC5322.From address, the one that the user sees in their email client. However, SenderID does not have the same level of widespread industry deployment that SPF or DKIM do.

SenderID was primarily used in Hotmail and on-premise Exchange servers deployed locally within organizations. However, during the past year, Hotmail has stopped checking SenderID and started checking SPF, as that is what is required by DMARC. This leaves only on-premise Exchange servers.

The Exchange server MTA has its own built-in spam filter, Smartscreen. However, it is not dynamically updated the way that other services are (like Hotmail, Yahoo, Gmail, or our own service Forefront Online/Exchange Online). Therefore, most on-premise Exchange deployments will probably augment their filtering with another service that updates regularly. The reliance upon SenderID is then diminished since the other spam filter will already catch most of the spam. Therefore, many Exchange administrators may not even have the SenderID agent enabled, although others may enable it as a fail-safe against spoofed email.

But if SenderID is not used by Hotmail and may or may not be used by on-premise Exchange installations, senders may decide that it is not worthwhile complying with SenderID because the potential fallout is small.


The second option is to create SenderID records in DNS.

You may decide that creating SenderID records is worthwhile. There are advantages to doing it:

1. You will ensure that you do not fail a SenderID check when delivering to email servers protected by Exchange.

2. It’s good practice for passing DMARC.

      To comply with SenderID:

      1. First, you should separate out your corporate email from bulk-advertised email. That is, if you send email from corporate users, send it from user@oceanicAirlines.com. For mail that comes from a third party, delegate a subdomain like news.oceanicairlines.com. These should be kept separate.

        This can even be taken a step further, and specialized messages like flight confirmations and alerts can be sent from alerts.oceanicAirlines.com, or confirmations.oceanicAirlines.com. This separates out subdomains by specialized function.

        But the key is to delegate a subdomain for mail sent by 3rd parties.

      2. Second, publish a SenderID record for this subdomain that contains the SPF record for this 3rd party. You can either put their IPs in there directly (with an ip4: mechanism), or better yet, include their domain’s record in the SenderID record. For example:

        news.oceanicairlines.com
        "v=spf2.0/pra ip4:1.2.3.0/24 -all"

        OR

        news.oceanicairlines.com
        "v=spf2.0/pra include:bigcommunications.com -all"


        The spf2.0/pra means “This is a SenderID record. The PRA means to apply this to the domain in the Purported Responsible Address, which is either the domain in the Sender: (rarely) or RFC5322.From (usually).”

      That’s it. That’s how you comply with SenderID. It does mean that you must create and delegate a subdomain for 3rd parties to send on behalf of you and publish their SPF records in that subdomain’s SenderID record. If you ever change 3rd parties, you must update this SenderID record. And if this 3rd party ever starts sending spam using your subdomain, it will pass a SenderID check (it can also pass an SPF check).

      However, even if it does go rogue, it can only pass a SenderID check for this delegated subdomain. In this example, it can only SenderID pass news.oceanicairlines.com. It will not pass oceanicairlines.com, confirmations.oceanicairlines.com, and so forth. The damage is contained (and can be revoked by unpublishing the IPs from the SenderID record).

      Let’s go back to the original example:

      HELO mail.bigcommunications.com
      MAIL FROM: oceanic.airlines@bigcommunications.com
      RCPT TO: user@example.com
      DATA
      Subject: Discover Ireland from $768* RT
      From: Oceanic Airlines <oceanic@news.oceanicairlines.com>
      <Everything else in the email>
      .
      QUIT

      For a machine that is checking SenderID, it extracts the domain in the From: field, news.oceanicairlines.com. It then takes the sending IP, 1.2.3.4, and does a SenderID lookup:

      news.oceanicairlines.com
      "v=spf2.0/pra include:bigcommunications.com -all"

      The “include” says to do a SenderID lookup for bigcommunications.com:

      bigcommunications.com
      "v=spf1 ip4:1.2.3.0/24 -all"

      SenderID looks for the spf2.0 syntax. Since it doesn’t see it, it falls back to spf1 syntax. It then compares 1.2.3.4 against 1.2.3.0/24, sees that the IP is in the range, and passes the SenderID check.

      Success!

      And we have an added bonus – the SPF check will also pass. So, whether an email receiver checks SPF or SenderID, this outsourced email will pass either one of them.

      It’s a bit more work to set up SenderID, but not too bad. And you’ll have to do something similar anyway if you want to be DMARC compliant. But more on that in a future post.
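      Here is an added example (my own code, not part of the post) of the lookup just walked through: a small SPF/SenderID evaluator that runs over a constructed in-memory table of TXT records instead of live DNS. It implements the ip4:/ip6:, include: and all mechanisms with their qualifiers, the SenderID rule of looking for an spf2.0/pra record before falling back to spf1, and the two checks a receiver runs on the example message (SPF on the RFC5321.MailFrom domain, SenderID on the PRA domain taken from Sender: or From:). The range 1.2.3.0/24 and the sending IP 1.2.3.4 are the post’s; the in-memory DNS table, the permerror handling and the omission of the a/mx/ptr/exists mechanisms are mine.

```python
"""Added example: evaluating SPF and SenderID records over an in-memory DNS table."""
import ipaddress
import re
from email.utils import parseaddr

# Constructed TXT records for the posts' example zones (not real DNS data).
DNS_TXT = {
    "news.oceanicairlines.com": ["v=spf2.0/pra include:bigcommunications.com -all"],
    "bigcommunications.com": ["v=spf1 ip4:1.2.3.0/24 -all"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_record(domain, scope):
    """Pick the record a checker would evaluate for `domain`.

    A SenderID (PRA) check looks for an spf2.0 record whose scope covers
    'pra' and falls back to the spf1 record; an SPF check uses spf1 only.
    """
    records = DNS_TXT.get(domain.lower(), [])
    if scope == "pra":
        for rec in records:
            if re.match(r"v=spf2\.0/(?:pra|mfrom,pra|pra,mfrom)(?:\s|$)", rec):
                return rec
    for rec in records:
        if rec.startswith("v=spf1") and rec[6:7] in ("", " "):
            return rec
    return None


def evaluate(domain, ip, scope="spf1", depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for `ip` under `domain`."""
    if depth > 10:                       # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup_record(domain, scope)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the v= tag
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qualifier]
        elif term.startswith("include:"):
            inner = evaluate(term[8:], ip, scope, depth + 1)
            if inner == "none":          # include: of a domain with no record is a permerror
                return "permerror"
            if inner == "pass":
                return QUALIFIER[qualifier]
        elif term == "all":
            return QUALIFIER[qualifier]
        # a, mx, ptr, exists and modifiers are omitted to keep the example short
    return "neutral"


def pra_domain(headers):
    """Purported Responsible Address domain: Sender: if present, else From: (simplified)."""
    for name in ("Sender", "From"):
        if name in headers:
            return parseaddr(headers[name])[1].rpartition("@")[2].lower()
    return ""


def check_message(sending_ip, mail_from, headers):
    """Run the SPF check (RFC5321.MailFrom) and the SenderID check (PRA) for one message."""
    spf_domain = mail_from.rpartition("@")[2].lower()
    return {
        "spf": evaluate(spf_domain, sending_ip, "spf1"),
        "senderid": evaluate(pra_domain(headers), sending_ip, "pra"),
    }


# The post's outsourced message: envelope sender at BigCommunications, From: at the subdomain.
EXAMPLE = dict(
    sending_ip="1.2.3.4",
    mail_from="oceanic.airlines@bigcommunications.com",
    headers={"From": "Oceanic Airlines <oceanic@news.oceanicairlines.com>"},
)

if __name__ == "__main__":
    print(check_message(**EXAMPLE))      # {'spf': 'pass', 'senderid': 'pass'}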


      How to set up your DKIM records if you are outsourcing some, or all, of your email


      In my last two posts on outsourcing your email, I explained how to set up your SPF records if you are outsourcing your advertising email, and how to set up your SenderID records if you are outsourcing it.

      Next up is how to set up your DomainKeys Identified Mail, or DKIM, records if you are outsourcing your email.

      Why DKIM?

      First of all, why DKIM? I am going to assume you have a basic familiarity with DKIM; if not, it is defined in RFC 6376 or at DKIM.org. But to summarize it, DKIM is a way of cryptographically signing a message so that whoever receives it can verify both that it came from the sender it claims to come from, and that the message content has not been modified in transit.

      [This is not exactly how DKIM works. Technically, DKIM allows the receiver to validate that the signing domain sent (or is responsible for) the message. The signing domain is frequently, but not always, the sender (the domain in the From: address).

      Second, DKIM doesn’t strictly guarantee that the message has not been modified in transit, only that the parts of the message that were signed have not been modified in transit. Usually, all of the important parts are signed and that’s what a receiver cares about, but not always.

      But receivers frequently approximate it as verifying that the email really did come from the sender and hasn’t been tampered with.]

      How it works (the short version)

      DKIM uses public-key cryptography to sign a message from a particular domain (e.g., “from” example.com), and this signature is (mostly) tamper-proof. Receivers can trust that the message was signed by that domain. However, the reverse is not true: lack of a DKIM signature, or a failure to validate, does not mean you must distrust the message.


      How it works (the slightly longer version)

      The below diagram is how digital signatures work:

      [Diagram of how digital signatures work; image not reproduced here]

      DKIM works by including a digital signature in the message. The sender computes a hash over the selected headers and the body and signs that hash with its private key; the signature is carried as a string of text in the DKIM-Signature header. The receiver takes the signed content, queries DNS for the signing domain’s public key, recomputes the hash over the same content, and uses the public key to verify that the signature matches that hash. If it does, then DKIM verifies and the message really did come from (or at least was signed by) the signing domain. If not, then you can make no assertion either way.

      This is not the same as saying that the message did not come from the signing domain.

      1. It could be that a spammer is spoofing the message, or…

      2. It could be that the message was modified in transit (perhaps line wraps were folded or characters added in content conversion), or…

      3. It could be that the message came from a server where DKIM-signing was disabled, or…

      4. It could be something else.


      Advantages of signing with DKIM

      Why sign with DKIM? There are a couple of reasons:

      1. DKIM has path independence 

        DKIM is independent of its path. In SPF, whenever you change IP addresses, you have to update the SPF records with those new IP addresses. DKIM doesn’t care what IP addresses it came from, it only cares where the public and private keys are stored.

        This is very powerful flexibility and is easier to manage (in some ways).

      2. DKIM is a much stronger statement about identity than SPF 

        SPF is about IP addresses. Unfortunately, if you send out email from behind a shared IP service (such as an ISP, or an email cloud filtering service), others will also use that same set of IPs. This means that if others cause that IP reputation to degrade, your IP reputation degrades along with it. If they start spoofing you, other 3rd parties will pass that SPF check since both of you have the same set of IPs in your SPF records (I wrote about this here).

        DKIM is resistant to this since each domain signs with its own key. Thus, when you build domain reputation, you are building reputation on your own domain instead of everyone’s domain the way you would if you were sharing IP space.

      3. Signing with DKIM tells receivers that you are taking responsibility for the email 

        Because DKIM is largely spoof resistant, email receivers can look at the signing domain and determine who is responsible for the email. The sender is not spoofed, and therefore you are building a greater degree of trust.

        But beware! Signing with DKIM allows email receivers to trust you, but just because you sign with DKIM doesn’t automatically mean they will trust you. You still need to build your reputation. Signing with DKIM makes it easier.

        If you sign with DKIM but send spam, or users complain loudly about the email you sent, DKIM will not help you. But if you send email users want, then it does.




      4. The cool kids sign with DKIM

        We all want to be part of the cool kids.

       

      How to sign with DKIM

      If you are going to sign with DKIM (and you should), and you are outsourcing your email, then it is easy to sign with DKIM. Simply find a bulk emailer that will sign with DKIM, and they will do all the work for you.

      Let’s go back to our example sender – Oceanic Airlines. They contract out BigCommunications.com to send their marketing email. Oceanic wants the message to pass DKIM. What does that look like?

      1. First, BigCommunications.com agrees that it will be the one who will DKIM sign the message. They will pick something called a “selector.” The selector is a subdomain they will publish the public DKIM key to in their own DNS zone.

        In our example, they pick s1024_oceanicairlines. They pick this because the public key is unique to Oceanic Airlines, and the key length is 1024 bits. They like using this type of nomenclature because it’s easy to keep track of keys at a glance.

      2. Second, they publish the public key to their own DNS records at:

        s1024_oceanicairlines._domainkey.bigcommunications.com.

        Oceanic Airlines doesn’t have to publish anything.

      3. Third, when BigCommunications sends out the email communication, they use the “relaxed” header canonicalization algorithm and the “relaxed” body canonicalization algorithm before DKIM-signing the message. They do this because there are some MTAs out in the wild that will reformat messages, such as folding lines that exceed a certain length. If lines are folded after the message is DKIM-signed, but not unfolded before the DKIM signature is verified, the DKIM signature will not validate.

      4. Fourth, BigCommunications picks the headers they are going to hash and sign. The choice of this is somewhat arbitrary, but BigCommunications picks the RFC5322.From, RFC5322.To, Message-ID, Subject, Content-Type and Date.

      5. Fifth, BigCommunications signs with the rsa-sha256 algorithm because it is more secure than the older rsa-sha1.

      6. Sixth, BigCommunications also ensures that the message passes an SPF check. They do all the same things we talked about in my previous post. SPF and DKIM are independent of each other. Setting up one does not affect the other.
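      The canonicalization choice in step 3 is where most DKIM failures in transit come from, so here is an added example (my own code, not BigCommunications’ or the post’s) that implements relaxed header and body canonicalization and the bh= body hash from RFC 6376, builds the exact bytes that the RSA private key signs, and checks that a copy of the message whose Subject was folded by an intermediate MTA still produces the same bytes. It also covers the verification step described under “How it works”: the verifier recomputes those same bytes and checks the signature against the public key it fetches from <selector>._domainkey.<d= domain>. The message text, the Date format and the text/plain body are constructed for the example; the RSA signing call itself is left to a crypto library.

```python
"""Added example: DKIM relaxed canonicalization and body hash (RFC 6376 sections 3.4 and 3.7)."""
import base64
import hashlib
import re

SELECTOR = "s1024_oceanicairlines"
SIGNING_DOMAIN = "bigcommunications.com"
SIGNED_FIELDS = ["Message-ID", "Date", "Content-Type", "From", "To", "Subject"]


def selector_record_name(selector, domain):
    """DNS name a verifier queries for the public key: <s=>._domainkey.<d=>."""
    return f"{selector}._domainkey.{domain}"


def split_message(raw):
    """Split a CRLF-delimited message into [(name, raw value), ...] headers and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:          # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers, body


def relaxed_header(name, value):
    """Relaxed header canonicalization: lowercase name, unfold, collapse WSP, trim."""
    value = re.sub(r"\r\n[ \t]+", " ", value)           # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()       # runs of WSP become one space
    return f"{name.strip().lower()}:{value}\r\n"


def relaxed_body(body):
    """Relaxed body canonicalization: trim trailing WSP, collapse WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def body_hash(body):
    """The bh= tag: base64(SHA-256) of the canonicalized body."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_signature_input(raw, selector=SELECTOR, domain=SIGNING_DOMAIN, fields=SIGNED_FIELDS):
    """Return (DKIM-Signature value with an empty b=, bytes the RSA private key signs).

    The RSA step itself is left to a crypto library (e.g. openssl dgst -sha256 -sign);
    everything that decides whether a signature survives transit is computed here.
    """
    headers, body = split_message(raw)
    value = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
             f"h={':'.join(fields)}; bh={body_hash(body)}; b=")
    canon = ""
    for field in fields:                 # RFC 6376 5.4.2: sign the last instance of each field
        for name, raw_value in reversed(headers):
            if name.lower() == field.lower():
                canon += relaxed_header(name, raw_value)
                break
    # the DKIM-Signature header is hashed too, with b= empty and no trailing CRLF
    canon += relaxed_header("DKIM-Signature", value).rstrip("\r\n")
    return value, canon.encode("utf-8")


# Constructed message modelled on the post's example (not real mail).
ORIGINAL = (
    "Subject: Discover Ireland from $768* RT\r\n"
    "From: Oceanic Airlines <oceanic@news.oceanicairlines.com>\r\n"
    "To: Me\r\n"
    "Content-Type: text/plain\r\n"
    "Date: Fri, 26 Apr 2013 16:30:00 -0700\r\n"
    "Message-ID: <04262013_0163013@bigcommunications.com>\r\n"
    "\r\n"
    "Book now.   Seats are limited.  \r\n"
    "\r\n"
)

# The same message after an intermediate MTA folded the Subject and re-spaced the body.
REFOLDED = ORIGINAL.replace(
    "Subject: Discover Ireland from $768* RT\r\n",
    "Subject: Discover Ireland\r\n\tfrom $768* RT\r\n",
).replace("Book now.   Seats are limited.  \r\n", "Book now. Seats are limited.\r\n")


def survives_refolding(before=ORIGINAL, after=REFOLDED):
    """True when both copies yield byte-identical signature input, so the signature still verifies."""
    return dkim_signature_input(before) == dkim_signature_input(after)


if __name__ == "__main__":
    print(selector_record_name(SELECTOR, SIGNING_DOMAIN))
    print("signature survives refolding:", survives_refolding())   # True
```

      Under “simple” canonicalization the folded Subject and the re-spaced body would produce different bytes, the bh= and b= values would no longer match, and the signature would fail; that is the failure mode step 3 guards against.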

      Now that we are set up and ready to go, BigCommunications prepares the email to send it out. The SMTP conversation looks like this:

      HELO mail.bigcommunications.com
      MAIL FROM: oceanic.airlines@bigcommunications.com
      RCPT TO: <recipient>
      DATA
      Subject: Discover Ireland from $768* RT
      From: Oceanic Airlines <oceanic@news.oceanicairlines.com>
      To: Me
      Content-Type: multipart/alternative;
          boundary="----=_Part_8280486_25400197.1366674040595"
      Date: April 26, 2013, 4:30 PM PST
      Message-ID: <04262013_0163013@bigcommunications.com>
      DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=s1024_oceanicairlines;
      d=bigcommunications.com; h=Message-ID:Date:Content-Type:From:To:Subject;
      bh=<hash>;
      b=<hash>
      <Everything else in the email>
      .
      QUIT


      When the email receiver gets the message, they do a standard SPF check on the sending IP 1.2.3.4 against the domain bigcommunications.com. This passes.

      Next, they see the message has a DKIM-Signature header and extract the public key from s1024_oceanicairlines._domainkey.bigcommunications.com. They perform the necessary DKIM validation magic and the message validates.

      Both SPF and DKIM have passed!

      There’s no free lunch, however

      But be mindful about what’s going on here: news.oceanicairlines.com is not building reputation; it is not the domain in the RFC5321.From where SPF is performed, nor the domain in the d= field in the DKIM signature. Instead, it is BigCommunications.com that is building reputation.

      What this means is that email receivers will hold BigCommunications.com responsible for Oceanic’s email. That means that BigCommunications will have stringent anti-abuse policies in place that Oceanic must comply with. This is all well and good because if Oceanic doesn’t play by its rules, BigCommunications can cut off their outbound email flow.

      On the other hand, it is also BigCommunications.com that is building the good reputation, not Oceanic. If Oceanic decides it doesn’t like BigCommunication’s terms, it can’t just pick up and do it themselves.

      Why?

      Because email receivers don’t know who OceanicAirlines.com is with respect to bulk advertising email. It’s difficult to get bulk email delivered without getting blocked or throttled by all of the big email providers. Reputation is difficult to generate and maintain.

      Thus, if you have a 3rd party send email on behalf of you, and they sign it with their DKIM key in their DNS, you give up control of generating your own bulk email reputation. So long as you are willing to comply by the 3rd party’s rules, and you don’t need to send your own bulk email, everything is fine. It’s quick and easy and you don’t have to do anything special other than pay for the service.

      However, if you do want to generate your own reputation, then you’re going to have more work to do. That’s a topic for my next post.

      Oh, one last thing – you don’t have to bother signing email with DomainKeys, only DKIM.



      How to set up your DKIM records if you are outsourcing some, or all, of your email and still build your reputation


      In my previous post, I described how you can set up DKIM records if you are outsourcing your advertising email to a 3rd party.

      In summary: You don’t have to do anything.

      However, this comes at the cost of not being able to generate your own domain-reputation. You may care about generating reputation. After all, you want to be seen as a good and responsible email sender. This will help get email delivered to the inbox, and prevent getting added to IP blocklists or throttling lists. As spam filters move to domain-reputation, you want to be ahead of the game.

      So how do you keep your own reputation when you outsource your email?

      Let’s go back to the SMTP transaction from the previous example where Oceanic Airlines is outsourcing their bulk email to BigCommunications:

      HELO mail.bigcommunications.com
      MAIL FROM: oceanic.airlines@bigcommunications.com
      RCPT TO: <recipient>
      DATA
      Subject: Discover Ireland from $768* RT
      From: Oceanic Airlines <oceanic@news.oceanicairlines.com>
      To: Me
      Content-Type: multipart/alternative;
          boundary="----=_Part_8280486_25400197.1366674040595"
      Date: April 26, 2013, 4:30 PM PST
      Message-ID: <04262013_0163013@bigcommunications.com>
      DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=s1024_oceanicairlines;
      d=bigcommunications.com; h=Message-ID:Date:Content-Type:From:To:Subject;
      bh=<hash>;
      b=<hash>
      <Everything else in the email>
      .
      QUIT


      In this example, email receivers are building reputation on the domains in the RFC5321.From and the domain in the d= field in the DKIM signature. Here they are both bigcommunications.com.

      In order to build reputation using DKIM, Oceanic Airlines must be the domain in the d= field. This means that when email receivers get this message, they will perform a DKIM validation on s1024_oceanicairlines._domainkey.oceanicairlines.com.

      But how? Isn’t BigCommunications the one signing with DKIM? With a private key? How does Oceanic Airlines know what the public key is that is associated with the signing private key?

      There are two ways to accomplish this:

      1. Option 1 – Generate a key pair and give the private one to BigCommunications

        This is just as it sounds. The only way to know the public and private key pairs is to generate them both yourself. Then, you give the private key to BigCommunications and say “Here, sign with this key, and put this selector and d= field into the DKIM signature.” You then go and publish a DKIM record into the desired subdomain along with the public key. In this example, it would be:

        s1024_oceanicairlines._domainkey.oceanicairlines.com

        When BigCommunications sends email, the domain in the d= field is oceanicairlines.com. Email receivers are building reputation on oceanicairlines.com, which is your own domain. Since you are the ones actually composing the email, this is an added bonus (BigCommunications still has a strict anti-abuse policy since you can still degrade their IP reputation). Furthermore, the RFC5321.From address doesn’t change.

        Both DKIM and SPF pass!

      2. Option 2 – Let the 3rd party generate the key pair, and give you the public one to publish into DNS

        Very similar to option 1, rather than you generating the key pair, BigCommunications generates the key pair. They then tell you to publish the public key and required DKIM record into the necessary DNS subdomain. They will sign with your domain in the d= field, and everything else remains the same as option 1.

        Once again, SPF and DKIM will pass, and you will generate reputation on your own domain.


      This sounds pretty good. All you need to do is generate a public/private key pair, publish one to DNS and give the other to the 3rd party. Easy!

      But there is no free lunch.

      First, there’s the hassle of maintenance:

      1. It’s not as easy as letting the 3rd party do it all themselves, where you can “set it and forget it.” That is not the case with this setup.

      2. If you aren’t a DNS expert, you may have a tough time managing it. The key goes where…? The DKIM record looks like what…?

      3. You will also have to rotate the keys every so often, and ownership of maintenance of those records will get lost if you are in a large organization and the keys don’t change very often. The people who are responsible for setting this up change positions and forget to hand it off to the next guy. This becomes challenging if there are a lot of domains to manage.

      Second, the 3rd party may get compromised, or you may have hired an evil 3rd party, who starts sending out spam using your private key and your domain. What if an email receiver ever gets the following message:

      HELO mail.bigcommunications.com
      MAIL FROM: oceanic.airlines@bigcommunications.com
      RCPT TO: <recipient>
      DATA
      Subject: WIN A *** FREE *** TRIP TO WINNIPEG!!!
      From: Oceanic Airlines <oceanic@news.oceanicairlines.com>
      To: Me
      Content-Type: multipart/alternative;
          boundary="----=_Part_8280486_25400197.1366674040595"
      Date: April 26, 2013, 4:30 PM PST
      Message-ID: <04262013_0163013@bigcommunications.com>
      DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=s1024_oceanicairlines;
      d=oceanicairlines.com; h=Message-ID:Date:Content-Type:From:To:Subject;
      bh=<hash>;
      b=<hash>
      <Everything else in the email>
      .
      QUIT

      Now, as we all know, Winnipeg is a very enticing place and many of Oceanic’s customers want to go there.

      However, it is not Oceanic that has sent the message, but a spammer that has broken into BigCommunications, compromised the system and is sending out spam with malicious links. People all around the Internet – in a frenzied desire to go to Winnipeg – start clicking on them.

      What happens?

      Everyone starts complaining that they are getting spam in their inboxes “from” oceanicairlines.com. Oceanicairlines.com will see its reputation degrade. Some spam traps will harvest the sending domain (especially because it is signed with DKIM) and start adding them to domain blocklists. Some email receivers will do deeper forensics, but not all.

      When Oceanic tries to send out its next legitimate email campaign, filters all around the world reject it because they got so much spam from Oceanic in the past. This is all because some spammer broke into someone else’s house where you store your stuff.

      Worse yet, Oceanic’s corporate domain, oceanicairlines.com, is also blocked. Their users can’t send email to its regular customer base, or people they regularly communicate with, because so many spam filters have their domain listed on a domain blocklist.

      When you let someone else sign email as your own domain, you are at the mercy of their security practices. You may have good corporate security, but the others who can impact your reputation don’t necessarily have it.


      So how can you prevent this?

      First, if you discover that your domain is being abused, immediately revoke the DKIM record. It’s published in your own DNS zone, so you can take action to delete the record. When that happens, the spam messages will no longer authenticate with DKIM and instead will “only” pass SPF. But the good news is that email receivers will look to the domain in the SPF record as the one responsible – BigCommunications.com.

      Second, you may decide you want to do this key-publishing trick but you want to mitigate the risk of a rogue 3rd party sending as you. To do this, you delegate a subdomain to this 3rd party, very similar to what was done for passing SenderID.

      In our example, Oceanic delegates news.oceanicairlines.com. This way, if the 3rd party ever sends out spam, the “only” domain that is compromised is the one for bulk advertising. You can still send out email from your main domain.

      Let’s review. Below is the SMTP transaction:

      HELO mail.bigcommunications.com
      MAIL FROM: oceanic.airlines@bigcommunications.com
      RCPT TO: <recipient>
      DATA
      Subject: New in May: Discount trips to Istanbul
      From: Oceanic Airlines <oceanic@news.oceanicairlines.com>
      To: Me
      Content-Type: multipart/alternative;
          boundary="----=_Part_8280486_25400197.1366674040595"
      Date: April 26, 2013, 4:30 PM PST
      Message-ID: <04262013_0163013@bigcommunications.com>
      DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=s1024_oceanicairlines;
      d=news.oceanicairlines.com; h=Message-ID:Date:Content-Type:From:To:Subject;
      bh=<hash>;
      b=<hash>
      <Everything else in the email>
      .
      QUIT

      First, this message passes an SPF check because it is sent from bigcommunications.com’s IPs, and it contains their domain in the RFC5321.From.

      Second, this message passes a DKIM check on news.oceanicairlines.com because Oceanic has generated a public/private key pair and given BigCommunications the private key to sign with.

      Third, Oceanic delegated news.oceanicairlines.com specifically for sending outsourced email. If BigCommunications ever goes rogue, that is the only subdomain that should be affected.

      Fourth, Oceanic is building reputation on its subdomain news.oceanicairlines.com. This is not quite as good as building it on its parent domain oceanicairlines.com, but it’s the next best thing. Besides which, Oceanic DKIM-signs the email from @oceanicairlines.com coming out of its own email servers, so it is generating reputation on that domain, too.

      This is a good state of affairs.

      We now have a comprehensive guide to outsourcing email so that it passes SPF, SPF + SenderID, and SPF + DKIM.

      There is still one more type of authentication left: DMARC. Passing DMARC will require all of our previous knowledge, and also allows us to pass SPF + SenderID + DKIM if we choose.



      How to setup DMARC records if you are outsourcing some, or all, of your email – Part 1


      In my previous posts, I discussed how to set up your SPF, SenderID, and DKIM records if you are an organization that outsources some of its email to a 3rd party, such as advertising. For example, an airline might send out its flight confirmations from its own email servers and infrastructure, but contract out a 3rd party to send out advertising such as a sale on upcoming flights to Europe.

      So far we’ve learned the following for the organization that is doing the outsourcing:

      1. Complying with SPF is easy.

      2. Complying with SenderID is more difficult because you have to delegate a subdomain that 3rd parties can use, and then publish their SPF information in that subdomain’s SenderID record.

      3. Complying with DKIM is easy if you don’t mind not building your own reputation (that is, the 3rd party builds reputation and not you).

        However, if you want your own domain to build reputation using DKIM, you have to delegate a subdomain to that 3rd party (the same as SenderID) and then either generate a public/private key pair and give the 3rd party the private key and publish the public key into that subdomain’s DKIM record, or have the 3rd party generate the keys and then you publish the public key into that subdomain’s DKIM record.

      The next step is DMARC. I am going to assume you have a basic familiarity with DMARC. If not, you can view more details at http://dmarc.org. It’s not that difficult to understand; here’s a recap:

      1. DMARC is an anti-spoofing technology

        DMARC ensures that the email you receive in your inbox is authenticated.
        For example, below is a message from Geico. The email address in my email client, the RFC 5322.From, is geico @ email1.geico.com.

        [For the sake of this discussion, I am going to change some of the details of this message. Geico does not actually do what I am about to describe, they just happened to be in my inbox.]

        The domain in the d= field in the DKIM signature is campaigns.geico.com, and it passes a DKIM check.

        The domain in the RFC 5321.From (which does the SPF check) is bounces.email1.bigcommunications.com, and it passes an SPF check.

        Both the DKIM signature and the SPF check pass. This is part 1 of what DMARC requires: the message must pass an SPF check or a DKIM check.


        [Screenshot of the Geico message and its authentication headers; image not reproduced here]


      2. DMARC is a “what you see is what you authenticate” technology

        DMARC is designed to ensure that the sender you see that is rendered in your email client is the same as the one that is authenticated.

        In the above example, there are three domains: email1.geico.com (which is displayed to the end-user), campaigns.geico.com (which is validated with DKIM), and bounces.email1.bigcommunications.com (which is authenticated with SPF).

        Even though two domains are authenticated, this is transparent to the end-user. There is nothing in SMTP that says the RFC 5322.From domain couldn’t be “security @ paypal.com”. The email is authenticated (with SPF or DKIM) but the user still sees that the mail came “from” Paypal. A spammer can use this to send a spam blitz (by sending from an authenticated domain that the user never sees) in hopes they can trick users before spam filters catch up.

        DMARC combats this by requiring the RFC 5322.From address to be the same as the one that was authenticated, either with SPF or DKIM. This means that in the example above, even though the message was authenticated twice, it did not pass DMARC.


        Strict Mode

        Thus, in order for the above message to be DMARC compliant, the message must be one of the following (in DMARC “strict” mode):

        RFC 5322.From: email1.geico.com (the one the user sees)
        d= field in DKIM signature: email1.geico.com
        RFC 5321.From: This can be anything (the one used for SPF but not shown to the end user)

        OR


        RFC 5322.From: email1.geico.com (the one the user sees)
        d= field in DKIM signature: This can be anything
        RFC 5321.From: email1.geico.com (the one used for SPF)

        OR


        RFC 5322.From: email1.geico.com (the one the user sees)
        d= field in DKIM signature: email1.geico.com
        RFC 5321.From: email1.geico.com (the one used for SPF)

        In the last version, there is identifier alignment between the RFC 5322.From and the DKIM field and the SPF identifier but you don’t get any extra points for this. You only need two out of the three.


        Relaxed Mode

      DMARC also has “relaxed” mode for DKIM and SPF. This means that the RFC 5322.From and the domain in the d= field or RFC 5321.From can be sub-domains of each other. For example:

      RFC 5322.From: geico.com (the one the user sees)
      d= field in DKIM signature: email1.geico.com
      RFC 5321.From: This can be anything (the one used for SPF but not shown to the end user)

      OR


      RFC 5322.From: geico.com (the one the user sees)
      d= field in DKIM signature: This can be anything
      RFC 5321.From: email1.geico.com (the one used for SPF)

      OR


      RFC 5322.From: geico.com (the one the user sees)
      d= field in DKIM signature: campaigns.geico.com
      RFC 5321.From: email1.geico.com (the one used for SPF)

      Since email1.geico.com is a subdomain of geico.com, this passes “relaxed” DMARC identifier alignment.

      Okay, we’ve now seen how DMARC works. What the user sees is what is authenticated. This is easy to do when the sending domain transmits the messages directly from its own email infrastructure. But what about for outsourced email?

      This is something we have already encountered, and is the subject of my next post.



      How to setup your DMARC records if you are outsourcing some, or all, of your email – Part 2


      Continuing on in our series on authenticating outsourced email, how do we outsource our email such that we also pass a DMARC check?

      First, decide if you want DMARC to pass via an SPF check or a DKIM validation, or both.

      Second, delegate a subdomain for the 3rd party to send email “as your authenticating domain.” If Oceanic Airlines wants BigCommunications.com to send its email, it might pick news.oceanicairlines.com.

      Third:

      1. If Oceanic wants to pass DMARC with SPF, it must publish an SPF record for news.oceanicairlines.com that either lists BigCommunications.com’s IP addresses directly or includes BigCommunications.com’s record. This is exactly the same as setting up SenderID records except that Oceanic uses SPF syntax (v=spf1), not SenderID syntax.

      2. If Oceanic wants to pass DMARC with DKIM, it must publish a public/private key pair as described in outsourcing your email but still passing DKIM and building reputation on your domain.

      3. If Oceanic wants to pass DMARC with both SPF and DKIM, it must do both #1 and #2.



      Fourth, Oceanic must publish a DMARC record in oceanicairlines.com with “relaxed” SPF and DKIM alignment. Since “relaxed” is the default, they don’t have to publish anything special.


      BigCommunications.com can now send email with the RFC 5322.From as oceanic@oceanicairlines.com, but must specify news.oceanicairlines.com in the d= field of the DKIM header or in the RFC 5321.From, or both.

      Let’s take a look at a sample message:   

      HELO mail.bigcommunications.com
      MAIL FROM: bigcommunications.campaign@news.oceanicairlines.com
      RCPT TO: <recipient>
      DATA
      Subject: Discover Ireland from $768* RT
      From: Oceanic Airlines <oceanic@oceanicairlines.com>
      To: Me
      Content-Type: multipart/alternative;
          boundary="----=_Part_8280486_25400197.1366674040595"
      Date: April 26, 2013, 4:30 PM PST
      Message-ID: <04262013_0163013@bigcommunications.com>
      DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=s1024_oceanicairlines;
      d=news.oceanicairlines.com; h=Message-ID:Date:Content-Type:From:To:Subject;
      bh=<hash>;
      b=<hash>
      <Everything else in the email>
      .
      QUIT

      We see the following:

      1. The message passes an SPF check because Oceanic delegated a subdomain to BigCommunications.com and included BigCommunications.com’s SPF records in it.

      2. The message passes a DKIM check because Oceanic published a DKIM record in that same subdomain and gave BigCommunications.com the private key.

      3. The message passes identifier alignment because the domain in the RFC 5321.From (SPF) and in the d= field (DKIM), news.oceanic.com, is a subdomain of the RFC 5322.From domain, oceanic.com; the two share the same organizational domain, and Oceanic published a DMARC record with “relaxed” identifier alignment.

      Et voila! Oceanic has outsourced its email and it passes SPF, DKIM and DMARC!
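The alignment logic in the three points above, as an added example (my own code, not from the post): it assumes SPF and DKIM themselves have already been verified upstream and feeds those outcomes into a DMARC step that parses oceanic.com’s DMARC TXT record, pulls the identifiers out of the sample message, and decides alignment under relaxed or strict mode. The DMARC record text, the spoofer’s domain bulk.spammer.example and the two-label organizational-domain shortcut are assumptions, not things the post specifies.

```python
import re
from dataclasses import dataclass
from typing import Optional

def organizational_domain(domain: str) -> str:
    """Constructed shortcut for a Public Suffix List lookup: keeps the last two
    labels. Real DMARC verifiers derive the organizational domain from the PSL."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record; adkim/aspf default to 'r' (relaxed)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: " + txt)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def aligned(header_from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    a, b = header_from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else organizational_domain(a) == organizational_domain(b)

def domain_of_address(value: str) -> str:
    """Domain part of 'Name <user@dom>' or 'user@dom'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", value)
    if not match:
        raise ValueError("no address in: " + value)
    return match.group(1).lower()

def dkim_d_tag(signature: str) -> Optional[str]:
    """The d= tag of a DKIM-Signature header value, folded or not."""
    match = re.search(r"(?:^|;)\s*d=([^;\s]+)", signature)
    return match.group(1).lower() if match else None

@dataclass
class AuthResults:
    """What an SPF/DKIM verifier hands to the DMARC step."""
    header_from: str        # domain of the RFC 5322.From
    mail_from: str          # domain of the RFC 5321.From (the SPF identity)
    spf_pass: bool
    dkim_d: Optional[str]   # d= of the signature that was checked, if any
    dkim_pass: bool

def dmarc_evaluate(r: AuthResults, record: dict) -> dict:
    """DMARC passes if either an aligned SPF pass or an aligned DKIM pass exists."""
    spf_aligned = r.spf_pass and aligned(r.header_from, r.mail_from, record["aspf"])
    dkim_aligned = bool(r.dkim_pass and r.dkim_d
                        and aligned(r.header_from, r.dkim_d, record["adkim"]))
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "pass": spf_aligned or dkim_aligned, "policy": record.get("p", "none")}

# Identifiers from the post's sample message, plus a constructed DMARC record.
SAMPLE_MAIL_FROM = "bigcommunications.campaign@news.oceanic.com"
SAMPLE_FROM_HEADER = "Oceanic Airlines <news@oceanic.com>"
SAMPLE_DKIM_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; s=s1024_oceanicairlines;\r\n"
                   " d=news.oceanic.com; h=Message-ID:Date:Content-Type:From:To:Subject;")
OCEANIC_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@oceanic.com"  # assumed

def sample_message_result(adkim: str = "r", aspf: str = "r") -> dict:
    """The post's sample, assuming SPF and DKIM themselves verified upstream."""
    record = dict(parse_dmarc_record(OCEANIC_DMARC), adkim=adkim, aspf=aspf)
    results = AuthResults(header_from=domain_of_address(SAMPLE_FROM_HEADER),
                          mail_from=domain_of_address(SAMPLE_MAIL_FROM),
                          spf_pass=True, dkim_d=dkim_d_tag(SAMPLE_DKIM_SIG), dkim_pass=True)
    return dmarc_evaluate(results, record)

def spoof_result() -> dict:
    """Constructed spoof: From: claims oceanic.com, the spammer's own domain
    passed SPF, and there is no DKIM signature from an oceanic.com subdomain."""
    results = AuthResults(header_from="oceanic.com", mail_from="bulk.spammer.example",
                          spf_pass=True, dkim_d=None, dkim_pass=False)
    return dmarc_evaluate(results, parse_dmarc_record(OCEANIC_DMARC))

def spf_only_result() -> dict:
    """Constructed: an aligned SPF pass with no DKIM signature at all still
    passes DMARC, because one aligned pass is enough."""
    results = AuthResults(header_from="oceanic.com", mail_from="oceanic.com",
                          spf_pass=True, dkim_d=None, dkim_pass=False)
    return dmarc_evaluate(results, parse_dmarc_record(OCEANIC_DMARC))

if __name__ == "__main__":
    print("sample, relaxed:", sample_message_result())
    print("sample, strict: ", sample_message_result("s", "s"))
    print("spoof:          ", spoof_result())
    print("SPF only:       ", spf_only_result())
```

Running it shows the sample passing on both identifiers under relaxed alignment, failing both under strict (news.oceanic.com is not exactly oceanic.com), the spoof failing despite its SPF pass because bulk.spammer.example does not align, and the SPF-only case passing with no DKIM at all.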

      Fifth, and this is outside of how to send your email but still required for DMARC, Oceanic needs to specify an “rua” address for authentication reports. An “rua” address is an email address to which email receivers send rolled-up, aggregated reports when messages claiming the domain fail DMARC.

      That is, if a spammer spoofs OceanicAirlines.com, the message will fail a DMARC check since it will pass neither an SPF check nor a DKIM check. The email receiver will send a rolled-up report to this “rua” address. However, if BigCommunications.com messed up its configuration and sent email with the wrong RFC 5321.From or the wrong DKIM private key, that also fails DMARC and the email receiver will likewise send a rolled-up report.

      Oceanic can go through these reports to determine whether (a) spammers are spoofing its domains, in which case it can take action against them, or (b) BigCommunications is authenticating incorrectly, in which case the report identifies the problem so it can be fixed.

       

      That’s outside of the scope of this discussion, but it is one of DMARC’s most useful features.
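The triage described in the two “rua” paragraphs, as an added example (my own code, not from the post): it parses a constructed aggregate report in the RFC 7489 XML format and sorts each row into an aligned pass, a likely spoof, or a misconfigured third party. The split between the last two rests on an assumption the post does not make explicit: Oceanic knows which IP range BigCommunications.com sends from, so a failing row from that range that still names the delegated news.oceanic.com subdomain is a configuration error, while a failing row from elsewhere that names a foreign domain is a spoof. All IPs, domains and counts in the report are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed aggregate report: one passing row, one row from the delegated
# sender with a bad key / unlisted IP, and one row from an unrelated spoofer.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>Example Receiver</org_name>
    <report_id>constructed-report-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>oceanic.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>oceanic.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>news.oceanic.com</domain><result>pass</result></dkim>
      <spf><domain>news.oceanic.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.11</source_ip><count>300</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>oceanic.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>news.oceanic.com</domain><result>fail</result></dkim>
      <spf><domain>news.oceanic.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>5000</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>oceanic.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk.spammer.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

OUR_ORG_DOMAIN = "oceanic.com"
# Assumed: the range BigCommunications.com sends from, as known to Oceanic.
THIRD_PARTY_NETS = [ipaddress.ip_network("198.51.100.0/24")]

def from_known_third_party(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in THIRD_PARTY_NETS)

def is_our_domain(domain: str) -> bool:
    """True for oceanic.com itself or any of its subdomains."""
    d = domain.lower().rstrip(".")
    return d == OUR_ORG_DOMAIN or d.endswith("." + OUR_ORG_DOMAIN)

def triage(report_xml: str) -> list:
    """One verdict per <record>: aligned-pass, third-party-misconfigured, likely-spoof."""
    root = ET.fromstring(report_xml)
    findings = []
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        # Domains the receiver actually checked SPF/DKIM against for this row.
        auth_domains = {d.text for d in rec.findall("auth_results/*/domain")}
        if dkim == "pass" or spf == "pass":
            verdict = "aligned-pass"          # DMARC needs only one aligned pass
        elif from_known_third_party(ip) and any(is_our_domain(d) for d in auth_domains):
            verdict = "third-party-misconfigured"   # our delegated subdomain, wrong key or IP
        else:
            verdict = "likely-spoof"          # neither our sender nor our domains
        findings.append({"ip": ip, "count": count, "verdict": verdict,
                         "auth_domains": sorted(auth_domains)})
    return findings

def summarize(report_xml: str) -> dict:
    """Message counts per verdict, the figure you would act on."""
    totals = {}
    for f in triage(report_xml):
        totals[f["verdict"]] = totals.get(f["verdict"], 0) + f["count"]
    return totals

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f)
    print(summarize(SAMPLE_REPORT))
```

The verdict names are mine; in practice the “third-party-misconfigured” bucket is the one to raise with the sending vendor, and the “likely-spoof” bucket is what the policy (p=quarantine here) is already acting on at the receiver.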

      * * * * * * * * * * * * * * * * * * * * * * * *

      At this point, I think DMARC authentication is well understood but let’s tie up some loose ends.

      1. Delegating a subdomain is optional in SPF and DKIM by themselves, but is required for DMARC

        If you don’t want to delegate a subdomain in SPF or DKIM, you don’t have to. The reason you want to is to generate reputation on your own domains. It is more work and there are risks associated with it but there are ways to manage this.

        However, to pass DMARC, you must delegate a subdomain.

        [“Must” is too strong a word because technically it is optional, but I use it because in my opinion it is the best way to mitigate risk in case a 3rd party starts sending out spam as your domain. You still have to publish the 3rd party’s SPF or DKIM records in your own DNS zone]

      2. SenderID is not used by DMARC

        SenderID is designed to combat spoofing of the RFC 5322.From address. However, DMARC does the same thing. Thus, the decision to publish SenderID records is optional. The reason you would do it is to ensure that email receivers that do not validate DMARC but check SenderID will not reject the message.

      3. DMARC requires either SPF or DKIM; this means that you cannot pick and choose which one you want to authenticate with

        I went into this a little bit in my blog post on How large financial institutions should use hosted filtering.

        DMARC doesn’t let the sender say “Authenticate with DKIM only, because other senders behind the same IP address might be able to spoof my domain and thereby pass SPF and thereby pass DMARC which only requires one of SPF or DKIM to pass.”

        To get around this, a domain could publish no SPF record at all, but publish a DKIM record and a DMARC record. The SPF check would then not pass, but the DKIM check would, which is good enough for DMARC.

        Unfortunately, there are still a lot of organizations that do not verify DMARC but instead only rely upon SPF. If you don’t publish SPF records, you will open up yourself to being spoofed by spammers who send mail as your domain to receivers who don’t validate DMARC. This is a lot of risk, probably too much (this is the whole problem of phishing that DMARC is supposed to fight).

        Thus, using DMARC works best when you send outbound email from a source where your domain cannot be spoofed (i.e., dedicated IPs), or there is a low likelihood of spoofing, or where you are willing to accept that risk.

      4. DMARC is great but most spam filters still rely upon IP reputation

        DMARC is a great piece of technology: it helps combat phishing, forces senders to start building domain reputation and helps receivers build (and use) domain reputation. However, most spam filters today still rely on IP reputation.

        This means that if the IPs you send from also send spam, your reputation will degrade even if you authenticate with SPF, DKIM and DMARC. These three authentication mechanisms can help, but they aren’t a fail-safe.


      And with that, I am going to close my series on How to Outsource Your Email and Still Pass Authentication. I hope you enjoyed it.

      As always, feedback is welcome.



      I don’t have to do anything and my credit card information gets breached


      Yesterday, while reading a book on my Kindle app (on my PC), I got an email from American Express with the subject line “Fraud Protection Alert.”

      “Fraud protection?” I said (out loud, to no one in particular, except for possibly my cat who did not respond).

      Yes, fraud protection. The email message had the last 5 digits of my account number, so I knew it was probably my card, and then it had the name of a merchant – Shell Canada – and a charge of $20.00 Cdn funds.

      image

      I racked my brain. Did anyone I know have my credit card in Canada at the moment? No, they don’t. I looked at the contact information and gave Amex a call where I subsequently reversed the charges, got the card cancelled and got a new one.

      I don’t know how this card could have been breached. It is my corporate credit card, and I use it very rarely – only to travel on business. It stays with me at all times. How did some scammer steal it and use it?

      I started making a paper trail in my head. Since nobody had physical access to my card, I could only assume that it was a breach – some hacker broke into a business I had used and leaked all the credit card data, probably pasting it online somewhere. Some other scammer (or possibly the same one) used that leak to buy gasoline.

      Working my way backwards, my theory is that the probable source of the leak is proportional to how recently I used the card. That is, if the last time I used the card was May 1, then that is the most likely source of the leak. If the second last time I used the card was April 28, then that is the second most likely source.

      Now, you may not agree with this theory; however, because I use this card so rarely and the time between major transactions is weeks (or months), it’s a good place to start for my usage pattern.

      image

      Using this as a starting point, I started thinking about what I’ve purchased in the past two months:

      1. Airline tickets
      2. Booked a hotel

      Well, that doesn’t help much. Either the airline leaked it, or the hotel leaked it. If I were to guess, I’d guess the hotel leaked it since they are tempting targets for identity thieves because of their clientele (business travelers) and hotels don’t always have the same safeguards that banks do (airlines are under more scrutiny).

      I called up my credit card company and canceled the card. They sent me a new one and it arrived today. Upon checking my account, I discovered that said thief charged three different purchases at a gas station in Montreal.

      I am no closer to figuring out where this leak may have happened.

      * * * * * * * * * * * * *

      Fast forward to today, and I got a letter from my bank. I opened it up and inside is a new debit card. For you see, while they were doing routine fraud detection, they discovered some fraudulent activity on my card and sent me a new one.

      What in the world?

      First my credit card, now my debit card?

      As disconcerting as this is to lose two cards in a week, it also potentially helps narrow down the target. Where did I use my debit card and credit card in the same place?

      I went to my credit card website and made a list of all purchases from the start of the year. I figured that a likely suspect was this past February while I was at the MAAWG conference in San Francisco. That’s when I would use my corporate credit card.

      Next, I checked my debit card purchases during that same time frame, looking to see if there were any vendors that were in common.

      There was: the Buckhorn Grill in San Francisco. One day I went there because I was there on business, but I stayed an extra day in San Francisco and paid for it myself.

      Two cards in one place.

      Both cards leaked this week.

      This could be a coincidence, but I don’t think so. I think that’s where the data leak occurred. I don’t remember much about the transaction, but either the card information wasn’t encoded and someone wrote down the number, or they had a breach.

      My theory about the “recency” effect was right, but I didn’t go back far enough. I had to go back 3 months in time rather than a few weeks.

      While I don’t like getting my data exposed, it does make me feel better to engage in this detective work and figure out a likely place of origin.
