Channel: Terry Zink: Security Talk

Edward Snowden on the defensive?


I was reading in the New York Times the other day an article entitled Snowden Defends Query to Putin on Surveillance. The article references a televised question-and-answer session with Russian President Vladimir Putin in which Snowden shows up unexpectedly and asks Putin whether Russia engages in the same sort of unlawful surveillance that the NSA does.

Putin jockeys with him jokingly for a bit, saying that they're both intelligence agents, and then denies it: Russia doesn't have the money to do it, and its intelligence gathering is governed by society and by law. The implication is that Russian intelligence agencies are more ethical than their US counterparts.

American journalists were quick to criticize Snowden. Just how, exactly, did he manage to conveniently show up on this telethon to ask President Putin these questions? The underlying message is that Snowden is being used as a propaganda piece for the Russian government, willingly or unknowingly. While aiming his arrows at the US for intelligence gathering practices he finds unethical (and the morality of which is still contested, at least in the United States; you may disagree with my assessment, but there is no universal condemnation), how can he miss the unethical actions Russia is taking in Ukraine, first by annexing Crimea and then by threatening to invade Ukraine, or at least fomenting unrest?

In other words, the criticism is that Snowden is picking-and-choosing at whom he feels outrage; it is hypocritical to give the Russian government a chance to showcase their moral superiority at the expense of the US, while ignoring the Russian government’s current transgressions.



Snowden disagrees with this. He flat out denies it:

Calling Mr. Putin’s answer evasive, Mr. Snowden wrote that he was “surprised that people who witnessed me risk my life to expose the intelligence practices of my own country could not believe that I might criticize the surveillance policies of Russia, a country to which I have shown no allegiance, without ulterior motive.”

He also noted that a Russian investigative journalist, Andrei Soldatov, “perhaps the single most prominent critic of Russia’s surveillance apparatus” described his question as “extremely important for Russia.”

As soon as I read this, many red flags went up in my mind.

For you see, a few years ago I started studying up on deception – how humans do it and how to detect it. There’s no sure-fire way to tell when someone is lying, but with training you can get it right 80-90% of the time (without training you can get it right 53% of the time, roughly equal to a coin flip).

People don’t like to be labeled as deceivers. We have a great need to feel consistent and will often explain things to ourselves in order to convince ourselves of our actions to make that cognitive dissonance go away.

I am not an expert in detecting deception, nor am I a trained analyst. But I have read many books and Snowden’s answers jumped out at me with their obviousness.

What follows is what I think:

  1. The first red flag – Look at the past good things I have done!

    When someone is accused of something and they change the subject by bringing up past examples of good behavior, that is suspicious. This is known as a “convincing statement.”

    For example, suppose the police were interrogating a suspect about a break-in and he says, "You know, this past weekend I was helping out at the homeless shelter." The idea is to deflect suspicion by creating a halo effect: the tendency to believe that one good characteristic of a person spills over into all of that person's traits. Surely someone who selflessly helps the homeless would not commit a crime! But helping the homeless does not mean he could not break and enter.

    Look at Snowden’s response: he risked his life to expose the intelligence practices of his own country. That was a very ethical thing to do, so why would he do such an unethical thing and appear as a propaganda piece for the Russian government now?

  2. The second red flag – you haven’t seen me do anything

    Snowden issued a non-specific denial: Russia is a country to which he has shown no allegiance. When a denial is open-ended in form but narrowly worded, that can be a sign of deception. Snowden said he has shown no allegiance and that his question was without ulterior motive. That is subtle: "shown no allegiance" does not mean he has none, nor that he has no ulterior motive, only that others can't see one.

  3. The third red flag - Turning around the accusations

    When someone is caught in a lie, they will often flip around the question and attack the accuser. In this case, Snowden expresses surprise that people who saw him do such a heroic action now can’t believe that he would break from his past ethical actions. In other words, they should be ashamed of themselves for not trusting his character.

  4. The fourth red flag – Redirection with an appeal to authority

    This one is not as strong, but Snowden dismisses the attack against him by appealing to another journalist who has similarly criticized Russia’s surveillance state, and this journalist says that Snowden’s question is very important.

    Snowden’s question is important, yes, but that is not what we are discussing; we are discussing whether or not this question-and-answer session was staged and whether or not Snowden is being used by the Russian government to further its own public relations.

Regardless of what you think of Snowden (that he's a hero for exposing a corrupt government, or a traitor for giving away secrets), my view is that his most recent critics, over this Putin Q&A session, struck a nerve, and he felt he had to defend himself. But the way he phrased it indicates to me that he is hiding something. Maybe he initially thought he was asking Putin a hard question but, upon further reflection, realizes he was used to further the Russian agenda and now has to rationalize what he did… but can't admit it.

Or perhaps I am wrong and he actually means what he says and the red flags I detected are false positives.

I guess that depends on what I want to believe.


I got locked out of my house this past week. This reminds me a bit of the NSA.


This post probably contains more information than you wanted to know.


My wife last week was out of town, and during the week we had our windows replaced from single-pane to double-pane. Single-pane windows are very cold in the winter, the heat just gets sucked right out of them.

The window guys came by in the morning on Wednesday. I asked them to do what they needed to do, lock the doors when they leave and just exit out the garage. They just needed to push the garage door opener by the exit when they were done. It’s a bit of a security risk leaving them alone, but I didn’t have much choice because I had to run down into the city later in the day and couldn’t come back in time to see them off.

Well, fast forward to the evening. I came home and everything was intact. About 75% of the windows were replaced, I didn’t notice any issues at all. The cat didn’t enjoy being locked in the bathroom all day but she got over it.


 

Later that evening, I took the trash out. I walked out my front door, put the trash in the garbage can and took it to the curb. I walked back from the curb to the front door and pressed the door handle.

The door wouldn’t open.

“What the—?” I said.

I then used my tried-and-true strategy for getting into locked doors that failed the first time: I tried opening it again. And once again, it wouldn’t open.

“WHAT THE—!” I shouted. How did this door lock?

I have a deadbolt. The only way to lock the door is to physically turn it from the inside, or insert the key into the outside lock and turn it physically. Ergo, it is impossible to lock myself out. I like it that way otherwise I’d lock myself out all the time (something I did a couple of times while I lived in England).

How in the world did I lock myself out? That’s not possible!


I had no keys, no jacket, no wallet, no phone. All of it was indoors. Furthermore, all the windows had just been replaced so I couldn’t break any of them (well, technically, I guess I could have). But the back doors were now secure as they had just been replaced a few hours earlier.

Bottom line: I had no way to get back into my house. And no idea how I got locked out.

I went around the house looking for ways to get in, knowing that I couldn’t. I tried each window and each of the back sliding glass doors. No luck. I tried lifting up the garage door, also without success.

My brain started to race a bit. What was I going to do?

I walked to my neighbor’s place and asked for help. We’ve chatted several times in the past and know each other. I knocked on his door and explained my situation.

I asked to borrow his phone and the first thing I did was call my wife. For you see, some friends of her parents have a spare key, but I can't remember exactly where they live. I also don't know their phone number. And even if I did know where they lived, there's no guarantee they would be home.

Unfortunately, the wife didn’t answer her phone. I had no other option, I had to call a locksmith.

I waited about 30 minutes at the neighbor’s for the locksmith to arrive. He proceeded to try to pick the lock but it didn’t work. The lock is a newer lock and is resistant to picking. There was no way to get inside short of brute force.


Fortunately, I had a backup plan. That day I drove to work, but I walked home; on days when I drive, I like to get exercise if I can. So my car, with the garage door opener inside it, was sitting at work. Since the door inside the garage leading to the house was unlocked, as long as I could open the garage I could get inside the house. And getting into my car is much easier than getting into the house: experienced people can get into my locked car in under a minute. They've done it before, and they did it this time.

We drove to work, got into my car, I retrieved the garage door opener, returned home, I opened the garage, and got inside.

Success!

But why did my front door lock me out? That made no sense!

I inspected further. The deadbolt was not engaged. Instead, when the window people locked up they flipped a switch on the doorknob that puts the handle into a locked mode: pressing the handle no longer turns the latch, and the door opens only with the key. They flipped that switch earlier in the day, and when I closed the door behind me that evening I had no way back in, since pressing the handle did nothing. We never use this setting, so I never would have thought to check it.

Anyhow, I paid the locksmith $153 for his time: a service call, labor, and getting into the car. Yeesh.

After I was back inside, I started thinking about how I got back into my house. I didn’t use brute force to break in, and I didn’t pick the lock, either. The lock and structural integrity was in place the entire time. Instead, I used a “weakness” to get into the building.

This reminded me (loosely) of how the NSA "breaks" encryption. Ever since the Snowden story broke, people have been wondering, "Does the NSA have a way to break encryption?" The collective answer seems to be "No, so long as you use the right algorithms. However, the NSA usually goes around the encryption."


I’m not sure what that means exactly (I haven’t read up on the finer points), but just as I could have used brute force to break into my house but didn’t, the NSA could use brute force to break encryption but doesn’t (or rather, cannot). But just as I didn’t need to break in, the NSA doesn’t need to break encryption, either. They can go around by getting the encryption keys, getting access to data unencrypted, or just observing patterns.

In other words, what I can do in terms of physical security, professionals can do in terms of cyber security. There are multiple other ways to compromise the perimeter other than doing it in the most obvious way.

Anyhow, that’s what went through my head.

Salt-and-Silver


I had a magic performance a couple of weeks ago and I decided to develop a new routine. I have never performed this trick before. I like it because it is very heavy in sleight-of-hand and misdirection, which are some of my specialties.

Enjoy!


Microsoft.com now publishes an SPF Hard Fail in its SPF record


This past Monday evening, Microsoft changed the SPF record for the domain microsoft.com from soft fail (~all) to hard fail (-all).

There are many ways that receivers can use an SPF hard fail: some mark the message as spam outright, some use it as a heavy weight in their spam filter, some use it as a light weight, and some do nothing with it. However a given receiver uses it, publishing a hard fail allows those receivers that honor it to discard mail that claims to be from Microsoft but fails SPF authentication.

I personally led the effort to update the SPF record. Because Microsoft is such a large company with so many teams sending email in so many different ways, it took a long time to inventory everyone and get it under control.

But we finally got it done. It's something I will be talking about at the upcoming Virus Bulletin conference in Seattle this September, in a talk titled "DMARC - how to use it to improve your email reputation."
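As an added illustration (not code from the original post), the following Python evaluates a sending IP against an SPF record and shows the one thing the change above alters: the qualifier on the trailing all mechanism, which turns the same non-matching IP into softfail under ~all and fail under -all. The two records are constructed for the example and are not microsoft.com's actual record. Only the ip4, ip6 and all mechanisms are evaluated, because include:, a, mx, ptr, exists and redirect= need DNS lookups; receiver_action is one hypothetical receiver policy, since, as the post says, receivers treat a hard fail differently.

```python
import ipaddress

# Constructed records for the example; NOT microsoft.com's real SPF record.
SPF_SOFTFAIL = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"
SPF_HARDFAIL = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# RFC 7208 qualifiers; an unqualified mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return the SPF result for sender_ip under record.

    Only ip4, ip6 and all are evaluated offline. Any mechanism or modifier
    that needs DNS (include, a, mx, ptr, exists, redirect=) ends evaluation
    with 'temperror' because it cannot be resolved here.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:  # a modifier rather than a mechanism
            if term.lower().startswith("exp="):
                continue  # explanation text never changes the result
            return "temperror"  # redirect= needs a DNS lookup
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # ~all -> softfail, -all -> fail
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue  # no match, try the next mechanism
        return "temperror"  # include/a/mx/ptr/exists need DNS
    return "neutral"  # ran off the end with no "all" term


def receiver_action(result, reject_hardfail=True):
    """One hypothetical receiver policy; real receivers vary, as the post notes."""
    if result == "fail" and reject_hardfail:
        return "reject"
    if result in ("fail", "softfail"):
        return "spam-weight"  # feed the result into the filter instead
    return "accept"
```

The point of the two records is the last term only: a sender outside the listed ranges gets softfail from the first record and fail from the second, and only the second lets a receiver that enforces -all refuse the message outright.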

I have been fighting spam for 10 years


A week and a half ago, I “celebrated” my 10th year fighting spam. I originally joined Frontbridge in July 2004, and 10 years later I am still with Frontbridge after it was acquired by Microsoft. Since that time, it has been known as:

  • Frontbridge (how almost everyone in the email filtering community still knows us)
  • Exchange Hosted Services (EHS)
  • Exchange Hosted Filtering (EHF)
  • Forefront Online Security for Exchange (FOSE)
  • Forefront Online Protection for Exchange (FOPE)
  • Exchange Online (ExO) and Exchange Online Protection (EOP)
  • Office 365 (used interchangeably by me along with the previous bullet point)

I was going to discuss all the changes I’ve seen in spam filtering during the past 10 years. But that would be a really long post and I don’t have the patience to write those anymore.

Instead, I will discuss the three biggest innovations that I have seen in the past three years specifically with regards to anti-phishing (something I have been working on lately):

  1. DMARC

    DMARC is a major revolution in spam filtering because it combines authentication with a feedback loop that helps senders improve their authentication practices. It was also a major step forward in the amount of cross-organization collaboration needed to come up with a common protocol and then have everyone implement it. I'll have more to say about DMARC in a future post.

    DMARC is not the silver bullet for phishing, but what it does, it does very well.

  2. Advanced Threat Detection I – Attachment Detonation

    If you’re not familiar with attachment detonation, it’s because it is relatively new on the scene and it is more for enterprise consumers of spam filters.

    We’re all familiar with traditional Antivirus defenses – they match a file in an attachment against a known corpus of malware using signature-based analysis and also apply some heuristics. This is a reactive technology with a little bit of prediction.

    Attachment detonation takes the attached file and actually opens it and executes it during the filtering stage. It does not rely upon signatures. Instead, it uses a series of algorithms to look for behavior commonly found in malware. Did it change the registry? Did it access memory in suspicious ways? Did it install a rootkit? If so, the attachment is malware. It does this by running the file in emulated copies of several software versions where the exploited vulnerability may exist (e.g., Windows XP, Windows XP SP1, Windows 7 RTM, Windows 7 fully patched, etc.).

    This is substantially different than traditional A/V. While A/V vendors use this technology internally to identify malware, Attachment Detonation is turning that internal technology into an actual product.

  3. Advanced Threat Detection II – Time-of-Click Protection

    When I get spam in my inbox or even my junk mail folder, sometimes I click on the link to see where it goes (for research purposes). This goes through our corporate router and proxy and if the URL is bad, I get a message saying “This website is not allowed because it is malicious!” displayed on my screen.

    But what if I clicked on that message on my phone while reading the email at the airport?

    Time-of-click protection is a technology that proxies a user's clicks through a service that inspects the URL at the moment of the click and, if it is bad, displays a message indicating it is malicious. In other words, it does the work of a web browser that has safe browsing built in.

    But not every browser does, especially on a mobile device. Time-of-click protection has multiple uses, but unprotected mobile devices and URLs that turn bad after delivery are two of them. This is a departure from time-of-scan protection, wherein most filters compare each URL within a message against a reputation list once, at delivery. Time-of-click is basically time-travelling: you can update a decision after the message has already been delivered.
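The following Python is an added example, not code from the original post or from any Microsoft product, showing the two halves of time-of-click protection: at scan time every http(s) href is rewritten to point at a checker, and at click time the checker consults the reputation list as it stands then. The checker hostname, signing key and the phishing URL are all constructed for the example. The HMAC over the original URL is the check a practitioner wants here: without it, the checker is an open redirector that anyone can point at any site.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical checker endpoint and signing key (assumptions for the example).
CHECK_ENDPOINT = "https://safelinks.example.net/check"
SIGNING_KEY = b"constructed-demo-key-change-me"

HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def _sign(url):
    # HMAC over the original URL so the checker only honors links that our
    # filter rewrote; otherwise it would be an open redirector.
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(html):
    """Time-of-scan step: point every http(s) href at the click-time checker."""
    def repl(match):
        original = match.group(1)
        return 'href="%s?url=%s&sig=%s"' % (
            CHECK_ENDPOINT, quote(original, safe=""), _sign(original))
    return HREF_RE.sub(repl, html)


def handle_click(proxied_url, blocked_hosts):
    """Time-of-click step: verify the link is ours, then consult the reputation
    list as it stands *now*, not as it stood when the message was delivered."""
    params = parse_qs(urlsplit(proxied_url).query)
    original = params.get("url", [""])[0]
    sig = params.get("sig", [""])[0]
    if not original or not hmac.compare_digest(sig, _sign(original)):
        return ("invalid", None)  # tampered, or not a link we rewrote
    if urlsplit(original).hostname in blocked_hosts:
        return ("blocked", original)  # show the "this site is malicious" page
    return ("redirect", original)  # send the user on to the real site


def demo():
    """Same message, same click handler; only the reputation list has moved."""
    # Constructed message body, not a real phish.
    body = '<p>Please <a href="http://login-update.example.org/verify?u=1">verify</a></p>'
    rewritten = rewrite_links(body)
    proxied = HREF_RE.search(rewritten).group(1)
    at_delivery = handle_click(proxied, blocked_hosts=set())  # nothing known yet
    at_click = handle_click(proxied, blocked_hosts={"login-update.example.org"})
    return at_delivery[0], at_click[0]
```

demo() returns ("redirect", "blocked"): a time-of-scan filter that only checked the URL at delivery would have let the later click through, while the rewritten link lets the verdict change after the message is already in the inbox.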

Those are the three biggest changes I have seen in the past two years. Who knows what I’ll see in the next two?





We have a mural painted on our wall


If you haven’t noticed the various posts on my Facebook feed, we now have a mural on our wall next to the dining room. It’s a picture of the Charles Bridge in Prague in the Czech Republic.



I really liked the city of Prague – I was intrigued by its multiple types of architecture: Renaissance, Gothic, and Baroque. In the picture above, you can clearly make out Gothic and Baroque.

What’s the difference? Well, one hallmark of Baroque is the technique the French call “trompe l’oeil,” which means to “trick the eye.” That style is not reflected above although it is everywhere in Prague. Another feature of Baroque is the ice-cream-cone roofs on some of the towers; if you look in the distance you’ll see them.

Gothic, by contrast, is characterized by its long spires and ash-colored roofs. That’s the central focus of the bridge and even the clock tower on the right. I like that style of building.

But I also liked the bridge for its religious significance. The Charles Bridge has statues of Christian saints all along its sides, and Gothic churches have a history behind them in that their layout is intended to tell the gospel story; that is how it was told to pre-literate societies. For example, the churches are laid out in the shape of a cross, they are oriented in a particular direction, and the spires signify being close to God. The Czech Republic has one of the highest rates of atheism in Europe, but it was not always this way, as its architecture and carvings demonstrate.

I’ve wanted a mural on the wall for a couple of years now. I had several ideas in mind but ultimately settled on Prague after I bought a painting on the street but couldn’t find a frame that fit for it. Rather than spending $100 on a frame (no exaggeration), I decided to spend money on the wall.

I don’t regret it at all.

* * * * *

You may be wondering what this has to do with cyber security. Well, in June 2013, MAAWG held its meeting in Vienna, Austria. After Vienna, my wife and I went to the Czech Republic for a week. We spent time in Cesky Krumlov (highly recommended) and the rest in Prague.

While in the Czech Republic, I started drinking beer for the first time in my life. All my previous years, I didn’t drink it. I had tried it a few times but strongly disliked the taste. But in the Czech Republic, I tried it and it was amazing! It was Pilsner Urquell, and that’s the drink that got me into trying various types of beer. Pilsner Urquell doesn’t taste the same in the US as in Europe, but I’m fortunate enough to live in a part of the country where they brew pretty good beer locally. It turns out that I didn’t dislike beer; I had only ever tried stuff that wasn’t very good.

So, this post appears on this blog because if it weren’t for MAAWG, I would not have this mural on my wall, nor would I have ever started drinking beer.

That’s a true story.

Different Levels of Bulk Mail filtering in Office 365


In the Office 365 service, we have made a change to the way the service detects bulk email. In the past, we lumped all Bulk email together. For example, suppose you had four messages with the following Subject lines and other characteristics:

  1. Subject: Your Daily Deal-of-the-Day!

    You signed up for this newsletter once a long time ago, and you read it once per week.


  2. Subject: Attend an upcoming webinar for a product you don’t care about!

    You were at a conference one time and put your business card in a fishbowl for a drawing for a free iPad Air, but you didn’t win. Unfortunately, you didn’t realize that by giving away your business card you were “consenting” to the people behind the draw to add your name to their email list.


  3. Subject: Security News: Company A releases an updated version of its product

    You’re a security professional and you want to get up-to-date news on what’s out there. You signed up for this email and read it every day.


  4. Subject: The latest Back to School special

    You were buying something one time at a large retailer and in order to get 10% off your purchase of pencils, you gave them your email address. Little did you know, this meant signing up to receive advertisements via email. Who reads the fine print on receipts, anyway?


Looking over these types of bulk email, some of them (#3) are more desirable than others (#2). In Office 365, we used to mark all of these as bulk email and then give customers the ability to mark them as spam using an Advanced Spam Filtering (ASF) rule.

The problem with this is that it was a balancing act. If we treated all of them as spam, some people complained that the security newsletters they had signed up for were missing. If we let them all through, people complained that the webinar invitations were spam and wanted them blocked. But when we did block the webinars, others asked “Where’s my webinar newsletter?” (Albeit, this was a smaller proportion of the population.)

There was no balancing act that could please everyone.

Until now.

Office 365 now uses the concept of Bulk Complaint Levels, or BCLs. The BCL is assigned only to bulk emailers. The higher the BCL, the more likely a bulk emailer is to generate complaints from end users. In this regard, it is the same as the Spam Confidence Level (SCL – the higher it is, the more likely it is spam) and Phishing Confidence Level (PCL – the higher it is, the more likely it is Phishing).

The BCL is stamped in the X-Microsoft-Antispam header:

X-Microsoft-Antispam: BCL:6;

Thus, rather than marking all bulk email as spam, customers can set their own thresholds. If you want to get rid of only the bulk mailers that generate the most complaints, block only BCL 9. This still allows most bulk email through.

However, if you want to block most or all bulk email, choose a lower threshold such as BCL 1. This reduces the bulk email in the inbox, but it also generates more false positives (wanted newsletters treated as spam). BCL 6 is the default level, but this is subject to change.

This setting is currently managed using Exchange Transport rules. To learn how to set this up, see the below article:

Use transport rules to aggressively filter bulk email messages
http://technet.microsoft.com/en-us/library/dn720438(v=exchg.150).aspx
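As an added example (not code from the original post and not how the Office 365 transport rule is implemented), the Python below shows the decision the header is there to support: pull the BCL out of X-Microsoft-Antispam, compare it to a threshold, and see how the same newsletter fares under the permissive (9), default (6) and aggressive (1) settings described above. The sample messages are constructed, and a message with no BCL stamped is treated as non-bulk, since the post says the BCL is assigned only to bulk emailers. A real transport rule matches header text rather than doing numeric comparison, so this approximates its effect rather than reproducing it.

```python
from email import message_from_string

# Constructed sample messages, not real captures. X-Microsoft-Antispam carries
# semicolon-separated key:value pairs; BCL is the one a bulk rule acts on.
BULK_MESSAGE = """\
From: deals@newsletter.example.com
To: someone@example.org
Subject: Your Daily Deal-of-the-Day!
X-Microsoft-Antispam: BCL:6;PCL:0;

Today only...
"""

PERSONAL_MESSAGE = """\
From: colleague@example.org
To: someone@example.org
Subject: lunch?

Noon?
"""


def parse_antispam_header(raw_message):
    """Split 'BCL:6;PCL:0;' into {'BCL': 6, 'PCL': 0}; skip malformed pieces."""
    msg = message_from_string(raw_message)
    values = {}
    for field in msg.get("X-Microsoft-Antispam", "").split(";"):
        key, sep, value = field.strip().partition(":")
        if not sep:
            continue  # empty trailing piece or text without a colon
        value = value.strip()
        values[key.strip().upper()] = int(value) if value.isdigit() else value
    return values


def bcl_of(raw_message):
    """The stamped BCL as an int, or None when the sender was not classed as bulk."""
    return parse_antispam_header(raw_message).get("BCL")


def bulk_action(raw_message, threshold=6):
    """Mimic the transport rule: junk the message when its BCL meets the threshold."""
    bcl = bcl_of(raw_message)
    if bcl is None:
        return "deliver"  # no BCL stamped: ordinary mail, the rule never fires
    return "junk" if bcl >= threshold else "deliver"


def compare_thresholds(raw_message, thresholds=(9, 6, 1)):
    """Show the tradeoff from the post: permissive (9), default (6), aggressive (1)."""
    return {t: bulk_action(raw_message, t) for t in thresholds}
```

For the constructed newsletter with BCL 6, compare_thresholds returns deliver at 9 and junk at 6 and 1, while the personal message is delivered at every threshold because it carries no BCL at all.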

This represents a much better method for stopping bulk email. Customers can now pick their own level of aggressiveness for filtering bulk rather than relying on a Service-Wide setting that includes many different customers with different receiving profiles.

I hope you find it useful.




Does psychology explain why people are upset about NSA spying?


8 months ago, I wrote a blog post about how I am more concerned about being hacked by malicious spammers than I am about being spied upon by the NSA. In the year since Snowden, my views haven’t changed much. I understand that it’s a concern but I am more-or-less ambivalent about it [1].

I understand that there is a very vocal segment that protests this invasion of privacy vehemently, but I just can’t get worked up about it.

Why am I so different from this vocal segment? And why does this vocal segment care so much?

The Principle of Scarcity

To answer this, I recently read the book “Influence: The Psychology of Persuasion” by Robert Cialdini. In it, Cialdini describes six principles of how to persuade people, principles that have proven themselves over and over again. These are not self-help theories but theories that have been tested by science.


One of the topics of the book is the Principle of Scarcity. People view potential losses as more impactful than potential gains. This is universally true, we are more concerned about losing something than we are about winning.

Here’s proof. What would you rather have:

  1. Option 1 - A 10% chance of winning $1 million, or
  2. Option 2 - A 100% chance of winning $90,000

?

If you’re like most people, you probably go with Option 2. However, if you do the math on the expected payout, you multiply the chance of winning by the amount you would win to get the expected winnings. Option 1 has an expected winning of $100,000 (10% x $1,000,000) while Option 2 is $90,000, less than Option 1.

But most of us want to go with the sure thing of Option 2 even though it is less because it is too psychologically painful for us to “lose” the sure thing of $90,000 compared to the mere possibility of $1 million, even if you know the probabilities.

Even if you personally, reading this right now, say to yourself “Well, I know the math. I would certainly go with Option 1,” you still have to fight your natural instincts to do this, because it feels wrong and you don’t like doing it. Thus, while you may understand the math in this case, be very sure you won’t understand the math in every case, nor in every real-world circumstance that involves the Principle of Scarcity.


The Increasing Value of Time

Another example is the phrase “If it weren’t for the last minute, nothing would ever get done.” This is our tendency to put things off until there is very little time left and then scramble to complete them. This is known as “hyperbolic discounting.” We are not good at anticipating the future, but as a deadline draws nearer and nearer, and time-to-complete becomes correspondingly more scarce, the thing we have been putting off becomes more urgent because the remaining time has become much more valuable.


Scarcity increases the value of something.

As opportunities become more scarce, we desire more freedom, and we hate losing the freedoms we already had.

This goes one step further: it is not just scarcity that makes something more desirable. A drop from abundance to scarcity is much more powerful than constant scarcity.

For example, when governments ban books, it is then that people want to read them. And to add to the intensity, if the drop in abundance is because others want the scarce resource, this increases the desirability.

How it Works in Humans

Researchers have tested this. They had volunteers come in and answer some questions and then leave, but on the way out there was a plate of cookies. When there were plenty of cookies, people rated the cookies’ taste as fine. But when there were only a couple of cookies and plenty of crumbs (indicating that there had been a lot of them previously but others had depleted the stock), people rated them even more highly.


This principle of scarcity is hard-wired into our brains.

So what does this have to do with NSA spying?

Here’s what I think – the scarce resource that we thought we had was privacy. Privacy is valuable and we believed that nobody was looking over our shoulder. Who wants the government spying on them? Nobody, that’s who.

However, when the NSA scandal broke, suddenly this resource/freedom we thought we had was virtually non-existent. And we hate losing freedoms we had before. The fact that it was previously abundant due to encryption, and is scarce now (due to government circumventing it) made it that much worse.

And making it even worse is that government wants our privacy! Thus, someone else is stealing something that was ours and that’s what makes it scarce!

And I think that’s why people are so upset – because of the Principle of Scarcity and how we’re hard wired to react to it.


The Roots of the Desire for Privacy

Okay, so maybe we’re hard-wired to react to scarcity. And maybe we’re a little upset because we lost our freedom of privacy.

But why should we even care about privacy at all?

I think it’s because we don’t like being watched. There’s a myth that says that public speaking is our number one fear. Studies are conflicted about this, but it is one of the things that people are afraid of and it ranks very highly, higher than things we should be more afraid of like disease, car accidents, or violence.

So why are we even afraid of public speaking to begin with?


I think it’s hard wired into our brains because we don’t like to be watched. For you see, for hundreds of thousands of years, even millions of years, our ancestors wandered around on the African savannah, looking for game but also just trying to survive. Our ancestors had to work in groups and we would sometimes stalk our game for days or even weeks at a time.


However, humans are not particularly good fighters against any other animal without our tools or the groups of people we hunt with (i.e., working together). While we would hunt other animals, other animals would hunt us. And when they hunted us, they would secretly stare at us first, sizing us up before pouncing.

Eventually, we developed biases in us to dislike being watched because it meant that if we were, we could soon become the prey and would fail to pass on our genetic material. Natural selection favored genes that selected for being aware of being watched and taking steps to correct for it.

We don’t like to be watched without our permission because we have genes that have selected for this personality trait.

Your Brain is not a Lawyer

We sometimes think of ourselves as rational creatures. We have a model of ourselves where our brains are basically like Prosecuting Attorneys and Judges. The prosecuting attorney presents the evidence, the judge weighs it, and then issues a decision. In this way, we are mostly logical creatures; sure, we sometimes make mistakes but for the most part we act in our own best interest.


This was the view before the 1960s and the rise of modern cognitive psychology, and before the 1990s and the rise of behavioral psychology. We now know not only that we make cognitive errors all the time but that we are predictably irrational.

Your brain is not an attorney/judge combination that weighs the evidence and makes a careful decision. That happens occasionally but it is not the norm. Instead, you have a limbic system which is the system that reacts and drives your emotions, and a neo-cortex which is the thinking and reasoning part of your brain. And these two are always working together, and sometimes they are conflicting.

We like to think that the logical side wins out over the “emotional” one (the limbic system is far more complex than what I described). What happens in reality is that most of the time, our limbic system has an emotional response to a stimulus (a physical feeling, or a sound, or an idea) and then our neo-cortex brain works to rationalize why we feel the way we feel.

If you ask a person why they took the $90,000 sure thing instead of the $100,000 expected payout (10% chance of $1 million), they may say something like “I can use the $90,000 today and the chances of getting $1 million aren’t worth the risk of losing it.” And that’s close to reality; our limbic brains tell us “Don’t lose the sure thing!” and then our neo-cortexes get on with the work of making up a reason why we are doing the irrational thing.

Putting it All Together

This is why I think (some) people hate the NSA spying scandal so much. We have justified it as “they are over-collecting data and it could lead to abuse.” While I think that’s possible, I think the dislike of it is because we don’t like being secretly watched by someone. Not being watched by someone is called “privacy,” and we hate losing the freedoms we had (or thought we had), and that includes privacy. While we have reasons for disliking it, we come up with these after the fact; we don’t weigh the pros and cons and come to a decision. Instead, we come to a decision and then weigh the pros and cons.[3]

That’s why I think some people are so vocal about NSA spying.

So what about people who don’t seem to react so strongly? I will get to that in a future post.


[1] 10 weeks ago, I had braces put onto my teeth. I’ve never had them done before, that is, I didn’t have them as a kid [2]. Let me tell you, I experienced way more angst up to and during that procedure than I ever had thinking about how the NSA might be spying on me.

[2] I’ve needed this procedure for at least a decade. I finally broke down and consented to wearing them for two years.

[3] Yes, this is oversimplified. As it turns out, there are good reasons for being against government over-collection of data just as there are good reasons for there to be a government that runs society.


Submitting spam back to Office 365


Office 365 (Exchange Online Protection) regularly asks customers to submit spam samples back so that we can improve the service. This information is also available here:

Submitting spam and non-spam messages to Microsoft for analysis
http://technet.microsoft.com/en-us/library/jj200769(v=exchg.150).aspx

This blog post is a visual step-by-step guide on how to submit spam back to Office 365 using a variety of methods.

  1. If using Outlook 2007, 2010, or 2013, use the Outlook Junk Reporting Plug-in.

    This is available here:
    http://www.microsoft.com/en-us/download/details.aspx?id=18275.

    This is a one-click solution: once it’s installed, you can right-click and pick “Mark as spam,” and the message comes back to Office 365 in the correct format.
         
  2. OR, if using Outlook Web Access, right click and mark as junk.

    These samples flow back to Office 365 automatically.

  3. OR, if using Outlook but can’t install the Junk Reporting Plug-in, forward the message as an attachment to the abuse submission alias junk at office365.microsoft.com (replace the “ at ” with an @ symbol).

    It is not required to manually include the message headers but I always do it. Sometimes, depending on your version of Outlook and Exchange, headers get removed from the email attachment. Copy/pasting the original headers guarantees that they will be preserved.

    We need the original headers!

    To view the message headers in Outlook 2010 and 2013, double-click the message to open it, then click the small arrow at the bottom of the Tags section of the ribbon. The Internet headers are at the bottom of the Properties dialog window.

  4. OR, if using other email clients, copy/paste the raw source into a message and send to the same email alias.

    Using Thunderbird, press Ctrl + U to get the raw message source. Copy/paste that into a new message; there is no need to attach the original.

These are the methods users should use to send spam directly to Office 365. Some customers have internal submission mechanisms not outlined here which are fine so long as we receive the original message headers and body. Submissions that do not resemble the original are not useful because the original information is how we diagnose why a message was, or was not, marked as spam.

Thanks for helping us stop spam.

Why does spam and phishing get through Office 365? And what can be done about it?


Introduction

As a filtering service, Office 365 (Exchange Online Protection, or EOP) is dedicated to providing the best antispam filtering possible, and we take this task seriously:

  • We are working hard to keep spam out of your inbox
  • We are working hard to ensure we don’t mistakenly mark good email as spam

The question we regularly get from customers is this: Why does spam/phishing/malware get through? Why aren’t you blocking it?

Why spam gets through

Spammers and phishers create malware and send spam because it is profitable. They are always coming up with new ways to get around spam filters and get messages delivered to user inboxes. Because of the number of unique spammers in the world and the rate at which they create new content, the spam you see in your inbox today is new. It is different from what it was yesterday, or the day before, or the day before that. It looks similar, and may use the same technique, but it is not the same message. It is slightly (or greatly) different and has been designed to evade filters.

Spam campaigns vary in duration. There are some that last many hours, and some that last a few minutes. We have tracked campaigns that send thousands, hundreds of thousands, or even millions of spam messages in under 15 minutes.

When you see spam in your inbox, it is usually because it is a new campaign from a spammer and we do not yet have signatures for it. During this window, a spammer can get some spam through our filter defenses to the inbox. However, our filters catch up and the rest of the campaign is marked as spam.


Image not drawn to scale – we don’t actually miss half the spams

Thus, it is true that some spam gets through. However, a large percentage of it is subsequently caught by one of our anti-spam technologies [1]. End users perceive that we did not catch the spam, but what actually happens is that the affected users are the ones who generate spam complaints, while the users for whom the filter caught it are unaware that anything was wrong [2].

What you (our customers) can do about it

There are a few things that customers can do to help cut down on these types of messages:

  1. Submit spam and phishing samples back to Office 365

    This is important!

    The reason to submit spam back to us is that it greatly assists in speeding up the discovery of new campaigns as well as the replication of updated signatures. Abuse submissions are combined with multiple other data sources as confirmation signals for faster signature updates. This is true even if we are currently catching the campaign (i.e., user received spam and our signatures subsequently updated, and then the user submits it to us).

    To submit spam to Office 365, please refer to this blog post:

    * Submitting spam to Office 365
    http://blogs.msdn.com/b/tzink/archive/2014/09/12/submitting-spam-back-to-office-365.aspx
          
         
  2. Submit malware to Microsoft

    If the message is malware and not spam, you can submit it to Microsoft:

    * Microsoft Malware Protection Center submission portal
    https://www.microsoft.com/security/portal/submission/submit.aspx

    Microsoft and Office 365 use these samples to update our anti-malware engines. You can also submit to VirusTotal. Office 365 uses 3 anti-malware engines and all of them are on VirusTotal, which shares samples amongst the other anti-malware companies.

  3. Enable Bulk mail filtering

    Although bulk email is neither spam nor phishing, many customers identify it as spam. The bulk mail feature should be enabled because it can help cut down on the overall level of spam complaints, even if the content is bulk rather than explicitly malicious. For more information, see my previous blog post:

    * Different Levels of Bulk Mail Filtering in Office 365
    http://blogs.msdn.com/b/tzink/archive/2014/08/25/different-levels-of-bulk-mail-filtering-in-office-365.aspx

  4. Invest in User Education

    User education is one of the most important aspects of anti-phishing. While technology is one component, users need to be aware of the risks. There are several free resources:

    * OnGuardOnline.gov’s Antiphishing Page
    http://www.onguardonline.gov/articles/0003-phishing

    * The Anti-Phishing Working Group’s advice to avoid phishing scams
    http://apwg.org/resources/overview/avoid-phishing-scams

    Larger organizations may want the services of companies that provide anti-phishing education, running campaigns that train users to become more aware of the phishing problem. Two that I am aware of are:

    * PhishMe
    http://phishme.com/

    * PhishGuru
    http://www.wombatsecurity.com/phishguru

    A combination of technology plus user education is the best way to prevent users from falling for phishing scams.


What is Office 365 doing to improve detection of spam and phishing?

There are several different methods that Office 365 is either currently working on or actively investigating to improve our spam, phishing and malware detection capabilities as of Sept 2014. Here is a summary:

  1. Increasing the coverage of URL filtering

    EOP currently uses 750,000 URLs in its antispam and antiphishing detection. If a message contains one of these URLs, that is used as a heavy weight in the spam filter.

    We are working on increasing this list to well over a million URLs.

  2. Inbound DKIM verification in IPv4 and IPv6

    DKIM is a technology that verifies digital signatures inserted into a message. It is useful for identifying good senders and plays an important role in sorting out good senders from malicious senders.

    For more information, see http://tools.ietf.org/html/rfc6376.

  3. Outbound DKIM signing

    Office 365 will be giving customers the ability to DKIM-sign all of their outbound email. This will be true of fully hosted customers, hybrid customers or on-premise customers. Customers can either upload their own DKIM keys or let Office 365 generate them.

  4. DMARC support

    DMARC is a major revolution in spam filtering because it combines both authentication and a feedback loop to help senders improve their authentication practices. It was also a major step forward in the amount of cross-organization collaboration needed to come up with a common protocol, and then have everyone implement it.

    It works by checking the From: address, the one that users see in their email client, and if it is forged the message is marked as spam or rejected. Many large brands have implemented DMARC and seen a significant decrease in email spoofing.

    DMARC is very useful for detecting phishing and especially spear-phishing.

  5. Faster updates

    As you can read above, many of our existing technologies work to catch spam, but unfortunately some of it leaks through before the signatures update. We are currently working on infrastructure to reduce the time from start-of-spam-campaign to campaign-detection, and from campaign-detection to signature-update.

  6. “New-ness” Inspection

    One of the techniques that modern spammers and phishers use is to rapidly generate new domains and compromise new machines with IP addresses that have no previous reputation.

    One technique that Office 365 is investigating is detecting whether or not a given domain or IP is new to the service or new to the Internet. If it is, it can take action by either rejecting the message, temporarily deferring the message or using it as a weight in the spam filter (this is more complicated than graylisting). Good senders will return but many bad senders will not, and that includes spammers and phishers.


Conclusion

We understand the negative experience customers have when they get spam in their inbox. We feel it, too! However, we are working to improve this to ensure that your mailbox stays clean.

[1] There are three types of spam campaigns, with their corresponding catch rates:

  1. 100% catch – these are spam campaigns where we have existing rules and even though the campaign is new, we catch all (or nearly all) of it. This constitutes the largest set of spam campaigns.
  2. Partial catch – these are spam campaigns where we miss part of it but the filters catch up and catch the rest.
  3. Total miss – spam campaigns where virtually all of it is missed by the filters. This is the smallest set.

Customer complaints are mostly in #2 and #3.

[2] For an overview of how we currently handle spam and phishing, please see the following blog post

* Combating Phishing
http://blogs.msdn.com/b/tzink/archive/2012/08/30/combating-phishing.aspx

Former NSA Director Keith Alexander speaks at MIRcon 2014


Last week, I attended MIRcon, Mandiant’s conference on Advanced Persistent Threats. One of the keynote addresses was given by Keith Alexander, the former head of the NSA. I enjoyed his talk; it was a good one.

What Others Are Saying

Here is Kelly Jackson Higgins’ take on his talk, from an article on DarkReading. Everything in the article is accurate:

* Former NSA Director reflects on Snowden Leaks
http://www.darkreading.com/analytics/threat-intelligence/former-nsa-director-reflects-on-snowden-leaks/d/d-id/1316466

Higgins’ main talking point is that Alexander and the NSA were trying to bring to the public’s attention the fact that, although the United States is under constant attack from advanced persistent threats, the Snowden leaks ended up overshadowing any of the good work that the NSA was doing. The NSA is a professional organization, and third-party auditing showed that what they did:

  1. Was authorized by Congress
  2. Was within the law
  3. Was 100% audited
  4. Even though they were audited afterwards, no violations ever came up that were not already self-reported
  5. The NSA is highly professional

That’s all I have to say about that, go ahead and check out the article.

My Impression of Others’ Impressions of the NSA

While I was in Washington, D.C., I noticed that there was more of a “pro-America” feel, that is (and I am badly paraphrasing) a “we understand that the NSA had to do what they did” perspective, compared to where I live. Whereas on the left coast Microsoft’s own top lawyer identified the American government as an advanced persistent threat [1], and you can read other technical blogs that are very critical of the US government’s actions (Google, Yahoo and Apple are all moving to encrypt their data in response), I didn’t find any of that anti-government sentiment at MIRcon.

I see this as either the attendees at MIRcon genuinely understand that what the NSA did is more nuanced, and a position of “The government should not collect any data” is too narrow a viewpoint; OR, representatives from these companies work with government and therefore their perspective is skewed; OR, I didn’t sample enough people to get a broader perspective.

In any case, that’s what I experienced.

My raw notes of Keith Alexander’s Keynote

I don’t have time to type this up into a more nuanced blog post, but here are my raw notes from the session.

---------------

2014.10.07 - Keynote Keith Alexander

  • Keith Alexander - cyber security people are underpaid (he's a funny guy)
  • CyberCommand was created based upon intrusion into DoD in 2008 (later believed to be the Russians), wake up call
    • Now Target, eBay, Home Depot, JPM; attributed to eastern Europe/Russia
    • Did you know 2014 (website, talks about rapid change in technology)
      • Top 10 in-demand jobs in 2013 did not exist in 2004. Half of college newbs tech knowledge will be out of date by the time they get to junior year. People being trained for a job that doesn't exist today.
      • Talked about how using Watson, they can get cancer treatments figured out in 9 minutes rather than 30 days (important because that 30-days results in cancers metastasizing)
      • Within a decade, some diseases will be solved thanks to advances in technology
    • We created the Internet, we can secure it.
      • But what we have created, today, isn't secure.

  • Pre-2007, Internet was used as a way of going out and exploiting (everyone was doing it)
    • Then in 2007 changed from exploitation to disruption (Estonia attacks), had to disconnect from Internet
    • Aug 2008 Georgia was hit with cyberattacks (coincided with attacks by Russia govt ground offensive), DDOS attacks
    • Tells of issue on DOD networks one Friday afternoon in 2008, some people found 1500 pieces of malware on classified network
      • Built a system to mitigate the problem at network speed.
      • NSA built the system in 22 hours (!!!)
    • In 2011, NSA took a look at DOD networks, 15,000 in all, discovered they have an indefensible architecture (opened up that bag... of fertilizer... can we give this back to the DOD? Nope.)
      • Created Cyber Command as a result. Our defense must be as good as their offense

  • Fast forward, actions in 2012 were timed to problems in the middle east
    • August: Attack on Saudi Aramco (DDOS coupled with a virus - destroyed data on 30k systems)
    • Over 350 DDOS attacks on Wall Street in the intervening one year. 2013: attacks on South Korea
    • Goes from stealing data to using the networks as an element of national power.
    • People attack cyberspace because that's where the money and IP and secrets are

  • Cyber command
    • Joint taskforce to defend the DOD networks but when it came over decided to defend everything within the nation

      1. Need a defensible architecture - Too difficult to draw a picture of network without any situational awareness

      2. Training - Need to train at a classified threat, offense and defense need to be the same

      3. Command and control - How do we work together with govt and industry? There's more industry by orders of magnitude, and exploitation surface is hundreds of time larger. Nothing prevents industry from working with govt for a common cause

      4. Cyber legislation - Didn't really discuss this

      5. Signature based AV systems good for certain things but not for where we want to go. Need to have real time consumable threat intelligence; detect mitigate report at network speed; within and among networks. These are not technical challenges, it is culture and competitiveness. Just think if we were to work together. It will take several companies and a consortium to figure it out.
          
  • Q&A's - Are we in a cyber war? When did it start? --> No, not yet but because of his definition
    • 22 cryptologists were killed in Iraq and Afghanistan (doing some cyber stuff to change intelligence collection)
    • Someone asked a question - what does the NSA collect on me? Metadata goes into business data FISA program
    • gave example (2009) of stopping an Al Qaeda operative in the Pakistan area who was talking to someone in the Colorado area (by email, gave phone number in email to FBI). FBI can take that and get the phone number from the phone and email provider. Talked about bouncing around from Colorado to New York and North Carolina, who were also in contact with other known terrorists outside (?) the US.
  • Q&A’s (Did Angela Merkel have anything interesting to say?)
    • If you talk to known high risk contacts, there is a good chance you will be flagged. But otherwise you are probably not going to be looked at. These programs help connect the dots. Everything in the program is audited 100%. Not one person was found doing anything wrong that hadn't already been reported before.
    • ACLU did a review of the NSA (Jeff Stone), found NSA helped to thwart plots, operates a high degree of integrity and deep commitment to the rule of law
    • People who touch special data have to go through 400 hours of training (more than pilots)
        

Those are all of my notes.


 

[1] “Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data.

If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an “advanced persistent threat,” alongside sophisticated malware and cyber attacks.”

Brad Smith on the Official Microsoft blog
http://blogs.microsoft.com/blog/2013/12/04/protecting-customer-data-from-government-snooping/

Support for anonymous inbound email over IPv6 in Office 365


Office 365 now supports anonymous inbound email over IPv6. In this case, “anonymous” means:

  1. The sending IPv6 address originates outside the service and is not in any customer’s settings (that is, not in any customer-specified connector)
  2. The sending IPv6 address has not been previously allow-listed by the service
  3. The sending connection is not required to use TLS (it may be sent over TLS, but TLS is not required)

While Office 365 already permitted customers to create connectors upon which to relay inbound email (that is, email from the Internet to an on-premise mail server), now it also allows those messages to come from the outside into the service, from anyone.

In the above diagram, the part in red is new.

1. Customers must opt-in to receive email over IPv6

Office 365 does not allow any inbound connection over IPv6 to connect to the service by default.

First, customers must request to be opted into the service by opening a support ticket. The engineering team will then manually configure the service to permit, on a per-domain basis, receiving email over IPv6. This means that if a customer has multiple domains, they can pick and choose which ones to enable. Turnaround time for enabling IPv6 is quick; it can be the same day.

Once a domain is enabled for IPv6, the host named in its MX record will resolve to AAAA records in addition to A records. For example, for contoso.com:

contoso.com.          3599    IN      MX      5 contoso-com.mail.protection.outlook.com

contoso-com.mail.protection.outlook.com. 10 IN A 207.46.163.247
contoso-com.mail.protection.outlook.com. 10 IN A 207.46.163.215
contoso-com.mail.protection.outlook.com. 10 IN A 207.46.163.138
contoso-com.mail.protection.outlook.com. 10 IN AAAA 2a01:111:f400:7c10::10
contoso-com.mail.protection.outlook.com. 10 IN AAAA 2a01:111:f400:7c0c::11
contoso-com.mail.protection.outlook.com. 10 IN AAAA 2a01:111:f400:7c09::11

Domains that are not enabled for IPv6 do not return AAAA records for their MX hosts.

Office 365 publishes IPv4 and IPv6 MX-records at the same MX-priority, and therefore it is up to the sender to decide whether to send email over IPv4 or IPv6. Sending mail servers are supposed to prefer IPv6 over IPv4 but some may choose to send all email over IPv4.

If a sender tries to manually connect to the service over IPv6 to a customer, for example contoso.com, but contoso.com has not opted in to receive over IPv6 then the service will reject the message with the permanent reject error:

550 5.2.1 contoso.com does not accept email over IPv6

Office 365 already sends outbound email over IPv6 if the receiver publishes AAAA records in its MX-record.

In addition, Office 365 already supports customers with an on-premise email server that are IPv6 end-points (that is, inbound email from the Internet over IPv4, and customer on-premise mail server is IPv6). This part has not changed.

2. Requirements for senders over IPv6

Second, Office 365 conforms to the Messaging, Mobile and Malware Working Group’s (M3AAWG) recommendations for receivers over IPv6:

http://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Inbound_IPv6_Policy_Issues-2014-09.pdf.

Senders over IPv6 must pass two conditions:

  1. The sending IPv6 address must have a PTR record. If it does not, the service will reject the message with the permanent reject error:

    550 5.7.1 Service unavailable, sending IPv6 address [$SenderIPAddress] must have reverse DNS record.

  2. The sending email must pass SPF or DKIM verification. If it does not, the service will reject the message with the permanent reject error:

    554 5.7.1 Service unavailable, message sent over IPv6 must pass either SPF or DKIM validation.

Representatives from Microsoft worked with other participants in the M3AAWG working group to define and agree to these requirements.

Office 365 stamps the results of the SPF check into the Authentication-Results header, for example:

Authentication-Results: spf=pass (sender IP is 2207:eab0:3001:a01::123)
 smtp.mailfrom=user@example.com; contoso.com; dkim=pass (signature was
 verified) header.d=example.com;

Some customers may find these conditions overly stringent and therefore may choose to not enable IPv6 for their domains until they are confident that either the majority of their traffic over IPv6 passes SPF or DKIM, and has a PTR record; or, the senders who do not pass those requirements transmit exclusively over IPv4.

There is no way to override either of these requirements.

Sending mail servers may decide to retry over IPv4, at which point their email would not be subjected to these requirements, but it is up to the sender.

3. Service wide throttling limits for IPv6

Third, Office 365 has implemented some service-wide throttling mechanisms. Because IPv6 makes minimal use of IP reputation lists, a large spam attack over IPv6 could cause service degradation because performing SPF and DKIM verification consumes more computational resources than a simple IP blocklist check. To protect against spam attacks, or simply misconfiguration of a sending IPv6 host, Office 365 implements throttling of IPv6 ranges.

  1. If a particular IPv6 sender has exceeded its sending limits, its connections will be rejected with the permanent reject error:

    550 5.3.2 Access Denied, [$SenderIPAddress] has exceeded permitted limits within $range range.

  2. If the service-wide network capacity allocated to IPv6 has been exceeded, any connection over IPv6 will be rejected with the temporary reject error:

    421 4.3.2 Local IPv6 capacity exceeded, please try again later.

As the network capacity returns to normal, IPv6 connections will be permitted.
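The three sets of rules above (opt-in, sender requirements, throttling) can be modelled as one decision function. The following Python is an added example written for this post, not Office 365 code: the order in which the checks run, the /64 width of the “$range” placeholder, the tiny limits and the reverse-DNS lookup table are all assumptions made so that every reply quoted above can be exercised offline.

```python
"""Model of the inbound-IPv6 policy described above (added example, not
Office 365 code). Reverse DNS is replaced by a constructed dictionary and
the limits are tiny so the throttling paths can be exercised offline."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# SMTP replies quoted from the post; the $SenderIPAddress and $range
# placeholders are filled in by format().
OPT_IN_REJECT = "550 5.2.1 {domain} does not accept email over IPv6"
PTR_REJECT = ("550 5.7.1 Service unavailable, sending IPv6 address [{ip}] "
              "must have reverse DNS record.")
AUTH_REJECT = ("554 5.7.1 Service unavailable, message sent over IPv6 must "
               "pass either SPF or DKIM validation.")
LIMIT_REJECT = ("550 5.3.2 Access Denied, [{ip}] has exceeded permitted "
                "limits within {range} range.")
CAPACITY_DEFER = ("421 4.3.2 Local IPv6 capacity exceeded, please try "
                  "again later.")
ACCEPT = "250 2.6.0 Queued"  # assumed accept reply; the post does not quote one


@dataclass
class Ipv6InboundPolicy:
    enabled_domains: set        # recipient domains opted in by support ticket
    ptr_records: dict           # constructed stand-in for reverse DNS
    per_range_limit: int        # messages allowed per sender range
    service_capacity: int       # messages allowed service-wide
    range_prefix: int = 64      # assumed width of "$range"
    range_counts: Counter = field(default_factory=Counter)
    total: int = 0

    def evaluate(self, sender_ip, rcpt_domain, spf="none", dkim="none"):
        """Return the SMTP reply for one message. The check order is an
        assumption: connection-level checks first, then the recipient's
        opt-in, then the per-message SPF/DKIM result."""
        ip = ipaddress.ip_address(sender_ip)
        if ip.version != 6:
            return ACCEPT  # IPv4 traffic is outside this policy
        if self.total >= self.service_capacity:
            return CAPACITY_DEFER  # temporary: the sender should retry later
        net = ipaddress.ip_network(f"{ip}/{self.range_prefix}", strict=False)
        if self.range_counts[net] >= self.per_range_limit:
            return LIMIT_REJECT.format(ip=ip, range=net)
        if not self.ptr_records.get(str(ip)):
            return PTR_REJECT.format(ip=ip)
        if rcpt_domain.lower() not in self.enabled_domains:
            return OPT_IN_REJECT.format(domain=rcpt_domain)
        if spf != "pass" and dkim != "pass":
            return AUTH_REJECT
        self.range_counts[net] += 1
        self.total += 1
        return ACCEPT


def demo():
    """Walk constructed senders through the policy and return the replies."""
    policy = Ipv6InboundPolicy(
        enabled_domains={"contoso.com"},
        ptr_records={"2001:db8::1": "mail.example.com",       # has PTR
                     "2001:db8:0:1::1": "mx.example.net"},   # has PTR
        per_range_limit=2,
        service_capacity=3,
    )
    return [
        policy.evaluate("2001:db8::1", "contoso.com", spf="pass"),
        policy.evaluate("2001:db8::2", "contoso.com", spf="pass"),   # no PTR
        policy.evaluate("2001:db8::1", "fabrikam.com", spf="pass"),  # not opted in
        policy.evaluate("2001:db8::1", "contoso.com", spf="fail"),   # no SPF/DKIM
        policy.evaluate("2001:db8::1", "contoso.com", dkim="pass"),
        policy.evaluate("2001:db8::1", "contoso.com", spf="pass"),   # /64 limit hit
        policy.evaluate("2001:db8:0:1::1", "contoso.com", spf="pass"),
        policy.evaluate("2001:db8:0:1::1", "contoso.com", spf="pass"),  # capacity
    ]


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```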

4. Customer Settings

Customers can currently create IP Allow and Block lists for IPv4, but the Exchange Admin Center does not permit adding IPv6 addresses. This will still be the case even if you opt in to receive email over IPv6.

Instead, the preferred mechanism to allow messages over IPv6 is to create Exchange Transport Rules (ETRs) that allow a domain and simultaneously require an SPF pass or DKIM pass by looking for the corresponding result in the Authentication-Results header; or to alternately block a domain (there is no need to look for Authentication-Results).

Preventing IPv6 Allow Lists and Block Lists, and requiring ETRs, has the following advantages:

  1. Because the sender domain has been authenticated with SPF or DKIM, there is a much lower risk of a spammer spoofing a faked message from a domain that has been allowed, and thereby having spam delivered to the inbox.

  2. It is easier to manage domains that are good or bad than it is to manage IPv6 addresses because the IPv6 address blocks can be so large, but domains are much fewer in number.

5. Conclusion

Permitting anonymous inbound email over IPv6 is a major step forward in Office 365. It is still very new even in the rest of the email industry, but the requirements that have been set in place should allow for the transition of email into a more trustworthy and reliable world.



How to create Allow rules in Office 365 for senders over IPv6 (and also for IPv4)


Office 365 now permits anonymous inbound email over IPv6. Most of the functionality works the same in IPv4 as IPv6. However, there are some differences for inbound messages where customers want to allow messages from a particular domain or sender.

Whereas in IPv4, customers could create IP Allow rules, this functionality does not exist in IPv6. The reason is that it is cumbersome to manage IPv6 ranges and you won’t get them all correct anyhow.

Fortunately, it is easier (sort of) to manage IP Allows and Blocks in IPv6. IPv6 requires the senders to authenticate with either SPF or DKIM. Office 365 stamps the results of the SPF check into the Authentication-Results header, for example:

From: user@example.com
Authentication-Results: spf=pass (sender IP is 2207:eab0:3001:a01::123)
 smtp.mailfrom=user@example.com; contoso.com; dkim=pass (signature was
 verified) header.d=example.com;

This header can be used to create Allow rules. You no longer need to keep track of IP addresses; you can just allow the domain.

1. The simple, but less secure, way to create Allow rules for IPv6 (and also works for IPv4)

To quickly allow a message over IPv6, create an Exchange Transport Rule (ETR) that does the following:

a) Looks for spf=pass or dkim=pass in the Authentication-Results header

b) Looks for the sender domain you want to allow

To do this, create the rule in the Exchange Admin Center.

Creating the Allow rule this way requires the domain to authenticate. In IPv6, a domain must pass SPF or DKIM to be allowed into the system, and the advantage of this quick way of creating ETRs is that it also works for IPv4: only real email from the domain bypasses filtering. If a domain does not authenticate over IPv4, this rule will not match, so a spoofed message will still undergo filtering most of the time.

2. The more complicated, but more secure, way to create Allow rules for IPv6 (and also works for IPv4)

The above ETR works most of the time, but spammers and phishers can craft messages in such a way to pass SPF or DKIM but still spoof the From: address that is displayed in the email client. For example, the spammer can set up their own SPF and DKIM records, but change the From: address to show a different sender than the one that was authenticated.

From: user@example.com

Authentication-Results: spf=pass (sender IP is 2207:eab0:3001:a01::123) smtp.mailfrom=spammer@spammer.com; contoso.com; dkim=pass (signature was verified) header.d=spammer.com;

This is not the most commonly used spam technique but it occurs often enough to cause problems for some users. To prevent this, create an Exchange Transport Rule (ETR) that does both of the following:

a) Looks for spf=pass or dkim=pass in the Authentication-Results header

b) Looks for the authenticated domain in the Authentication-Results header by searching for text patterns (not “text includes”)

This uses a combination of regular expressions instead of simple text matches. The two regular expressions in the Authentication-Results header to look for in the ETR are:

spf=pass \(sender IP is [a-z\d\:\.]+\) smtp.mailfrom=[a-z\d_]+\@<example.com>

dkim=pass \(signature was verified\) header.d=<example.com>

Replace <example.com> with the domain you want to allow (but do not include the angle brackets). Because these are regular expressions, escape each dot in the domain as \. so that it matches only a literal dot. After you are done, the rule should have both conditions: the spf=pass or dkim=pass match, and the text-pattern match on the authenticated domain.

This is more complicated than the simple way but it prevents spammers from spoofing a domain and then getting a free pass to the inbox.
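To show the difference between the two rules on real header text, here is an added Python example (not the post’s own code, and not how Exchange evaluates an ETR) that unfolds an Authentication-Results header and applies both rules to constructed headers modelled on the ones above: the simple rule from section 1 passes the spoofed message, the pattern-based rule from section 2 does not. It assumes the allowed domain’s dots are escaped and the local-part class is widened to allow dots and hyphens.

```python
"""Compare the two Allow-rule styles described above on constructed headers
(added example; not the post's code and not Exchange's ETR engine)."""
import re

# Constructed message fragments modelled on the post's examples. LEGIT is
# folded across lines the way the post shows it.
LEGIT = (
    "From: user@example.com\n"
    "Authentication-Results: spf=pass (sender IP is 2207:eab0:3001:a01::123)\n"
    " smtp.mailfrom=user@example.com; contoso.com; dkim=pass (signature was\n"
    " verified) header.d=example.com;\n"
)
# Same visible From:, but the identity that actually authenticated is the
# spammer's own domain.
SPOOFED = (
    "From: user@example.com\n"
    "Authentication-Results: spf=pass (sender IP is 2207:eab0:3001:a01::123) "
    "smtp.mailfrom=spammer@spammer.com; contoso.com; dkim=pass (signature was "
    "verified) header.d=spammer.com;\n"
)


def unfold_headers(raw):
    """Join folded continuation lines (leading space/tab) and return
    {header name: value}."""
    headers, last = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip()
            headers[last] = value.strip()
    return headers


def from_domain(headers):
    """Domain of the visible From: address (handles "Name <user@dom>")."""
    parts = headers.get("From", "").rstrip(">").rsplit("@", 1)
    return parts[-1].strip().lower() if len(parts) == 2 else ""


def simple_allow(headers, domain):
    """Section 1 rule: any spf=pass or dkim=pass plus a matching sender
    domain. The From: domain is not tied to the identity that authenticated."""
    ar = headers.get("Authentication-Results", "")
    authenticated = "spf=pass" in ar or "dkim=pass" in ar
    return authenticated and from_domain(headers) == domain.lower()


def secure_allow(headers, domain):
    """Section 2 rule: the post's two patterns with the allowed domain filled
    in. Assumptions: dots in the domain are escaped with re.escape, the
    local-part class also allows '.' and '-', and a lookahead keeps
    example.com from matching a longer domain that merely starts with it."""
    ar = headers.get("Authentication-Results", "")
    dom = re.escape(domain) + r"(?![\w.-])"
    spf_re = re.compile(r"spf=pass \(sender IP is [a-z\d:.]+\) "
                        r"smtp\.mailfrom=[a-z\d_.-]+@" + dom, re.I)
    dkim_re = re.compile(r"dkim=pass \(signature was verified\) "
                         r"header\.d=" + dom, re.I)
    return bool(spf_re.search(ar) or dkim_re.search(ar))


def compare(raw, domain):
    """Return (simple_rule_result, secure_rule_result) for one message."""
    headers = unfold_headers(raw)
    return simple_allow(headers, domain), secure_allow(headers, domain)


if __name__ == "__main__":
    print("legit  ", compare(LEGIT, "example.com"))    # (True, True)
    print("spoofed", compare(SPOOFED, "example.com"))  # (True, False)
```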


3. Why add conditions like SPF=pass or DKIM=pass?

Many customers today create Allow rules for various domains but spammers will frequently spoof those domains and then the message gets to their users’ inboxes. By requiring that a message passes SPF or DKIM, this will no longer occur. Only an authenticated message will skip filtering, meaning a spoofed message will not go unfiltered.

For IPv6, which requires SPF or DKIM, the above mechanisms will work. For IPv4, where a lot of domains still do not authenticate, this will result in some domains not skipping filtering. This means that some domains may get marked as spam even though you created a rule to skip filtering. For high-value domains that are prone to spoofing this is okay – it’s better to keep the malicious emails out of your inbox. For low-value domains that are not prone to spoofing, it may be alright to simply create an Allow rule.



An interview with William Binney, former NSA analyst and whistleblower


A few days ago, I posted my notes on Keith Alexander’s talk at MIRcon about the NSA. Today, here’s a blog post about the opposite point of view.

Yesterday, I came across an interview with William Binney, a former NSA analyst who resigned from the agency in 2001. He is a whistleblower who, unlike Edward Snowden, did go through the proper escalation channels when he felt that the agency was doing things that were against the US constitution.

The interview is on Dan Carlin’s Common Sense podcast. I listen to Carlin’s Hardcore History podcast and it is very good, but I just discovered his Common Sense podcast. You can listen to the interview here:

If you’re opposed to what the NSA is doing in terms of data collection, you will no doubt agree with the views Binney discusses in the interview. He is very much against what the NSA is doing.

If you’re not opposed to what the NSA is doing, you will probably disagree with what Binney says.

Finally, if you’re a fence-sitter, you probably won’t hear that much to sway your position beyond what you have already heard in the media, news outlets, and other blogs.

Slideshow: A brief introduction to DMARC


Below is a slideshow of a presentation about DMARC I did at this year’s Virus Bulletin conference in Seattle.

It’s not that technical although I do use a few technical terms. However, even newcomers to email will be able to understand it.



Slideshow: A brief overview of how email over IPv6 works in Office 365


The following is a brief overview of how email over IPv6 works in Office 365, and why we are doing some of the things we are doing. Other services that also support email over IPv6 work similarly.


Source: A plan for email over IPv6 on Slideshare


Why do I have to give up my email address in order to get discounts?


This weekend, I went shopping at random stores around the city where I live. For you see, my wife purchased a book of coupons and we decided to use some of them. We flipped through the book looking for ones we might like and found a few to stores we had never been to, nor would ever go to had we not purchased the coupon book.

We went down to a specialty coffee store and browsed around. We found a couple of coffees we might like to try. Good thing we had a discount because they cost roughly double what we normally buy at Trader Joe’s.


When we went to pay, the staff hadn’t seen the coupons before and had to look them up. After confirming it was okay to use their own coupons, they informed us we needed to supply an email address.

Normally, both my wife and I decline to provide an email address at any retailer. I don’t want your email notices, I just want the merchandise I am currently trying to buy. But this retailer informed us that “we needed to supply an email address in order to use the coupon.” My wife begrudgingly handed it over.

Why should I have to do that? Why do I need to give out an email address at all?

I just got an email from Home Depot today telling me my email address was leaked during their most recent hack this past September. Doing the math in my head, this means that I can expect more spam and probably a bunch of customized phishing attempts (i.e., some phisher impersonating Home Depot telling me that I have to take a particular action in response to the breach) going forward.


And this irks me about giving up my email address. Not only do I not want to give it out because I don’t want to sign up for advertisements from the retailer, I don’t entirely trust them to keep it secure, either. I feel like handing it over is akin to opening my front door and hoping flies and other insects stay outdoors.

I didn’t think fast enough at the time, but next time I have to hand over an email address maybe I should do one of the following:

  1. Claim I don’t have an email address

  2. Give a fake email address at a domain that doesn’t resolve

  3. Give an email address to a known spam trap

  4. Give an email address that says “do_not_email_me_I_am_only_giving_this_because_I_have_to@example.com”

This probably wouldn’t solve any problems or change anyone’s behavior, but it would certainly make me feel better.

Improving Backscatter detection with Boomerang


One of the features we have been working on in Office 365/Exchange Online Protection (EOP) is called Boomerang, a mechanism to better detect backscatter spam.


What is Backscatter?

Backscatter spam occurs when a spammer spoofs your email address and sends it to a random person on the Internet. The random person’s mail server accepts the email message and then later discovers it can’t deliver it. There are a few reasons why this occurs:

  • The random person’s mailbox is full
  • The random person’s mail server rejects spam
  • The random person’s email address does not exist

When that happens, the random person’s mail server sends a bounce message (non-delivery receipt, or NDR) back to the sender saying “Sorry, I could not deliver this message.” However, instead of sending it back to the spammer who sent the message, the mail server sends it back to you.

You then receive this NDR in your mailbox saying that the message “you” sent could not be delivered. But since you never sent anything, your reaction is “Why am I getting bounces for a message I never sent?” Often, these bounces contain spam.

It can be very irritating for end users.


Fighting Backscatter with Boomerang

We currently have some basic Backscatter detection in EOP but we are making it better – much better. It uses a technique called Boomerang which borrows from how Hotmail does backscatter prevention. It computes a cryptographic hash that ties the original sender to the outbound message, and then recalculates and checks that hash when a bounce message for that sender comes back. I won’t go into the full details, but it is similar to Bounce Address Tag Validation (BATV).

Boomerang does more than BATV, however; it also is used to detect conversations between end-users, and it looks at where the end user’s mailbox is located when making a filtering decision.

Enabling Boomerang and Backscatter Prevention

We’ve gone to a lot of effort to ensure that this change is seamless for end users – your filtering experience should get better and you won’t have to do much, if any, work.

  • If you have a hosted mailbox, you don’t have to do anything.

    You will get Boomerang automatically, and it will automatically figure out the right thing to do. You don’t have to turn it on, nor can you turn it off, even if you log in to the Exchange Admin Center (EAC) and disable the rule.

    In the tables below, for both Current and New Behavior, regular filtering includes spoof detection wherein messages that are clearly forged are marked as spam.

    Table of behavior for Backscatter for customers with hosted mailboxes

    NDR Backscatter Setting | Current Behavior | New Behavior
    Off | NDRs go through regular filtering | Legitimate NDRs are delivered, backscatter is marked as spam
    On | All NDRs are marked as spam, legitimate and backscatter | Legitimate NDRs are delivered, backscatter is marked as spam

 

  • If you are an on-premise customer (wherein email passes through EOP and is relayed to your on-premise mail server), you need to enable it through the Exchange Admin Center (EAC).

    To do this:

    1. Login to the EAC

    2. Navigate to Admin (top right) –> protection (on left side of screen) –> content filter –> open up a policy –> advanced options –> enable NDR backscatter

    It is not required for you to enable this rule if it is currently off [1]. However, if you send outbound email through Office 365, we recommend you turn it on.

    Table of behavior for Backscatter for on-premise customers (without hosted mailboxes)

    NDR Backscatter Setting | Current Behavior | New Behavior
    Off | NDRs go through regular filtering | NDRs go through regular filtering
    On | All NDRs are marked as spam, legitimate and backscatter | Legitimate NDRs are delivered, backscatter is marked as spam

IMPORTANT!

If you are an on-premise customer and enable this rule but do not route outbound email through Office 365, all NDRs – legitimate and backscatter – will be marked as spam [2].

  • If you are a hybrid customer and have some of your mailboxes hosted with Exchange Online and some of your mailboxes in your on-premise environment, your experience will be more complex.

    The service will look at where the mailbox is before taking action. It will treat the hosted mailboxes as above – legitimate NDRs will be delivered and backscatter will be marked as spam.

    For the on-premise (non-hosted) mailboxes, it depends on the Advanced Spam Filter setting. If it is enabled, legitimate NDRs will be delivered and backscatter marked as spam. If it is not enabled, NDRs will go through regular filtering, where they may or may not be marked as spam.

    We recommend enabling this rule if all outbound email flows through EOP. If you have a split scenario where some outbound email flows through EOP and some doesn’t, then enabling this rule may generate false positives because legitimate NDRs will be marked as spam. However, if you don’t enable this rule you may get backscatter spam in your on-premise mailbox because the regular spam filter may not catch it.


Conclusion

We hope that this helps customers catch more backscatter spam than previously. If you have problems with this feature – either it catches too much or not enough – please let us know.

Thanks for reading.



[1] Some customers have problems with backscatter spam; by enabling the Advanced Spam Rule today, backscatter does go down but unfortunately legitimate NDRs are marked as spam. Boomerang will solve that problem.

However, many other customers do not have problems with backscatter and therefore don’t have the Advanced Spam Rule enabled. After Boomerang is released, these customers will have the same experience and therefore don’t need to enable it. However, if they send outbound email through EOP we still recommend enabling it so that they have proactive protection in case backscatter ever does become a problem in the future.

[2] Boomerang works by looking for cryptographic tags in the bounce message. If the bounce message does not contain the tag, the message is treated as backscatter. Because outbound messages that do not flow through EOP may still bounce back in through EOP, Boomerang will see that the tag EOP would have inserted is missing and conclude that the message was spoofed, when in reality the message was never supposed to contain the tag. Unfortunately, there is no way to sync that back to EOP and Boomerang if the ASF rule is enabled.


Gaining experience with encryption and key rotation


This year I’ve had the privilege of expanding some of my skill set in a field which I find fascinating, but also which I find I am woefully under-qualified to work in: Encryption.

I like encryption. I’ve liked it ever since my 4th year in university, when I learned all about the mathematical properties behind it, how symmetric and asymmetric ciphers work, and how digital signatures work.

I feel pretty good about my abilities in the basics of encryption.

What I don’t feel good about is key management.

I find that a lot of discussions about encryption do a good job of explaining how encryption works and about the algorithms, and that’s exactly the stuff I already know. What I find they don’t talk about is key management – what does a key lifecycle look like? How do you rotate keys? How do you store keys securely? How do you deploy keys securely?

For example, when I was practicing my own encryption for an app I was working on, all I did to encrypt stuff was store the key in a file on my computer, and then store the same key in the remote server in another file and set the permissions properly. I trust myself; if I want a new key, I just create one and copy/paste it.

That’s fine for myself, but what about real life? Large companies need ways to deal with encryption keys beyond copying and pasting them into files. Keys are supposed to be kept away from developers so that only Operations can access them. So how do developers create and deploy keys to begin with?


I’m not saying that there aren’t books that explain this. I’m sure there are, but most books are light on the details of the key lifecycle.

Fortunately, this year I have been working on three separate features that use encryption and require a key lifecycle, so I have been gaining a little bit of experience. Plus, I was involved in a fourth separate key rotation which I’ll explain below.

First, the features I am working on.

1. Boomerang

This is a feature that inserts a cryptographic tag into an outbound email message. This requires a secret key on the mail servers that must be periodically updated.

Boomerang does not perform encryption. Instead, it generates a one-way hash and recalculates it when required to verify data integrity.
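As an added illustration of the tag-and-recalculate idea described under “Fighting Backscatter with Boomerang” above, and of why the secret key on the mail servers has to be rotated with care, here is a BATV-style tagger with a key ring. This is example code, not Boomerang or BATV as shipped; the tag layout, key ids, day-based expiry and secrets are assumptions of the example.

```python
"""BATV-style bounce tagging with a rotating key ring, as Boomerang is
described: a keyed one-way hash that is recalculated on the bounce."""
import hashlib
import hmac

PREFIX = "prvs="  # tag marker; the layout below is an assumption of this example


class BounceTagger:
    def __init__(self, keys, current_key_id, lifetime_days=7):
        # keys: constructed key ring, key id -> secret bytes
        self.keys = dict(keys)
        self.current = current_key_id
        self.lifetime = lifetime_days

    def rotate(self, new_id, secret):
        """Start tagging with a new key. The old key must stay in the ring
        until every message tagged with it can no longer bounce."""
        self.keys[new_id] = secret
        self.current = new_id

    def retire(self, key_id):
        """Drop a key once all of its tags have aged past lifetime_days."""
        del self.keys[key_id]

    def _mac(self, key_id, day, sender):
        # Truncated keyed hash over (day, sender); no encryption, nothing to decode.
        data = f"{day}:{sender}".encode()
        return hmac.new(self.keys[key_id], data, hashlib.sha256).hexdigest()[:12]

    def tag_sender(self, sender, today):
        """Rewrite the envelope sender of an outbound message so that any bounce
        comes back to the tagged address. today is a day number."""
        local, _, domain = sender.partition("@")
        mac = self._mac(self.current, today, sender)
        return f"{PREFIX}{self.current}={today}={mac}={local}@{domain}"

    def classify_bounce(self, rcpt, today):
        """Classify an inbound NDR by the address it is addressed to.
        Returns (verdict, original_sender)."""
        if not rcpt.startswith(PREFIX):
            # No tag: the original never went out through us (footnote [2]
            # in the post) or the sender was simply forged -> backscatter.
            return "backscatter: missing tag", rcpt
        try:
            key_id, day, mac, sender = rcpt[len(PREFIX):].split("=", 3)
            key_id, day = int(key_id), int(day)
        except ValueError:
            return "backscatter: malformed tag", rcpt
        if key_id not in self.keys:
            return "backscatter: unknown key id", sender
        if not 0 <= today - day <= self.lifetime:
            return "backscatter: expired tag", sender
        if not hmac.compare_digest(mac, self._mac(key_id, day, sender)):
            return "backscatter: bad tag", sender
        return "legitimate", sender


if __name__ == "__main__":
    t = BounceTagger({1: b"constructed-secret-1"}, current_key_id=1)
    out = t.tag_sender("alice@example.com", today=19000)
    print(out, t.classify_bounce(out, 19002), t.classify_bounce("alice@example.com", 19002))
```

Retiring a key too early turns every bounce still carrying its tag into “unknown key id”, which is the rotation mistake the key lifecycle has to prevent.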

2. Time-of-Click URL protection

Time-of-Click URL protection uses a symmetric encryption key. The feature is not yet available but the way it works is that important components of the message are encrypted into a rewritten URL. This is done so an administrator can later search logs to see if someone clicked on a malicious URL.

This feature requires encryption keys deployed in two places – on the mail servers (the same as Boomerang) and also on the web servers (to decrypt and validate data).

The encryption keys similarly require a key lifecycle and must be periodically rotated.

Both of these features use a single key across all customers. The keys are not stored in clear text; instead, we make use of the Windows Data Protection API (DPAPI) to securely store the keys in a central location before deployment to all the mail servers, and then securely roll them out everywhere, where they remain protected by DPAPI.

In other words, there is little resemblance to my copy/pasting a secure key on my own machine where I can view it whenever I want in clear-text. That is not possible here.

3. Outbound DKIM

Outbound DKIM is much different than either Boomerang or Time-of-Click protection.

DKIM requires customers to upload their own private DKIM keys to Office 365. During mail flow, we need the DKIM keys in clear text in order to affix a digital signature.

Rather than storing all of the keys on the mail servers, DKIM keys are stored in a key vault. Office 365 does not store the clear-text keys, it only stores the key IDs and encrypted keys (in fact, the clear-text keys are never stored anywhere). During mail flow, a secure call (using an authentication token) is made to the key vault to decrypt the private DKIM key so it can sign the message. After it finishes signing, the key is discarded.

Outbound DKIM is both a little simpler and a little more complex than either of the previous two features. Key rotation is required to protect the private DKIM keys, rather than to sign new data. It also requires management of the authentication token.

Finally, I had the opportunity to perform a real life key rotation earlier this year.

4. DKIM key rotation for Microsoft

Microsoft uses ExactTarget for some of its email campaigns. Earlier this year, I discovered that there was a DKIM key that was old and could be rotated so that it used a longer key.

I worked with a contact at ExactTarget to create a new DNS record for a subdomain within microsoft.com and publish the public key while they updated the corresponding private key. We tested it, verified it worked, and we now have the key working in production.

Whew. That’s a lot of work with keys.

I still don’t feel very confident with key management. I feel like I am missing something (actually, many things) but I don’t know what. I also feel that I don’t understand well enough the existing process that I have helped define.

But at least I am learning.

I am now helping out a little bit with Hotmail and outlook.com


One of the projects I will be working on going forward is helping out with some of the filtering with outlook.com.

In case you haven’t heard, over the past few months Microsoft has merged together the spam filtering units responsible for protecting Office 365 (also known as Exchange Online Protection (EOP), formerly known as Forefront Online Protection for Exchange (FOPE), previously known as Frontbridge) and outlook.com (formerly known as Hotmail). Instead of two different teams with some data sharing, it will be one team with lots of data sharing although not necessarily the same filters – consumer email and enterprise email are different.

To that end, I will be taking over some duties for Hotmail that also show up in Office 365. For example, Hotmail supports both DKIM and DMARC, so the equivalent feature in Office 365 will be the same one Hotmail uses once it moves over to the Office 365 infrastructure (I am working on the Office 365 version of DKIM and DMARC). Similarly, the Boomerang feature in Office 365 is the same one that Hotmail currently uses and will use.

The main piece I will be inheriting is some of the Safety UX (user experience) for both systems’ web interfaces. You may have noticed that Hotmail shows a green shield next to trusted users in its webmail:


We are looking to ensure both Office 365 and outlook.com – on both web, mobile and tablet – all show the same thing for both trusted senders and spoofed messages. Thus, if you’re an outlook.com user and you’re used to seeing a red line when a message is spoofed, when your business goes to Office 365 you’ll see the same thing (this does not necessarily mean that the Outlook client will show the same thing, that’s not decided yet; I don’t know if my scope of responsibilities includes it).

So, my component is figuring out how it looks in some of the web clients and how (if?) we can make it better than it is today; what criteria to use to show these properties; and how it all ties together with spam, phishing, and authentication.

Before you get too excited that “Finally! Someone I know works in Hotmail and I can get them to change Feature X so I can deliver to Customer Y!” let me say this – I don’t work on the general spam filter in Hotmail, nor work with their deliverability team. I know people there but don’t have that much input. So, I can’t help you much in that regard.

But at least you know what I’ll be working on for the next little while.
