Archive
ذا ميستيريوس كيس اوف الشركات اللي اتنصب عليها في ملايين
على مدار السنة اللي فاتت ، اشتغلت مع كام شركة اتنصب عليهم في كام مليون حلو كده ، الشركات كلها اتنصب عليهم بنفس الطريقة و نفس الاسلوب ، و للاسف رغم انه الخدعة بسيييييطة جدا الا انها صعب جدا كشفها و فعلا جهنمية ، خلينا نشوف
خطوة رقم 3: يوزر بيكون مش راجل تيكنيكال ، بيكون في العادي بيبعت و بيحول فلوس للخارج ، بيجيلو ايميل تقليدي جدا من شركة هو بيتعامل معاها لاوردر جديد و كل حاجة ، الايميل من ايميل الشركة
خطوة رقم 4: بتفضل الايميلات رايحة جاية عادي ، لحد وقت الاوردر بيجي طلب تغيير الحساب اللي بيتحول ليه الفلوس و تفاصيل التحويل الجديد
لحظة ، هو فين رقم واحد و اتنين ، اتقل…
او في وسط الكلام العادي بيجي ايميل من المورد بطلب تغيير الحساب اللي حاتتحل عليه الفلوس ، طلب عادي من ايميل شركة المورد ، و هنا اليوزر الغلبان بيبص على الايميل ، فعلا من ايميل الشركة ، فيبعت يرد عليه يقوله ممكن تأكد التغيير ، فعلا يجيله التأكيد و هوب يحول الفلوس و بخ
في شركة اعرفها اتنصب عليها في مليون و نص ، و واحدة تانية في 2 مليون ، و في شركة كان حايضيع منها 5 مليون
بس فين المشكلة…..ازاي ده بيحصل….تعالى نشوف
لو شوفت الصورة الاولى ، ده ايميل تقليدي بسيط من ايميلي على الاوتلوك لايميلي على الاوتلوك ، الايميل شكله عااااادي جدا ، بص و راجع كويس
طيب حدوس
Reply
الايميل شكله عادي برضو و تقليدي في الصورة التانية ، ب بص تاني كده ، ستوووووووووووووووووووووووب
بص كويس في الصورة التانية ، في حرف متغير في الايميل ، واخد بالك
بدل
Outlook
بقت
Outluok
و هي دي الثغرة اللي اليوزر الغلبان مش بياخد باله منها خااااااااااااااااااااااااااااااالص
تعالى نبص تاني كده للسيناريو بشوية تفاصيل:
خطوة رقم 1: بيكون حصل اختراق للكومبيوتر في مكان ما اما عند الشركة او المورد و حد شاف الايميلات بين الشركات و عرف طريقة صرف و تحويل الفلوس و الاوردر و فضل لابد في الذرة
خطوة رقم اتنين ، فضل مستني لحد ما اوردر معين حايتحط او تحويل فلوس حايتم و هنا الهاكر يبتدي شغله ، يبعت ايميل من الايميل سيرفر بتاعه بس يضيف في الايميل اللي بيتبعت
Header
بسيط اسمه
Reply-to
في الصورة التالتة حتشوف اني ضفت الهيدر
هنا اما بيجي الايميل في الخطوة 3 ، فهو بيجي شكله من الشركة و طبيعي بطلب تغيير الحساب او تحويل فلوس او او او ، و هنا الراجل بيرد عادي و يطلب التأكيد ، هنا يشتغل ال
Reply-to
و بدل ما يروح الايميل على الايميل اللي في ال
From
بيروح على ال
Reply-to
اللي فيه حرف بسيط متغير اليوزر غالبا مش بياخد باله منه ، ده مش حاجة معقدة لانه ده دور ال
Reply-to
انه بتقول انه الايميل ده جاي من ايميل ، بس الرد يروح لايميل تاني ، بتلاقي الكلام ده كتير اوي في الكساتمر سبورت و الكول سنتر
يبتدي بقا النقاش يتم على الايميل الجديد و الراجل مش واخد باله من حاجة و يجيله التأكيد و كله في السليم و الفلوس تتحول و كل سنة و انت طيب
هل الموضوع ده مؤثر ، فشخ ، و اكتر من شركة اعرفها تم النصب عليها بالشكل ده في ملايين….
طب و الحل يا مرسي ؟!
الموضوع ده معقد اوي لانه ال
Reply to
من ضمن الحاجات التقليدية و الستاندارد بتاعت الايميل هيدرز ، يعني منقدرش نقول انه اي ايميل فيه
Reply-to
يبقا سبام ، مش صح ، ففي عامل مهم جدا على اليوزر ، اضف انه لازم تعمل بروتكشن محترم بيعمل
Anti Spoof
و ان كان الانتي سبوف كان شغال في الحالات دي كلها و مقدرشي يمسكها
مراجع:
Installing Symantec Encryption Server & Exchange 2010 Configuration Part3–Sending Encrypted Emails
In part1 and part 2 we explored the basics of installing the SES and configuring and managing encryption Keys, in this part we will glue part1 and part2 and send encrypted emails.
Understanding Email Policies:
Email policies are the foundation block for handling email, they determine how emails from specific senders sent to specific recipients with specific contents will be handled.
There are set of defaults policies created by default:
they determine how outbound/inbound emails will be handled, the default policy has the following settings:
the outbound client has the following settings:
which tell the SES to encrypt the emails if the source client is SMTP/MAPI to send it to the outbound chain which does the encryption actions:
if we explore the outbound chain, we will find the following settings:
which instructs the SES how to handle specific emails with specific conditions, so I edited this rule and added the “confidential rule”, which encrypts emails sent internally or externally with the word “confidential” in the subject line. You can add your own set of rules to meet your business and enforce certail delivery types link web or protected PDF:
Once you set the rules, you can send encrypted emails, let us see how:
from outlook client, I will send normal email to user@domain.com (which is fictional domain), the client will detect the policy that is set on the server and will send the email out of message steam to the SES:
Because we can’t find a key for user@domain.com, we will send the email to the SES server and the SES will send the user an email notifying him that there is a message waiting him:
In the above email, I am opening the EML file via notepad (I do have only SMTP server at the recipient side), so the message contains the link to open the email (take a look to how the email flowed from the client to keys “the SES Server” to Exchange to the recipient server)
when opening the link, the client will be prompted with the registration (to register in the SES portal with a passphrase), Then the user can login:
Once user login, he can see the email through the portal; The user can reply and interact securely with the internal user or ask for email delivery via secure PDF:
We reached the end of this series, we can send and exchange emails securely with Symantec Encryption Server now. I hope that you liked this series.
Installing Symantec Encryption Server & Exchange 2010 Configuration Part2–Understand key Management
In part 1 https://autodiscover.wordpress.com/2013/05/21/installing-symantec-encryption-management-server-and-exchange-2010-configuration-part1/ we explored the basic steps to install the Symantec Encryption Server.
In This post, we will explore a very important aspect in any encryption solution, which is key management.
Introduction:
to understand what is public/private keys, check these link:
http://www.comodo.com/resources/small-business/digital-certificates2.php
If you read the above articles you will now realize that we will use public and private keys; While Microsoft uses x.509 certificate based on Microsoft CA which utilizes s/MIME to encrypt the messages, Symantec Encryption server uses PGP keys which uses different structure, keys are stored in PGP LDAP server (we will see how to import x.509 certificate to Symantec encryption server later).
Keys Provisioning:
In order for a user to obtain PGP keys, the user must register for PGP keys with the server, let use see the steps to do that.
To Configure email enrolment, first you need to define email route, this tells the encryption server where to send the registration emails and any emails send to your domain, from the control panel, go to mail > mail route and add email route to your server
When you download the Desktop encryption install package and install it on the machine, the client will detect automatically the encryption server and try to contact the server, since I don’t have a valid certificate on my server it will warn me; Click on always trust this site.
enter the email address:
the user will receive an encrypted email
once the user opens the encrypted email he/she can continue the registration:
verify the username and email address:
create a passphrase to protect your key (remember this step as we will talk about it later in details when speaking about the key storage types):
the key will be generated for the user:
now when you open the Encryption Desktop, you will see the keys and policies created by the encryption server assigned to the user:
in the console, you can see the list of managed keys as well:
If you click on the key mode button (from the Desktop Encryption window), you will see that the key is operating ins SKM mode; so what is that?!
Keys in Symantec Encryption Server operates in different modes, the modes are:
- Server Key mode: In this mode, the private keys are stored on the server and users can’t manager their keys
- Client Key Mode: In this mode, the private keys are not stored on the servers and users must manage their own private key and protect it.
- Guarded Key Mode: In this mode, a pass phrased protected private key is stored on the server and clients manage their key
- Server Client Key Mode: a sub key of the private key is stored on the server, the private key still stored on the client.
you must be very careful when selecting the key mode in your environment; depending on the key mode, you will have or lose some features as per the below table:
for the first instance, SKM might be the ultimate answer, but you have to be aware that administrators have control over private keys, so this might be a security concern.
To change the mode of the key being used, click on the reset key button and you will be taken through a page that will help you selecting the appropriate key mode.
you can also restrict the modes available in your organization, to do so, edit the consumer policy and change the available modes:
Installing Symantec Encryption Management Server and Exchange 2010 Configuration Part1
In this blog series, we will install together Symantec Encryption Server (previously known as PGP universal server) and configure it to work with Exchange 2010. Additionally we will explore some cool features around virtual disks, disk encryption and secure email delivery.
The Symantec Encryption Server binaries are certified to be installed as virtual and this is the recommended use from Symantec, and this is the method we will use in our environment.
Symantec Encryption Server can manage several different encryption products and solutions including:
- Symantec encryption email gateway.
- Symantec Encryption Desktop.
- Symantec File share encryption.
- Symantec Encryption portable.
- Symantec Drive encryption.
In this blog, we will install the Symantec Encryption Server v3.3, the latest version (at this time) of the product. There are several design and architectural decision elements that must be taken into consideration for several features to work; we will explore them later.
To install Symantec Encryption Server, download the ISO image and create a virtual machine, the documentation and install guide mandate that the VM must be created with Kernel 2.6 x86, 4 GB memory for single instance and 8 GB for HA instances.
Once you start the VM with the ISO attached, follow the simple install wizard that will take you through the installation steps:
In the IP address field, specify the IP address for the appliance:
Specify the Gateway and DNS servers:
Specify the host name; one important point is to note that your appliance MUST be named (keys.domain.com), this is mandatory if you want to cooperate with other PGP key servers. PGP keys servers contacts the recipients keys servers “if available” (if the server can’t locate a public key for the recipients) on keys.domain.com, thus if you want to facilitate exchange secure emails with external parties you must name the server’s FQDN keys.domain.com and this name must be reachable from outside.
Once you finish the wizard, the setup will start automatically, once finished the appliance will reboot and the post complete setup will be launched:
accept the license agreement
from the installation type, choose the installation mode. since this is the first server we will choose new installation.
set the time/date:
Confirm the IP settings:
Confirm the setup summary:
Reboot:
Enter the license information:
Enter the administrator information and password:
enter the primary domain that you use to send/receive emails:
To protect the server in case it is physcially attacked you must configure the ignition keys, I will use a passphrase as my ignition keys; enter them and continue:
review the setup summary:
Once setup completes you can login to the admin console on https://keys.domain.com:9000
This completes the Symantec Encryption Server installation, in Part 2 we will continue with the initial setup and keys management, part 2 and 3 will be fun, so stay tuned 
.
The Windows Server 2012 new File Server–part 2- Install AD RMS #Microsoft #winserv 2012 #mvpbuzz
Part1: The Windows Server 2012 new File Server–part 1- Access Conditions #Microsoft #winserv 2012 #mvpbuzz
http://goo.gl/FtWbi
Part3:https://autodiscover.wordpress.com/2012/09/10/the-new-file-serverpart3-using-file-classification-adrms-microsoft-winserv-2012-mvpbuzz/
http://goo.gl/A4JlC
In Part 2 of this blog series, We will continue our exploration of the new File Server functionality, In order to complete our journey we will stop by one of my favourite but less fortunate features, Active Directory Rights Management Server.
Active Directory Rights Management Server or AD RMS has been around for several years, and for hidden and secret reasons it wasn’t adopted by a lot of customers, although I believe it is one of the most important features of Windows Server.
What is Active Directory Rights Management Services?
An AD RMS system includes a Windows Server® 2008-based server running the Active Directory Rights Management Services (AD RMS) server role that handles certificates and licensing, a database server, and the AD RMS client. The latest version of the AD RMS client is included as part of the Windows Vista® operating system. The deployment of an AD RMS system provides the following benefits to an organization:
- Safeguard sensitive information. Applications such as word processors, e-mail clients, and line-of-business applications can be AD RMS-enabled to help safeguard sensitive information Users can define who can open, modify, print, forward, or take other actions with the information. Organizations can create custom usage policy templates such as “confidential – read only” that can be applied directly to the information.
- Persistent protection. AD RMS augments existing perimeter-based security solutions, such as firewalls and access control lists (ACLs), for better information protection by locking the usage rights within the document itself, controlling how information is used even after it has been opened by intended recipients.
- Flexible and customizable technology. Independent software vendors (ISVs) and developers can AD RMS-enable any application or enable other servers, such as content management systems or portal servers running on Windows or other operating systems, to work with AD RMS to help safeguard sensitive information. ISVs are enabled to integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems, automated workflows, and content inspection.
More Information: http://technet.microsoft.com/en-us/library/cc771627(v=ws.10).aspx
In this blog we will install AD RMS on a new Windows Server 2012 machine, this machine will be used later in my next blog post for Data Classification and policy enforcement.
Installing Active Directory Rights Management Server in Windows Server 2012:
The AD RMS setup has been dramatically improved, in the old days it was hard, and even the improved setup experience in Windows 2008 is no match for the improved setup in Windows Server 2012, and as you can expect everything is controlled by the server manager so to install AD RMS, open the Sever manager and Select Add Roles and Features, from there select AD RMS, Once installed, the Server Manager will tell you that there is pending configuration
In the following screen, select the perform additional configuration:
and in the welcome screen click next:
In the AD RMS Cluster, and since this is the first server, we will create a new cluster:
In the Configuration Database, I will use internal Database, this is a lab environment but make sure to have the proper SQL installation in place if you are using the ADRMS setup in production:
In the Service Account, type in a designated service account, this is a normal account with special permissions (if you are installing the AD RMS on a DC”for testing”, this account must be a member of the Builtin “Administrators” group:
In the Cryptographic mode, Select mode-2 it is much more secure:
In the Key Storage, I will choose to use AD RMS to store the Key:
In the key password, supply a password to protect the key:
In the AD RMS Website, Select the Web Site that will host the AD RMS web services:
In the Cluster Address, Specify the FQDN that will be used my the clients to communicate with the AD RMS Server and the transport protocol, I will keep it simple and choose the HTTP, however you might want to use HTTPS since it is more secure:
In the Server Licensor Certificate name, specify a name for the certificate, and click next:
In the AD RMS service registration, register the AD RMS SCP unless for mysterious reasons you want to do it later:
In the installation summary, review the installation and click install:
Congrats, once finished you then you completed the AD RMS installation, you can configure templates and additional configuration.
In the next blog post, we will see how we can use the AD RMS and Data classification infrastructure to protect valuable and confidential data, on file shares.
The Windows Server 2012 new File Server–part 1- Access Conditions #Microsoft #winserv 2012 #mvpbuzz
Part2: The Windows Server 2012 new File Server–part 2- Install AD RMS #Microsoft #winserv 2012 #mvpbuzz
http://goo.gl/dRHro
Part3:https://autodiscover.wordpress.com/2012/09/10/the-new-file-serverpart3-using-file-classification-adrms-microsoft-winserv-2012-mvpbuzz/
http://goo.gl/A4JlC
I am so excited about the new Windows Server 2012, a lot of nice features and a lot of enhancement but one particular enhancement I am so interested in was around file servers.
for years, File Servers have been the same, a normal share that resides on the server and accessed by users, that is what they are and what they do, nothing new to introduce.
But with the recent increase of security demand, and huge need for DLP (Data leak prevention) and with the believe that most of leaks happens from employees not from hackers or intruders, companies kept looking to enhance their file servers.
The question now days is not about who is accessing the files, but it is about auditing that access, continuously enforcing that access, controlling the access and additionally knowing what is on that share and what sort of data inside and from where it is accessed.
let us take a normal example, a file share is located on corporate network, in the old days the control was only enforced by the File share and NTFS permissions, but there are some catches:
- if the user has permissions to access the file share, he can access it from everywhere, he can access it from a kiosk on the hotel, from his IPAD or tablet device without any control, as long as he has access to data using permissions he can do access it from anywhere (provided that there is a remote access).
- if he got access to the share, does that mean that he is allowed to access the data within the share, for example a share that is created for the R&D team contains all the R&D files, but not all R&D team members ]have the same level of access, now if a confidential file has been mistakenly placed on the share, all of the users who have access to the share can see the confidential data. although users should be aware about data confidentiality, but the company must be able to continuously control the data access on the data files themselves without warring about human mistakes which happens, and this is a big portion of the DLP controls.
- Controlling Access properties using groups are really tricky, and more often groups are created to reflect access criteria, so we have a group for Egypt’s Accountants, and another group for Qatar’s Accountants, and a third groups for Egypt’s Accountants with confidential data…etc and group counts can grow and grow to thousands and thousands of groups to reflect the needed level of access.
Windows Server 2012 comes with a lot of handy features that we will explore in this blog series, talking about Access Conditions, Data Classification, Dynamic Access Controls and Rights Management enforcement.
In Part1, we will explore the new security permissions wizard and the new device permissions in Windows Server 2012.
(My lab setup contains only 1 Domain Controller and 1 file Server both running Windows Server 2012 ENT Edition).
NTFS permissions and the new Device Rules:
I have now a normal file share that is shared with the finance admin group:
This is a normal group that has been created in AD and contains one user account (Finance User) who is a finance admin, he has read only access permissions, this is what we have been doing for the past 20 years.
Now, the company wants him to access the share only from specific group of computers (for the sake of this blog we will use normal blog, in part 3 we will talk about claims based authentication where we will explore claims authentication and we will be able to query the device claims on the fly for more properties and control and access dynamically).
Now I created a Group and Placed Finance User1 computer in it (in this case the File Server), this means that if he logs from the DC on that file share he will not be able to access it. let us see how:
If we go to the Security properties and the advanced share permissions, we can see the FinanceAdmin read and execute permissions, if we click Edit:
We Will see the new security permission wizard:
The above wizard has been enhanced to reflect more usability and control over the process, and also a new section called conditions, let us explore this condition section.
If you click Add a Condition , you will get a new line of condition to control the access:
now we can place some conditions on the user how is accessing, the resource he is trying to access or the device he is accessing from, now let us create a condition to give the user access from a specific device, the device can only be queried about its group membership in later blog post we will see how to query for more properties using claims, now we can select if it is a member of any or each or not member of specific groups, I will control using any and specific my group:
My rule will control the access based on the AllowedFinancePCs which contains the computers from where the financeadmin group can use to access the files, they can login to any device in the corporate by only access the files if they use specific devices to access it “Sweeeeeeeet” 
:
Now, The final Security permissions will be like:
Now let us try it:
I logged on locally to the Fileserver, when I try to access the file I can’t although I have the permission and login locally but I am not using the authorized machine to do that:
if we examine the permissions using the effective permissions. if the user tries to login from the 2008DC machine he will have no permissions:
But if he tries from another machine from the allowedFinancePC group, he will have read permissions:
Note: During my lab I have tried the above setup and didn’t work, although conditions worked correctly for users, it looks like something that needs to be enabled or configured in specific way, I am pinging Microsoft folks and when I reach a solution I will update this blog.
In this lab we have explored the new options for setting access permissions, this is very powerful controlling who and from where can access the data.
In the next blog we will see the power of data classification in Windows Server 2012, Stay Tuned.
Linked In
the New Experts-Exchange.com
Share This Blog
Recent Visitors Traffic
Be Busbared 