
    PrivacyScore: Improving Privacy and Security via Crowd-Sourced Benchmarks of Websites

    Website owners make conscious and unconscious decisions that affect their users, potentially exposing them to privacy and security risks in the process. In this paper we introduce PrivacyScore, an automated website scanning portal that allows anyone to benchmark the security and privacy features of multiple websites. In contrast to existing projects, the checks implemented in PrivacyScore cover a wider range of potential privacy and security issues. Furthermore, users can control the ranking and analysis methodology, so PrivacyScore can also be used by data protection authorities to perform regularly scheduled compliance checks. In the long term we hope that the transparency resulting from the published benchmarks creates an incentive for website owners to improve their sites. The public availability of a first version of PrivacyScore was announced at the ENISA Annual Privacy Forum in June 2017.
    Comment: 14 pages, 4 figures. A German version of this paper discussing the legal aspects of this system is available at arXiv:1705.0888

    Teaching Tip: Hook, Line, and Sinker – The Development of a Phishing Exercise to Enhance Cybersecurity Awareness

    In this paper, we describe the development of an in-class exercise designed to teach students how to craft social engineering attacks. Specifically, we focus on the development of phishing emails. Providing an opportunity to craft offensive attacks not only helps prepare students for a career in penetration testing but can also enhance their ability to detect and defend against similar methods. First, we discuss the relevant background. Second, we outline the requirements necessary to implement the exercise. Third, we describe how we implemented the exercise. Finally, we discuss our results and share student feedback.

    Using a Certificate Public Key to Protect DKIM Public Key Spoofing

    Brand Indicators for Message Identification (BIMI) is a standard that allows domain owners to coordinate with Mail User Agents (MUAs) to display brand-specific indicators or logos next to properly authenticated messages. A Verified Mark Certificate (VMC) allows an email service to authenticate a logo, but currently BIMI is susceptible to DNS spoofing attacks. In this work, BIMI messages are protected from DNS spoofing by aligning the message’s DomainKeys Identified Mail (DKIM) public key with the public key associated with the VMC. The email service may validate the alignment between the keys as part of the authentication of the message. When the keys match, the email service may display the indicator or logo along with the message. When the keys do not match, the email service may reject the authentication and not display the logo or indicator.
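    The key-alignment check described above, as an added example that is not code from the paper: it assumes the VMC's public key is available as a PEM-encoded SubjectPublicKeyInfo (what `openssl x509 -pubkey -noout` prints) and compares its DER bytes with the `p=` value of the DKIM selector record, which per RFC 6376 carries the same SubjectPublicKeyInfo in base64. The key bytes, DKIM record and PEM blocks are constructed, not real keys; the record is deliberately split with a space the way resolvers return multi-chunk TXT records, and an empty `p=` (a revoked key) is treated as not aligned.

```python
"""Check that a DKIM selector record's public key is the key in a VMC.

Added example, not code from the paper. Assumes the VMC public key is given
as a PEM SubjectPublicKeyInfo and the DKIM record follows RFC 6376.
"""
import base64
import hashlib
import re
from typing import Optional

# Constructed sample bytes standing in for a DER-encoded SubjectPublicKeyInfo.
# A real key is a few hundred bytes; the comparison does not care.
SAMPLE_SPKI_DER = b"\x30\x2a" + b"constructed-spki-not-a-real-key!" + b"\x00" * 8


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the body; ValueError on junk input."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("no PUBLIC KEY block in PEM input")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def parse_dkim_record(txt: str) -> dict:
    """Parse the tag=value list of a DKIM key record (RFC 6376 section 3.6.1).

    Long TXT records come back from DNS as 255-byte chunks that resolvers
    often re-join with spaces; whitespace inside the base64 p= value is
    ignored, as the RFC requires.
    """
    tags = {}
    for field in txt.split(";"):
        if "=" not in field:
            continue
        name, value = field.split("=", 1)
        tags[name.strip()] = "".join(value.split())
    return tags


def dkim_public_key_der(txt: str) -> Optional[bytes]:
    """Return the SubjectPublicKeyInfo DER from a DKIM record, or None when
    the record revokes the key (empty p=, which RFC 6376 defines)."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 key record")
    p = tags.get("p")
    if p is None:
        raise ValueError("DKIM record has no p= tag")
    if p == "":
        return None  # revoked key: never aligned
    return base64.b64decode(p, validate=True)


def spki_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER, convenient for logging which key was seen."""
    return hashlib.sha256(der).hexdigest()


def keys_aligned(dkim_txt: str, vmc_pubkey_pem: str) -> bool:
    """The alignment rule: show the logo only if the DKIM signing key and the
    key certified by the VMC are the same key."""
    dkim_der = dkim_public_key_der(dkim_txt)
    if dkim_der is None:
        return False
    return spki_fingerprint(dkim_der) == spki_fingerprint(pem_to_der(vmc_pubkey_pem))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (used here only to build sample input)."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


# Constructed inputs: a DKIM record whose p= is split across TXT chunks, the
# matching VMC key, a different key, and a revoked selector.
GOOD_B64 = base64.b64encode(SAMPLE_SPKI_DER).decode()
DKIM_TXT = "v=DKIM1; k=rsa; p=" + GOOD_B64[:20] + " " + GOOD_B64[20:]
VMC_PEM = to_pem(SAMPLE_SPKI_DER)
OTHER_PEM = to_pem(b"\x30\x2a" + b"a-different-constructed-key-here" + b"\x00" * 8)
REVOKED_TXT = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    print("same key:   ", keys_aligned(DKIM_TXT, VMC_PEM))
    print("other key:  ", keys_aligned(DKIM_TXT, OTHER_PEM))
    print("revoked key:", keys_aligned(REVOKED_TXT, VMC_PEM))
```

    Comparing the SubjectPublicKeyInfo rather than a key modulus means the check also fails when the algorithm or parameters differ, and a receiver can log the fingerprint of whichever key failed alignment without reproducing the key material.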

    EMAIL VERIFICATION SERVICE USING BLOCKCHAIN

    Current email security solutions rely on a variety of attributes to reduce the chance that a given email (mail) is a threat. However, current solutions make it relatively easy to target corporate organizations with a Business Email Compromise (BEC) attack. A BEC attack is a mail that carries no malicious payload but defrauds key people in an organization into performing, for example, wire transfers supposedly meant for suppliers or partners abroad. The U.S. Federal Bureau of Investigation (FBI) has been tracking BEC, also known as email fraud and email account compromise (EAC), domestically and globally since October 2013. The recent trends related to fraudulent wire transfers and unauthorized disclosures of employee data are alarming: total identified global exposed losses now exceed $12.5 billion (up from $5.3 billion in December 2016). More than 30,000 victim complaints were submitted between June 2016 and May 2018 via the recently launched Internet Crime Complaint Center (IC3) complaint form. BEC scams targeting the real estate sector rose more than 1,100% between 2015 and 2017. Wage and tax documentation BEC scams extend the threat beyond wire transfers and continue to grow. The US Internal Revenue Service (IRS) indicated it received approximately 900 reports of Form W-2 scams in 2017 (compared to just over 100 reports in 2016). The underlying problem is that there is no definitive way to verify that a mail was sent by a particular sender to a group of recipients.

    DANE Trusted Email for Supply Chain Management

    Supply chain management is critically dependent on trusted email mechanisms that address forgery, confidentiality, and sender authenticity. The IETF protocol ‘DNS-based Authentication of Named Entities’ (DANE) described in this paper has been extended from its initial goal of providing TLS web site certificate validation to also offer a foundation for globally scalable and interoperable email security. Widespread deployment of DANE will require more than raw technology standards, however. Workflow automation mechanisms will need to emerge in order to simplify the publishing and retrieval of cryptographic credentials for general audiences. Security policy enforcement will also need to be addressed. This paper gives a descriptive tutorial of trusted email technologies, shows how DANE solves key distribution logistics, and then suggests desirable automation components that could accelerate deployment of DANE-based trusted email. Pilot deployments are briefly described.
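    The abstract says DANE "solves key distribution logistics" without naming the records involved. The following is an added example, not code from the paper or its pilot deployments, that builds the DNS owner names DANE uses for mail (OPENPGPKEY per RFC 7929, SMIMEA per RFC 8162, and TLSA for an SMTP server per RFC 7672) together with the hash a "3 1 1" TLSA record carries. The address, host name and SPKI bytes are constructed; the local-part handling assumes plain ASCII addresses.

```python
"""DANE owner names and association data for e-mail.

Added example, not from the paper. The local-part label is the SHA-256 of
the UTF-8 local-part truncated to 28 octets (56 hex characters), as RFC 7929
and RFC 8162 specify; the RFCs hash the local-part as given and do not
lowercase it, which is a well-known deployment caveat.
"""
import hashlib


def localpart_label(local_part: str) -> str:
    """Left-most label of an OPENPGPKEY or SMIMEA owner name."""
    return hashlib.sha256(local_part.encode("utf-8")).hexdigest()[:56]


def split_address(address: str):
    if "@" not in address:
        raise ValueError("not an e-mail address: %r" % address)
    local, domain = address.rsplit("@", 1)
    return local, domain.lower().rstrip(".")


def openpgpkey_name(address: str) -> str:
    """Owner name to query for the OpenPGP key of an address (RFC 7929)."""
    local, domain = split_address(address)
    return "%s._openpgpkey.%s." % (localpart_label(local), domain)


def smimea_name(address: str) -> str:
    """Owner name to query for the S/MIME certificate of an address (RFC 8162)."""
    local, domain = split_address(address)
    return "%s._smimecert.%s." % (localpart_label(local), domain)


def smtp_tlsa_name(mx_host: str, port: int = 25) -> str:
    """Owner name of the TLSA record an SMTP client checks for an MX host."""
    return "_%d._tcp.%s." % (port, mx_host.lower().rstrip("."))


def tlsa_311_record(spki_der: bytes) -> str:
    """Usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo), matching type 1
    (SHA-256): the form RFC 7672 recommends for SMTP servers, so the record
    stays valid across certificate renewals that keep the same key."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


# Constructed sample: these bytes stand in for a real DER-encoded key.
SAMPLE_SPKI_DER = b"constructed-spki-bytes-not-a-real-key"

if __name__ == "__main__":
    print(openpgpkey_name("alice@example.com"))
    print(smimea_name("alice@example.com"))
    print(smtp_tlsa_name("mx.example.com"))
    print(tlsa_311_record(SAMPLE_SPKI_DER))
```

    A verifier must fetch these records with DNSSEC validation and treat an unvalidated answer as "no record"; without that, the name-to-key binding is only as trustworthy as the resolver path.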

    Malicious email mitigation strategies

    Introduction
    Socially-engineered emails containing malicious attachments and embedded links have been observed by the Australian Signals Directorate (ASD) being used in targeted cyber intrusions against organisations. This document has been developed by ASD in collaboration with local and international partners to provide mitigation strategies for the security risk posed by malicious emails. It should be read in conjunction with the advice on email security and content filtering contained in the Australian Government Information Security Manual (ISM). Not every mitigation strategy within this document will be suitable for all organisations. Organisations should consider their unique business requirements and risk environment when deciding which mitigation strategies to implement. Furthermore, before any mitigation strategy is implemented, comprehensive testing should be undertaken to minimise any unintended disruptions to the organisation’s business.

    Design and Implementation of a DMARC Verification Result Notification System

    Damage caused by e-mails spoofed to appear as if sent from a bank, a public organization and so on has become a serious social problem. In such e-mails attackers forge the sender address to defraud receivers of their personal and/or secret information. As a countermeasure against spoofed e-mails, sender domain authentication methods such as SPF and DKIM are frequently utilized. However, since most spoofed e-mails do not include a DKIM signature in their header, those e-mails cannot be authenticated by the conventional system. Additionally, DKIM alone cannot determine whether an attached signature is legitimate for the sender domain. In this paper, we propose a method to detect spoofed e-mails that carry no DKIM signature and alert the user by utilizing DMARC, and we implement a system that sends DMARC verification results to receivers. By utilizing this system, users obtain alerts for spoofed e-mails about which existing systems give no warning.
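    How DMARC yields a verdict for a message that carries no DKIM signature, as an added example that is not the paper's notification system: with no signature, DMARC can pass only through an SPF result for a domain aligned with the RFC5322.From domain, otherwise the domain owner's published policy (p=) applies. The From domains, SPF results and DMARC records below are constructed, and organisational domains are approximated as the last two labels, a simplification of the Public Suffix List lookup RFC 7489 requires.

```python
"""DMARC alignment and policy evaluation for unsigned messages.

Added example, not the paper's code. Inputs are the results a receiver
already has after SPF and DKIM checks plus the sender's DMARC TXT record.
"""
from typing import Optional


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; aspf=r' into a tag dict.
    Alignment modes default to relaxed, as RFC 7489 specifies."""
    tags = {"adkim": "r", "aspf": "r"}
    for field in txt.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    # Simplification: real implementations consult the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain in the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain: str, dmarc_txt: str,
                   spf_result: str, spf_domain: Optional[str],
                   dkim_result: Optional[str], dkim_domain: Optional[str]) -> dict:
    """Return the DMARC verdict and the action the receiver should take.
    dkim_result is None when the message carried no DKIM signature at all."""
    rec = parse_dmarc_record(dmarc_txt)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, rec["adkim"])
    verdict = "pass" if (spf_ok or dkim_ok) else "fail"
    return {
        "dmarc": verdict,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dkim_signed": dkim_result is not None,
        "action": "none" if verdict == "pass" else rec["p"],
    }


# Constructed scenarios; neither message carries a DKIM signature, which the
# paper notes is typical of spoofed mail.
SPOOFED = evaluate_dmarc("bank.example", "v=DMARC1; p=reject; aspf=r",
                         spf_result="pass", spf_domain="attacker.test",
                         dkim_result=None, dkim_domain=None)
LEGITIMATE = evaluate_dmarc("bank.example", "v=DMARC1; p=reject; aspf=r",
                            spf_result="pass", spf_domain="bounce.bank.example",
                            dkim_result=None, dkim_domain=None)

if __name__ == "__main__":
    for name, r in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print("%s: dmarc=%s action=%s dkim_signed=%s"
              % (name, r["dmarc"], r["action"], r["dkim_signed"]))
```

    The spoofed message passes SPF for the attacker's own domain yet fails DMARC because that domain is not aligned with the From domain; a receiver that only checked for a DKIM signature would have nothing to report, which is the gap the paper's notification system targets.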