Mines S/MIME Certificate Pilot - Phil Romig - Steve Ardern

Transcript of Mines S/MIME Certificate Pilot - Phil Romig - Steve Ardern

Why Bother?

● 95% of all attacks on enterprise networks are the result of successful spear phishing (Alan Paller, director of research at SANS)
● New York Times hack
● South Korea banking hacks

Whaling

“As the name suggests if you think about it, whaling is a variation of phishing. But the targets are a whole lot "bigger" -- like CEOs and other boardroom execs.” – http://www.scambusters.org/

➔ It's not SPAM. This is a very carefully crafted email sent to one or two high-profile employees.

➔ Scammers are not after identities. The goal is to take control of the victim's PC, allowing them to steal passwords and confidential information.

FBI reports “several” victims at major financial institutions and other Fortune 500 companies fell for a fake subpoena. The payload installed data-mining and keystroke-capturing software.

Why Bother?

From: Terence Parker
Date: August 8, 2011 5:39:23 AM MDT
To: Reed Maxwell <[email protected]>
Subject: Negative Report of MINES from Washington DC
Reply-To: Terence Parker <[email protected]>

Hi,
It's for your reference and look forward to your reply.
http://mines.edu.bg-news.org/Negative_Report_of_MINES_from_Washington_DC.zip
Best regards,
Dr. Terence Parker
Provost and Executive Vice President

Why Bother?

-------- Original Message --------
Subject: a plagiarized dissertation
Date: Mon, 16 Apr 2012 06:03:40 -0700
From: Roderick Eggert
Reply-To: Roderick Eggert
To: Important CSM Faculty

Hi,
Attached is a dissertation, which I thought most of it was plagiarized from yours.
http://dissertation.fake.com/Magnetic_Properties_of_Materials.zip

Roderick Eggert
Professor and Division Director
Division of Economics and Business
Colorado School of Mines

--------------------------------------------------------------------------------
NOTICE: This message (including any attachments) from Wiley Rein LLP may constitute an attorney-client communication and may contain information that is PRIVILEGED and CONFIDENTIAL and/or ATTORNEY WORK PRODUCT. If you are not an intended recipient, you are hereby notified that any dissemination of this message is strictly prohibited. If you have received this message in error, please do not read, copy or forward this message. Please permanently delete all copies and any attachments and notify the sender immediately by sending an e-mail to [email protected]. As part of our environmental efforts, the firm is WILEY GREEN(TM). Please consider the environment before printing this email.

Why Bother?

If you wanted to break into your school, whose PC would you target?

Goals

● Begin to develop a culture among our users whereby they notice if email from colleagues does not include an S/MIME certificate.

● Start by providing all 51 I.T. staff members with a certificate.
  ● Easy group to experiment with.
  ● Reasonably wide variety of technologies in use.

● Increasing number of spear-phishing attempts using fake HelpDesk or virus warnings.

S/MIME Introduction

● S/MIME – Secure Multipurpose Internet Mail Extensions
● Widely supported standard used to secure emails

● Allows digital signing of messages (non-repudiation)
● Allows encryption of messages (confidentiality)

● Client-based, requires:
  ● Cryptographic key pair
  ● User's private key used for signing
  ● Recipient's public key used for encryption
  ● Public pieces are signed by a trusted CA
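The pilot's first goal is that users notice when mail from a colleague is not S/MIME signed. The following is an added example, not part of the presentation, showing the check a mail gateway or client rule can make using only Python's standard library: it recognises the two S/MIME signature formats described above (detached multipart/signed and opaque application/pkcs7-mime) and also flags the Reply-To domain mismatch visible in both sample phishing messages. The sample messages, the domain mines.example and the placeholder signature blob are all constructed for this example.

```python
"""Flag mail that lacks an S/MIME signature or has a mismatched Reply-To."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample: a signed message as a pilot participant would send it.
# Only the MIME structure matters here; the PKCS#7 blob is a placeholder.
SIGNED_SAMPLE = b"""From: Reed Maxwell <reed@mines.example>
To: Phil Romig <phil@mines.example>
Subject: Pilot status
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Certificates for the IT staff are issued.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIIB...placeholder...
--b1--
"""

# Constructed sample modelled on the fake "Provost" message: unsigned, and
# Reply-To points at a domain the sender does not control.
PHISH_SAMPLE = b"""From: Terence Parker <provost@mines.example>
Reply-To: Terence Parker <tparker@bg-news.example>
To: Reed Maxwell <reed@mines.example>
Subject: Negative Report of MINES from Washington DC
Content-Type: text/plain

It's for your reference and look forward to your reply.
http://mines.example.bg-news.example/report.zip
"""

def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)

def is_smime_signed(msg: EmailMessage) -> bool:
    """True for either RFC 8551 signature form: detached or opaque."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        return msg.get_param("protocol", "").lower() == "application/pkcs7-signature"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return msg.get_param("smime-type", "").lower() == "signed-data"
    return False

def domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def assess(raw: bytes, internal_domain: str = "mines.example") -> list[str]:
    """Return findings for one message; an empty list means nothing suspicious."""
    msg, findings = parse(raw), []
    if domain(msg.get("From", "")) == internal_domain and not is_smime_signed(msg):
        findings.append("unsigned mail claiming to be from " + internal_domain)
    reply_to = msg.get("Reply-To", "")
    if reply_to and domain(reply_to) != domain(msg.get("From", "")):
        findings.append("Reply-To domain differs from From domain")
    return findings
```

Presence of a signature is only the first gate: the signature must still verify against a chain ending at a CA the client trusts, which is the "Certificate Validation" open question later in the deck.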

S/MIME Vendor Selection

● We are not, currently, a member of InCommon
● Cannot mint our own externally trusted certificates for mines.edu

● Selected vendor: Comodo
  ● Mines.edu verification: letter signed by CIO, Derek/Phil match whois, used postmaster
  ● Has admin console through which certificates can be requested
  ● $12 per issued S/MIME certificate

● Other vendor: Symantec/Verisign
  ● Puts “Persona Not Validated” into the CN: field (best practice)

Requesting certificates

● Requests are made by our Comodo account administrator
● Each requestee receives an email from Comodo
● Goes to Comodo's issuance website
● Inputs their email address, along with the provided “pickup” password
● Accepts T&Cs
● Key generation happens locally through the browser (truly private?)
● Public key is signed and a certificate is issued
● User should create a password-protected backup
● This is used across all the user's email clients

Supporting documentation

● Documentation created for “most” of our users:
  ● Mozilla Thunderbird (cross-platform)
  ● Microsoft Outlook (on Windows & Mac)
  ● Apple Mail (on OS X & iOS)
  ● Microsoft's OWA through Internet Explorer (Windows)
  ● Android Mail Reader

● Certificate import instructions for:
  ● Mozilla Firefox
  ● Internet Explorer
  ● Safari
  ● Google Chrome

S/MIME setup

● Example: Outlook (Windows)

Issues

● Privacy of keys: generation does not involve sending CSRs
● “To encrypt, or not to encrypt, that is the question.”

● Need the recipient's public key through their S/MIME certificate
● How can we make everyone's public key available?
  ● Manually send a signed message to the IT staff mailing list?
  ● Publish to GAL (Global Address List inside AD – Windows only)?
  ● Publish to some other centralized directory (like OpenLDAP)?
  ● Centrally collect and disperse out to the users?

● Question: do we want to do this for everyone?
  ● (Legal issues with, for example, PEDs?)

Open Questions

● Encryption!
● Key privacy
● Certificate validation
● InCommon