SwiftOnSecurityDec 31, 2022
Worse, even if you get an email from your mastodon instance (or ANY web service), an authorized SMTP system could have been hijacked and the link directed to a phishing page, potentially even hosted on a hijacked subdomain.
Layers and layers of caution are required whenever you are prompted to take an unusual action.
https://mstdn.social/@stux/109603992325592066
sΡ‚Ο…xπŸŽ„ (@[email protected])

Attached: 1 image ⚠️ WARNING! ⚠️ I just received this email in a catch-all that was addressed to a user. Mastodon does NOT such mails and this leads to a malicious login page! Please make sure you are on the correct instance URL before logging in! Also make sure the emails are send from the instance you are on! Often this email can be found on the /about page #Mastodon

Mastodon 🐘
Show threadSwiftOnSecurityDec 31, 2022
NOTE: Humans reduce their ability to detect/resist fraud when under time pressure. See how the email puts the victim under duress by threatening to delete messages. To act as quickly as possible. This is a huge red flag that will help you if you know to look for it in attacker communications (or life in general). Because attackers know this is a shortcut to better results.
Show threadSwiftOnSecurityDec 31, 2022
At my work we are planning for this kind of nightmare scenario by moving to tightly-governed and logged SMTP relays. It will take a lot of work but giving vendors SPF/DKIM, although MUST be done in interim as soon as possible so you can get DMARC to enforcement, is a blank check when you are an incredibly sensitive service/huge target.
Most should not worry about this there's a 100 things more important but understand the exposure.
Show threadSean Whalen πŸ‘¨πŸΌβ€πŸ¦ΌπŸ³οΈβ€πŸŒˆπŸ‡ΊπŸ‡¦πŸ•ŠοΈDec 31, 2022

@SwiftOnSecurity #DMARC can definitely be a PITA to implement, particularly for large organizations with many domains and email sources, but it is well worth the pain. That's why I wrote a complete guide and open source software to send DMARC reports to #Splunk and #Elasticsearch. I included pre-made dashboards too.

https://seanthegeek.net/459/demystifying-dmarc/

https://domainaware.github.io/parsedmarc/

Demystifying DMARC: A guide to preventing email spoofing

Learn how the SPF, DKIM, DMARC email authentication standards work together to prevent unauthorized email spoofing β€” and how to use open source tools to deploy DMARC for free

seanthegeek.net
Show threadnobody

@seanthegeek @SwiftOnSecurity DMARC isn't as much the pain as discovering how many domains you have and how many people in entire org actually know what they are used for. unfortunately gaining that knowledge is pre-requisite to implementing DMARC. enforcing domain mgmt practice and onboarding legacy domains .... ya know... the ones that bob or jane in marketing bought decade ago with their credit cards and expensed because of some marketing campaign they wanted to run, now that is fun part. especially when jane retired 8 years ago and bob left the job for greener pastures shortly after...

DMARC? that shit is easy... it's preparing for DMARC that will kill ya...

Dec 31, 2022 at 1:31pmWeb
Show threadDec [{()}]Dec 31, 2022

@Rajiv @seanthegeek @SwiftOnSecurity
I have done a lot of legacy domain work on behalf of customers, mostly chasing the correct responsible persons down and convincing them to take action.

One of the domains had NS records that included these 2 servers:

uucp-gw-1.pa.dec.com
uucp-gw-2.pa.dec.com

When H-P decided to sell off the dec.com domain, they never checked with anyone in HP Labs (Palo Alto), and those 2 hosts were still widely in use.

Show threadDec [{()}]Dec 31, 2022

@Rajiv @seanthegeek @SwiftOnSecurity

Most of the NS records that used these servers had already migrated to the equivalent hostnames under .hpl.hp.com or .labs.hp.com but a significant number had not. Nobody thought that dec.com was going away.

The auction happened in July 2014 and it took a few months for the domain registration to be transferred (to GoDaddy, of course).