Simple things (email security)

I have been working for a long time on securing corporate communications, with email as the main focus. Our company's policy is that managers use their main mail accounts, so of course you end up advising them on the security issues of the popular mail services. There are a lot of questions about these services, but some are of particular interest, and it is unclear why giant companies have not thought about simple things.

1. Notification of an attempt to restore access to an account, by sending an SMS to the user and an email to the primary and backup addresses.

2. Forced password change after repeated attempts to access the account by password guessing (brute force), with the user notified about it via the methods of item 1.

3. Notification via the methods of item 1 about access from a new machine and, when the user verification option is on, blocking that access. This feature is partially implemented, but most services send no notifications.

4. User identification by device identifier (user_agent + ip + cookies), using localStorage, and user control through the session.

6. Adding a function that allows the user to be tracked even after an IP change and clearing of cookies; localStorage and other measures will help here, for example transmitting a hidden identifier in the page code or in the page address, etc.

7. Blocking multiple attempts to restore access through a security question. This mainly refers to "P", where they do not think about it at all, but it also applies to other services.

8. Do you know how the secure "G" reacts when you regain access to your mailbox through a backup e-mail address? It shows 60-70% of the backup email address on the recovery page, and if you click the link, it simply suggests changing the password. G - brilliant.

9. Tracking bots (brute force, account checking). Even if the coder turned out to be competent and wrote good software, it can still be tracked by the results of its actions and by IP. For millions of accounts being worked through there are never enough proxies, so they get reused. Keeping them in the database is not so difficult, and if you wish you can find those who like to run bots from their own IP without spoofing. Some coders do not even bother to change the User-Agent, and many simply ignore the site's requirements and in doing so find the system's flaws.

10. How to track the program? And is it necessary? Yes, but not always. There are many options, including ones that will not voraciously devour server resources. Captchas do not scare brute-forcers, even Russian ones, and building complex systems means losing users. But you can set an elementary delay before the password / secret answer can be re-entered. One way or another this affects the attacker's results, especially if the delay is random and violating it triggers an alarm mode, since that allows a bot to be detected.

11. Many coders do not bother to imitate human actions: they skip checkboxes, do not read the text, and violate the order of the parameters in the request. If you watch for this, you can again easily identify the machine and thereby complicate the coders' life; not all of them may think of it. Add a random question to the form and make the fields dynamic; this too will complicate the coders' life, not for everyone, but it will save you from the fools and let you focus on serious problems.

12. The more stages, the more difficult. We tried to organize a system in which confirmation was required from the user, or more precisely from his browser: for this we sent a request every 10 seconds while the user was on the authorization page, and if there was no answer the session was destroyed. This is how we killed the anti-captcha.

13. Work on the bugs. How do coders determine the result? By the result: let's say they look for the error indicator in the response or in the address. We solved this so that the response for a successful authorization did not differ from the response for an error, which required the coder to do extra work to find differences between the responses; there were many options here too. The system that blocked the bot proved very effective: at the same time it continued to tell the bot that the data was wrong, and then, with a small feint, the real user received a notification that it was time to stop trying to remember passwords and contact support.
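Items 10 and 13 combined, as an added illustration that is not code from the original post: every failed attempt sets a random delay, an attempt that arrives before it elapses flags the account as bot-driven, a flagged account keeps getting "wrong data" answers while the real owner is alerted out of band, and the response has the same shape whether or not the password matched. The `LoginGate` class, its delay range and the injectable clock are assumptions made for this example.

```python
import random
import secrets
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0  # earliest time the next attempt is accepted
    flagged: bool = False    # a delay violation marked this account as bot-driven


class LoginGate:
    """Per-account throttle with a random re-entry delay and opaque responses."""

    def __init__(self, min_delay=2.0, max_delay=6.0, seed=None, clock=time.monotonic):
        self.min_delay, self.max_delay = min_delay, max_delay
        self.states = {}        # user -> AccountState
        self.sessions = set()   # valid session tokens, known only to the server
        self.alerts = []        # out-of-band notifications to the real account owner
        self.rng = random.Random(seed)
        self.clock = clock

    def attempt(self, user, password_ok):
        now = self.clock()
        st = self.states.setdefault(user, AccountState())
        if now < st.not_before and not st.flagged:
            # Retrying before the random delay elapsed: a human waits, a bot does not
            st.flagged = True
            self.alerts.append((user, "bot-like login activity, contact support"))
        if st.flagged:
            # Keep answering "wrong data" regardless of the password, so the bot learns nothing
            return self._opaque(False)
        if password_ok:
            st.failures = 0
            return self._opaque(True)
        st.failures += 1
        st.not_before = now + self.rng.uniform(self.min_delay, self.max_delay)
        return self._opaque(False)

    def _opaque(self, success):
        # Same keys and same token length on success and failure; only the
        # server-side session set says whether the token means anything
        token = secrets.token_hex(16)
        if success:
            self.sessions.add(token)
        return {"token": token}
```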

14. Require contacting technical support before access recovery starts, put the account under control and offer to answer a secret question, for which the user must confirm the request through another mailing address.

15. The main problem is brute force: no localStorage, clean cookies, a new IP address, a new account used for brute forcing; how do you tell? If there is no IP verification, the user has not logged in for a week, no phone is attached and there is no backup address, what should be done? The first option is to lock such accounts, require a phone and an additional email address to be attached, and ask the question: does the user need this mail at all? He will answer yes, which means he will go through all the measures; it is in his own interest. Otherwise there will be "leaks" accumulated over years of brute forcing.

16. Secure IMAP and POP3: require unique passwords distinct from the account password, confirm devices and tightly control connections through these protocols. Again, you want remote access? Attach a phone. No? Attach a mail address and work through the web interface. The measure is tough, but if it becomes the standard there will be no other choice.

You could describe many more security options in detail or give examples of vulnerabilities that even large resources simply turn a blind eye to. Why bother, if you can blame the user for the lack of proper security, saying that he has viruses, trojans, clumsy hands, etc., and in fact show disregard for your own users? It is a shame that today large companies behave this way, having ignored obvious problems and user complaints all these years and ultimately putting all the blame on the users. I would like to apologize on behalf of such services to all users who have lost faith in good treatment and security on the Web, because owners of large services who respect neither themselves nor their customers call leaks of millions of passwords an "exception" and "user error". They lack the spirit to acknowledge that their service allowed this to happen. This is a good signal for those who look at such things differently and are ready to create their own customer-oriented service. Taking into account all the recent scandalous stories about bots reading users' letters, leaks and restrictions, a good and safe service has every advantage for a quick start, and I am convinced that in the near future we will see such services appear, or a second life for the market's outsiders.
