John:
The cost of KnowBe4 is an annual subscription of approximately $20 per user. So it would be about $600 per year to support training the Board.
One thing to note, the training for the staff is specifically intended to protect the ARRL infrastructure. But training the Board, while good information
to have, isn’t going to do anything to make our email infrastructure more secure.
73,
Barry, N1VXY
From: arrl-odv <arrl-odv-bounces@reflector.arrl.org>
On Behalf Of John Robert Stratton
Sent: Wednesday, March 4, 2020 9:47 AM
To: arrl-odv <arrl-odv@reflector.arrl.org>
Subject: [arrl-odv:29776] Re: Messages From "Arrl Message Center" ?????
Barry and Michael
Thank you for the explanation.
What is the cost of the "KnowBe4" training for the staff? Is it an annual cost or per session cost?
What would it cost to provide the "KnowBe4" training to the Board (the 30 plus the Officers)?
_______________________________________
John Robert Stratton
N5AUS
Director
West Gulf Division
Office: 512-445-6262
Cell: 512-426-2028
P.O. Box 2232
Austin, Texas 78768-2232
_______________________________________
On 3/3/20 2:28 PM, Shelley, Barry, N1VXY (CEO) wrote:
Mickey:
To give you some idea of the approach and methods we’re using here at HQ for email scanning, I’ll let Michael Keane, K1MK, describe it:
We need to distinguish between the email controls that are in place for
just arrl.org forwards (the Board) versus mail that is delivered to HQ.
We should also distinguish between emails which have virus or other
malware payloads attached to the message and phishing attempts. Those
are two different kinds of threats which are detected by different
means. Phishing emails may appear as apparently benign as saying "please
call this phone number" or "click on this link". This makes phishing
messages more difficult to detect programmatically without
simultaneously generating a whole bunch of false positives -- valid
messages being sent off to the spam folder.
All inbound mail messages to arrl.org addresses first pass through
PoBox's anti-spam filtering and basic virus scanning. As part of their
anti-spam filtering PoBox blocks messages that are sent from hosts on
the real-time blacklist which contains known bad actors.
PoBox blocks over 90% of the inbound traffic being sent to arrl.org and
arrl.net addresses as spam or malware. The vast majority of the traffic through PoBox is for arrl.net.
"Zero days" in which phishy or spam-ish messages manage to leak through
PoBox's filters can and do occur, and continue until PoBox can adjust
their Bayesian filters in response. If the Board members are interested,
they may forward examples of spam-ish messages that are delivered to
their arrl.org addresses that have managed to evade PoBox's filters onto
Dave or Oscar who can help expedite closing the loop with PoBox to get
leaks plugged more quickly.
Once incoming messages hit our inbound Exchange server there is an
additional level of spam filtering in place there. After final delivery
to user endpoints -- desktops -- we are running McAfee Endpoint Security
to protect the endpoints (computers) against possible virus/malware
payloads.
But all of the above is not sufficient to block all phishing attempts
which by the very nature of their very design are intended to fly low
under the radar of common safeguards and not to trigger a security
response. To combat what is ultimately a human factors vulnerability, we
have since 2018 required that all staff attend and successfully complete
phishing security training. And to be tested and re-certified on a
periodic basis. We employ KnowBe4 (<www.knowbe4.com>) for staff phishing
security training.
--MK
As you are well aware, this is a constant battle. And as Michael noted, we’re using technology and human training to combat the threats.
73,
Barry, N1VXY
From: arrl-odv <arrl-odv-bounces@reflector.arrl.org> On Behalf Of Mickey Baker
Sent: Tuesday, March 3, 2020 11:12 AM
To: Keane, Michael, K1MK <mkeane@arrl.org>
Cc: arrl-odv <arrl-odv@arrl.org>
Subject: [arrl-odv:29774] Re: Messages From "Arrl Message Center" ?????
If we are using only rudimentary filtering in pobox.com, we are headed for a problem. These types of emails worry me. Please don't forward them to the rest of the group, which may defeat safeguards - now they're from a trusted source! Please don't click on anything that you're not certain is legitimate, ever!
Phishing and "spear-phishing" (targeted email phishing) is one of the highest risk and most successful (for the bad guys) methods of system penetration. It is a real problem. There have been some very high profile attacks on government agencies that have resulted in data loss and billions of dollars of damage. Outages at the Cities of Baltimore, Atlanta, Riviera Beach and Key Biscayne, Florida, were caused by activation of an internal employee clicking on a malware email. I've had a number of FBI briefings on these outages - in each, a demand was made for ransom that was, curiously, just above the limits of the organization's insurance coverage. The FBI also said that the best antivirus will only detect 60% of viruses and penetration attempts at any given moment, so the scans and updates must be frequent and, if possible, continuous and in-line.
From what I see in the message header, HQ probably (hopefully) scans emails when they arrive in-house, perhaps on ARRL workstations. Our emails come from a reflector that may scan for viruses or phishing attempts. Emails that we are getting are also being scanned by our individual email providers. Gmail, for example, as Ria explained, uses an excellent filter, which is why these messages end up in our spam folders.
However, even if you're using GMail as an end client, you're going to want to use something that scans and quarantines emails. I get one for free for my home from my Internet Service Provider and run a security gateway as well as clients on each workstation.
There's been discussion of the league going to Office 365. I have personally participated in three major migrations of Microsoft Exchange and it isn't easy, but there were complexities of scale, uptime and archive requirements that likely don't exist at ARRL.
Microsoft by default does not supply email anti-virus with Office 365, but it is available from them and other providers. These products typically examine inbound emails and filter or quarantine them before sending them on to the email server. The key is to get an easy to manage, easy to install set of tools to manage this "front end" before the email is sent to Office365.
Given all our external-facing systems, I hope that a penetration test is budgeted within IT and these systems are being examined by a security professional periodically.
Mickey Baker, N4MB
Palm Beach Gardens, FL
“The servant-leader is servant first… It begins with the natural feeling that one wants to serve, to serve first. Then conscious choice brings one to aspire to lead." Robert K. Greenleaf
On Tue, Mar 3, 2020 at 10:23 AM Mark J Tharp <kb7hdx@gmail.com> wrote:
I checked and my GMail spam folder has 16 of these spoofy emails.
And also includes Barry's email about it!
Mark, HDX
(GMail user since 2007)
On Tue, Mar 3, 2020 at 7:10 AM rjairam@gmail.com <rjairam@gmail.com> wrote:
The reason you may have gotten them is because they did pass SPF checks and beyond that, Yahoo is pretty weak with spam filtering.
SPF is Sender Policy Framework where the sending domain has a text record that says that only certain mail servers can send e-mail from that domain. It makes spoofing harder.
Except where SPF passes for some reason. In this case it did.
In the headers it is unclear as to whether or not PObox, our spam filtering service, failed OR if the sender used a hijacked or rented email server.
If it’s the former we should remedy this, but if it’s the latter there is nothing we can do.
No spam filter is 100% effective but Google uses AI and ML (machine learning) with its neural network which is why it filters out nearly all spam.
When in doubt, delete, hover over links and if it looks suspicious it probably is.
73
Ria, N2RJ
(GMail user since 2004)
On Mon, Mar 2, 2020 at 9:22 PM Richard Norton via arrl-odv <arrl-odv@reflector.arrl.org> wrote:
Today I received seven messages, sent to n6aa@arrl.org , advising me that I have some number of "pending messages from your organization." Although the messages appear to come from something called "Arrl Message Center," they come from an address in Japan.
The messages have a link that says "Review Messages to release or block them."
I have not clicked on that link as this looks suspiciously like a scam that might infect my computer.
Have any of the rest of you received them? Has anyone clicked on the link? Anything happen?
73,
Dick, N6AA
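Added example, not part of the original thread: a Python check for the situation described in the two messages above, where SPF passes yet the mail only claims in its display name to be from "Arrl Message Center". SPF vouches for the envelope sender's domain, not for the display name, so the check compares the two. The sample message, the `example.jp` and `example.net` hosts, and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "arrl.org"   # organisation domain named in the thread
ORG_HINT = "arrl"         # assumption: display-name text that claims to be the org

# Constructed sample message (example.jp / example.net are placeholders).
SAMPLE = (
    "Authentication-Results: mx.example.net; spf=pass "
    "smtp.mailfrom=bounce@mail.example.jp\n"
    'From: "Arrl Message Center" <notice@mail.example.jp>\n'
    "To: n6aa@arrl.org\n"
    "Subject: Pending messages\n"
    "\n"
    "Review Messages to release or block them.\n"
)

def in_org(domain):
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)

def spf_verdict(msg):
    """Return (result, domain SPF was evaluated for) from Authentication-Results.
    Assumes the header was stamped by the receiver's own mail server."""
    header = msg.get("Authentication-Results", "")
    result = re.search(r"\bspf=(\w+)", header)
    mailfrom = re.search(r"smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", header)
    return (result.group(1).lower() if result else "none",
            mailfrom.group(1).lower() if mailfrom else "")

def assess(raw):
    """Flag mail whose display name claims the org while the address, and the
    domain SPF actually vouched for, belong to someone else."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    spf, spf_domain = spf_verdict(msg)
    claims_org = ORG_HINT in display.lower()
    return {
        "spf": spf,
        "spf_domain": spf_domain,
        "from_domain": from_domain,
        "suspicious": claims_org and not in_org(from_domain),
    }

if __name__ == "__main__":
    print(assess(SAMPLE))
```

For the sample, SPF reports `pass` for `mail.example.jp`, which is accurate for that server and says nothing about ARRL; the display-name mismatch is what marks the message.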
_______________________________________________
arrl-odv mailing list
arrl-odv@reflector.arrl.org
https://reflector.arrl.org/mailman/listinfo/arrl-odv