
Jon Moroney on ". . . An Empirical Analysis of Email Delivery Security"

Hosted By
Ines S. and Ryan K.

Details

Mini

Presenter: Zephyr Pellerin
Zephyr Pellerin is a security engineer at the threat intelligence firm Polyswarm. He has implemented and evaluated a variety of methods of calibrating and aggregating uncertain expert verdicts on malware, such as the one described in this paper.

Paper
"Better Malware Ground Truth: Techniques for Weighting Anti-Virus Vendor Labels"
https://dl.acm.org/doi/pdf/10.1145/2808769.2808780
We examine the problem of aggregating the results of multiple anti-virus (AV) vendors’ detectors into a single authoritative ground-truth label for every binary. To do so, we adapt a well-known generative Bayesian model that postulates the existence of a hidden ground truth upon which the AV labels depend. We use training based on Expectation Maximization for this fully unsupervised technique. We evaluate our method using 279,327 distinct binaries from VirusTotal, each of which appeared for the first time between January 2012 and June 2014. Our evaluation shows that our statistical model is consistently more accurate at predicting the future-derived ground truth than all unweighted rules of the form “k out of n” AV detections. In addition, we evaluate the scenario where partial ground truth is available for model building. We train a logistic regression predictor on the partial label information. Our results show that as few as 100 randomly selected training instances with ground truth are enough to achieve 80% true positive rate for 0.1% false positive rate. In comparison, the best unweighted threshold rule provides only 60% true positive rate at the same false positive rate.
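The latent-truth model the abstract describes, as an added example rather than the paper's code: a Dawid-Skene-style EM over a small constructed table of AV verdicts, set against the unweighted "k out of n" rule. It assumes (as the paper's model does only in outline here) that each vendor is characterised by a true-positive and a false-positive rate conditional on the hidden label, and that vendors fire independently given that label.

```python
"""Dawid-Skene-style EM over binary AV verdicts (added example)."""
import math

# Constructed sample (not from the paper): rows are binaries, columns are AV
# vendors, 1 = vendor flagged the file. Vendors 0 and 1 are accurate, vendor 2
# flags almost everything, vendor 3 rarely fires. Row 7 is deliberately ambiguous.
VERDICTS = [
    [1, 1, 1, 1], [1, 1, 1, 0], [1, 1, 1, 0],   # true malware
    [0, 0, 1, 0], [0, 0, 1, 0],                 # only the noisy vendor fires
    [0, 0, 0, 0], [0, 0, 0, 0],                 # clean
    [1, 0, 1, 0],                               # ambiguous
]

def threshold_rule(verdicts, k):
    """Unweighted 'k out of n' rule: malicious iff at least k vendors flag it."""
    return [int(sum(row) >= k) for row in verdicts]

def em_ground_truth(verdicts, iters=200, alpha=0.5, tol=1e-9):
    """Return (posterior P(malicious) per binary, tpr, fpr, prior).

    Latent model (assumed): each binary is malicious with probability `prior`;
    vendor j fires with probability tpr[j] on malware and fpr[j] on clean files,
    independently of the other vendors given the hidden truth."""
    n, m = len(verdicts), len(verdicts[0])
    post = [sum(row) / m for row in verdicts]   # init: fraction of vendors firing
    for _ in range(iters):
        # M-step: re-estimate prior and per-vendor rates with Laplace smoothing.
        mal = sum(post)
        prior = (mal + alpha) / (n + 2 * alpha)
        tpr, fpr = [], []
        for j in range(m):
            hits_mal = sum(p * row[j] for p, row in zip(post, verdicts))
            hits_ben = sum((1 - p) * row[j] for p, row in zip(post, verdicts))
            tpr.append((hits_mal + alpha) / (mal + 2 * alpha))
            fpr.append((hits_ben + alpha) / (n - mal + 2 * alpha))
        # E-step: Bayes' rule per binary, in log space.
        new_post = []
        for row in verdicts:
            lm, lb = math.log(prior), math.log(1 - prior)
            for j, v in enumerate(row):
                lm += math.log(tpr[j] if v else 1 - tpr[j])
                lb += math.log(fpr[j] if v else 1 - fpr[j])
            new_post.append(1 / (1 + math.exp(lb - lm)))
        done = max(abs(a - b) for a, b in zip(post, new_post)) < tol
        post = new_post
        if done:
            break
    return post, tpr, fpr, prior

def em_labels(verdicts):
    """Hard labels from the EM posterior: 1 = malicious."""
    return [int(p > 0.5) for p in em_ground_truth(verdicts)[0]]

if __name__ == "__main__":
    post, tpr, fpr, prior = em_ground_truth(VERDICTS)
    for i, row in enumerate(VERDICTS):
        print(i, row, "1-of-n:", threshold_rule(VERDICTS, 1)[i], f"EM: {post[i]:.3f}")
```

The "1 out of n" rule flags rows 3 and 4 because the noisy vendor fires on them; EM learns that vendor's high false-positive rate and leaves them benign.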
~~~~~~~~~~
Main

Presenter: Jon Moroney
Jon is a fan of networks, security, and coffee. He works as a security engineer at Rescale and believes that most security issues start life as maintenance issues.

Paper
"Neither Snow Nor Rain Nor MITM . . . An Empirical Analysis of Email Delivery Security"
https://dl.acm.org/doi/pdf/10.1145/2815675.2815695
The SMTP protocol is responsible for carrying some of users’ most intimate communication, but like other Internet protocols, authentication and confidentiality were added only as an afterthought. In this work, we present the first report on global adoption rates of SMTP security extensions, including: STARTTLS, SPF, DKIM, and DMARC. We present data from two perspectives: SMTP server configurations for the Alexa Top Million domains, and over a year of SMTP connections to and from Gmail. We find that the top mail providers (e.g., Gmail, Yahoo, and Outlook) all proactively encrypt and authenticate messages. However, these best practices have yet to reach widespread adoption in a long tail of over 700,000 SMTP servers, of which only 35% successfully configure encryption, and 1.1% specify a DMARC authentication policy. This security patchwork—paired with SMTP policies that favor failing open to allow gradual deployment—exposes users to attackers who downgrade TLS connections in favor of cleartext and who falsify MX records to reroute messages. We present evidence of such attacks in the wild, highlighting seven countries where more than 20% of inbound Gmail messages arrive in cleartext due to network attackers.

Agenda
https://docs.google.com/document/d/1GdxrsbNKyILRVP9GykOaho8qZTiG9ojnpPSYbOV9JaE

Papers we love too
Online event
This event has passed