DevelopSec

mail security

by Leave a Comment

Apple Mail: Highlighting External Email Addresses

A simple error to make when sending an email with sensitive data is to send it to the wrong email address. Imagine you are sending some information to Dave down in accounting. When you fill out the email you start typing Dave and the auto-complete pops up and you select the first one (out of habit). You think you have selected the right Dave, but what if you didn’t? How would you know that you were about to send potentially sensitive information outside of the organization?

Apple Mail and iOS mail has a built in feature to highlight any email address outside of a specified domain. The steps to enable this are a little different based on the desktop vs. an iPad/iPhone. Let’s look at each one.

Desktop

By default, email addresses all appear the same when composing a new message. The image below shows me composing an email with two addresses:

  • To: james@jardinesoftware.com
  • CC: james@developsec.com

Mail 1

To change this, in the Mail program, go to Preferences…Composing. Under the Addressing: section there is a checkbox for “Mark addresses not ending with“. Check the box and enter your organization’s domain name in the text box. In the image below, I have entered my domain of @jardinesoftware.com.

Mail 2

Now, go back and compose a new message entering in an email address that is in the org and one that is out of it. The email address that is outside of your domain should be highlighted in red. The below image shows my configuration with the same 2 email addresses. Notice that the james@developsec.com address is now listed in red indicating it is external to my organization.

Mail 3

iPhone/iPad

The mail application with the iPhone/iPad also has this capability. To enable this, go into Settings->Mail. Scroll down to the Composing section and click the “Mark Addresses” button (shown below).

Mail 4

On the next screen, enter the email address you don’t want to highlight. In my case, I entered my domain of @jardinesoftware.com. (shown below)

Mail 5

Once the change is stored, go to mail and compose a new message. In my example, I used the same emails as above. Notice that the james@developsec.com email address is now highlighted in red:

Mail 6

Although this is not a fool proof way to stop this type of mistake, it does add in a visual clue that just might catch your attention. Simple changes like this can help reduce your risk of accidentally leaking sensitive information out of your organization.

by Leave a Comment

Gmail will block JavaScript file attachments

According to a recent announcement, Gmail will start blocking .js file attachments starting February 13, 2017.

Blocking specific attachment types isn’t something that is new to Gmail. They already block attaching file attachments that are .exe, .msc, and .bat types. The recent move to add javascript files is most likely related to the recent malware/ransomware campaigns that have started using JavaScript files instead of Microsoft Office files. There was an article posted back in April discussing this trend.

If you are still looking to send another person a JavaScript file, you can just use other services, like Google Drive, Dropbox, or other similar products. While the change doesn’t block all potential avenues for ransomware to be sent via email, it does help reduce the risk of this particular method.

As a user, we still must be attentive to other attack vectors, such as macros within Microsoft Word files which can be used to infect systems. There may be a resurgence of these methods as the JavaScript files start getting blocked.

This move does beg the question as to why not force all attachments to go through a storage service, rather than directly attached to the email. Would that actually create a larger risk with the abundance of links now being sent within emails? Would it just move the threat from your inbox to the cloud service? It would be interesting to get a bigger picture of this landscape for better understanding.


Jardine Software helps companies get more value from their application security programs. Let’s talk about how we can help you. James Jardine is the CEO and Principal Consultant at Jardine Software Inc. He has over 15 years of combined development and security experience. If you are interested in learning more about Jardine Software, you can reach him at james@jardinesoftware.com or @jardinesoftware on twitter.