M3AAWG Issues DKIM New Best Practices in Wake of Disclosed Key Length Vulnerability
SAN FRANCISCO, CA -- (Marketwire) -- 11/06/12 --  With the recently
revealed ability to spoof email from companies that are using an
outdated, weak encryption key to authenticate their email, the
Messaging, Malware and Mobile Anti-Abuse Working Group is urging
companies to adjust their DKIM processes immediately to improve
end-user safeguards and today issued new best practices that
specifically address the vulnerability. M3AAWG is calling on business
enterprises to replace previously secure 512- and 718-bit
verification keys with 1024-bit and higher encryption, among other
recommendations to better validate the authenticity of who is sending
an email.  
"We've developed a short, succinct paper that explains the relatively
simple and immediate steps large-scale senders can take to safeguard
their brands in response to recent concerns about some levels of key
encryption and usage. Technology is advancing, and to keep pace with
hackers, the industry needs to revisit its practices in light of
their expanding capabilities. We want to get the word out on the
quick changes companies can make to protect consumers and their
brands against this issue," Chris Roosenraad, M3AAWG Co-Chairman
said.  
"M3AAWG Best Practices for Implementing DKIM To Avoid Key Length
Vulnerability,"
(www.maawg.org/sites/maawg/files/news/M3AAWG_Key_Implementation_BP-2012-11.pdf)
details the technical steps that address the current vulnerabilities
and is available in the Published Documents section of the
organization's website at www.maawg.org/published-documents. The
recommendations include: 

--  Updating to a minimum 1024-bit key length. Shorter keys can be cracked
    in 72 hours using inexpensive cloud services
--  Rotating keys quarterly
--  Setting signatures to expire after the current key rotation period and
    revoking old keys in the DNS
--  Using the key test mode only for a short time period and revoking the
    test key after the ramp-up
--  Implementing DMARC in monitoring mode and using DNS to monitor how
    frequently keys are queried. DMARC (Domain-based Message
    Authentication, Reporting and Conformance) is another standard often
    used in conjunction with DKIM
--  Using DKIM rather than DomainKeys, which is a deprecated protocol
--  Working with any third parties hired to send a company's email to
    ensure they are adhering to these best practices

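The key-length, test-mode and revocation items in that list can be checked directly against a selector's DNS TXT record. The Python below is an added example, not code from the M3AAWG paper; instead of querying DNS it builds records from constructed moduli (not real keys), and it assumes the DER SubjectPublicKeyInfo encoding that DKIM uses for the RSA public key in the p= tag.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption OID, as used in DKIM p= keys

def _der(tag, content):                     # DER TLV, short or long-form length
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def _der_int(value):                        # extra byte keeps the INTEGER non-negative
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))
def _der_read(buf, pos=0):                  # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def make_dkim_record(modulus, testing=False):
    """Constructed selector TXT record for an RSA key with the given modulus."""
    rsa = _der(0x30, _der_int(modulus) + _der_int(65537))
    spki = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + rsa))
    flags = "t=y; " if testing else ""
    return "v=DKIM1; k=rsa; " + flags + "p=" + base64.b64encode(spki).decode()

def rsa_modulus_bits(spki_der):
    """Bit length of the modulus inside a DER-encoded SubjectPublicKeyInfo."""
    _, spki, _ = _der_read(spki_der)        # outer SEQUENCE
    _, _, pos = _der_read(spki)             # AlgorithmIdentifier, skipped
    _, bitstr, _ = _der_read(spki, pos)     # BIT STRING; first byte = unused bits
    _, rsakey, _ = _der_read(bitstr[1:])    # RSAPublicKey SEQUENCE
    _, modulus, _ = _der_read(rsakey)       # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def assess_dkim_record(txt, minimum_bits=1024):
    """Findings for one selector record against the recommendations above."""
    tags = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    if not tags.get("p"):                   # RFC 6376: an empty p= tag means revoked
        return ["key revoked (empty p= tag)"]
    findings = []
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits < minimum_bits:
        findings.append(f"weak {bits}-bit key, below the {minimum_bits}-bit minimum")
    if "y" in tags.get("t", "").split(":"):
        findings.append("test mode (t=y) still set; revoke the test key after ramp-up")
    return findings
# Constructed moduli (not real keys): only their bit lengths matter here.
WEAK_512 = make_dkim_record((1 << 511) | 1, testing=True)
STRONG_1024 = make_dkim_record((1 << 1023) | 1)
```

Pointing `assess_dkim_record` at a real selector's TXT record (fetched with any DNS client) gives the same findings for live keys; raise `minimum_bits` as the recommended minimum moves up.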
DKIM is a widely accepted standard used by businesses, governmental
agencies, large email provider services and other entities that
allows an organization to claim responsibility for sending a message
in a way that can be validated by a recipient. For example, email
services, such as AOL, Gmail and Yahoo, and commercial brands
implement the standard as part of their messaging protocol. It
includes an encrypted key in the message headers that ISPs and other
receivers use to verify the message actually was sent by the
referenced company. 
Implementing DKIM makes it more difficult for criminals to forge
illegitimate emails that are made to look like they came from a
recognized company, a ruse that is often used to steal personal
identity information from unsuspecting users. In late October, Wired
journalist Kim Zetter reported that many companies were using weak
encryption keys and other questionable practices as part of their
DKIM implementation that could expose their email to this potential
spoofing by cybercriminals.  
About the Messaging, Malware and Mobile Anti-Abuse Working Group
(M3AAWG) 
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)
is where the industry comes together to work against bots, malware,
spam, viruses, denial-of-service attacks and other online
exploitation. M3AAWG (www.M3AAWG.org) represents more than one
billion mailboxes from some of the largest network operators
worldwide. It leverages the depth and experience of its global
membership to tackle abuse on existing networks and new emerging
services through technology, collaboration and public policy. It also
works to educate global policy makers on the technical and
operational issues related to online abuse and messaging.
Headquartered in San Francisco, Calif., M3AAWG is an open forum
driven by market needs and supported by major network operators and
messaging providers. 
M3AAWG Board of Directors: AT&T (NYSE: T); Cloudmark, Inc.; Comcast
(NASDAQ: CMCSA); Constant Contact (NASDAQ: CTCT); Cox Communications;
Damballa, Inc.; Eloqua; Facebook; France Telecom (NYSE and Euronext:
FTE); La Caixa; Message Bus; PayPal; Return Path; Time Warner Cable;
Verizon Communications; and Yahoo! Inc. 
M3AAWG Full Members: 1&1 Internet AG; Adaptive Mobile Security LTD;
Adobe Systems Inc.; AOL; BAE Systems Detica; Cisco Systems, Inc.;
Dynamic Network Services Inc.; Email Sender and Provider Coalition;
Genius; iContact; Internet Initiative Japan (IIJ NASDAQ: IIJI);
McAfee Inc.; Message Systems; Mimecast; Nominum, Inc.; Proofpoint;
Scality; Spamhaus; Sprint; Symantec; Trend Micro, Inc.; and Twitter. 
A complete member list is available at
http://www.m3aawg.org/about/roster.  
Media Contact: 
Linda Marcus, APR
+1-714-974-6356
LMarcus@astra.cc
Astra Communications