Tuesday, October 30, 2007

Batten-Down the iHatches!

Earlier I posted an article on the difficult relationship between the enterprise and the iPhone. As a follow-up, it is necessary to look into the security issues surrounding Apple’s venture into mobility.

Lately there have been a number of articles and sites dedicated to hacking the underlying operating system of the iPhone. Initial attempts were made purely for the benign reason of curiosity and for the (not so benign) purpose of unlocking. Both of these feats have now been accomplished and have provided some unexpected results. It seems that Apple, in their rush to get the iPhone to market, neglected to lock down security at the OS level. Worse still, the operating system on the iPhone is not some proprietary device-based system, but actually a more-or-less fully functional version of Apple’s OS X!

On the surface this seems fantastic! OS X embedded on a $300 device is an incredible deal! Problems arise, however, when it becomes apparent just how easy it is to hack these devices. The most evident weakness at present is that all applications on the iPhone run as root processes. In effect, any application that is exploited gives immediate, full access to the entire device.

There are any number of articles around now about the iPhone becoming a mobile hacking platform; however, this is not the real issue (any hacker worth his salt probably has at least one laptop anyway). The real problem for the consumer is the privacy of the information stored on the device. For instance, malicious code injected into a website accessed by the Safari browser could gain access to the core functionality of any iPhone. An experienced hacker could then gain access to confidential information such as phone logs and contacts.

From the point of view of a personal user this is bad enough. Thinking of it from an enterprise perspective, the lack of security becomes potentially disastrous! Imagine the CEO of a Fortune 500 company having his call logs, contacts and even private photographs on display for the entire world to see! With this exploit it may even be possible for a hacker to gain control of the camera, snapping photos at inopportune times with the CEO’s own device!

I have the honor of calling myself an Apple fan, user and even expert. I am constantly amazed by the wonders of industrial design created within their walls. That said, for the second article in a row, I have to conclude that although I love the idea of the iPhone, it does not belong in business; at least not until Apple decides to leverage the legendary UNIX security that the device already contains!

Mark


Thursday, October 25, 2007

CC Checkspam

You have seen the convenience of managing your spam quarantine by logging into the Ceryx Customer Center and by browsing your daily quarantine digests, but do you know that there is an even faster and more convenient way of managing false positives for people who are always on the go?

Say hello to CC Checkspam.

Checkspam is a feature of the Ceryx anti-spam solution that allows you to e-mail a command to Ceryx Customer Center to search for quarantined messages and have the messages released and mailed back to you in real-time. This will work from any desktop or handheld e-mail client provided the account you use to e-mail the command is the one registered in the Customer Center.

Suppose, for example, you are on the road and are waiting for an important e-mail from your vendor, john.doe@vendor.com. You suspect that the message was quarantined, but your CC Quarantine Digest is set to be sent at 10 PM every day and you have to respond to this vendor before 5 PM. It’s already 4:45 PM and you are an hour away from your hotel, where you can connect to the internet and log in to the Customer Center in order to release the message. All you have is your BlackBerry that is configured with your Ceryx account.

To quickly release the message, compose a new email on your BlackBerry, address it to checkspam@ceryx.com, enter the e-mail address john.doe@vendor.com in the subject line and then send the message. The system receives your message, queries your quarantine for all messages from john.doe@vendor.com and automatically releases all messages found to your inbox.

Checkspam can only search the From field of quarantined messages. It uses the “contains” comparison operator to compare the value in the Subject field of your submission with the From field of quarantined messages. This means the more general the value you submit, the more quarantined e-mail could potentially be released.

In the example given above, you could have put @vendor.com as the subject in your e-mail instead of john.doe@vendor.com and that would release all messages from any of your vendor’s e-mail users.

Because Checkspam uses this implicit wildcard comparison operator, great care should be taken in choosing the subject of your submission. Do not put just an @ sign or a dot as your subject unless you want everything in your quarantine released to your mailbox.
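The following sketch models the “contains” comparison described above and a check you could apply to a subject before sending it. It is an added example, not Ceryx code: the quarantine entries are constructed sample data, the function names are hypothetical, and case-insensitive matching is an assumption.

```python
# Added illustration of "contains" matching against the From field.
# QUARANTINE is constructed sample data, not real Checkspam output.
QUARANTINE = [
    {"id": 1, "from": "john.doe@vendor.com"},
    {"id": 2, "from": "billing@vendor.com"},
    {"id": 3, "from": "offers@vendor.com.example.net"},  # look-alike domain
    {"id": 4, "from": "promo@bulk-mailer.example"},
]


def released_by(subject, quarantine=QUARANTINE):
    """Ids of quarantined messages whose From field contains the subject.

    Assumption: the comparison ignores case.
    """
    needle = subject.strip().lower()
    return [m["id"] for m in quarantine if needle in m["from"].lower()]


def check_subject(subject, quarantine=QUARANTINE):
    """Return warnings for a subject that is more general than intended."""
    needle = subject.strip().lower()
    hits = [m["from"].lower() for m in quarantine if needle in m["from"].lower()]
    warnings = []
    local, _, domain = needle.partition("@")
    if not local or "." not in domain:
        warnings.append("subject is not a full address")
    domains = sorted({h.rsplit("@", 1)[1] for h in hits})
    if len(domains) > 1:
        warnings.append("matches senders in several domains: " + ", ".join(domains))
    if len(quarantine) > 1 and len(hits) == len(quarantine):
        warnings.append("releases the entire quarantine")
    return warnings


if __name__ == "__main__":
    for s in ("john.doe@vendor.com", "@vendor.com", "@", "."):
        print(repr(s), released_by(s), check_subject(s))
```

Note that `@vendor.com` also matches the constructed sender at `vendor.com.example.net`, because a substring match does not anchor the end of the domain.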

The Ceryx Customer Center, or CC for short, is a web-based application that allows Ceryx E-mail Firewall users to manage their filtering service. With CC, users can write filters to block spam or allow legitimate mail through. CC administrators in addition can create, modify and delete CC accounts as well as view email firewall statistics. For customers who are on the Ceryx Hosted Exchange service, CC version 1.6 is integrated with Exchange to allow administrators to also manage their e-mail service. When an administrator creates a CC 1.6 account, for example, a corresponding Ceryx Exchange account is also created. For more information on what else you can do with CC 1.6, please contact sales@ceryx.com.

Ian


Thursday, October 18, 2007

WebReady Document Viewing

WebReady Document Viewing is a new feature in Exchange 2007 Outlook Web Access. It allows users to view common file types without the need to have the corresponding application installed on their PC. As a result, the user will be able to view the attachments without saving them to disk or opening them in a locally-installed application.

When the user requests to view certain attachments from Outlook Web Access 2007, it gives the user the option to open the attachment as a webpage. Exchange 2007 then does the conversion so the user doesn’t need anything but a web browser to view the attachment.

Currently, WebReady Document viewing in Exchange 2007 supports the following types of files:
• .doc (Microsoft Word Documents)
• .dot (Microsoft Word Templates)
• .rtf (Rich Text Format)
• .xls (Microsoft Excel Spreadsheets)
• .ppt (Microsoft PowerPoint Presentations)
• .pps (Microsoft PowerPoint Slide Shows)
• .pdf (Adobe PDF Documents)

By the way, documents created by Microsoft Office 2007 are not supported in WebReady Document Viewing at the moment. This limitation will be addressed in Exchange 2007 Service Pack 1.

Willy


Tuesday, October 16, 2007

Data Migration – Part 1: Exporting Data

Part of moving to a new mail system is the migration of user data. Arguably this is the most important part as this is what your customers (users) see and feel on the ‘new’ system (new to them; if you are at this point you have hopefully been playing with the new system for a while, due diligence and all…). If you don’t believe me in saying this is the most important part to test, plan and execute, try moving your CEO’s mailbox in the middle of the day somewhere around year-end or shortly prior to a board meeting from an old system (Exchange or otherwise) to your new Exchange 2007 system. Enough Said.

Of course, there are several factors that need to be taken into consideration when moving a USER (not just the data) from one system to another, like installing/configuring clients, re-pointing mobile devices etc. For the purpose of this series, I am going to focus on techniques for getting your users’ data from one spot to another.

Data migration can come in many flavors:
- In-House Exchange 2000/2003 to In-House Exchange 2007 (all part of the same Exchange Org)
- In-House Exchange 2000/2003 to In-House Exchange 2007 (new Exchange Org, or AD forest if you would like)
- In-House POP/IMAP based system to In-House Exchange 2007
- In-House GroupWise to In-House Exchange 2007
- In-House Lotus Notes/Domino to In-House Exchange 2007
- All of the above except replace the last part with ‘Hosted Exchange 2007’ (By the way, Hosted Exchange and Software as a Service (SaaS) in general are the best! End Shameless Plug.)

The above list is a subset of possibilities, but these are the most common situations.

Exporting the Data

Let’s deal with the first instance, but only because it’s the easiest to handle. Moving mailbox data between Exchange Servers in the same Exchange Org (or Forest) is as simple as using Move Mailbox from the Exchange 2007 Exchange Management Console (EMC) or the Move-Mailbox cmdlet in the Exchange Management Shell. The speed at which data can be moved depends on a few factors, as always, like server power/utilization, network connectivity etc. A good rule of thumb we use when quoting customers at the high level is 1GB/hour. For a great article on how to use Exchange’s built-in tools to move mailboxes between servers in the same org, see the following link:
http://www.msexchange.org/tutorials/Transitioning-Exchange-2000-2003-Exchange-Server-2007-Part3.html

The rest of the instances involve a little bit more work. The hard part is generally getting the data out of the old system in such a way that is useable/importable.

The primary goal is this: get the data to .PST format!

If you’re pulling the data from an Exchange Server (even Exchange 5.5), Exmerge is your friend. Exmerge, for those that don’t know, is a tool that runs against the Mailstore and exports all the data in the mailbox of a specified user or group of users to the *.PST file format. This includes all mail (including the folder tree), deleted items, contacts, calendar items, notes/memos and tasks. Some 'gotchas' that don’t get exported include Mailbox Rules (most of them are client-side anyway) and archives (again, usually client-side). Another KEY gotcha for Exmerge is that the PST files it exports are in ANSI format, not Unicode. This means that they are subject to the 2GB size limit. So if you are exporting the CEO’s 5GB mailbox, you’ll need to take a few runs at it to try and get multiple files down to less than 2GB each. You can filter by date of creation on items to try and narrow down the export. PLAN THIS CAREFULLY!
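One way to plan those runs is to group consecutive months into date windows that each stay under the ANSI PST ceiling. This is an added planning sketch, not part of Exmerge: the per-month sizes are constructed sample data for a 5GB mailbox, and the month granularity and 10% safety margin are assumptions.

```python
# Added planning sketch: choose date windows for repeated Exmerge runs so that
# each exported ANSI PST stays under the 2GB limit described in the text.
LIMIT_MB = 2048   # ANSI PST ceiling (2GB)
MARGIN = 0.90     # assumption: aim to stay 10% below the ceiling

# Constructed sample: MB of items created per month in one 5GB mailbox.
MONTHLY_MB = [
    ("2006-11", 300), ("2006-12", 450), ("2007-01", 500), ("2007-02", 400),
    ("2007-03", 700), ("2007-04", 650), ("2007-05", 520), ("2007-06", 480),
    ("2007-07", 600), ("2007-08", 520),
]


def plan_windows(monthly_mb, limit_mb=LIMIT_MB, margin=MARGIN):
    """Greedily group consecutive months into export windows.

    Returns (first_month, last_month, total_mb, needs_finer_split) tuples.
    needs_finer_split is True when a single month alone exceeds the budget
    and has to be exported with a narrower date filter.
    """
    budget = limit_mb * margin
    windows, start, end, total = [], None, None, 0
    for month, mb in monthly_mb:
        # Close the current window if this month would push it over budget.
        if start is not None and total + mb > budget:
            windows.append((start, end, total, total > budget))
            start, total = None, 0
        if start is None:
            start = month
        end, total = month, total + mb
    if start is not None:
        windows.append((start, end, total, total > budget))
    return windows


if __name__ == "__main__":
    for first, last, mb, split in plan_windows(MONTHLY_MB):
        note = "  <-- split this month further" if split else ""
        print(f"{first} .. {last}: {mb} MB{note}")
```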

Exmerge is run on a domain Windows XP/2000 or Server 2000/2003 member (there are older versions available that run on NT). Because of the way inherited permissions are set up on the Exchange Stores by default, you have to be careful which account you run Exmerge as. For Exmerge purposes, I would suggest a dual processor server with lots of storage that is dedicated to this process. Exmerge is very capable of running multi-threaded processes so it can export up to 4 accounts at the same time. For detailed instructions on how to set up Exmerge with the appropriate permissions, see this link:

http://www.exchangeinbox.com/articles/024/exmergesetup.htm

For POP/IMAP type systems, this can be really easy or really difficult. Remember that in a POP setup, generally all the user’s mail is pulled down to the client when the user ‘POPs’ her mail. IMAP does leave the mail on the server, but that’s all it leaves. If the user has contacts, calendar items, tasks or notes (no matter which client software they are using), they are generally ALL stored on the local machine. This is because the POP and IMAP protocols were designed for EMAIL, not the rest of the stuff. The bright side is that if your users are using Outlook or Outlook Express already, there is an export to PST function right at the client. Although not the most glamorous use of time, this could mean the Jr. Admin gets to sit in the server room with two or three different machines in front of her, each performing an export to PST on a different user, for the next week. Hey, it’s good training.

As for the ‘other’ systems (GroupWise, Lotus Notes/Domino etc.), you generally have to use some sort of third party tool to export the data. We have used Quest Software’s tools for both GroupWise and Notes with success (http://www.quest.com). As part of our Due Diligence when planning and preparing for a customer data migration using a third party tool, we do the following to ensure a smooth migration:

1) We perform test migrations of large, non-production mailboxes (during off hours if at all possible) for the sole purpose of finding out how long it takes to migrate a unit of data. We generally like to measure how much data we can move in an hour, and through experience have been able to guess it is usually around 1GB/hour.

2) We perform content test migrations. What this means is to create an empty mailbox on the old system, add one or two items of each item type that is available (so a few mail items, calendar items, recurring appointments, meetings with a few attendees, contacts, tasks with reminders or any other ‘everyday use functionality’ you can think of), and following the process of the tools you are using, move the mailbox to the new system. Coming up with a detailed test plan including documenting what was in the original mailbox, and a test script of what is expected in the new mailbox will allow you to plan for exceptions. There will be exceptions. Some of them can be fixed; some of them users will need to live with. For the latter, if the users are told well in advance, it results in less of an impact on your help desk when you actually move people over.

So at this point you should have a big hard drive full of PST files with your users’ data. You are half-way there. Stay tuned for Part 2, in which I will discuss getting your newly exported PST files into Exchange 2007.

Richard