A PDF Chart of all legal actions taken by enforcement agencies since CASL came into effect. The PDF has live links to the case files.
CAUCE is proud to announce the publication of the new Operation Safety-Net. This document is intended for business and government leaders (but interesting to anyone), and contains 60 pages of clear and readable advice. It addresses best practices for online, mobile, and telephony threats.
CAUCE executive director Neil Schwartzman led the effort as part of the steering committee with peers from M3AAWG and Industry Canada. President John Levine provided technical content on DNS and IP address threats.
Speaking as a Canadian, Sochi was pretty nice. However, in terms of cybercrime, NBC recently published a report which sums it up pretty well:
The following clip is from a remarkable documentary called ‘Thieves by Law’ about the Russian organized crime syndicates and their relationship with the Russian government, which is pretty stunning in its assertions.
I just received this email ostensibly from business reputation firm Dun & Bradstreet. The fact that I don’t actually have a business at present didn’t escape me, but the verbiage of the email is compelling, and I can see why someone might inadvisedly click on the attachment.
I carefully saved the attachment and went over to VirusTotal and uploaded it there. No surprise, it is malware. See for yourself.
Looking at the headers we see that this was sent from an IP in Mexico, presumably not a sending platform used by D&B
Received: from fixed-189-17-231.iusacell.net (fixed-189-17-231.iusacell.net [18.104.22.168] (may be forged))
owner: Iusacell PCS de Mexico, S.A. de C.V.
responsible: Rafel Rodriguez Sanchez
address: Montes Urales, 460, Col. Lomas de Chapultepec
address: 11000 - México - DF
phone: +52 55 51095068
nsstat: 20131119 AA
The From: address is firstname.lastname@example.org. D&B does publish an SPF record, but it ends in ~all (softfail) rather than a firm -all (fail), so a receiving system cannot reject mail from an unlisted source with 100% confidence; the best it can record is a softfail, and so we see this result:
Authentication-Results: iecc.com; spf=softfail
; <<>> DiG 9.8.3-P1 <<>> dnb.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25745
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;dnb.com. IN TXT
;; ANSWER SECTION:
dnb.com. 300 IN TXT "v=spf1 mx ip4:22.214.171.124 ip4:126.96.36.199 ip4:188.8.131.52/31 ip4:184.108.40.206/28 ip4:220.127.116.11/28 ip4:18.104.22.168/31 ip4:22.214.171.124/31 ip4:126.96.36.199/28 ip4:188.8.131.52 ip4:184.108.40.206/30 " "ip4:220.127.116.11 ip4:18.104.22.168/31 ip4:22.214.171.124/31 include:alerts.wallst.com ~all"
;; Query time: 100 msec
;; SERVER: 10.0.1.1#53(10.0.1.1)
;; WHEN: Thu Nov 21 09:07:43 2013
;; MSG SIZE rcvd: 342
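To make the softfail concrete, here is a small SPF evaluator in Python, added as an illustration and not part of the original post. It implements the check_host() logic of RFC 7208 for the common mechanisms (ip4, ip6, a, mx, include, all) and stands in for DNS with a constructed table using RFC 5737 documentation addresses, so every domain and IP in it is an assumption. The same unlisted sender is run against a record ending in ~all and one ending in -all, which is exactly the difference the header above turns on.

```python
import ipaddress

# Result for each qualifier when its mechanism matches (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:              # modifier (redirect=, exp=); not evaluated in this example
            continue
        qualifier = "+"              # a bare mechanism means '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_host(ip, domain, records, depth=0):
    """RFC 7208 check_host() over a constructed DNS table `records`
    (domain -> {"txt": spf record, "a": [addresses], "mx": [hostnames]})."""
    if depth > 10:                   # RFC 7208 caps include/redirect recursion
        return "permerror"
    zone = records.get(domain, {})
    if "txt" not in zone:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, arg in parse_spf(zone["txt"]):
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a bare address is treated as /32 or /128; an IPv6 sender never matches ip4
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hosts = records.get(arg or domain, {}).get("a", [])
            matched = any(addr == ipaddress.ip_address(h) for h in hosts)
        elif mech == "mx":
            mx_hosts = records.get(arg or domain, {}).get("mx", [])
            matched = any(
                addr == ipaddress.ip_address(h)
                for mx in mx_hosts for h in records.get(mx, {}).get("a", [])
            )
        elif mech == "include":
            # include: matches only when the referenced domain's own record yields pass
            matched = check_host(ip, arg, records, depth + 1) == "pass"
        else:
            # unknown mechanism, or a/mx with a CIDR suffix, which this example does not handle
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                 # no mechanism matched and there was no 'all' term


# Constructed stand-in for DNS (assumption: these zones exist as shown).
RECORDS = {
    "example.com": {
        "txt": "v=spf1 mx ip4:203.0.113.0/24 include:bulk.example.net ~all",
        "mx": ["mail.example.com"],
    },
    "mail.example.com": {"a": ["192.0.2.25"]},
    "bulk.example.net": {"txt": "v=spf1 ip4:198.51.100.0/28 -all"},
    "strict.example.com": {"txt": "v=spf1 ip4:203.0.113.0/24 -all"},
}


def demo():
    """The same unlisted sender (198.51.100.200) under ~all versus -all."""
    return {
        "mx host":       check_host("192.0.2.25",     "example.com",        RECORDS),
        "listed ip4":    check_host("203.0.113.9",    "example.com",        RECORDS),
        "via include":   check_host("198.51.100.3",   "example.com",        RECORDS),
        "unlisted ~all": check_host("198.51.100.200", "example.com",        RECORDS),
        "unlisted -all": check_host("198.51.100.200", "strict.example.com", RECORDS),
        "no spf record": check_host("198.51.100.200", "nospf.example.org",  RECORDS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14} {result}")
```

Note that the include mechanism only counts as a match when the included record returns pass; the -all inside bulk.example.net does not propagate a fail outward. That is why the unlisted sender still falls through to example.com's own ~all, and why a receiver can only reject outright when the domain owner commits to -all.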
[originally posted at Emailkarma. Written by CAUCE Director Matt Vernhout]
We have found what appears to be an official version of the Canadian Radio-television and Telecommunications Commission's (CRTC) regulations under Canada's Anti-Spam Law (CASL) on the Canadian Employment Pension Law website, along with a brief overview of the regulations.
Here is a quick summary:
Information to be included in a commercial electronic message (CEM) has been clarified to include these key identifiers: the name by which the person sending the message carries on business; for messages sent on behalf of a third party, the name by which that third party carries on business; and a statement indicating which person is sending the message and on whose behalf it is sent.
Contact information has also been clarified: the mailing address of the sender, plus either a telephone number providing access to an agent or a voice messaging system, an email address, or a web address of the person sending the message or of the person on whose behalf it is sent.
When it is not possible to include unsubscribe information in the CEM, you may include that information on a web page that is readily accessible, at no cost, to the person to whom the message is sent, by means of a link that is clearly and prominently set out in the message. This is a big deal for mobile* and social media messages, as these platforms' character limits do not always allow for all of the previously required information; I can't ever see this being an issue for an email message though. *The mobile keyword STOP will remain a requirement.
All unsubscribe mechanisms referred to in paragraph 6(2)(c) of the Act must be set out clearly and prominently and must be able to be readily performed.
A request for consent has been clarified: consent may be oral or written, must be sought separately for each channel covered by the Act (SMS, email, etc.), and the request must include the key identifiers listed above (point 1) along with a statement that the person whose consent is sought can withdraw it at any time.
Computer programs that perform one or more of the functions listed in subsection 10 (5) of the Act [causing a computer system to operate contrary to reasonable expectations] must have a separate consent sought from any other information provided in a request for consent and the person seeking consent must obtain an acknowledgement in writing from the person from whom consent is being sought that they understand and agree that the program performs the specified functions.
What’s Next with CASL?
We are still waiting on the regulations from Industry Canada that will hopefully clarify a number of the outstanding issues and questions they received during last year's comment period. We are expecting to hear from them in the next couple of weeks (maybe early April), when a new 30-day comment period is scheduled. After these comments are reviewed, final regulations will be presented and an enforcement date will be set.
The big question is still outstanding – When is CASL coming into force?
Latest word on this will be at or near the end of Q3 2012 (around October), but the regulations from Industry Canada will clarify this.
Download the CRTC’s Regulations HERE [PDF]
Epsilon Interactive, who sends commercial email on behalf of hundreds of companies, admitted to a security breach that they detected some time in March. Epsilon and its parent company, Alliance Data, have posted two press releases about the breach.
How many companies’ customers' email addresses were lost?
Epsilon has not revealed any statistics beyond ‘2% of our clients’, of which they reportedly have 2,500.
Journalists covering the story have collected notifications sent by about 70 companies, including many financial institutions. The names of these companies have been published at:
What information was lost?
Epsilon has stated that the names and email addresses of their clients' customers were taken. Presumably the attackers were also able to access the names of each client.
What does this mean for consumers?
If you received a notification from one of Epsilon's clients, the thieves know your name and email address. Depending on which company had your information, the thieves may also know which hotels you stay at, which credit cards you use, or where you shop online. If your email address shows up on several of these lists, the criminals can draw together a fairly accurate profile of who you are and what you typically do, and can guess your income level. Ironically, that is what companies like Epsilon do with the data, too.
Do the criminals have any more information about me?
While it's common for the contents of an email message to include more personal information than your name and email address, as far as we know this information was not stolen. Often, different data is stored in different places, and the thieves may not have been able to access the contents of previously sent messages. There is a pretty good explanation of the way these marketing databases generally work here
My address was lost in the Epsilon breach; CAUCE says the only way to protect myself against phishing is to change my address. Isn't that a rather extreme approach?
Sadly, it may not be extreme enough. The Anti-Phishing Working Group reports about 360,000 unique phishing sites annually.
Anti-virus software catches new malware about 20% of the time, leaving end-users exposed to a tremendous amount of viruses, keyloggers, spyware, and other bad things. Anti-spam software does a pretty good job, catching well upwards of 90% of all spam, but some trickles through. We know that phishing attempts succeeded at ESPs that were on high alert for exactly such attempts.
While some phishing attempts are obvious, almost silly, others can be extremely difficult for end-users to recognize. Our friends at Word to the Wise took apart a legitimate email from an Epsilon client-company, and even email experts had a hard time determining if the email was real. See their article ‘Real. Or. Phish?’.
If your email was lost by a client company of Epsilon, we stand by our suggestion that changing your address is the best way to avoid receiving and having to deal with the phishing emails and other spam that will inevitably come from this data theft. Even if you don't want to abandon your current address entirely, this would be a good time to set up a new address and move your important communications there.
I unsubscribed from a customer list at Epsilon, and still received a notification from them. Isn’t this illegal?
It is arguably illegal under some laws, but it makes good sense that they did mail you. It doesn’t mean you weren’t unsubscribed. Here’s how it works: When you unsubscribe from an emailer’s list, they put your address into what they call a ‘suppression list’. The criminals presumably stole these too. The companies did the right thing by alerting you to the fact that your address was stolen.
How can I unsubscribe from everything at Epsilon?
Epsilon maintains a list of places where you can unsubscribe from a variety of their clients' newsletters.
We do not know if this will ensure that another of their clients will not upload your address to Epsilon in the future, and of course there are many other ESPs out there.
Are the authorities involved? Can I sue someone?
Epsilon is reportedly working with the Secret Service, presumably because information related to bank and credit card clients was lost. Previously, some of the companies who were targets or victims of the previous series of breaches (which, again, may not be connected to the Epsilon incident) have been working with law enforcement.
The Australian Communications and Media Authority and the Australian Privacy Commissioner are aware of the attack, having been alerted to it by Dell Australia, whose data was stolen. The breach may prompt an investigation by the UK Information Commissioner's Office. Connecticut Attorney General George Jepsen and Consumer Protection Commissioner William Rubenstein are investigating, and have written to the Attorney General of the United States asking him to investigate. Leaders of the House Energy and Commerce panel in the United States have written to the CEO of Alliance Data, Epsilon’s parent company, asking for more details on how many customers were affected and how the breach occurred.
You could try to sue someone: the company holding your data, Epsilon, or both. There may be class action lawsuits coming out of this, as well as lawsuits by Epsilon’s client companies. If you do join a class action, you should not expect a large financial settlement, as these are generally quite small.
CAUCE suggests that if you live in a relevant jurisdiction, you can file a complaint with the local authorities about the breach:
If you have incurred a financial loss as a result of any phishing attack, or see suspicious activity on your bank account, contact your financial institution to alert them and report your credit card stolen immediately. Then, call your local and federal police forces to file a complaint (the bank will not do this for you).
How was the hack accomplished?
Epsilon has not released details about the mechanics of the breach. If it is similar to the hacking attempts targeted at ESPs last year, the hackers may have used social engineering and spear-phishing techniques, leading to an employee mistakenly typing their username and password into a web page controlled by the hacker. However, at this time, we do not know what happened or whether there's any connection to the previous attacks.
Has Epsilon been hacked before?
Maybe. Epsilon has not publicly admitted to any previous attack, but their customer Walgreens has indicated that this is the second time they have lost data by way of Epsilon.
“After the incident last year, Walgreens requested that Epsilon put a number of additional security measures in place. Apparently, that expectation was not fully met.” – Walgreens spokesperson, via databreaches.net
Is the Epsilon breach part of the previous series of attacks on the ESP industry?
These attacks appear to have begun as early as November 2009, the first victim being a company called aWeber.
Typically, the criminals would hack into an ESP by sending an employee an email that infected them with keylogger spyware, take over one of their client accounts, and send spam for fake Adobe or Skype software. More than a dozen different ESPs, including Epsilon, were targets or victims of these attacks in 2010.
It is impossible to say if this is the same as what happened to Epsilon more recently. Adobe or Skype spam was seen during previous breaches. This did not happen with the current breach with Walgreen or any other Epsilon customer.
This could have been the same group, using the same point of attack. It could have been a copycat using the same tactics, or an entirely different approach. We do not know, and there are too many variables for anyone to say they know definitively — though if Epsilon were to share what they know with the security community, it's likely that we could understand quite a bit more.
Did Epsilon have lax security?
We do not know what changes they made after their first breach, so it is impossible to say.
Were there things they could have done to improve security?
Obviously — they were hacked, after all. Epsilon will presumably address whatever let the hackers get into their systems this time, but any security professional will tell you that security is never perfect. What appears secure today may be exploited tomorrow.
There are many steps ESPs can take to greatly improve the security of client lists and outbound email; we have listed them here
I heard that someone warned ESPs about breaches in November.
They did. Return Path, which provides services to ESPs, blogged about their own breach and those at ESPs in November 2010. In fact, the ESP industry was becoming aware of this series of breaches all the way through 2010, as they were happening.
Security isn’t 100%? Why?
Software, and the way it interacts with various web applications, is very complicated. Many sites do not, or cannot, update all the components that go into a web application, because doing so may break functionality on the site, or because they are negligent. Home computers are pretty much the same. Microsoft, for example, issued 67 updates this past ‘Patch Tuesday’. Have you updated your computer?
Who is the real victim here?
You are. Epsilon suffered the initial attack. Their clients suffer as well, losing consumer trust. There may also be marketing or advertising agencies involved. But as far as CAUCE is concerned, the people who stand to suffer the most are the regular Internet users who trusted that the major brands whose products they enjoy would keep their email addresses and other personal information safe and secure. If these companies do not take immediate, public actions to prove that they deserve our trust, then they do not deserve our business.
Tags: adobe, alliance data, australia, Australian Communications and Media Authority, britain, canada, epsilon, federal trade commission, ftc, krebs, krebs on security, krebsonsecurity, magill report, malware, office of the privacy commissioner of canada, opc, phish, phishing, privacy commissioner, return path, secret service, security, skype, spam, uk, virus, walgreen
Marketing as Usual? Not a chance. – Epsilon corporate catch phrase
A series of attacks on the Email Service Provider (ESP) community began in late 2009. The criminals spear-phish their way into these companies that provide out-sourced mailing infrastructure to their clients, who are companies of all types and sizes.
Upon gaining access to an ESP, the criminals then steal subscriber data (PII such as names, addresses, telephone numbers and email addresses, and in one case, Vehicle Identification Numbers). They then use ESPs’ mailing facility to send spam; to monetize their illicit acquisition, the criminals have spammed ads for fake Adobe Acrobat and Skype software.
On March 30, the Epsilon Interactive division of Alliance Data Marketing (ADS on NASDAQ) suffered a massive breach that upped the ante, substantially. Email lists of at least eight financial institutions were stolen.
Thus far, puzzlingly, Epsilon has refused to release the names of compromised clients. CAUCE has drawn up a list from news reports (below).
The obvious issue at hand is that the thieves can now undertake targeted spear-phishing, a problem as critically serious as it could possibly be.
CAUCE is calling on the ESP industry and ISP and Email Receivers to implement these measures across the board, to protect the PII of end-users everywhere. What follows are best common practices that have existed for many years. It is time to take a stand against the data-thieves, and begin to properly protect end-users, without fail.
ESP & Senders
“Epsilon has refused to provide additional details on what other brands may have been affected.” – Security Week
“SilverPop did not respond to requests for comment” – Krebs on Security
While it is the instinctive corporate reaction to be secretive, such a strategy exacerbates the frustration of the other set of victims of data-theft, namely the end-users. A complete list of breached clients is fundamental to protecting end-users, and allowing them to protect themselves.
Desperate times call for desperate measures: CAUCE calls upon the receiving community to better protect end-users.
Tags: AbeBooks, American Express, Ameriprise Financial, Barclays Bank of Delaware, Benefit Cosmetics, Best Buy, Best Buy Canada, breach, Brookstone, Capital One, CITI, City Market, CollegeBoard, data theft, Dillons, Disney Destinations, epsilon, Food 4 Less, Fred Meyer, Fry's, Hilton HHonors, Home Shopping Network, Jay C, JP Morgan Chase, King Soopers, Krogers, L.L. Bean, Lacoste, Marriott Rewards, McKinsey Quarterly, New York & Company, QFC, Ralphs, Ritz-Carlton Rewards, Robert Half, Smith's, spam, TiVo, U.S. Bank, Verizon, VISA, Walgreens
Imagine my surprise (I imagine yours to be similar), when whilst sitting around watching t.v. on a cold Sunday afternoon I was fiddling with my new iPad, and decided during a commercial to cross-check my gmail contacts to my LinkedIn contacts.
I was shown a short list of contacts, with no scroll-bar, (deselected a few, actually) and hit 'ok'. I saw no results, iPad did its thing where pages disappear then relaunch. Then, I tried my other gmail account.
The rest, as they say, is history. I'm not certain if it is because I've been on LinkedIn for a long time, have a business account, have a lot of existing contacts or some combination of these factors, but somehow LinkedIn determined I was a suitable candidate to upload two address books (yes, I overtly OK'ed this step), and invite them all to 'get in touch', or to join LinkedIn.
Included in this wonderful offer were anti-spam mailing lists, people I'd decidedly not prefer to stay in touch with, for example, spammers about whom I've complained. LI also wrote to abuse desks to whom I've complained about said spammers, and at least one (literally) dead friend, a dead email list I used to run (or, at least, I thought it was decommissioned), the billing alias for my telephone company, a whole Smörgåsbord stuffed into a cornucopia of ill-placed messaging.
I do have no small number of people who accepted my offer (my dead friend didn't). As well, I received no small number of complaints, a total that will undoubtedly mount as people will probably complain to email@example.com, linkedin.com and elsewhere, justifiably so.
I'm uncertain if this was due to poor UI generally, or UI that only displays on the iPad, lousy policy regarding address book uploads at LinkedIn, or the way that Google aggregates contacts; I will reiterate here what has always been my recommendation regarding such things: limit invitation sends to a maximum of 100 at any time, and should an uploaded list contain role accounts, hold the send until its validity can be humanly verified. Neither of those things happened.
My two gmail accounts date back to 2006 and 2004 respectively, and I didn't overtly add many of these addresses to my contact list.
There you have it, a case in point and an object lesson in how powerful the tools we use actually are, and the laxity in privacy that is pervasive these days.
Of course, I apologize profusely for the intrusion.
Atypically, I've kept the comment section open for this post, feel free to stay in touch here! ;-)
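The two controls recommended in the post above (cap invitation batches at 100, and hold any role or list address for human review before anything is sent) are easy to implement on the platform side. What follows is an added Python example, not LinkedIn's or the author's code; the role names come from RFC 2142 plus common operational aliases, the list-address patterns are conventions rather than a standard, and the sample address book is constructed here.

```python
import re

# Role mailboxes (RFC 2142) plus common operational aliases. Assumption: the
# platform holds all of these for human review instead of inviting them.
ROLE_LOCALPARTS = {
    "abuse", "postmaster", "hostmaster", "webmaster", "security", "noc",
    "info", "sales", "support", "marketing", "billing", "accounts",
    "noreply", "no-reply", "donotreply", "bounce", "bounces", "mailer-daemon",
}

# Local-part shapes typical of mailing lists and list-management aliases:
# foo-request, foo-owner, foo-bounces, LISTSERV-style foo-l, owner-foo, list-foo.
LIST_PATTERNS = re.compile(
    r"^(?:.+-(?:request|owner|bounces|subscribe|unsubscribe|list|admin)"
    r"|.+[-_]l|owner-.+|list-.+)$",
    re.IGNORECASE,
)

BATCH_LIMIT = 100   # maximum invitations released in one send, per the recommendation


def normalize(address):
    """Lower-case and strip whitespace; return None if it is not a plausible address."""
    address = address.strip().lower()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or "." not in domain:
        return None
    return address


def classify(address):
    """Return 'send' for an ordinary personal address, otherwise the reason to hold it."""
    local, domain = address.split("@")
    base = local.split("+", 1)[0]          # ignore +tags when matching role names
    if base in ROLE_LOCALPARTS:
        return "role account"
    if LIST_PATTERNS.match(local):
        return "mailing list or automated alias"
    if domain.startswith(("lists.", "list.")):
        return "mailing list domain"
    return "send"


def screen_upload(addresses, batch_limit=BATCH_LIMIT):
    """Split an uploaded address book into batches that may be sent now and a
    dict of address -> reason for those that must wait for human verification."""
    approved, held, seen = [], {}, set()
    for raw in addresses:
        addr = normalize(raw)
        if addr is None or addr in seen:   # drop junk and duplicates
            continue
        seen.add(addr)
        reason = classify(addr)
        if reason == "send":
            approved.append(addr)
        else:
            held[addr] = reason
    batches = [approved[i:i + batch_limit] for i in range(0, len(approved), batch_limit)]
    return batches, held


# Constructed sample upload mixing personal, role, list and malformed entries.
SAMPLE_UPLOAD = [
    "alice@example.com", "Bob@Example.org ", "abuse@isp.example.net",
    "antispam-l@lists.example.edu", "antispam-l-request@lists.example.edu",
    "billing@phoneco.example", "alice@example.com", "not-an-address",
    "owner-anti-spam@example.org", "carol+news@example.com",
]

if __name__ == "__main__":
    batches, held = screen_upload(SAMPLE_UPLOAD)
    for n, batch in enumerate(batches, 1):
        print(f"batch {n}: {batch}")
    for addr, reason in held.items():
        print(f"hold {addr}: {reason}")
```

The held dict is what a human reviewer would see before anything goes out; the abuse desk, the billing alias and the two list addresses from the post's own story all land there, while the batch cap bounds the damage if the review is skipped.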
I spotted a disturbing headline which reminded me to repost a recent series about online privacy in the Wall Street Journal.
A lawsuit filed in federal court last week alleges that a group of well-known Web sites, including those owned by Disney, Warner Bros. Records, and Demand Media, broke the law by secretly tracking the Web movements of their users, including children.
Among the laws that were allegedly violated by Clearspring and the other defendants are the Computer Fraud and Abuse Act, California's Computer Crime law, and that state's Invasion of Privacy Act.
(CNET uses trackers themselves. Using the Firefox plugin Ghostery, we see that they monitor using Twitmeme, Comscore Beacon, Revenue Science, Yahoo Buzz, Facebook Connect, Google Analytics, and Chartbeat to monitor your surfing)
The article above references a multi-part series I highly recommend you read if you care about your online privacy (just for the record, the Wall Street Journal uses the following trackers: Facebook Connect, MSN Ads, Chartbeat, Peer39, Fox Audience Metrics, Google Analytics, Omniture, WordPress Stats.
CAUCE uses Google Analytics and Bit.ly, and Typepad, where we are hosted, inserts Quantcast tracking into our posts.)