CAUCE: Technology

Technology

02 October 2012

UK regulators fine text spammers over $400,000

According to a BBC report, the United Kingdom Information Commissioner's Office (ICO) will be levying large fines on mobil phone text spammers. In March the ICO started asking consumers to report unwanted calls, texts, and emails, and was deluged with over 30,000 complaints. After sifting through them, they identified bulk text spammers, and announced fines of over £250,000 (about $400,000) unless the spammers can show that they had the permission of the texts' recipients, which of course they can't.

Here in the US, text spam is illegal under the TCPA, the law that forbids junk faxes and other recipient-pays telephone messages, and a few court cases have confirmed it. The FTC has not made text spam a major emphasis, but given the amount ot text spam we're seeing, they need to, soon.

Posted by John L on 02 October 2012 in Technology, World | Permalink | Comments (0) | TrackBack (0)

06 January 2012

Canada moves ahead on the Spam Reporting Centre

One of the important parts of Canada's new anti-spam law (CASL) is the Spam Reporting Centre. It is intended to serve multiple functions, including to help the government track the effectiveness of its anti-spam enforcement, to collect data to bring legal cases under CASL, and, with appropriate measures to protect individuals' privacy, to allow access to academic researchers.

As reported in this article at canada.com, Industry Canada asked for bids to build and operate the SRC, and is now evaluating the bids and will presumably select a winner in the near future. CAUCE assisted IC in creating the framework and bidding requirements for the SRC.

Posted by CAUCE on 06 January 2012 in Canada, Technology | Permalink | Comments (0) | TrackBack (0)

11 August 2011

Facebook has stolen all the contents of mobile address books, including private telephone numbers

As you know, Facebook have a long, storied history, including several ongoing brushes with the Privacy Commissioner of Canada, and despite repeat warnings against abuse of end-user rights, they recently deployed facial recognition software with no notice given their 500,000,000 users.

Today, however was the straw that broke the camel's back. Unbeknowst to me, perhaps by way of their new 'Facebook messanger' [update: actually, by way of Facebook's iPhone app.] they have uploaded the address books of hundreds of millions of users' mobile phones.

I found the home, private, business and mobile telephone numbers of 700 friends, colleagues, co-workers, and associates (Facebook users or not) published on their site [update: on my account only - at least, for the moment, but nonetheless up on Facebook] - I never agreed to this, I never knew about this, and it was only by way of the Sophos blog post below that I discovered this.

To check to see if you have had the same unfortunate thing happened to you:

Log into Facebook
Click on Account (upper RH corner)
Click 'edit friends'
Click 'contacts' (LH side)

(There is the option to disable this feature. Turn OFF synching on your mobile phone, then go here)

update: CAUCE Director Matt Sergeant had this to say on his blog - he nails exactly what is wrong with this:

Addressing the latest Facebook privacy issue

(This is a non-work post, but Disclaimer: I work for Symantec and regularly talk publicly about security issues)

There’s been lots of talk today online about the latest Facebook privacy debacle whereby they have all your cell phone contacts listed on your “Contacts” page.

Facebook have been trying to quiet the storm, as people are posting to their status updates for people to disable this.

First, to combat some FUD: Facebook is not sharing this information from you with your friends. Your buddies aren’t going to be able to call up your Grandma.

But what Facebook have entirely ignored, and why this is again an issue, is the question of permission.

I have two phones. One is a work phone (BlackBerry), and one is my personal iPhone. The only phone the contacts I had listed on Facebook came from is my BlackBerry, which is good, because I have a lot of random old numbers in my iPhone (don’t ask!).

So what happened here? I believe that the latest BlackBerry Facebook app (which recently underwent a major upgrade) automatically set the preference to sync contacts with Facebook. Now it may very well have been in the multi-page user agreement that I accepted, but yes I admit, I don’t read those things. And those agreements don’t even appear on the iPhone version, because, and here’s the fundamental difference I guess: the iPhone version doesn’t transparently change your preferences.

Facebook needs to stop that. I don’t care if it’s useful, or if you’re not sharing it with anyone else. I don’t want you uploading my contacts to your servers without ASKING me first.

It’s that simple. And this is why there are laws against what they have done in various countries, and why this will probably result in yet another lawsuit against them.

Rant over.

CAUCE are stunned by this move, it is beyond the ken. We will be calling upon Facebook to remove this facility immediately (it should always bo opt-in by default, as should ALL end-user options) and failing that, filing complaints with the proper authorities.

See more: http://nakedsecurity.sophos.com/2011/08/11/has-facebook-got-your-mobile-number-now-your-friends-do-too

--
Neil Schwartzman
Executive Director
CAUCE : The Coalition Against Unsolicited Commercial Email

Posted by Neil Schwartzman on 11 August 2011 in Canada, Technology, United States, Warnings, World | Permalink | Comments (0) | TrackBack (0)

01 June 2011

Introducing the Inbox Project

For many years, the Cornell Legal Information Institute (LII) has been a premier source of reference information about laws in the US and elsewhere. One day last year, LII director Tom Bruce and CAUCE president John Levine were talking over breakfast, and noted that there was no authoritative online source of legal information about spam and e-mail, something that the LII and CAUCE are, together, uniquely qualified to create. The Inbox Project is a new section of the LII web site, meeting that need.

We intend for it to be comprehensive, growing to cover not just spam-related state and US law in the United States, but laws in countries around the world, since spam is a global problem. It will be authoritative, researched and written by well-qualified students at the Cornell Law School, with advice from CAUCE. And it will be stable, with an ongoing process to keep it accurate and up to date. The project currently covers US and Canadian law, with case law and laws from other countries added as the students research and analyze them.

This work is funded independently from CAUCE and the LII's regular budget by several generous organizational sponsors. We'll have more to say about them when we formally announce the project next week.

But in the meantime, point your browser at http://www.inboxproject.org where there's already a lot to see.

Posted by John L on 01 June 2011 in Canada, Technology, United States | Permalink | Comments (0) | TrackBack (0)

06 April 2011

Why the Epsilon-Fukushima Analogy Was Apt

A few days ago, CAUCE published a blog post entitled “Epsilon Interactive breach the Fukushima of the Email Industry” on our site, and the always-excellent CircleID.

A small coterie of commenters was upset by the hyperbolic nature of the headline. Fair enough, an analogy usually has a high degree of probability that it will fail, and clearly, no one has died as a result of the release of what appears to be tens of millions of people’s names and email addresses.

But, the two situations are analogous in many other ways, and here’s why. When I wrote the piece, I had in mind an article I recently read at The Economist, ‘When the steam clears - The Fukushima crisis will slow the growth of nuclear power. Might it reverse it?’, which sums up the aftermath neatly.

“FEAR and uncertainty spread faster and farther than any nuclear fallout.” – The Economist

There has been tremendous initial effect across the email industry as a result of Epsilon-shima. That whooshing you may have heard last Saturday was the sound of a collective frightened intake of breath at major brands and ESPs. A security staffer noted he had slept very little over the weekend, as the news broke. The fact of the matter is, this happened to Epsilon, but it could just as easily have happened to any of their competitors, of which there are many hundreds.

Followers of the Twitter #epsilon hashtag, see that regular, everyday people are furious. They are furious that the trusted brands they do business with handed over their personal information to a 3rd party, they are furious that it was stolen due to lack security, and they want to know who the hell Epsilon is (CAUCE Director Dennis Dayman wrote about the need for transparency among emailers here). End-users are also beginning to blame every piece of spam they receive on Epsilon, even though, to date, there has been no verifiable reports that I have seen that the thieves have sent a single piece of spam out. End-users are gun-shy. Unfortunately, they’ll get over it, of course, and drop their guard, making them vulnerable to spear-phishing.

“There will certainly be more durable effects too. Years of cleanup will drag into decades” – The Economist

It’s true. Once lost, these email addresses will very likely be used as spear-phishing targets (remember, the criminals also have the proper names of victims, as well as a list of who they did business with, including their financial institutions). Once they have served that purpose, they will be sold to other spammers, who will send untargeted spam to them. While spam filters will likely take care of most of this problem, there will undoubtedly be financial loses and successful instances of Identity Theft as a direct result of the Epsilon breach. This is a mess that simply can’t be cleaned up by form letters downplaying the theft, assuring people the criminals ‘only’ stole the data they did.

Make no mistake about it, an email address is considered to be personal identifiable information in Canada and Europe, and for good reason, because quite simply it is private information. Canadian and European brands were affected by the Epsilon breach. While the United States lags far behind the rest of the world with regard to breach and privacy legislation, this thing is far from over from an investigative and legal standpoint.

(An ESP) “Looks dangerous, unpopular, expensive and risky. It is replaceable with relative ease and could be forgone with no huge structural shifts in the way the world works. So what would the world be like without it?” – The Economist

ESPs are simply out-sourced services that many companies use to maintain their customer database, and send email marketing campaigns, and sometimes-transactional email, to clients.

We know that Epsilon lost 50 companies’ client information. What if all 50 of those companies were doing their own email and database management? In practical terms, I could see that making things worse. Relying on relatively unskilled, or even incompetent IT and marketing departments at retailers to do email correctly from a technical and policy standpoint is a highly unlikely scenario. Mass emailing is quite complicated these days, with laws, technical requirements, and methodologies ever-changing. Better to centralize the adherence to industry standards in the hands of the experts. If ESPs magically disappeared, mass email marketing would be in a bigger mess that it is today.

Like Fukushima, there were plenty of preemptive rumbles that should have reasonably warned Epsilon and the other ESPs that something bad was coming. There had been at least a dozen breaches of ESPs in the last year, and database and site breaches are as ‘common as car crashes’ as British telecom Chief Security Officer Bruce Schneier said.

Akin to the Tokyo Electric Power Company, even in light of prescient safety reports, ESPs failed to react appropriately to secure their sites. Databases should be encrypted, industry-standard security technologies and policies deployed, and 2-factor authentication implemented to access private data, across the board, as quickly as humanly possible.

Sadly, none of these is a silver bullet that will make data 100% secure. There is no such thing as 100% security, but all holders of private information, including ESPs must be held accountable to the highest standards, and not continue to allow themselves to be dumb, low-hanging fruit for criminals.

ESPS … “won’t go away, but … must to some extent remain a sideshow, however spectacular it looks when (they go) wrong. – The Economist

Epsilon, and other members of the sending and ESP communities have a tremendous opportunity to change in front of them, to become competitively better than ever. Epsilon will likely recover from this debacle, but the next ESP breached in a similar manner? Their fate remains quite uncertain.

Posted by Neil Schwartzman on 06 April 2011 in Canada, Technology, United States, World | Permalink | Comments (0) | TrackBack (0)

04 April 2011

Epsilon Interactive breach the Fukushima of the Email Industry

Marketing as Usual? Not a chance. – Epsilon corporate catch phrase

A series of attacks on the Email Service Provider (ESP) community began in late 2009. The criminals spear-phish their way into these companies that provide out-sourced mailing infrastructure to their clients, who are companies of all types and sizes.

Upon gaining access to an ESP, the criminals then steal subscriber data (PII such as names, addresses, telephone numbers and email addresses, and in one case, Vehicle Identification Numbers). They then use ESPs’ mailing facility to send spam; to monetize their illicit acquisition, the criminals have spammed ads for fake Adobe Acrobat and Skype software.

On March 30, the Epsilon Interactive division of Alliance Data Marketing (ADS on NASDAQ) suffered a massive breach that upped the ante, substantially. Email lists of at least eight financial institutions were stolen.

Thus far, puzzlingly, Epsilon has refused to release the names of compromised clients. CAUCE has drawn the a list of from news reports (below)

The obvious issue at hand is the ability of the thieves to now undertake targeted spear-phishing problem as critically serious as it could possibly be.

What to do?

CAUCE is calling on the ESP industry and ISP and Email Receivers to implement these measures across the board, to protect the PII of end-users everywhere. What follows are best common practices that have existed for many years. It is time to take a stand against the data-thieves, and begin to properly protect end-users, without fail.

ESP & Senders

Security must be the top corporate priority. Both Silverpop and Epsilon Interactive were either breached repeatedly, or failed to fully mitigate their initial security lapse in December. I was told by one ESP security staffer that he hadn’t been given sufficient resources to affect all the appropriate changes. That is at best lamentable.

Two-factor authentication must be implemented for ESP system access for both staff and clients.

Senders and ESPs must sign all email with DKIM, and authenticate all mailing IPs with SPF.

ESPs must check all outbound content against domain blacklists such as SURBL and the Spamhaus DBL before deployment.

ESPs must deploy extended-validation certificates on web properties.

ESPs and senders must rigourously adhere to the MAAWG Senders’ BCP

ESPs and brand owners should use the services of email authentication services such as Authentication Metrics, eCert, Return Path, and Truedomain, as well as anti-phishing services like BrandProtect, Internet Identity and tools such as Lashback’s BrandAlert

ESPs must adopt and embrace a culture of transparency and commit to cooperative full disclosure

“Epsilon has refused to provide additional details on what other brands may have been affected.” – Security Week

“SilverPop did not respond to requests for comment” – Krebs on Security

While it is the instinctive corporate reaction to be secretive, such a strategy exacerbates the frustration of the other set of victims of data-theft, namely the end-users. A complete list of breached clients is fundamental to protecting end-users, and allowing them to protect themselves.

Receiving Systems

We need desperate measure for desperate times, CAUCE calls upon the receiving community to better their protection of end-users.

Email receivers must follow Yahoo! Mail’s lead and deploy multi-layer phishing protection.

Email receivers must deploy DKIM and SPF checking, and treat messaging failing such checks accordingly by labeling the subject line, placing it in a spam folder, or blocking it entirely.

Email receivers must deploy checks using URI blacklists like SURBL and Spamhaus on message headers and content domains.

Email receivers must take extreme measures, even if there are false positives. Better safe that sorry, and given the potential damage these breaches can cause to a recipient, far better that there are false positives (legitimate email refused or sidetracked to the bulk folder) than false negatives (illicit email delivered to the inbox).

The list of breached companies

Posted by Neil Schwartzman on 04 April 2011 in Canada, Frequently Asked Questions, Technology, United States, Warnings, World | Permalink | Comments (0) | TrackBack (0)

18 March 2011

Microsoft, others help take down Rustock Botnet

Microsoft's DCU and some federal agencies took down the Rustock botnet two days ago. A hearty CAUCE congratulations to all those involved, in the forefront, and behind the scenes.

Here's a compilation of various news and data sources:

Krebs on Security: http://krebsonsecurity.com/2011/03/rustock-botnet-flatlined-spam-volumes-plummet/
Wall Street Journal: http://online.wsj.com/article/SB10001424052748703328404576207173861008758.html

Microsoft: http://blogs.technet.com/b/mmpc/archive/2011/03/18/operation-b107-rustock-botnet-takedown.aspx & http://blogs.technet.com/b/microsoft_on_the_issues/archive/2011/03/18/taking-down-botnets-microsoft-and-the-rustock-botnet.aspx

CBL (2nd & 3rd charts) http://cbl.abuseat.org/totalflow.html & http://cbl.abuseat.org/rustock.html
Spamcop: http://www.spamcop.net/spamgraph.shtml?spamweek
Nixspam: http://img.ly/3eix

The court orders (PDF) http://bit.ly/fg0d0u

Posted by Neil Schwartzman on 18 March 2011 in Technology, United States, World | Permalink | Comments (0) | TrackBack (0)

19 February 2011

BBC World News Facebook Account Hacked

Sadly, it can happen to anyone. Poor passwords, or clicking on an errant link can end up with something like this on your Facebook account. There is, of course, no such tool, although the landing page at http://valcreepers.tk/ will try to convince you otherwise.

Don't be fooled - don't add this rogue app, or any other, to your Facebook account, ever.

Posted by Neil Schwartzman on 19 February 2011 in Technology, Warnings, World | Permalink | Comments (0) | TrackBack (0)

24 January 2011

I don't really want to stay in touch on LinkedIn

Imagine my surprise (I imagine yours to be similar), when whilst sitting around watching t.v. on a cold Sunday afternoon I was fiddling with my new iPad, and decided during a commercial to cross-check my gmail contacts to my LinkedIn contacts.

I was shown a short list of contacts, with no scroll-bar, (deselected a few, actually) and hit 'ok'. I saw no results, iPad did its thing where pages disappear then relaunch. Then, I tried my other gmail account.

Sigh.

The rest, as they say, is history. I'm not certain if it is because I've been on LinkedIn for a long time, have a business account, have a lot of existing contacts or some combination of these factors, but somehow LinkedIn determined I was a suitable candidate to upload two address books (yes, I overtly OK'ed this step), and invite them all to 'get in touch', or to join LinkedIn.

Included in this wonderful offer were anti-spam mailing lists, people I'd decidedly not prefer to stay in touch with, for example, spammers about whom I've complained. LI also wrote to abuse desks to whom I've complained about said spammers, and at least one (literally) dead friend, a dead email list I used to run (or, at least, I thought it was decommissioned), the billing alias for my telephone company, a whole Smörgåsbord stuffed into a cornucopia of ill-placed messaging.

I do have no small number of people who accepted my offer (my dead friend didn't). As, well, I received no small number of complaints, a total that will undoubtedly mount as people will probably complaint to abuse@cauce.org, linkedin.com and elsewhere, justifiably so.

I'm uncertain if this was due to poor UI, generally or UI that only displays on the iPad, and lousy policy regarding address book uploads at LinkedIn and the way that Google aggregates contacts; I will reiterate here what has always been my recommendation regarding such things: Limit inviatation sends to a maximum of 100 at any time, and should an uploaded list have role accounts, the send be held until the validity can be humanly verified. Neither of those things happened.

My two gmail accounts date back to 2006 and 2004 respectively, and I didn't overtly add many of these addresses to my contact list.

There you have it, a case in point and an object lesson in how powerful the tools we use actually are, and the laxity in privacy that is pervasive these days.

Of course, I apologize profusely for the intrusion.

Atypically, I've kept the comment section open for this post, feel free to stay in touch here! ;-)

--
Neil Schwartzman
Exectuive Director
CAUCE

Posted by Neil Schwartzman on 24 January 2011 in Frequently Asked Questions, Technology, Warnings | Permalink | Comments (0) | TrackBack (0)

02 November 2010

Kidnapping, Theft and Rape Are Not "Cyber" Crimes

Kidnap. Rape. There are no lesser words that can be used to describe what happened to the daughter of an anti-spam investigator in Russia.

His daughter was recently released, according to Joseph Menn’s recent article on Boing Boing, after having been kidnapped from her home five years ago, fed drugs, and made to service men, as a warning to ward off further investigations.

The criminals behind these vicious acts were also responsible for large spamming organization associated with Russian Mob activity.

Note that we say "also."

When someone is mugged, harassed, kidnapped or raped on a sidewalk, we don't call it "sidewalk crime" and call for new laws to regulate sidewalks. It is crime, and those who commit crimes are subject to the full force of the law.

For too long, people have referred to spam in dismissive terms: just hit delete, some say, or let the filters take care of it. Others — most of us, in fact — refer to phishing, which is the first step in theft of real money from real people and institutions, as "cyber crime." It's time for that to stop.

Some of these crimes involve technology. So what? Criminals have used technology before.

Some of these crimes cross borders. So what? Crimes have crossed borders before.

Spam isn't illegal everywhere yet. So what? Spam 2.0 (spam, malware & spyware) is the leading edge of far worse activities, often things that have been illegal as long as we've had laws.

It is high time that governments and law enforcement stop thinking of computer crime as that perpetrated by teenagers in their parent’s basement. It is the Russian Mob and other organized criminals that are doing this.

While we are at it, we should mention ‘cyber-warfare’, something too often conflated with cyber-crime. Cyber-crime is not "cyber-warfare.” There may be state or terrorist agencies copying the tactics and methods of these criminals, but that does not mean that the criminals must be left alone until new cyber-warfare agencies have been created and funded.

As Purdue computer science professor ‘Spaf’ Spafford was recently quoted as saying in a note-worthy piece ‘Cyberwar Vs. Cybercrime’ on the GovInfo Security blog

"Why aren't we seeing the investment and prioritization being made in law enforcement, first? Why is all the publicity, funding and prioritization being given to the military - with efforts such as the build-up of the military cyber command - when so much of the clear and present threat is from the criminal element and not from other nation-states?"

Just so, Prof. Spafford!

As we have said repeatedly on this site, these are criminal gangs who have found an incredible loophole in the justice systems of the world: they can rob banks and people, with little chance of getting caught, let alone going to jail. This is not because they're doing things that aren't illegal; they've just found a new way to hide.

David Black, manager of the RCMP's cyber infrastructure protection section recently said to CAUCE Executive Director Neil Schwartzman “we don’t do spam”. OK, but why not? Spam is no longer, and hasn’t been for some time, about simply sending unwanted emails. Spam is now a delivery mechanism for malware, which in turn threatens infrastructure, and facilitates theft. We have seen precious few cases filed using existing Federal computer intrusions laws in Canada, and none, to our knowledge have been filed under the renovated anti-phishing law, S-4, passed in September 2009.

Governments and law enforcement agencies need to begin to treat online theft with the same seriousness as they do other physical crimes. It is time to bring this up to the diplomatic level, or seriously consider refusing packets from places that treat the Internet, and innocent victims, as their personal ATM.

CAUCE is made up of people who care about email qua email. We understand it, we love it. It is still the ‘killer app’. Furthermore, we understand why some folks in law enforcement or the judiciary might ask, "When there are people stealing millions or hurting people in the commission of violent crimes, why are you wasting our time with 'just' a spam case?” Here's why:

Most spam is sent by organized criminal gangs, just like other organized crime.
Those gangs intentionally operate trans-nationally, in an effort to frustrate investigation and prosecution.
Money laundering of the proceeds from spam is routine, and that money directly fuels official corruption and other social ills.
Some spammers are actually selling something. Their favorite product? Counterfeit pharmaceuticals. In many cases these may be scheduled controlled substances, sold in bulk, and available to minors; in other cases, critical medicines needed to properly treat cancer and other serious illnesses may be counterfeit placebos, with potentially tragic results.
Spammers operate by compromising tens or hundreds of thousands of end-user PCs, violating those users' privacy and sometimes steal sensitive personally identifiable information such as individuals’ and even corporate access to financial services at the same time they're using their systems to spam. Computer ‘phishing’ is no less a crime than bank robbery, home invasion, and mugging.

Cyber criminals consider cyber crime to be a virtually riskless offense; they're unlikely to be identified; if identified, they're unlikely to be investigated; if investigated, they're unlikely to be charged and prosecuted; if prosecuted, they're unlikely to be convicted; if convicted, they're unlikely to do jail time.

The courts need to make it clear that that's wrong in all respects. If you commit cyber crimes, you will be identified, investigated, charged, prosecuted, convicted and sentenced to serious time and we will seize your assets.

This will not happen so long as crime, which involves the Internet, is dismissed as "cybercrime" and either scoffed at, or used to justify ever-increasing cyberwarfare budgets

This isn't just email. This isn't a war. This isn't "cyber.” This is crime. It is time to call a cop, and expect a response.

by CAUCE Executives J.D. Falk & Neil Schwartzman

Posted by Neil Schwartzman on 02 November 2010 in Canada, History, Prognostication, Technology, United States, Warnings, World | Permalink | Comments (1) | TrackBack (0)