CAUCE: Technology

Technology

28 September 2013

spamNEWS 09/28/2013

CAUCE posts regularly on topics related to spam. Here are our picks of the most interesting news items of the day.

You can follow them in real time on Twitter on Google + or on LinkedIn

Facebook wins $3M injunction against spammer Steven Vachani aka Power.com http://news.cnet.com/8301-1023_3-57604866-93/facebook-wins-$3m-injunction-against-spammer/

Revealed: UK secretly arrested 16-year old boy for world’s ‘biggest’ DDoS-attack http://rt.com/news/uk-boy-arrested-ddos-attack-411/

Data Broker Giants Hacked by ID Theft Service http://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/

DMARC Forward Reporting: Why Network Owners Should be Informed, too http://blog.abusix.com/2013/09/24/dmarc-forward-reporting-why-network-owners-should-be-informed-too/

LinkedIn Class Action http://www.linkedinclassaction.com

A Study of Whois Privacy and Proxy Service Abuse by @MAAWG STA Dr. Richard Clayton http://www.lightbluetouchpaper.org/2013/09/25/a-study-of-whois-privacy-and-proxy-service-abuse/

Is Fake iMessage App Malware or Not? http://www.enterprise-security-today.com/story.xhtml?story_id=121000A6NWYX&nl=7

Do not use iMessage Chat for Android – it’s not safe [Updated] @digitaltrends http://www.digitaltrends.com/mobile/imessage-chat-android-security-flaw/#ixzz2gDyzRIv1

ICANN and Your Internet Abuse By Garth Bruen @circleid http://www.circleid.com/posts/20130924_icann_and_your_internet_abuse/

Twitter's User Growth Slows, Perhaps As A Result Of Spam Account Purges Ahead Of IPO http://www.businessinsider.com.au/twitters-user-growth-slows-2013-9

Spam Arrest's Sender Agreement Fails Because Email Marketer's Employees Lacked Authority http://www.circleid.com/posts/20130919_spam_arrests_sender_agreement_fails/

Apple's a tasty phishing target for scammers http://www.pcworld.com/article/2049287/apple-is-a-tempting-phishing-target-for-scammers.html

Ransomware Puts Your System To Work Mining Bitcoins http://blog.malwarebytes.org/intelligence/2013/09/ransomware-puts-your-system-to-work-mining-bitcoins/

KETLER INVESTMENTS CC vs. South African INTERNET SERVICE PROVIDERS’ ASSOCIATION http://badwhois.info/Ketler_Invest_v_ISPA_JMNT_REVISED.PDF

Posted by CAUCE on 28 September 2013 in Legal, News, Technology, United States, Warnings | Permalink | TrackBack (0)

11 June 2013

Court rules that proxy registrations and flaky opt-out info violate CAN SPAM

A Utah court recently ruled in a CAN SPAM case Zoobuh vs. Better Broadcasting et al. The decision has two interesting aspects. The spammer used proxy registrations to hide the WHOIS contact information on the return addresses, which the court declared was a CAN SPAM violation, the first time a Federal court has said so.

Also, the required notices about how to opt out were not in the spam itself, but were (in theory at least) in images on remote web servers that the spam referred to. Noting that many mail programs don't show remote images for security reasons, the court found that they weren't an adequate opt-out.

The defendants never replied to the suit and defaulted, so even though the court awared over $1 million, there's little chance the plaintiffs will ever see any of it. But this is a useful precedent for other people who want to use what little anti-spam protection CAN SPAM provides.

CAUCE president John Levine wrote in more detail in his blog.

Posted by John L on 11 June 2013 in Legal, News, Technology | Permalink | Comments (0)

29 March 2013

The Spamhaus Distributed Denial of Service – How Big A Deal was it?

If you haven't been reading the news of late, venerable anti-spam service Spamhaus has been the target of a sustained, record-setting Distributed Denial-of-Service (DDoS) attack over the past couple of weeks.

Al Iverson over at Spamresource has a great round-up of the news, if you didn't manage to catch this item, go check it out, then come on back, we'll wait ...

Of course, bad guys are always mad at Spamhaus, and so they had a pretty robust set-up to begin with, but whoever was behind this attack was able to muster some huge resources, heretofore never seen in intensity, and it had some impact, on the Spamhaus website, and to a limited degree, on the behind-the-scenes services that Spamhaus uses to distribute their data to their customers, who happen to be some of the biggest sites and services on the Internet. Spamhaus notes they protect as many as 1.7 billion email accounts.

Some reasonable criticism was aimed at the New York Times, the BBC and Cloudflare for being a little hyperbolic in their headlines, and sure, it was a bit Chicken Little-like, the sky wasn't falling and the Internet didn't collapse.

But don't let the critics fools you, this was a bullet we all dodged.

For one, were Spamhaus to be taken offline, their effectiveness in filtering spam and malware would rapidly decay, due to the rate at which their blocklists need to be updated. The XBL anti-botnet feed and the SBL list both have many additions and deletions every day. These services are used to protect mail servers and networks against the most malicious criminal traffic. If they go down, a lot of major sites would have trouble staying up, or become massively infected with malware.

There are also a ton of small email systems that use the Spamhaus lists as a key part of their mail filtering (for free as it turns out). Were those lookups prevented, or tampered with, those systems would buckle under the load of spam that they dispense with ease thanks to Spamhaus.

To put it into perspective, somewhere between 80% & 90% of all email is spam, and thats the stuff Spamhaus helps filter. So it doesn't take a Rocket Scientist to figure out that if filters go out, so do the email systems, in short order. AOL's Postmaster famously said, at an FTC Spam Summit a decade ago, before the inception of massive botnets, that were their filtering to be taken offline, it would take 10 minutes for their email systems to crash.

Due to some poorly researched media reports (hello, Wolf Blitzer!), there is a perception that this is a fight between two legitimate entities, Spamhaus and Stophaus; some press outlets and bloggers have given equal time to the criminals (we use that word advisedly, there is an ongoing investigation by law enforcement in at least five countries to bring these people to justice). Nothing could be further from the truth. The attackers are a group of organized criminals, end of story. There is nothing to be celebrated in Spamhaus taking it on the chin, unless you want email systems and networks on the Internet to stop working.

So yeah. this was a big deal.

Postscript: There were some reports early on in the attack that some of the Spamhaus feeds may have been hijacked. There is no indication that that is ongoing.

Posted by CAUCE on 29 March 2013 in Legal, Technology, Warnings, World | Permalink | Comments (0)

02 October 2012

UK regulators fine text spammers over $400,000

According to a BBC report, the United Kingdom Information Commissioner's Office (ICO) will be levying large fines on mobil phone text spammers. In March the ICO started asking consumers to report unwanted calls, texts, and emails, and was deluged with over 30,000 complaints. After sifting through them, they identified bulk text spammers, and announced fines of over £250,000 (about $400,000) unless the spammers can show that they had the permission of the texts' recipients, which of course they can't.

Here in the US, text spam is illegal under the TCPA, the law that forbids junk faxes and other recipient-pays telephone messages, and a few court cases have confirmed it. The FTC has not made text spam a major emphasis, but given the amount ot text spam we're seeing, they need to, soon.

Posted by John L on 02 October 2012 in Technology, World | Permalink | Comments (0) | TrackBack (0)

05 January 2012

Canada moves ahead on the Spam Reporting Centre

One of the important parts of Canada's new anti-spam law (CASL) is the Spam Reporting Centre. It is intended to serve multiple functions, including to help the government track the effectiveness of its anti-spam enforcement, to collect data to bring legal cases under CASL, and, with appropriate measures to protect individuals' privacy, to allow access to academic researchers.

As reported in this article at canada.com, Industry Canada asked for bids to build and operate the SRC, and is now evaluating the bids and will presumably select a winner in the near future. CAUCE assisted IC in creating the framework and bidding requirements for the SRC.

Posted by CAUCE on 05 January 2012 in Canada, Technology | Permalink | Comments (0) | TrackBack (0)

11 August 2011

Facebook has stolen all the contents of mobile address books, including private telephone numbers

As you know, Facebook have a long, storied history, including several ongoing brushes with the Privacy Commissioner of Canada, and despite repeat warnings against abuse of end-user rights, they recently deployed facial recognition software with no notice given their 500,000,000 users.

Today, however was the straw that broke the camel's back. Unbeknowst to me, perhaps by way of their new 'Facebook messanger' [update: actually, by way of Facebook's iPhone app.] they have uploaded the address books of hundreds of millions of users' mobile phones.

I found the home, private, business and mobile telephone numbers of 700 friends, colleagues, co-workers, and associates (Facebook users or not) published on their site [update: on my account only - at least, for the moment, but nonetheless up on Facebook] - I never agreed to this, I never knew about this, and it was only by way of the Sophos blog post below that I discovered this.

To check to see if you have had the same unfortunate thing happened to you:

Log into Facebook
Click on Account (upper RH corner)
Click 'edit friends'
Click 'contacts' (LH side)

(There is the option to disable this feature. Turn OFF synching on your mobile phone, then go here)

update: CAUCE Director Matt Sergeant had this to say on his blog - he nails exactly what is wrong with this:

Addressing the latest Facebook privacy issue

(This is a non-work post, but Disclaimer: I work for Symantec and regularly talk publicly about security issues)

There’s been lots of talk today online about the latest Facebook privacy debacle whereby they have all your cell phone contacts listed on your “Contacts” page.

Facebook have been trying to quiet the storm, as people are posting to their status updates for people to disable this.

First, to combat some FUD: Facebook is not sharing this information from you with your friends. Your buddies aren’t going to be able to call up your Grandma.

But what Facebook have entirely ignored, and why this is again an issue, is the question of permission.

I have two phones. One is a work phone (BlackBerry), and one is my personal iPhone. The only phone the contacts I had listed on Facebook came from is my BlackBerry, which is good, because I have a lot of random old numbers in my iPhone (don’t ask!).

So what happened here? I believe that the latest BlackBerry Facebook app (which recently underwent a major upgrade) automatically set the preference to sync contacts with Facebook. Now it may very well have been in the multi-page user agreement that I accepted, but yes I admit, I don’t read those things. And those agreements don’t even appear on the iPhone version, because, and here’s the fundamental difference I guess: the iPhone version doesn’t transparently change your preferences.

Facebook needs to stop that. I don’t care if it’s useful, or if you’re not sharing it with anyone else. I don’t want you uploading my contacts to your servers without ASKING me first.

It’s that simple. And this is why there are laws against what they have done in various countries, and why this will probably result in yet another lawsuit against them.

Rant over.

CAUCE are stunned by this move, it is beyond the ken. We will be calling upon Facebook to remove this facility immediately (it should always bo opt-in by default, as should ALL end-user options) and failing that, filing complaints with the proper authorities.

See more: http://nakedsecurity.sophos.com/2011/08/11/has-facebook-got-your-mobile-number-now-your-friends-do-too

--
Neil Schwartzman
Executive Director
CAUCE : The Coalition Against Unsolicited Commercial Email

Posted by Neil Schwartzman on 11 August 2011 in Canada, Technology, United States, Warnings, World | Permalink | Comments (0) | TrackBack (0)

01 June 2011

Introducing the Inbox Project

For many years, the Cornell Legal Information Institute (LII) has been a premier source of reference information about laws in the US and elsewhere. One day last year, LII director Tom Bruce and CAUCE president John Levine were talking over breakfast, and noted that there was no authoritative online source of legal information about spam and e-mail, something that the LII and CAUCE are, together, uniquely qualified to create. The Inbox Project is a new section of the LII web site, meeting that need.

We intend for it to be comprehensive, growing to cover not just spam-related state and US law in the United States, but laws in countries around the world, since spam is a global problem. It will be authoritative, researched and written by well-qualified students at the Cornell Law School, with advice from CAUCE. And it will be stable, with an ongoing process to keep it accurate and up to date. The project currently covers US and Canadian law, with case law and laws from other countries added as the students research and analyze them.

This work is funded independently from CAUCE and the LII's regular budget by several generous organizational sponsors. We'll have more to say about them when we formally announce the project next week.

But in the meantime, point your browser at http://www.inboxproject.org where there's already a lot to see.

Posted by John L on 01 June 2011 in Canada, Technology, United States | Permalink | Comments (0) | TrackBack (0)

06 April 2011

Why the Epsilon-Fukushima Analogy Was Apt

A few days ago, CAUCE published a blog post entitled “Epsilon Interactive breach the Fukushima of the Email Industry” on our site, and the always-excellent CircleID.

A small coterie of commenters was upset by the hyperbolic nature of the headline. Fair enough, an analogy usually has a high degree of probability that it will fail, and clearly, no one has died as a result of the release of what appears to be tens of millions of people’s names and email addresses.

But, the two situations are analogous in many other ways, and here’s why. When I wrote the piece, I had in mind an article I recently read at The Economist, ‘When the steam clears - The Fukushima crisis will slow the growth of nuclear power. Might it reverse it?’, which sums up the aftermath neatly.

“FEAR and uncertainty spread faster and farther than any nuclear fallout.” – The Economist

There has been tremendous initial effect across the email industry as a result of Epsilon-shima. That whooshing you may have heard last Saturday was the sound of a collective frightened intake of breath at major brands and ESPs. A security staffer noted he had slept very little over the weekend, as the news broke. The fact of the matter is, this happened to Epsilon, but it could just as easily have happened to any of their competitors, of which there are many hundreds.

Followers of the Twitter #epsilon hashtag, see that regular, everyday people are furious. They are furious that the trusted brands they do business with handed over their personal information to a 3rd party, they are furious that it was stolen due to lack security, and they want to know who the hell Epsilon is (CAUCE Director Dennis Dayman wrote about the need for transparency among emailers here). End-users are also beginning to blame every piece of spam they receive on Epsilon, even though, to date, there has been no verifiable reports that I have seen that the thieves have sent a single piece of spam out. End-users are gun-shy. Unfortunately, they’ll get over it, of course, and drop their guard, making them vulnerable to spear-phishing.

“There will certainly be more durable effects too. Years of cleanup will drag into decades” – The Economist

It’s true. Once lost, these email addresses will very likely be used as spear-phishing targets (remember, the criminals also have the proper names of victims, as well as a list of who they did business with, including their financial institutions). Once they have served that purpose, they will be sold to other spammers, who will send untargeted spam to them. While spam filters will likely take care of most of this problem, there will undoubtedly be financial loses and successful instances of Identity Theft as a direct result of the Epsilon breach. This is a mess that simply can’t be cleaned up by form letters downplaying the theft, assuring people the criminals ‘only’ stole the data they did.

Make no mistake about it, an email address is considered to be personal identifiable information in Canada and Europe, and for good reason, because quite simply it is private information. Canadian and European brands were affected by the Epsilon breach. While the United States lags far behind the rest of the world with regard to breach and privacy legislation, this thing is far from over from an investigative and legal standpoint.

(An ESP) “Looks dangerous, unpopular, expensive and risky. It is replaceable with relative ease and could be forgone with no huge structural shifts in the way the world works. So what would the world be like without it?” – The Economist

ESPs are simply out-sourced services that many companies use to maintain their customer database, and send email marketing campaigns, and sometimes-transactional email, to clients.

We know that Epsilon lost 50 companies’ client information. What if all 50 of those companies were doing their own email and database management? In practical terms, I could see that making things worse. Relying on relatively unskilled, or even incompetent IT and marketing departments at retailers to do email correctly from a technical and policy standpoint is a highly unlikely scenario. Mass emailing is quite complicated these days, with laws, technical requirements, and methodologies ever-changing. Better to centralize the adherence to industry standards in the hands of the experts. If ESPs magically disappeared, mass email marketing would be in a bigger mess that it is today.

Like Fukushima, there were plenty of preemptive rumbles that should have reasonably warned Epsilon and the other ESPs that something bad was coming. There had been at least a dozen breaches of ESPs in the last year, and database and site breaches are as ‘common as car crashes’ as British telecom Chief Security Officer Bruce Schneier said.

Akin to the Tokyo Electric Power Company, even in light of prescient safety reports, ESPs failed to react appropriately to secure their sites. Databases should be encrypted, industry-standard security technologies and policies deployed, and 2-factor authentication implemented to access private data, across the board, as quickly as humanly possible.

Sadly, none of these is a silver bullet that will make data 100% secure. There is no such thing as 100% security, but all holders of private information, including ESPs must be held accountable to the highest standards, and not continue to allow themselves to be dumb, low-hanging fruit for criminals.

ESPS … “won’t go away, but … must to some extent remain a sideshow, however spectacular it looks when (they go) wrong. – The Economist

Epsilon, and other members of the sending and ESP communities have a tremendous opportunity to change in front of them, to become competitively better than ever. Epsilon will likely recover from this debacle, but the next ESP breached in a similar manner? Their fate remains quite uncertain.

Posted by Neil Schwartzman on 06 April 2011 in Canada, Technology, United States, World | Permalink | Comments (0) | TrackBack (0)

04 April 2011

Epsilon Interactive breach the Fukushima of the Email Industry

Marketing as Usual? Not a chance. – Epsilon corporate catch phrase

A series of attacks on the Email Service Provider (ESP) community began in late 2009. The criminals spear-phish their way into these companies that provide out-sourced mailing infrastructure to their clients, who are companies of all types and sizes.

Upon gaining access to an ESP, the criminals then steal subscriber data (PII such as names, addresses, telephone numbers and email addresses, and in one case, Vehicle Identification Numbers). They then use ESPs’ mailing facility to send spam; to monetize their illicit acquisition, the criminals have spammed ads for fake Adobe Acrobat and Skype software.

On March 30, the Epsilon Interactive division of Alliance Data Marketing (ADS on NASDAQ) suffered a massive breach that upped the ante, substantially. Email lists of at least eight financial institutions were stolen.

Thus far, puzzlingly, Epsilon has refused to release the names of compromised clients. CAUCE has drawn the a list of from news reports (below)

The obvious issue at hand is the ability of the thieves to now undertake targeted spear-phishing problem as critically serious as it could possibly be.

What to do?

CAUCE is calling on the ESP industry and ISP and Email Receivers to implement these measures across the board, to protect the PII of end-users everywhere. What follows are best common practices that have existed for many years. It is time to take a stand against the data-thieves, and begin to properly protect end-users, without fail.

ESP & Senders

Security must be the top corporate priority. Both Silverpop and Epsilon Interactive were either breached repeatedly, or failed to fully mitigate their initial security lapse in December. I was told by one ESP security staffer that he hadn’t been given sufficient resources to affect all the appropriate changes. That is at best lamentable.

Two-factor authentication must be implemented for ESP system access for both staff and clients.

Senders and ESPs must sign all email with DKIM, and authenticate all mailing IPs with SPF.

ESPs must check all outbound content against domain blacklists such as SURBL and the Spamhaus DBL before deployment.

ESPs must deploy extended-validation certificates on web properties.

ESPs and senders must rigourously adhere to the MAAWG Senders’ BCP

ESPs and brand owners should use the services of email authentication services such as Authentication Metrics, eCert, Return Path, and Truedomain, as well as anti-phishing services like BrandProtect, Internet Identity and tools such as Lashback’s BrandAlert

ESPs must adopt and embrace a culture of transparency and commit to cooperative full disclosure

“Epsilon has refused to provide additional details on what other brands may have been affected.” – Security Week

“SilverPop did not respond to requests for comment” – Krebs on Security

While it is the instinctive corporate reaction to be secretive, such a strategy exacerbates the frustration of the other set of victims of data-theft, namely the end-users. A complete list of breached clients is fundamental to protecting end-users, and allowing them to protect themselves.

Receiving Systems

We need desperate measure for desperate times, CAUCE calls upon the receiving community to better their protection of end-users.

Email receivers must follow Yahoo! Mail’s lead and deploy multi-layer phishing protection.

Email receivers must deploy DKIM and SPF checking, and treat messaging failing such checks accordingly by labeling the subject line, placing it in a spam folder, or blocking it entirely.

Email receivers must deploy checks using URI blacklists like SURBL and Spamhaus on message headers and content domains.

Email receivers must take extreme measures, even if there are false positives. Better safe that sorry, and given the potential damage these breaches can cause to a recipient, far better that there are false positives (legitimate email refused or sidetracked to the bulk folder) than false negatives (illicit email delivered to the inbox).

The list of breached companies

Posted by Neil Schwartzman on 04 April 2011 in Canada, Frequently Asked Questions, Technology, United States, Warnings, World | Permalink | Comments (0) | TrackBack (0)

18 March 2011

Microsoft, others help take down Rustock Botnet

Microsoft's DCU and some federal agencies took down the Rustock botnet two days ago. A hearty CAUCE congratulations to all those involved, in the forefront, and behind the scenes.

Here's a compilation of various news and data sources:

Krebs on Security: http://krebsonsecurity.com/2011/03/rustock-botnet-flatlined-spam-volumes-plummet/
Wall Street Journal: http://online.wsj.com/article/SB10001424052748703328404576207173861008758.html

Microsoft: http://blogs.technet.com/b/mmpc/archive/2011/03/18/operation-b107-rustock-botnet-takedown.aspx & http://blogs.technet.com/b/microsoft_on_the_issues/archive/2011/03/18/taking-down-botnets-microsoft-and-the-rustock-botnet.aspx

CBL (2nd & 3rd charts) http://cbl.abuseat.org/totalflow.html & http://cbl.abuseat.org/rustock.html
Spamcop: http://www.spamcop.net/spamgraph.shtml?spamweek
Nixspam: http://img.ly/3eix

The court orders (PDF) http://bit.ly/fg0d0u