United States

09 June 2011

CAUCE Director Neil Schwartzman Wins Prestigious MAAWG Award

CAUCE Executive Director Neil Schwartzman won the prestigious Mary Litynski award on June 08, 2011 for his contributions to Internet anti-abuse efforts, including the passage of Canada's Anti-Spam Law. Here is his acceptance speech.

This is not the first award I've received from the MAAWG community. A few years ago, at a meeting in Washington, D.C., I received an honorary doctorate when recognized me as Dr. Evil. At the past meeting, at Disney, you honored me with a t-shirt branding me as Grumpy, from the Seven Dwarves.

As much as I treasure those memories, this award is very special to me.

Mary Lytinski was a warm, helpful, friendly person. It is nice to see that MAAWG is applying these criteria when deciding a suitable winner of the award in her name.

Seeing Mary at the registration desk was our opening ritual three times a year, and her greeting -- no matter how busy -- told every attendee that this was going to be a good meeting. Mary's contribution to our community and our cause cannot be measured.

I can’t begin to express my gratitude for this award, named in honor of our old friend; I am profoundly humbled, particularly when we consider the roster of others in our community undeniably as deserving of recognition.

My contributions to the Internet community, like that of so many others, began as a volunteer. To some, that might be a puzzling thing, to do something without financial recompense. To others, most in this room, it is the most natural thing of all.

There are a number of reasons why I try to embody a spirit of volunteerism. For one, my mother volunteered her time throughout her life. She undoubtedly passed this aspect on to me.

When I got online in 1992, the net was largely non-commercial. There was no world wide web. It was all about text, and community spirit, and volunteered contributions. Even when employees of a commercial entity worked on standards or software, it was with humility and a sense of collaboration, of building the Internet together.

The commercialization of the net has brought with it some astounding, wonderful new technologies and contributions to our global society. I am able to write to my friend, one of the happiest people I’ve ever met, a peasant girl named Shandy, who lives in rural China, because she has a Hotmail account. A far-flung community was able to express our love and support for our friend and colleague J.D. Falk, by way of Facebook, and email, and AOL Instant Messaging. Perhaps most profoundly, an offshoot of Google, 23andme, allowed me to reconcile with my biological mother, sister and brother, this past weekend after 50 years.

These are the things that motivate me to voluntarily advocate for the anti-abuse community. Because along with all these commercial offerings, there is still a fundamental, precious human element, a drawing together of the global village that criminals, if we let them, would rend asunder. There is still real, honest human communication -- that abusers sully. This human element is the magic intrinsic to the Internet, and something that must be protected. It isn’t just about email systems being spammed, and websites under ddos. It is what they represent -- the people, the data, and the ability to communicate -- that we strive to protect.

The DNA of the Internet, the vast majority of underlying technologies and protocols, were dreamt up and realized by volunteers. Grassroots, volunteer anti-abuse efforts such as my organization, CAUCE, many of the DNSBLs, discussion groups -- all manner of efforts to stave off the wolves at the door, nearly all done on a voluntary basis or as a contribution to the community.

And then there’s MAAWG.

While most of us are paid to be here, involvement in MAAWG can take up a tremendous amount of time. It often encroaches into one’s personal life, or one’s ability to accomplish the balance of our paid work, in effect, MAAWG is very much run by people volunteering of their time, expertise and brilliance.

And so, I accept this award on behalf of all the volunteers past, present and future, my peers and my betters, with the hopes that our work is properly honouring the person for whom this award is named, our dear departed Mary Litynski.

Thank you.

Posted by on 09 June 2011 in Canada, Press Releases, United States, World | | Comments (0) | TrackBack (0)

| | | |

01 June 2011

Introducing the Inbox Project

For many years, the Cornell Legal Information Institute (LII) has been a premier source of reference information about laws in the US and elsewhere. One day last year, LII director Tom Bruce and CAUCE president John Levine were talking over breakfast, and noted that there was no authoritative online source of legal information about spam and e-mail, something that the LII and CAUCE are, together, uniquely qualified to create. The Inbox Project is a new section of the LII web site, meeting that need.

We intend for it to be comprehensive, growing to cover not just spam-related state and US law in the United States, but laws in countries around the world, since spam is a global problem. It will be authoritative, researched and written by well-qualified students at the Cornell Law School, with advice from CAUCE. And it will be stable, with an ongoing process to keep it accurate and up to date. The project currently covers US and Canadian law, with case law and laws from other countries added as the students research and analyze them.

This work is funded independently from CAUCE and the LII's regular budget by several generous organizational sponsors. We'll have more to say about them when we formally announce the project next week.

But in the meantime, point your browser at http://www.inboxproject.org where there's already a lot to see.

Posted by on 01 June 2011 in Canada, Technology, United States | | Comments (0) | TrackBack (0)

| | | |

28 April 2011

Continued Data Leaks: The Game is Rigged

Earlier this week, gigantic technology company Sony admitted that "an illegal and unauthorized person" had accessed their database of 77,000,000 PlayStation Network users, obtaining names, addresses, gaming profiles, and possibly credit card numbers.  Their response upon discovering the breach was decidedly old-school: they turned everything off while investigating.

If the ESP breaches we've been reporting are Godzilla, Gamera, and other residents of Monster Island, then the PlayStation breach is the larger and more powerful MechaGodzilla.  If the ESP breaches are planets in the solar system, the PlayStation breach is Jupiter — and the New York Yankees' mistaken exposure of 20,000 ticketholders is poor, downgraded Pluto.

As if size alone wasn't enough, the PlayStation breach may require an even more radical response from the victims whose information was stolen.  As The Globe and Mail explained yesterday afternoon, you should start by changing your password — especially if you've used that same password anywhere else.  But since Sony admits that credit card numbers might have been stolen too, you'll need to call your bank and get a new card with a new number — which some banks charge for.  You'll also need to change all the billing info associated with the old card number.  Oh, and if you don't want game-related spam and phishing attacks, you'll need to change your email address too.

Inconvenient? Annoying? Absolutely. Unfair? No question. But when the big companies to whom you've entrusted your information can't keep it secure, you're stuck having to find ways to stay safe on your own.

To be sure, the companies whose data was stolen (these, Sony, and more) are victims too — but they're all big enough to weather the storm.  How about you?

Posted by on 28 April 2011 in United States, Warnings | | Comments (0) | TrackBack (0)

| | | |

20 April 2011

Oh, Poo! Diapers.com & Optivo GmbH the latest victim of the ESP Adobe Gang

Diapers.com is the latest in a long series of ESP breaches by way of optivo.de. Optivo were alerted to this breach on April 14.

UPDATE: While Responsys is the current ESP of record for Diapers.com according to their website (and have been since 11/2009, according to company officials); this may indicate the tagged address was taken from Responsys, another ESP (some companies use more than one ESP), their previous ESP Silverpop, or from diapers.com directly.

Thanks to REDACTED for the report.

Delivered-To: REDACTED
Received: by 10.229.107.19 with SMTP id z19cs52292qco;
        Tue, 12 Apr 2011 21:47:45 -0700 (PDT)
Received: by 10.204.74.167 with SMTP id u39mr326019bkj.144.1302670065088;
        Tue, 12 Apr 2011 21:47:45 -0700 (PDT)
Return-Path: <return@demo.srv2.de>
Received: from mail17-54.srv2.de (mail17-54.srv2.de [193.169.180.54])
        by mx.google.com with ESMTP id c1si470386bky.10.2011.04.12.21.47.44;
        Tue, 12 Apr 2011 21:47:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of return@demo.srv2.de designates 193.169.180.54 as permitted sender) client-ip=193.169.180.54;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of return@demo.srv2.de designates 193.169.180.54 as permitted sender) smtp.mail=return@demo.srv2.de; dkim=pass header.i=Adobe@demo.srv2.de
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mailing; d=demo.srv2.de;
 h=Message-ID:Date:From:Reply-To:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding; i=Adobe@demo.srv2.de;
 bh=Ob9u6TxtQqwyE0MTiwnn5kGewhc=;
 b=YXkzQAJ1/oHetfZxTPgwT35YL3se7xFVZitbg/bQwO5O4gqMSsU89Q3Wo5oJVSRy2P9mH0M+wm62
   2G75INYa+RsiLp9qQ2rtCUyXYQ24v7CEEs1ggg06Pj5giRymB1uS+ySNfuDTkh2eYifyKg7F9lx/
   dlKHvahHPVa5U6m6+wY=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mailing; d=demo.srv2.de;
 b=deGmdf/mVGx8f7o9EcPDZl4uaoxzLXPDR9jc2ILr9g9IgkAY1urF8dnGE9ydx7hrXiMckon1o7NI
   mJdGspev4TuPwWvY1jNldcUX93xrqYAcMGr4v4VM4rGGvXmxPFM7VTaJjnjMy9++N6n8BvC/zQuO
   BngpUpwys6rmeOEyu68=;
Received: by mail17-54.srv2.de id hkklf20farcr for <REDACTED>; Wed, 13 Apr 2011 06:47:43 +0200 (envelope-from <return@demo.srv2.de>)
Message-ID: <re-pOaX3BUQnds72BhAcj4J1wrgwTrlqCM5OetY-EHI4W55-1UZ8D6Y-UUQ14MG@demo.srv2.de>
Date: Wed, 13 Apr 2011 06:47:43 +0200 (CEST)
From: Adobe Systerm Incorporated <Adobe@demo.srv2.de>
Reply-To: re-EHI4W55-1UZ8D6Y-13HAPU9@demo.srv2.de
To: REDACTED
Subject: =?ISO-8859-1?Q?Adobe_Acrobat_Reader_10x_:_all_?= =?ISO-8859-1?Q?new,_all_powerful_!_Upgrade_Now=3F?=
MIME-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-ulpe: re-pOaX3BUQnds72BhAcj4J1wrgwTrlqCM5OetY-EHI4W55-1UZ8D6Y-UUQ14MG@demo.srv2.de

GETTING MORE DONE AT WORK NOW COMES IN A CONVENIENT BOX

See how Adobe Acrobat Reader is a step above anything you've experienced before, so you can be even more productive.

Upgrade Adobe Acrobat Reader

Just how much faster can you work with Adobe Acrobat PDF Reader
software? Fast enough to stay on top of last-minute changes, connect
with key decision makers, and share updates with co-workers.

You'll discover how easy it is to reuse content by exporting PDF files
to Microsoft Word or Excel formats. And how quickly you can automate
multi-step tasks with new, guided Actions. No wonder PC Magazine
says, "There's a lot to like in Acrobat X PDF Reader."

Download Now To Try Us Out

Copyright 2011 Adobe Systems Incorporated. All rights reserved.

Adobe Systems Incorporated
343 Preston Street
Ottawa, ON K1S 1N4
Canada  

*************

Delivered-To: REDACTED
Received: by 10.229.107.19 with SMTP id z19cs53998qco;
        Tue, 12 Apr 2011 22:29:46 -0700 (PDT)
Received: by 10.223.27.14 with SMTP id g14mr73129fac.129.1302672585540;
        Tue, 12 Apr 2011 22:29:45 -0700 (PDT)
Return-Path: <return@demo.srv2.de>
Received: from mail17-45.srv2.de
 
 (mail17-45.srv2.de
 
 [193.169.180.45])
        by mx.google.com with ESMTP id l25si86220fah.191.2011.04.12.22.29.45;
        Tue, 12 Apr 2011 22:29:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of return@demo.srv2.de designates 193.169.180.45 as permitted sender) client-ip=193.169.180.45;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of return@demo.srv2.de designates 193.169.180.45 as permitted sender) smtp.mail=return@demo.srv2.de; dkim=pass header.i=Skype@demo.srv2.de
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mailing; d=demo.srv2.de
 
;
 h=Message-ID:Date:From:Reply-To:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding; i=Skype@demo.srv2.de;
 bh=lF+2G6Rq1lrcc66z2TQZb33J6eQ=;
 b=GadElK40VNPm/e12VYpQLZai3O/5IRkfLTDOu6tYSuTaFGs27w76Azhu3SIgU5H4ixgP8O5BeN34
   9qn/8S1djO0khRgjeyISbKWddAOzOFYIsgBO6HIFgeqhfPBXlSd4030HF5WHTiIhuHEUr1aNhv9L
   UpL8c6x64PGnrvNU5Ow=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mailing; d=demo.srv2.de
 
;
 b=eEKJOR6eX0npHpBOmJPiHfkopOggjkq13StcWwuWK7LoNebJha4z8OXbFCKN2TxFKh/HaF5wlppd
   zyzYzoevuAgWJPNmpabtyOk6om7JJn1/moYlEERevNE2IA917NV2R9kDFEB7nfmcopy28XA5FSEr
   Bb1dZ6jQEr/hvgud7mQ=;
Received: by mail17-45.srv2.de
 
 id hkkqci0farc7 for <REDACTED>; Wed, 13 Apr 2011 07:29:44 +0200 (envelope-from <return@demo.srv2.de>)
Message-ID: <re-pOaX3BUQnds72BhAcj4J1wrgwTrlqCM5OetY-EHPDGH2-1UZ8D7F-8KIZFU@demo.srv2.de>
Date: Wed, 13 Apr 2011 07:29:44 +0200 (CEST)
From: Skype Support <Skype@demo.srv2.de>
Reply-To: re-EHPDGH2-1UZ8D7F-BX918B1@demo.srv2.de
To: REDACTED
Subject: Download New VOIP Addons For More Skype Free Talks
MIME-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-ulpe: re-pOaX3BUQnds72BhAcj4J1wrgwTrlqCM5OetY-EHPDGH2-1UZ8D7F-8KIZFU@demo.srv2.de

SKYPE VoIP ADDONS UPDATES

This is to notify that new updates have been released for Skype
 
. Following are major new features:
 
- Talk more for free via Voice Over IP (VoIP).
- Lower cost when connecting to landlines (much cheaper than Calling Card).
- Record your conversation (better than telephone quality).
- Instant messaging& file-sharing, video calls.
- Now available on PSP !
 
To check and upgrade, go to Skype Updates Center
 
 
Skype has changed the way we think of telecommunications.
 
Thank you for choosing us.
 
With best regards,
 
Skype Support

Posted by on 20 April 2011 in United States, Warnings, World | | Comments (0)

| | | |

16 April 2011

Tough Day for Online Scum

The 3rd Friday in April 2011 wasn't the 13th, but it probably felt that way for a number of online scammers.

Gambling

Operators of several gambling sites,  Pokerstars.com, Fulltiltpoker.com and Absolutepoker.com and their online payment processors were charged with money laundering and fraud. Site domains and billions of dollars were siezed. It has long been known that these sites are dodgy, Joseph Menn laid much of it out in his book Fatal System Error (2010), with allegations of organized crime involvement, rigged gaming, and so on, and Journalist Brian Krebs made mention of money-laundering-by-gambling in 2007.

What Krebs alleges had been confirmed to CAUCE by federal investigators in private discussions years prior to that. The scam is easy, the perpetrators take a large amount of cash (usually stolen), and lose it to associates in online gambling games. Online thieves aren't the only people who avail themselves of this, terrorists use the scheme too, which may go some ways to explain the United States' stance on online gambling.

Online fora and Twitter went wild soon after these closures, with many noting that money they had in accounts on these sites was frozen and seemingly lost. The (big) house always wins.

Acai Berry "News" Reports

You've probably seen the spam, where you click through a link, and end up with what looks like a news reporter, extolling the virtues of Acai berry as a cure-all.The FTC put an end to some of that, charging 5 different companies behind this ubiquitous scam. Some of the domains the spammer/scammers used were

breakingNewsAt6.com
channel2local.com
channel6reports.com
channel9healthbeat.com
bhannel9NewsReports.com
consumernewspick.com
consumertipsdaily6.com
healthnews10.com
news4daily.com
theconsumerweeklydigest.com
usahealthnewstoday.com
usahealthreportstoday.com

(While CAUCE thinks Acai Bery is a yummy drink, your local supermarket is a cheaper alternative to buying the stuff online from spammers)

Good riddance to bad garbage. We should take a moment to note that just because a site has the word 'consumer' in its domain name doesn't mean it has your best interests at mind. Caveat emptor, always, and especially online.

 

Posted by on 16 April 2011 in United States, Warnings, World | | Comments (0) | TrackBack (0)

| | | |

15 April 2011

Submission to ICANN WHOIS Team review

 

CAUCE North America
PO Box 727
Trumansburg NY 14886
E-Mail: secretary@cauce.org

13. Apr. 2011

ICANN
by electronic mail

We appreciate the chance to comment on the ICANN WHOIS Review Team Plan as announced at http://www.icann.org/en/announcements/announcement-04mar11-en.htm

CAUCE NA, as an all-volunteer Internet end-user advocacy organization established in 1998 has moved beyond its original narrow mission of encouraging the creation and  adoption of anti-spam laws to a broader stance of defending the interests of individual Internet users.  CAUCE NA is led by a combined Board with a cumulative century of experience in the field of Internet advocacy and technology.

Based on that experience, including experience directly engaging with ICANN in a variety of capacities, we would like to offer the following comments on your proposed whois policy review activities.

1. Whois Is A Critical Anti-Abuse Resource

Combatting Internet abuse without access to whois data would, in most cases, be difficult if not impossible. To paraphrase a common cliché, IP addresses and domains don't attack Internet assets, people attack Internet assets. We cannot pierce the veil and map IP addresses and domain names to those people without routine access to the crucial information whois data contains.

If whois were to cease to be routinely available, targets of serious Internet abuse will have no alternative but to employ lengthy legal process to compel disclosure of resource assignment and allocation information. This process is cumbersome, time-consuming and expensive, and benefits no one except the attorneys who will be involved in pressing or defending these actions, and the miscreants who will enjoy weeks, months, sometimes even years of anonymity in which to continue to conduct their abuse with impunity. This abuse happens at internet speed; a slow response is effectively no response at all.

2. Whois Needs To Be A True Production Service Offering

Currently whois is offered on something of a "hobbyist" basis, particularly in TLDs that use the “thin” whois model. At one provider it will use one format, while at other times and at other providers, it will use another. This lack of consistent formatting, along with restrictive access policies, makes whois access something that's only suitable for small scale interactive "craft" access rather than being a production-ready and robust service that's appropriate for the volume of domains and other resources involved in today's domain name ecosystem.

If Internet abusers can script the creation of domains at arbitrary scale, but security teams and anti-abuse researchers are limited to some small number of manual whois queries per day, the abusers can obviously simply out-automate and out-scale us. This enforced handicap represents bad public policy.

Other technical ways that whois data access can and should be improved include:

  • Whois data should be available via authenticated channels (or in a standardized bulk format) so that legitimate uses aren't thwarted by restrictive rate limits. (Authenticated access can and should be logged and audited to ensure that abuse is not occuring)
  • Whois data should be structured in a consistent, standard format amenable to machine parsing. We believe that the tag:value form used by thick whois servers meets this requirement, so long as they continue to use a restricted and consistent tag vocabulary, and the definitions of each tag are available to the public — perhaps as an IETF RFC.
  • Whois data should be aggregated and distributed from a central location using the “thick” model, rather than being distributed across hundreds or thousands of providers on a distributed "thin" model. This ensures both consistency and availability.

3. Whois Is a Community Resource

While law enforcement officers play a critical role in mitigating online crime, they are too few in number and too poorly funded to mitigate all online abuse. Much online abuse is handled by other entities, ranging from non-sworn government administrative agencies (such as the Federal Trade Commission here in the United States), to non-governmental organizations such as CAUCE NA or Spamhaus, to agents of aggrieved private parties seeking to protect their company's assets (including facilities, trademarks and intellectual property being used online in illegal ways).

If whois access were narrowly restricted to sworn law enforcement officers only, the "thin blue line" of law enforcement, important though it may be, will not be sufficient to maintain the status quo. The security and stability of the Internet will be negatively impacted, with an associated loss of public trust and transparency.

That said, we would not object if sworn law enforcement officers or civil investigators were offered expanded access to whois data, such as a routine ability to view an unfiltered version of whois data that is not encumbered by obfuscating private or proxy registration mechanisms — provided such access is authenticated, logged and audited to protect against arbitrary abuse and misuse.

4. Whois Data Must Be Meaningful

We have seen examples of whois data services that are present in name, but effectively of no value. For example, consider the data for chase-online-banking.com:

Domain: chase-online-banking.com
Registrar: Eurodns S.A.

Registrant:
Company:
Name: I P Freely
Address: 123 blowme lane
City: tacoma
Country: UNITED STATES
Postal Code: 98409

 

Administrative Contact:
Company:
Name: I P Freely
Address: 123 blowme lane
City: tacoma
Country: UNITED STATES
Postal Code: 98409
Phone: +012589636541
Fax:
Email: maiybs@gma.com

Technical Contact:
Company:
Name: I P Freely
Address: 123 blowme lane
City: tacoma
Country: UNITED STATES
Postal Code: 98409
Phone: +012589636541
Fax:
Email: maiybs@gma.com


Original Creation Date: 2011-04-04
Expiration Date: 2012-04-03


Status:
clientTransferProhibited

This entire WHOIS entry is transparently fraudulent. There is no “blowme lane” in Tacoma WA, no North American phone number starts with 01, and even if the zero were corrected as a typo, there is no 258 area code. The e-mail address is invalid, and even the simplest attempt to send a confirmation message would have revealed that mail to it is rejected.

If we see abuse involving that domain, which we have, there is no way to find an appropriate security or abuse contact.

It is nominally whois data, but it provides no information whatsoever about who or what that domain actually is. This shows what whois can devolve to, if we as a community allow it to degrade without objection.

We acknowledge that whois data, like any data, can potentially be abused. Not all whois data is equally at risk, however. For instance, we do not believe that an entity engaged in Internet commerce should have the same right to anonymity online that a political or religious dissident might require, and in fact, the customers of the Internet have a compelling right to know with whom they're doing business. We therefore urge ICANN to eliminate whois anonymity as an option for corporations and other non-natural persons controlling Internet resources.

5. Improvements To WDPRS and Whois Accuracy

When missing or inaccurate whois information is detected, users have the option of reporting that inaccuracy via the Whois Data Problem Reporting System (http://wdprs.internic.net/).

Unfortunately that system is operationally cumbersome, requiring domain-by-domain reporting via a web form, followed by email confirmations, even in cases where hundreds or thousands of domains share the same inaccuracies and the same registrar.

We understand that ICANN has a bulk WDPRS submission facility currently used by only a small number of high-volume reporters. That service should be made available, with suitable registration or other safeguards to deter abuse, to any entity submitting multiple WDPRS reports.

We also believe that the information WDPRS receives is not being appropriately leveraged to identify and address ongoing abuse. While WDPRS complaints may result in the correction of individual erroneous whois records, ICANN does not use that data to identify systematic problems, including potentially rogue ("bulletproof") registrars who make no effort at maintaining accurate whois data whatsoever — and may even treat whois inaccuracy and other violations of ICANN's rules as a competitive advantage.

Moreover, why is ICANN not sharing the substance of the community WDPRS reports it receives with community stakeholders? If there was more transparency about the reports received, consumer confidence in whois data accuracy would improve and we could even imagine a "PhishTank"-like model where community members could help to verify the reports that have been made via WDPRS.

We also believe that the costs associated with correcting erroneous whois data, particularly in the case of grossly and obviously inaccurate whois data, should be passed along to the registrar that has allowed that data to be accepted. Even the simplest of automated screening would easily allow many bogus point of contact data elements to be flagged at the time of domain registration; other types of online businesses have been doing this for years. Currently some registrars do not care if they accept bogus whois point of contact data, but if there were financial consequences to large amounts of invalid WHOIS, that could change.

Registrars that exhibit a clear and ongoing pattern of routinely accepting or failing to correct obviously bogus whois information should be subject to notice and breach proceedings under the registration agreement.

6. Adequacy of the "Key Definitions"

The Review Team also asked for feedback on the adequacy of the definitions it proposed at http://www.icann.org/en/announcements/announcement-04mar11-en.htm

In our opinion, the following adjustments would strengthen those definitions.

As written, definition 4.1 (Law Enforcement) does not distinguish between sworn law enforcement officers with criminal law enforcement powers (such as sworn federal law enforcement officers, sworn state police officers, sworn county sheriffs, and sworn municipal police officers here in the United States), and other entities incidentally included in an overly broad definition, including judges, lawyers, prosecutors, private security officers, administrative investigators and even parking enforcement officers (so-called "meter maids") whose responsibilities include "maintenance, co-ordination, or enforcement of laws, multi-national treaty or government-imposed legal obligations."

We believe "law enforcement officers" should be defined more narrowly to be only those individuals who have:

  1. been sworn or commissioned as a law enforcement officer by a government agency of competent authority;
  2. who are charged with upholding the general criminal laws of  an applicable jurisdiction, including having power of arrest;
  3. typically have received specialized peace officer training (e.g., here in the United States such courses are typically offered by the Federal Law Enforcement Training Center ("FLETEC") or a similar program offered by one of the individual states, such as as Oregon's Department of PublicSafety Standards and Training Academy ("the DPSST Academy");
  4. and who normally receive tangible official signs of their role such as a police uniform or official credentials (a badge and/or ID card).

In adjusting this definition, we do not mean to imply that ICANN should exclude non-sworn government officials from the scope of its work -- even though those government officials are non-sworn, they play an important role in enforcing applicable law via civil processes. They simply require a different label (such as "civil enforcement officer" or "administrative enforcement agent").

For example, here in the United States, while FTC investigators are not sworn law enforcement officers, they play an important role in compelling fair business practices using the civil enforcement powers at their disposal. They're just "investigators" and not "law enforcement officers" within the customary meaning of that term of art.

We also believe that ICANN should explicitly consider whether "law enforcement" includes those who may be members of national intelligence services, or a country or multinational organization's military services, recognizing that in some countries (such as the United States), there may be as many as seventeen agencies and organizations involved in collecting and processing national security-related intelligence information (see http://www.intelligence.gov/about-the-intelligence-community/ ).

Definition 4.2 (Applicable Laws) appears to concentrate primarily on laws related to "the collection, use, access, and disclosure of personally identifiable information." That focus would be appropriate if whois policy issues turned solely on matters related to registrant privacy.

CAUCE NA believes that any whois study must recognize the applicability of all criminal and civil laws on whois policy, and the impact of whois policy on those laws in turn.

Such laws would include, but not be limited to:

  • laws against child exploitation and online "child pornography"
  • laws making it illegal to attempt to obtain financial information without authorization by means of deceit or artifice ("phishing")
  • laws forbidding the creation and distribution of viruses and other malicious computer software
  • laws prohibiting the online sale and distribution of narcotics and other controlled drugs
  • laws forbidding the advertising and delivery of copyright and trademark infringing products such as "knock-off" watches and pirated software, music and movies
  • laws forbidding fraudulent schemes such as advance fee fraud schemes, penny stock "pump-and-dump" scams, products making baseless promises of weight loss or body enhancement
  • laws regulating the collection of email addresses and distribution of bulk commercial email

Only when personal privacy rights are weighed against the full set of criminal and civil laws designed to protect a jurisdiction's citizens, can we achieve an appropriate balance between protecting privacy and protecting citizen's property and persons from all applicable risks.

In many cases the protection of property and persons from malicious actors is best served by access to whois information, rather than by withholding that information from interested parties.

Thus, that balancing process requires a more inclusive definition of "applicable laws" in CAUCE's opinion.

Defintion 4.3 ("Producers and Maintainers of WHOIS DATA") comingles a variety of parties and roles in ways that fail to adequately recognize important differences in perspectives and interests. For example, 4.3.A, "Producers" is defined as "The individuals or organizations supplying contact data for inclusion into WHOIS data." While that's seemingly a simple entity -- typically the person registering a domain -- in reality, things are less clear.

For example, whois data producers may include:

  • the true or ultimate registrant
  • a proxy registrant acting on behalf of the true or ultimate registrant
  • a registrar or hosting company, perhaps listed as a default "technical" point of contact for all domains they register on behalf of the true or ultimate registrant
  • a registration services provider acting on behalf of a registrar as an independent contractor or as the registrar's agent

These roles may change over time as well. For example, an engineer who may have initially registered a domain on behalf of an employer may change roles or change employers, yet still be carried on a registration as the point of contact for that domain, simply because the relevant data has never been verified and updated.

We might attempt to clarify all this by referring to an "initial producer" of whois data, or a "primary producer" of whois data, or a whois data "producer of record," depending on our emphasis, but any of those titles are only an approximation given the actual underlying practice.

We are also confused by the definition of "Data Controllers," particularly the trailing sentence fragment: "May or may not be directly involved in these functions." While that tautologically covers all possible cases, and in fact all persons, it does little to illuminate what's intended in this case, and is so overly inclusive as to render the definition of "Data Controllers" effectively meaningless.

More substantively, the sundry roles lumped into the "definition" of "Data Controllers" should be explicitly teased apart unless there is some compelling reason to throw them all into the same vague stew. Those who may work in the IETF to define the whois protocol (thus defining what data may be collected), have little to do with those who may work in ICANN to "govern" how that data may be used, or the judges who may "require its release." Don't lump them all together.

7. Determining The Extent to Which Whois Policy Is Effective, and Meets the "Legitimate Needs of Law Enforcement," and Assessing The Extent to Which "Consumer Trust" Is Being Promoted

Finally, we are not persuaded that the articulated program of work will substantively meet the defined purposes of:

  • assessing the extent to which WHOIS Policy is effective,
  • meeting the legitimate needs of law enforcement, and
  • promoting consumer trust.

If you have a grand program of work, but it doesn't meet those goals, you're wasting your time.

If ICANN wants to know these things, we recommend that it collect hard data on these topics using generally accepted technical market research and statistical methods. Simply asking for comments from the "usual suspects" (particularly when scant feedback is often provided) will not give a true understanding of what's happening in the real world.

Given the technical nature of the questions involved, ICANN should formally poll experts knowledgeable in the areas involved, as well as law enforcement agencies with officers who specialize in cyber crime, and organizations that represent consumer interests. This engagement needs to be proactive on ICANN's part, and not merely represent a willingness to listen to comments that may happen to trickle in from particularly motivated respondents who happen to comment.

Thank you for the opportunity to comment on this work, and we stand ready to address any points about which you may have questions or need further information.

Sincerely,

CAUCE North America

Posted by on 15 April 2011 in Canada, Press Releases, United States, Warnings, World | | Comments (0)

| | | |

13 April 2011

CAUCE News, Volume 13, Number 1 April 2011

Welcome

Welcome to the thirteenth year of CAUCE News. CAUCE was involved in an unprecedented number of important initiatives in 2010, which we would like to take a moment to tell you about.

CAUCE participated in the Digital Phishnet meetings in Montreal, Canada, was represented at the Anti-Phishing Working Group meetings in Dallas, the Team Cymru Cybercrime meetings in Lyon, France, attended all meetings of the Messaging Anti-abuse Working Group, was present at Toronto's ARIN (American Registry for Internet Numbers) meeting, several IETF (Internet Engineering Task Force) meetings, and countless hours advocating for the passage of Canada's Anti-spam Law, C-28, now known as CASL.

CAUCE was instrumental in the development by the U.S. FCC's Communications Security, Reliability and Interoperability Council (CSRIC) its ISP Network Protect BCP document, providing substantial input to the final product.

We thank all our CAUCE supporting and organizational members, whose yearly membership fees allow CAUCE to function, to attend these conferences, and to advocate on behalf of computer users who want to see the fight against malicious online abuse come to a succesful end. All CAUCE directors and officers are volunteers who give generously of their time.

Facts and Tips for Consumers about the Epsilon Breach

Epsilon Interactive, who sends commercial email on behalf of hundreds of companies, admitted to a security breach that they detected some time in March. Journalists covering the story have collected notifications sent by about 70 companies, including many financial institutions.

If you received a notification from one of Epsilon's clients, the thieves know your name and email address. Depending on which company had your information, the thieves may also be know the hotels you may stay at, which credit cards you may use, or where you buy stuff online. If your email address shows up on several of these lists, the criminals can draw together a pretty accurate profile of who you are, and what you typically do, and can guess your income level. Ironically, that is what companies like Epsilon do with the data, too.

There has been a lot of talk, blogging, tweeting and press reportage about the Epsilon breach, but little in the way of concrete information to consumers as to where they stand, if their personal information (PII) such as their name and email address has been lost to criminals. The CAUCE Board of Directors have developed the following FAQ that provides facts and guidance for those affected by the breach

Read more

 

Impenetrable Processes and Fool's Gold at ICANN
By: J.D. Falk, Director-at-large

A couple of weeks ago, I attended part of the ICANN meeting in San Francisco. I've been watching ICANN and been peripherally aware of their issues since the organization began, but this was my first chance to attend a meeting.

What I learned is that ICANN is a crazy behemoth of a bureaucracy, steeped in impenetrable acronyms and processes that make it nearly impossible for someone new to get up to speed.

The best example of this is the recent approval of the .XXX top-level domain. There are already top-level domains for specific types of companies or organizations: .MUSEUM for museums, .COOP for co-ops. None of them have been very successful ? there are only a few hundred museums in .MUSEUM and 6000 co-ops in .COOP ? but they've been mostly harmless. So okay, the adult entertainment industry wants a top-level domain, why not let them have it?

Read more

 

C-28 Anti-Spam Law Receives Royal Assent
By: Shaun Brown, Counsel & Director-at-large

It's been a long time coming, but Canada finally has an anti-spam law. Bill C-28, the law with no name, was passed in December, 2010

First introduced in April 2009 as C-27, the Electronic Commerce Protection Act, it died when parliament was prorogued in December 2009, only to be resurrected in May of 2010.

Having been involved since the beginning, and eagerly awaiting its passage, CAUCE is excited and relieved to see Bill C-28 become law; it provides Canada with the tools to do its part in the global fight against spam and related threats.

Read more

 

Yes, People Still Care About Email Spam

Just over a month ago, we posted an article entitled "Do People Still Care About Email Spam Anymore?". Part of the reason why people might not care anymore, according to this article, is that email has become pass?. With so many other new ways to communicate, why even bother with email?

Not only did a few readers take the time to post some compelling counter-arguments to our article, even muckraking marketing columnist Ken Magill has weighed in on the debate. Citing a few recent studies ? including a finding by the Pew Internet & American Life Project that email is still the No. 1 online activity across all age groups of internet users ? Magill goes so far as to advocate a pretty hefty dose of harassment for the next person who states in public that email is dead.

According to The Radicati Group, there are currently 1.4 billion email users. A study by Nielsen found that 25 minutes out of every hour spent on a mobile device is on email. And so on.

Read more

 

Consider supporting CAUCE by becoming a free or supporting individual Member or an organizational Sponsor: Join Here. Organizations can support CAUCE at several levels, starting at $5,000 per year. Sponsors may enjoy a range of benefits, including logo placement and recognition in our periodic newsletter. Please contact us via e-mail at support@cauce.org for additional information.

We encourage redistribution of this message, as long as they are not spammed anywhere, are on-topic for any forum to which you send them, and include our copyright notice. When in doubt, post the URL of our site (http://www.cauce.org) instead, or put it in your signature. Press, broadcast, and Internet media may treat this material as they would a press release.

Posted by on 13 April 2011 in Canada, United States, World | | Comments (0) | TrackBack (0)

| | | |

11 April 2011

Facts & Tips for Consumers about the Epsilon Breach

Epsilon Interactive, who sends commercial email on behalf of hundreds of companies, admitted to a security breach that they detected some time in March. Epsilon and its parent company, Alliance Data, have posted two press releases about the breach.

How many companies’ customers' email addresses were lost?

Epsilon has not revealed any statistics beyond ‘2% of our clients’, of which they reportedly have 2,500.

Journalists covering the story have collected notifications sent by about 70 companies, including many financial institutions. The names of these companies have been published at:

What information was lost?

Epsilon has stated that the names and email addresses of their clients' customers were taken. Presumably the attackers were also able to access the names of each client.

What does this mean for consumers?

If you received a notification from one of Epsilon's clients, the thieves know your name and email address.  Depending on which company had your information, the thieves may also be know the hotels you may stay at, which credit cards you may use, or where you buy stuff online. If your email address shows up on several of these lists, the criminals can draw together a pretty accurate profile of who you are, and what you typically do, and can guess your income level. Ironically, that is what companies like Epsilon do with the data, too.

Do the criminals have any more information about me?

While it's common for the contents of an email message to include more personal information than your name and email address, as far as we know, this information was not stolen. Often times, different data is stored in different places, and the thieves may have not been able to access the contents of previously sent messages. There is a pretty good explanation of the way these marketing databases generally work here

My address was lost in the Epsilon breach; CAUCE says the only way protect myself against phishing is to change my address. Isn't that is a rather extreme approach?

Sadly, it may not be extreme enough.  The Anti-Phishing Work Group reports that there are about 360,000 unique phishing sites, annually [2010].

Anti-virus software catches new malware about 20% of the time, leaving computer end-users exposed to a tremendous amount of viruses, keyloggers, and spyware, and other bad things. Anti-spam software does a pretty good job, getting well upwards of 90% of all spam, but some trickles through. We know that phishing attempts were successful at companies, ESPs, who were on high alert for the attempts.

While some phishing attempts are obvious, almost silly, others can be extremely difficult for end-users to recognize. Our friends at Word to the Wise took apart a legitimate email from an Epsilon client-company, and even email experts had a hard time determining if the email was real. See their article ‘Real. Or. Phish?’.

If your email was lost by a client company of Epsilon, we stand by our suggestion that changing your address is the best way to avoid receiving and having to deal with the phishing emails and other spam that will inevitably come from this data theft. Even if you don't want to abandon your current address entirely, this would be a good time to set up a new address and move your important communications there.

I unsubscribed from a customer list at Epsilon, and still received a notification from them. Isn’t this illegal?

It is arguably illegal under some laws, but it makes good sense that they did mail you. It doesn’t mean you weren’t unsubscribed. Here’s how it works: When you unsubscribe from an emailer’s list, they put your address into what they call a ‘suppression list’. The criminals presumably stole these too. The companies did the right thing by alerting you to the fact that your address was stolen.

How can I unsubscribe from everything at Epsilon?

Epsilon maintains a list of places where you can unsubscribe from a variety of their clients' newsletters.

We do not know if this will ensure that another of their clients will not upload your address to Epsilon in the future, and of course there are many other ESPs out there.

 Are the authorities involved? Can I sue someone?

Epsilon is reportedly working with the Secret Service, presumably because information related to bank and credit card clients was lost. Previously, some of the companies who were targets or victims of the previous series of breaches (which, again, may not be connected to the Epsilon incident) have been working with law enforcement.

The Australian Communications and Media Authority and Australian Privacy Commissioner are aware of the attack, having been alerted to it by Dell Australia, whose data was stolen. The breach may prompt an investigation by the UK Information Commissioner's Office, Connecticut Attorney General George Jepsen and Consumer Protection Commissioner William Rubenstein are investigating, and have written a letter to Attorney General of the United States asking him to investigate. Leaders of the House Energy and Commerce panel in the United States have written to the CEO of Alliance Data, Epsilon’s parent company, asking for more details on how many customers were affected and how the breach occurred.

You could try to sue someone: the company holding your data, or Epsilon, or both. There may be class action lawsuits coming out of this, as well as lawsuits by Epsilon’s client companies. If you do file with a class-action, you should not expect a large financial settlement, as these are generally quite small.

CAUCE suggests that if you live in a relevant jurisdiction, you can file a complaint with the local authorities about the breach:

 If you have incurred a financial loss as a result of any phishing attack, or see suspicious activity on your bank account, contact your financial institution to alert them and report your credit card stolen immediately. Then, call your local and federal police forces to file a complaint (the bank will not do this for you).

BACKGROUNDER

How was the hack accomplished?

Epsilon has not released details about the mechanics of the breach. If it is similar to the hacking attempts targeted at ESPs last year, the hackers may have used social engineering and spear-phishing techniques, leading to an employee mistakenly typing their username and password into a web page controlled by the hacker.  However, at this time, we do not know what happened or whether there's any connection to the previous attacks.

Has Epsilon been hacked before?

Maybe. Epsilon has not publicly admitted to any previous attack, but their customer Walgreens has indicated that this is the second time they have lost data by way of Epsilon.

“After the incident last year, Walgreens requested that Epsilon put a number additional security measures in place. Apparently, that expectation was not fully met.” – Walgreen spokesperson, via databreaches.net

Is the Epsilon breach part of the previous series of attacks on the ESP industry?

These attacks appear to have begun as early as November 2009, the first victim being a company called aWeber.

Typically, the criminals would hack into an ESP by sending an employee an email that infected them with keylogger spyware, take over one of their client accounts, and send spam for fake Adobe or Skype software. More than a dozen different ESPs, including Epsilon, were targets or victims of these attacks in 2010.

It is impossible to say if this is the same as what happened to Epsilon more recently. Adobe or Skype spam was seen during previous breaches. This did not happen with the current breach with Walgreen or any other Epsilon customer.

This could have been the same group, using the same point of attack. It could have been a copycat using the same tactics, or an entirely different approach. We do not know, and there are too many variables for anyone to say they know definitively — though if Epsilon were to share what they know with the security community, it's likely that we could understand quite a bit more.

Did Epsilon have lax security?

We do not know what changes they made after their first breach, so it is impossible to say.

Were there things they could have done to improve security?

Obviously — they were hacked, after all. Epsilon will presumably address whatever let the hackers get into their systems this time, but any security professional will tell you that security is never perfect. What appears secure today may be exploited tomorrow.

There are many steps ESPs can take to much improve their security related to client lists and outbound email – we have listed them here

I heard that someone warned ESPs about breaches in November.

They did. Return Path provides services to ESPs, blogged about their own breach, and those at ESPs in November 2010. In fact, the ESP industry was becoming aware of this series of breaches all the way through 2010, as they were happening.

Security isn’t 100%? Why?

Software, and the way it interacts with various web applications is very complicated. Many sites do not, or cannot update all components that go into a web application, because to do so may break functionality on the site, or they are negligent. Home computers are pretty much the same. Microsoft, for example, issued 67 updates this past ‘Patch Tuesday’. Have you updated your computer?

Who is the real victim here?

You are. Epsilon suffered the initial attack. Their clients suffer as well, losing consumer trust. There may also be marketing or advertising agencies involved. But as far as CAUCE is concerned, the people who stand to suffer the most are the regular Internet users who trusted that the major brands whose products they enjoy would keep their email addresses and other personal information safe and secure. If these companies do not take immediate, public actions to prove that they deserve our trust, then they do not deserve our business.

Posted by on 11 April 2011 in Canada, Frequently Asked Questions, Press Releases, United States, Warnings, World | | Comments (0)

| | | |

08 April 2011

Was your Email lost by Epsilon? Change your Address!

So far, 67 companies have admitted to having lost your personal information (PII) as a result of the Epsilon breach, including at least 8 financial institutions (list here).

Epsilon, and their customers are issuing advice to end-users like you. They are telling you not to answer emails from strangers, and to not provide information in response to emails. They are telling you to:

 Just hit delete.

That is, at best, bad advice. These stolen addresses will probably be used to send you phishing mail and attempts to install spyware, keyloggers and other malware on your computer: you will be at great risk of handing over even more information to the criminals behind these thefts.

CAUCE has a much safer alternative to protect yourself:

Change your address!

Your old address is ruined, and although changing is a hassle, Identity Theft  and losses at your bank are a much bigger hassle. Changing is the only 100% guaranteed way you can avoid all the spam that is about to head your way.

Change all of your login accounts at various retailers and banks, and other services you use, update them all with the new address. Today is a good time to come up with some fresh passwords to use, too. Keep the old address account in case you forget your password somewhere, but you can ignore it, moving forward.

If you want to get fancy, you can ‘tag’ your new address. Security blogger Brian Krebs has information on how to do this here. No matter what, change your address as soon as possible. Consider it one of your 'To Dos" for the weekend.

 

Posted by on 08 April 2011 in Canada, United States, Warnings, World | | Comments (0) | TrackBack (0)

| | | |

06 April 2011

Why the Epsilon-Fukushima Analogy Was Apt

A few days ago, CAUCE published a blog post entitled “Epsilon Interactive breach the Fukushima of the Email Industry” on our site, and the always-excellent CircleID.

 A small coterie of commenters was upset by the hyperbolic nature of the headline. Fair enough, an analogy usually has a high degree of probability that it will fail, and clearly, no one has died as a result of the release of what appears to be tens of millions of people’s names and email addresses.

But, the two situations are analogous in many other ways, and here’s why. When I wrote the piece, I had in mind an article I recently read at The Economist, ‘When the steam clears - The Fukushima crisis will slow the growth of nuclear power. Might it reverse it?’, which sums up the aftermath neatly.

“FEAR and uncertainty spread faster and farther than any nuclear fallout.” – The Economist

There has been tremendous initial effect across the email industry as a result of Epsilon-shima. That whooshing you may have heard last Saturday was the sound of a collective frightened intake of breath at major brands and ESPs. A security staffer noted he had slept very little over the weekend, as the news broke.  The fact of the matter is, this happened to Epsilon, but it could just as easily have happened to any of their competitors, of which there are many hundreds.

Followers of the Twitter #epsilon hashtag, see that regular, everyday people are furious. They are furious that the trusted brands they do business with handed over their personal information to a 3rd party, they are furious that it was stolen due to lack security, and they want to know who the hell Epsilon is (CAUCE Director Dennis Dayman wrote about the need for transparency among emailers here). End-users are also beginning to blame every piece of spam they receive on Epsilon, even though, to date, there has been no verifiable reports that I have seen that the thieves have sent a single piece of spam out. End-users are gun-shy. Unfortunately, they’ll get over it, of course, and drop their guard, making them vulnerable to spear-phishing.

“There will certainly be more durable effects too. Years of cleanup will drag into decades” – The Economist

It’s true. Once lost, these email addresses will very likely be used as spear-phishing targets (remember, the criminals also have the proper names of victims, as well as a list of who they did business with, including their financial institutions). Once they have served that purpose, they will be sold to other spammers, who will send untargeted spam to them.  While spam filters will likely take care of most of this problem, there will undoubtedly be financial loses and successful instances of Identity Theft as a direct result of the Epsilon breach. This is a mess that simply can’t be cleaned up by form letters downplaying the theft, assuring people the criminals ‘only’ stole the data they did.

Make no mistake about it, an email address is considered to be personal identifiable information in Canada and Europe, and for good reason, because quite simply it is private information. Canadian and European brands  were affected by the Epsilon breach. While the United States lags far behind the rest of the world with regard to breach and privacy legislation, this thing is far from over from an investigative and legal standpoint.

(An ESP) “Looks dangerous, unpopular, expensive and risky. It is replaceable with relative ease and could be forgone with no huge structural shifts in the way the world works. So what would the world be like without it?” – The Economist

ESPs are simply out-sourced services that many companies use to maintain their customer database, and send email marketing campaigns, and sometimes-transactional email, to clients.

We know that Epsilon lost 50 companies’ client information. What if all 50 of those companies were doing their own email and database management? In practical terms, I could see that making things worse. Relying on relatively unskilled, or even incompetent IT and marketing departments at retailers to do email correctly from a technical and policy standpoint is a highly unlikely scenario. Mass emailing is quite complicated these days, with laws, technical requirements, and methodologies ever-changing. Better to centralize the adherence to industry standards in the hands of the experts. If ESPs magically disappeared, mass email marketing would be in a bigger mess that it is today.

Like Fukushima, there were plenty of preemptive rumbles that should have reasonably warned Epsilon and the other ESPs that something bad was coming. There had been at least a dozen breaches of ESPs in the last year, and database and site breaches are as ‘common as car crashes’ as British telecom Chief Security Officer Bruce Schneier said.

Akin to the Tokyo Electric Power Company, even in light of prescient safety reports, ESPs failed to react appropriately to secure their sites. Databases should be encrypted, industry-standard security technologies and policies deployed, and 2-factor authentication implemented to access private data, across the board, as quickly as humanly possible.

Sadly, none of these is a silver bullet that will make data 100% secure. There is no such thing as 100% security, but all holders of private information, including ESPs must be held accountable to the highest standards, and not continue to allow themselves to be dumb, low-hanging fruit for criminals.

ESPS … “won’t go away, but … must to some extent remain a sideshow, however spectacular it looks when (they go) wrong. – The Economist

Epsilon, and other members of the sending and ESP communities have a tremendous opportunity to change in front of them, to become competitively better than ever. Epsilon will likely recover from this debacle, but the next ESP breached in a similar manner? Their fate remains quite uncertain.

Posted by on 06 April 2011 in Canada, Technology, United States, World | | Comments (0) | TrackBack (0)

| | | |

« Newer | Older »

CAUCE North America is financially supported by our organizational and individual members.

REPORT SPAM

Recommended Resources
On Guard Online (United States)

Get Cyber Safe (Canada)

Categories

Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported