CAUCE

04 February 2019

CAUCE welcomes Dave Piscitello to Board of Directors

Spam infrastructures have evolved to become formidable means of delivery of a diverse and growing set of cyber attacks, from financial fraud and business compromise to political influence and malware campaigns. Central to these attacks is an ever increasing dependency on and exploitation of domain names and the domain name system (DNS).

We welcome Dave Piscitello, formerly VP of Security at the Internet Corporation for Assigned Names and Numbers (ICANN) to the CAUCE Board. Since 2005, Dave has been practicing at the nexus of domain abuse and mitigation. He has been instrumental in bringing operational security, law enforcement, and Internet Identifier communities together to confront abuses of the Internet name space. Dave has sought to raise cross-community awareness of abuses and misuses of domain names and the DNS by studying and calling attention to policy vacuums and weaknesses, by promoting abuse reporting systems that can help governance bodies and lawmakers make informed decisions , and by delivering DNS investigations training programs for law enforcement.

Posted at 17:03 in News | Permalink

09 December 2017

CAUCE Welcomes Two New Board Members - Tom Grasso and Allison Nixon

With the rapid evolution of spam and threats to consumers CAUCE has recruited two industry veterans to round out our board and continue being the consumer voice to Law Enforcement and Regulatory communities around the world.

We would like to welcome Allison Nixon, Director of Security Research at Flashpoint and Tom Grasso, Supervisory Special Agent at the FBI to the CAUCE board.

Allison is a threat researcher, verifier of leaks, and hunter of humans. She has been a background source for numerous investigations and articles that focus on the post-breach issue of "who dunnit?". She performs original threat research and is at the forefront of answering questions that people have not yet thought to ask. In 2013, she spoke at Blackhat about bypassing DDOS protection. In 2014, she released a paper detailing methods for vetting leaked data. She has been looking into the issue of "booters" and DDOS services. She researches DDOS attribution, cybercrime attribution, and criminal communities. In her spare time she grows tomatoes and makes puns.

Tom has been a FBI Agent since 1998 and has worked for the FBI’s Regional Computer Crime Squad in Chicago and the High Technology Crimes Task Force in Pittsburgh. He has also served as the FBI Liaison to the CERT/CC at Carnegie Mellon University. Mr. Grasso is now part of the FBI’s Cyber Division and is assigned to the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh, a joint partnership between law enforcement, academia, and industry. Mr. Grasso is also an Adjunct Professor of Criminology at La Roche College in Pittsburgh.

It goes without saying that we are all very excited with these additions.

Posted at 02:37 in Press Releases, World | Permalink

Tags: Board, Directors

27 October 2017

Standing Committee on Industry, Science and Technology Review of CASL

Standing Committee on Industry, Science and Technology

Review of CASL, Canada's Anti-Spam Law

Hour 1: Privacy Commissioner of Canada

Hour 2: Neil Schwartzman & Matthew Vernhout, CAUCE.org

http://parlvu.parl.gc.ca/XRender/en/PowerBrowser/PowerBrowserV2/20171024/-1/28163

Posted at 17:50 in Canada, Legal, News, World | Permalink

24 October 2017

Verbal Comments to INDU about CASL, Ottawa 10/24/2017

Verbal comments by Neil Schwartzman, Executive Director and Matthew Vernhout, Director-at-large of the Coalition Against Unsolicited Commercial Email to the Standing Committee on Industry, Science and Technology, Ottawa, October 24, 2017

Neil Schwartzman

With apologies to The Bard of Avon,

Friends, Parliamentarians, countrymen, lend me your ears;

I come to praise CASL, not to kill it.

The evil that critics of CASL do lives with them;

The good is imbued in its sections;

So let it be with CASL.

CASL’s noble adversaries may tell you the law is too ambitious, as If it was a grievous fault.

CASL enshrines the work of 2005's federal task force on spam, best practices found in our final report are now global industry standards. Best practices do nothing without holding bad players accountable.

CASL is a crowd-sourced law, taking input from hundreds, working tens of thousands of hours. The Messaging Anti-Abuse Working Group, MAAWG, is a one hundred eighty five member industry association of companies such as Apple, Facebook, Google, Amazon, and Bell Canada. MAAWG participated in the CASL process and sent a letter to the Prime Minister urging passage of the law.

My name is Neil Schwartzman, I am the executive director of CAUCE, the coalition against unsolicited commercial email. I wrote the world’s first distributed spam filter, and 20 years later, here we are.

I am a management consultant; my clients include the world’s largest company and the world’s biggest sender of email, and I teach cyber investigation methods to international law enforcement.

Spam filtering costs recipients 20 billion dollars a year according to researchers at Microsoft and Google, and the fact is spam has become much worse of late, ransomware and phishing payloads are vicious.

Affiliate spam, 90% of the pouriel hitting our networks is a open sewer spraying 1 BILLION messages per hour at our families, friends and colleagues.

Unsolicited junk email, texts and phonecalls from Wal-Mart, DirecTV, and Fidelity are some of the affiliate spam sent by third parties earning commissions from the brand. CASL was purpose-built to remedy such activity.

Studies and data have proven CASL is protective shield to the spam coming into, and out of Canada.

Law enforcement can’t possibly investigate - nor do they know about - all spam attacks. CASL’s Private Right of Action, a right integral to America’s CANSPAM Act, has been suspended, lamentably preventing Canadian ISPs, businesses and organizations from seeking compensation for damages to their networks and users.

Declarations of CASL’s damaging effects are laughable. The OECD has projected Canada’s 2018 economic growth outlook to be the best of the G-7; Quebec enjoys their lowest unemployment rate in three decades.

Yes, legitimate companies bear costs to become compliant, just as when PIPEDA came into force.

Business must be vigilant - data breaches occur daily, business email compromise results in losses in the hundreds of millions. CASL defines the modern standards of data integrity and permission companies must maintain in the global economy. The EU’s updated GDRP privacy law comes into effect in 2018. Failing to maintain parity will put us at a severe economic disadvantage.

In two cases prosecuted by the CRTC, the marketing departments of Rogers and Kellogg's were found to bought spam email lists from third party firms.

Why are spammers afraid of CASL and trying to gut it of effectiveness? Because it is working. We will hear from my colleague Matt who is a 20-year marketing professional, who has data proving marketing has grown in volume and effectiveness under CASL.We keep hearing about chilling effects, yet, our economy is growing, marketing is more effective. Chilling? I’m feeling rather warm.

CASL is so frightening to spammers, that they lobby Canada’s law enforcement and legislators. American groups with direct business interests to shady, black-hat spamming groups will make presentations to this very body.

With this in mind, I exhort you to leave CASL intact. Adjust, yes, clarify, no doubt, but do not come here to kill CASL. Do Caesar proud.

Thank you.

Matthew Vernhout

Good Afternoon, to our distinguished Members of Parliament thank you for inviting us to speak with you today.

My name is Matthew Vernhout, I am here on behalf of the CAUCE. In my professional capacity I am the Director of Privacy and Industry Relations for email analytics firm 250ok, the Chair of the Email Experience Council’s Advocacy committee, and an active member of the global email marketing community. I participated in the drafting of America’s CAN-SPAM act and had the pleasure of speaking to this Committee in support of CASL in 2009.

I have published dozens of articles, been quoted in the press, spoken at numerous industry events, and consulted with some of North America’s top brands regarding CASL compliance.

In fact, one of the comparative benchmark reports I authored for ISED; was recently cited in the CRTC decision on the constitutional challenge by CompuFinder.

The positive effects of CASL on the email industry are remarkable.

I am delighted to say analysis finds the email industry thriving and experiencing significant growth. Businesses ensure they have recipient consent and they are seeing the positive benefits of those efforts.

A common trend has emerged from several reports published in the past three years: more messages are delivered to Canadian consumers inboxes post-CASL, due to better list management practices and increased consumer trust.

A recent industry report shows that two countries with the toughest anti-spam legislation, Canada and Australia, also have the best deliverability of commercial emails to inboxes in the G-8 countries studied.

The basic framework of CASL is a series of email marketing best practices that have been the basis of most of my consulting efforts over the past seventeen years:

•Ask permission first

•Honour opt-outs

•Be clear of who you are and why you are writing to your customer.

CASL has taken these ideas made them the law of the land.

As my colleague stated, CASL is working to diminish spam, moreover, it is working to make legitimate email marketing more successful, and more effective.

There is far too much baseless fear, uncertainty and doubt being spread by the naysayers of CASL, who are neither anti-abuse nor marketing professionals.

When I speak with marketers about their compliance efforts and the changes that they make to their digital marketing I often hear, “This is a lot of work, but isn’t nearly as difficult as I thought it would be.”

However, we still have a long road ahead of us. The Spam Reporting Centre receives 6,000 complaints per week, totalling more than one million complaints since 2014.

For example, the blacklist operators SURBL notes that there are currently 70 DOT C A domains spamming counterfeit goods scams to Canadians.

There are also active spam gangs set up on hosting providers in Montréal, Hamilton, and Vancouver.

Regarding the PRA suspension, this renders CASL toothless. I recommend the PRA be revisited to allow network operators who carry the cost of spam to avail themselves of redress.

In closing, it is our hope that the law remains a strong and viable tool to protect email marketing, networks, and consumers from unwanted spam messaging.

Canadians, like all consumers, deserve nothing less.

Update

TO: INDU@parl.gc.ca

October 28, 2017

To whom it may concern,

We are forwarding an electronic message from Deborah Evans of Rogers Media Inc.

The undertaking that RMI signed with the CRTC on November 26, 2015 reads, in part:

AND WHEREAS the CCEO has advised RMI that Commission Staff is of the view that express consent is required to send commercial electronic messages on behalf of unknown third parties. More specifically, Commission start is of the view that implied consent cannot be relied upon to send commercial electronic messages on behalf of unknown third parties, without obtaining prior specific express consent in accordance with the Act, Regulations and Regulations (CRTC);

Should anyone see daylight between our stated position and that of RMI, we would wish to correct the record. Ms. Evans’ email reads as follows:

Date: Sat, 28 Oct 2017 15:23:18

From: Deborah Evans <Deborah.Evans@rci.rogers.com>

To: John Levine <john.levine@cauce.org>

Subject: Re: INDU Committee

CAUCE’s comments to the industry committee were that Rogers was prosecuted and found to have bought spam lists from third parties.

This is factually incorrect. We do not buy lists.

The reference you made to our undertaking was not that we bought lists, but sent messages (to our existing lists) on behalf of third parties using implied consent.

We were not found guilty of this, the Chief Compliance Officer merely noted that she disagreed with our interpretation of the rules.

CAUCE has publicly stated that Rogers bought spam lists. Again, I cannot stress enough that this is factually incorrect.

The matter is obviously not resolved. I was really hoping we could deal with this amicably but this does not seem to be the case. We will pursue other options.

Neil Schwartzman

Executive Director,

CAUCE.org Inc.

Posted at 14:52 in Canada, Legal, News, World | Permalink

14 May 2017

The Criminals Behind WannaCry

359,000 computers infected, dozens of nations affected world-wide! A worm exploiting a Windows OS vulnerability that looks to the network for more computers to infect! This is the most pernicious, evil, dangerous attack, ever.

The Big One Wired pronounced.

"An unprecedented attack", said the head of Europol.

Queue the gnashing of teeth and hand-wringing!

Wait, what? WannaCry isn’t unprecedented! Why would any professional in the field think so? I’m talking about Code Red, and it happened in July, 2001.

Since then dozens, perhaps hundreds of Best Common Practice documents (several of which I’ve personally worked on) have been tireless written, published, and evangelized, apparently to no good effect. Hundreds of thousands, perhaps millions of viruses and worms have come and gone.

Our words ‘update your systems, software, and anti-virus software’ and ‘back up your computer’, ignored. The object lesson taught by Code Red, from almost sixteen years ago, forgotten.

Criminal charges should be considered: Anyone who administers a system that touches critical infrastructure, and whose computers under their care were made to Cry, if people suffered, or died, as is very much the possibility for the NHS patients in the UK, should be charged with negligence. Whatever ransom was paid should be taken from any termination funds they receive, and six weeks pay deducted, since they clearly were not doing their job for at least that long.

Harsh? Not really. The facts speak for themselves. A patch was available at least six weeks prior (and yesterday, was even made available by Microsoft for ‘unsupported’ platforms such as Windows XP), as was the case with Code Red.

One representative from a medical association said guilelessly, in one of the many articles I’ve read since Friday ‘we are very slow to update our computers’. This from someone with a medical degree. Yeah, thanks for the confirmation, pal.

The worm has been stopped from spreading. For now. iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com was registered by a security researcher, and sinkholed.

Sorry, forget it. I went for a coffee while writing this, and predictably WannaCry V2 has since been spotted in the wild, without the kill-switch domain left dangling.

What have we learned from all of this, all of this for a lousy $26,000?

If someone gets arrested and charged, and by someone, I mean systems administrators, ‘CSOs’ and anyone else in line to protect systems who abjectly failed this time, a lot. WannaCry infections to critical infrastructure are an inexcusable professional lapse. Or, we could just do all of this again, next time, and people may die.

Afterthought: My organization, CAUCE.org recently turned 20 years old. When it started, we didn’t believe things could get this bad, but it wasn’t too soon after that it became apparent. I issued dire warnings about botnets in 2001 to the DHS, I made public pronouncements to these ends in 2005 (greeted by rolled eyes from an RCMP staff sergeant). I may have been a little too prescient for my own good at the time, but can anyone really say, in this day and age, that lives are at stake, and we are counting on those responsible for data safety to at least do the bare minimum? I await your comments, below.

Posted at 09:20 in History, News, Prognostication, Technology, Warnings, World | Permalink | Comments (0)

27 April 2017

Follow-up-up To Loudmouths Wanted: Sorry, not sorry

In March, I posted a call to action to those of us in the community who have the inclination to fight against a movement to redact information critical to anti-abuse research. Today i felt compelled to react to some of the discussions on the ICANN discussion list dedicated to the issue of WHOIS reform:

Sorry, not sorry: I work every working hour of the day to protect literally hundreds of millions of users from privacy violating spam, phish, malware, and support scams.

Should access to WHOIS data be redacted in any way beyond what it is at present, my work will be made impossible. I spend 90% of my day in WHOIS data, the other 10% sculpting the data in a manner to provide reason and proof to hosting provider and registrars to take action against real-life criminals on their networks.

I also prepare cases for law enforcement to act upon. Contrary to popular belief in some quarters, LE cannot possibly begin to know about the stuff I (and my many, many colleagues) see, until we tell them. That’s how it works. Any of the big botnet and crime ring take-downs and arrests you’ve ever seen have involved a public-private collaboration between individuals, researchers such ads myself, and law enforcement.

So, I’d like to issue congratulations to all those who want to redact. You will, without a single iota of uncertainty, will expose many more people to real – not potential or hypothetical – privacy issues of a far more serious nature than you could possibly imagine, all in the badly mangled, misguided, and muddleheaded notion of what privacy actually is in the real world. ‘Cut off your nose to spite your face’ has never been more apt.

I hope you tell your Mom, family and your friends what you are trying to do here, while I spend my time trying to protect them from real evil: Revenge porn. Identity Theft. Plain old theft. Stalking. Photographic representation of the rape of children. Trolling, leading to the destruction of people’s lives. Emptied bank accounts.

Tell them you don’t want me to be able to do my job, and that you are trying to make it impossible, because you think access to the data that has been public and without challenge under the world’s privacy laws for twenty years is better off limited to the point of uselessness, sacrificed on some misshapen altar of privacy.

If I sound angry at what you are attempting to do, then I’ve hit my mark. i am furious. The security sector is furious. We are terrified that you may have any degree of success in this regard, because you apparently don’t know, or don’t care what the actual results will be. Placating with ‘gated access’ means there will be some among my peers and colleagues, far more talented and effective than I, who simply cannot gain access, and the resulting mess will be on your head, and at risk of overstating my case, the blood on your hands.

So again, congratulations. Mother’s Day is coming up. Be sure to make mention of this in the card you send. Now, if you’ll excuse me, I’ll go back to diving in the data lake of WHOIS, trying to keep spam and far worse evil off’ve your network.

K bye tnx.

Neil Schwartzman

Executive Director

Coalition Against Unsolicited Commercial Email

http://cauce.org

Twitter : @cauce

Posted at 08:57 in Legal, Prognostication, World | Permalink

11 April 2017

Protecting yourself from Vishing

Many people are very trusting when they receive phone calls claiming to be from their bank, credit card company, or ISP. However, scam phone calls are becoming more and more common every day. From the IT Support phone calls about a computer virus, or a call from your local cable company that is providing a new customer deal that is too good to be true (but are secretly trying to steal your account credentials) we are all encountering these more and more often.

As a consumer, you need to protect yourself and challenge anyone calling you so they are forced to validate who they are before you give them any information.

This is the summarized transcript from a call I had just this morning with "a representative" claiming to be from American Express* but being unwilling to validate that they were actually calling from the credit card company.

Caller: Hello, This is [Female name I missed] from American Express, is this "My Name"?

Me: Yes

C: I'm calling about an offer we sent you in the mail, did you get it?

M: What was the offer concerning?

C: If you could just validate some information I could explain the offer...

M: Sure - Can you please validate you're Amex first, then I'll validate who I am...

C: Sir, I need to validate who you are before we continue...

M: Before we continue I need you to validate you're actually Amex.

C: I don't understand what you're asking? I'm just calling to talk about an offer we sent you.

M: Great, tell me about this offer.

C: Sir, I just need to validate you're who you say you are.

M: Great, please validate that you are Amex first.

C: Sir, Please validate your DOB.

M: You called me, and I said hello and yes that's who you've reached. Please validate you're Amex.

Repeat the last 7 lines a few times and then I got tired of the conversation, said goodbye and hang up the phone.

As a consumer frequently targeted by Phone scams, it's time to start taking a stand against these phone calls and force companies to validate who they are before giving away you personal information. Companies will need to adapt to a smarter, more suspicious consumer that is looking to protect their identity.

* Maybe it actually was Amex, but they failed to validate this to me and the call ended.

CRTC Do Not Call List (Canada)

FTC Do Not Call List (United States)

Posted at 15:13 in Canada, United States, Warnings | Permalink

Tags: Amex Phone

24 March 2017

LOUDMOUTHS WANTED FOR ICANN WHOIS Replacement Work

TL;DR? It’s worth reading, BUT, if not - ICANN has yet another group looking at WHOIS, and there is ahuge push to redact it to nothing. I spend easily half my day in WHOIS data fighting online crime, losing it would not make my job harder, it will make it impossible.

PLEASE JOIN THE ICANN GROUP and help us fight back against people who are fighting in favour of crime.

M3AAWG has submitted at least three comments in this regard, but that’s not how ICANN works, they consider numbers of submissions to be more important than who is making a statement. M3 with hundreds of member companies, counts for one vote.

Do it now; it is time for the security community to stand up strong to this nonsense. Thanks.

https://community.icann.org/display/gTLDRDS/Next-Generation+gTLD+Registration+Directory+Services+to+Replace+Whois

Thanks,

Neil Schwartzman

Executive Director

Coalition Against Unsolicited Commercial Email

Rant shared with permission:

Subject:

ICANN WHOIS Replacement Work

Date: March 24, 2017 at 4:05:52 PM GMT-4

We have been trolling them with facts for a month now. I learned a lot about that group in that time. Here’s a blood pressure boosting wall-of-text rundown:

The group is a bunch of registrars and “right to be forgotten” privacy people. They want to kill DomainTools and all similar services.

The "privacy" advocates want domain ownership to be anonymous without a court order. They have no concern about privacy violation caused by criminals. They don’t care that anonymous free speech is already available or that the domain system they are trying to create will be tremendously dangerous for dissidents and so forth to trust. They want to create privacy by forcing us to delete data we have collected from public sources. They are extremist fanatics with ideas unburdened by knowledge. People on this mailing list have done far more to protect privacy than these so called advocates.

And for the registrars, it appears they are intent on saving money as they don’t want to deal with the complaints or maintenance of whois. They seem uninterested in the fact that their small savings will cause huge losses for someone else. Some are dismissive of law enforcement, and some have spoken hostile words about Spamhaus, where the only other mouths I have heard such words from belonged to spammers. The arrogance from some of them is palpable.

I am not exaggerating. The list archives are public, and you should decide for yourself.

_______________________________________________________

I don’t want this to be an entirely negative reactionary issue. There are opportunities. If enough people *who actually use WHOIS and own domains* participate, we can make WHOIS better.

Have you ever been irritated with a bad domain that enjoys the benefits of WHOIS privacy?

Have you ever been irritated that a registrar makes you visit their website and answer a CAPTCHA to see the WHOIS record, only to find out their website is broken?

Have you ever been irritated with a registrar that gives your search warrants the middle finger and discloses no whois?

Have you ever been irritated with registrars that minimize their exposure on DomainTools(and other WHOIS archivers) so they can appeal to abusers?

If we don’t participate, the risk is that bad policy hurts the Internet while increasing the profit of a minority. It has happened before. Here are some past ICANN policy issues:

the .ZIP TLD, apparently no one involved saw a potential problem, but they certainly saw profits

An explosion in general of TLDs that increased profits for registrars, with few controls on price abuse to the benefit of registries and the expense of everyone else.

Companies spending hundreds of thousands of dollars to get a TLD, and domains on new TLDs- to prevent anyone else from using their name.

Make no mistake, killing our visibility will reduce the money they spend on abuse complaints and subpoenas. It is insane that this minuscule industry dictates policy that increases risk for the global financial system.

_______________________________________________________

In case you didn’t see this, here is a list of quotes said in earnest by people who ICANN is taking policy input from. Feel free to cross reference them with the public archives, and you will see that they absolutely believe this, and that they dominate the conversation:

“Shit Registrars Say"

On defenders losing access to WHOIS:
"Buhu my work will get harder"

--

On law enforcement stating that access is crucial:
"Good thing that police are law "enforcement" not legislators. They can ask for anything they like, it is not like it has legal binding status. It is a wish list, nothing more..."

--

Stepping on toes:
"Harvesting and storage of whois data to be re-wrapped and sold is illegal and many registrars state this on the terms and conditions.
[...]
storage of whois data is illegal unless it was for a lawful purpose and the only one I can think of is transfers.
[...]
This will step on some registrars toes as well as [Brand Protection professional]'s toes who have a business model around the supply of whois data for commercial gain (namely charging for it)."

--

On the legality of Domaintools and WHOIS archives:
"Who says we need a Whois Archive? The GDRP have explicitly a section about the right to be forgotten, that will say all records deleted!

The way f.ex Domaintools operate today are not in the terms of a lot of whois providers conditions and in some cases illegal"

--

On what you can do with WHOIS data you query:
"Depends on the terms you accept when you make the whois inquiry. You may be violating the terms of the registrar or registry providing the whois service. "

----------------------------

Feel free to share my observations with others(TLP:GREEN) because we should spread awareness. This is regulatory capture at significant expense to us but we can stop it. Participate, vote, and we can make ICANN great again.

You can join the ICANN working group via this page. There is no barrier to entry, no cost, and no minimum requirement beyond filling out a statement of interest.

https://community.icann.org/display/gTLDRDS/Next-Generation+gTLD+Registration+Directory+Services+to+Replace+Whois

We’ve played bad cop/worse cop enough. Yall to show up and say something. Right now our community's concerns receive mockery and disrespect. You need more than one voice there. You need a multitude. These people need to become a minority.