Zombie PCs Attack

Internet News published this article yesterday, about zombie PCs (http://www.internetnews.com/security/article.php/3796526/The+Webs+Latest+Threat+Smarter+Zombies.htm) getting smarter and harder to track, as they are regularly asking for new IP addresses from their ISPs, ultimately rendering anti-spam software that works by blocking IPs now useless:

Unfortunately, my first thought reading through this is a big “I told you so” to the universe of security experts who keep insisting that IP reputation is the silver bullet in the ongoing war against spam and other e-mail-borne threats. Commtouch (www.commtouch.com) is a world-recognized expert in the field of IP-based reputation and should be taken at its word. If Commtouch says that IP reputation is finally dead, I would agree.

The fact that IP-based reputation schemes are flawed has been well known to Sendio (www.sendio.com) for years. We have always believed the only type of security that really works is active security. All of the current IP reputation schemes are passive/reactive, employing complex algorithms to make guesses based on patterns and probabilities. Clearly, in a world where there is big money at stake, the bad guys are highly motivated to find mechanisms that allow them to evade these passive security paradigms.

I believe the time has come for the security community-at-large to recognize that we need to move away from passive guessing schemes to active authentication methodologies.

Cisco’s annual security study is out, and…

Cisco’s annual security study is out, and not surprisingly personalized spam and phishing attacks are on the rise:

http://ibtimes.com/articles/20081217/personalized-spam-rising-sharply-study-finds.htm

Personalized spam rising sharply, study finds
By JORDAN ROBERTSON

SAN FRANCISCO (AP) — Yes, guys, those spam e-mails for Viagra or baldness cream just might be directed to you personally. So, too, are many of the other crafty come-ons clogging inboxes, trying to lure us to fake Web sites so criminals can steal our personal information.

A new study by Cisco Systems Inc. found an alarming increase in the amount of personalized spam, which online identity thieves create using stolen lists of e-mail addresses or other poached data about their victims, such as where they went to school or which bank they use.

Unlike traditional spam, most of which is blocked by e-mail filters, personalized spam, known as “spear phishing” messages, often sail through unmolested. They’re sent in smaller chunks, and often come from accounts the criminals have set up at reputable Web-based e-mail services. Some of the messages are expertly crafted, linking to beautifully designed Web sites that are bogus or immediately install malicious programs.

Cisco’s annual security study found that spam is growing quickly — nearly 200 billion spam messages are now sent each day, double the volume in 2007 — and that targeted attacks are also rising sharply.

More than 0.4 percent of all spam sent in September were targeted attacks, Cisco found. That might sound low, but since 90 percent of all e-mails sent worldwide are spam, this means 800 million messages a day are attempts at spear phishing. A year ago, targeted attacks with personalized messages were less than 0.1 percent of all spam.

The latest attacks include text-message spam, e-mails trying to trick business owners into coughing up credentials for their Google advertising accounts, or personalized “whaling” e-mails to executives claiming that their businesses are under investigation by the FBI or that there’s a problem with their personal bank account.

As the world’s largest maker of networking gear, Cisco is in a unique position to study the traffic flowing through its customers’ networks, which include the biggest Internet providers and corporations. The latest study was based in part on the company’s ability to monitor 30 percent of all Web and e-mail traffic through its hardware and software and a network of companies that contribute data.

The end of instant messaging (as we know it)

I just read the following from Business Week. Clearly, the world is coming to Sendio with respect to the concept/importance/integration of person-to-person electronic communication.

The end of instant messaging (as we know it)
(http://www.msnbc.msn.com/id/27770292/)

Anti-Fraud is not Anti-Spam

One of the biggest problems with e-mail is the complete lack of an inherent security model. Like the telephone, most people have come to take e-mail for granted; expecting that it simply works. Most e-mail users do not know how easy it is to forge almost every aspect of an e-mail message. We have all received spam that, when viewed in our e-mail client (Outlook, Entourage, Gmail, etc.) appears to have been sent to us, from us. How can this happen?

There is a common misconception amongst many in the e-mail security space that anti-fraud technologies like Sender Policy Framework (SPF), SenderID and DomainKeys Identified Mail (DKIM) are part and parcel of anti-spam technology. While it is true that anti-fraud/anti-forgery technologies have a nice side effect of preventing some spam, this is not their main goal. In addition, lumping these important technologies in as simply anti-spam misses the point and tends to diminish their importance.

Protecting your domain from e-mail forgery is up to you, the owner of the domain. Does your domain publish a Sender Policy Framework (SPF) record (http://www.openspf.org/)? If not, why? What are you waiting for? Is your inbound e-mail checked to see if the sender’s domain publishes an SPF record? If not, why? After all, if the sender’s domain administrator has elected to take domain forgery seriously, you should as well. Finally, are you recognizing DKIM (http://www.dkim.org/) signatures for inbound e-mail, and is your e-mail server signing outbound e-mail?

In case you are wondering… Google, eBay, Yahoo, Cisco, and many other large companies are now on the DKIM bandwagon.
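To make the “is the sender’s domain publishing an SPF record, and does this connection satisfy it?” question concrete, here is an added example of an SPF evaluator in Python. It is not code from this post, from Sendio, or from openspf.org; it implements only the ip4, ip6, include and all mechanisms with their +/-/~/? qualifiers (a, mx, ptr and redirect= are left out), and instead of real DNS it consults a constructed dictionary of TXT records (ZONE, with example.com, _spf.mailhost.example and loop.example as made-up domains). The forged “from us, to us” case from above becomes a MAIL FROM of our own domain arriving from an address the record does not list, which evaluates to fail.

```python
import ipaddress
from typing import Dict, Tuple

# Constructed TXT records standing in for DNS lookups (assumption: no network
# access here; a real checker resolves "domain TXT" and picks the v=spf1 record).
ZONE: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "noall.example": "v=spf1 ip4:10.0.0.0/8",
    "loop.example": "v=spf1 include:loop.example -all",  # self-referencing, must not hang
}

# Qualifier prefix -> SPF result when the mechanism matches (default is "+").
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str, zone: Dict[str, str] = ZONE,
              depth: int = 0) -> Tuple[str, str]:
    """Evaluate the SPF record for `domain` against the connecting `client_ip`.

    Returns (result, reason) where result is one of pass, fail, softfail,
    neutral, none or permerror.
    """
    if depth > 10:  # include: chains are bounded, like the RFC's lookup limit
        return "permerror", "too many include levels"
    record = zone.get(domain.lower())
    if record is None:
        return "none", "no SPF record published"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", "not an SPF record"

    addr = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier], "matched all"

        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", f"bad network in {term}"
            # A v4 client can never match an ip6 network and vice versa.
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier], f"matched {name}:{arg}"
            continue

        if name == "include":
            sub, _ = check_spf(arg, client_ip, zone, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier], f"matched include:{arg}"
            if sub == "permerror":
                return sub, f"include:{arg} returned {sub}"
            if sub == "none":
                return "permerror", f"include:{arg} has no record"
            continue  # fail/softfail/neutral inside an include do not match

        if "=" in term:
            continue  # modifiers such as redirect= or exp= are not handled here
        return "permerror", f"unsupported mechanism {name}"

    return "neutral", "no mechanism matched"


def check_mail_from(mail_from: str, client_ip: str,
                    zone: Dict[str, str] = ZONE) -> Tuple[str, str]:
    """Evaluate SPF for an envelope sender (MAIL FROM) address."""
    domain = mail_from.rpartition("@")[2]
    return check_spf(domain, client_ip, zone)


if __name__ == "__main__":
    # A message claiming to be from our own domain but sent from an unlisted host.
    print(check_mail_from("ceo@example.com", "203.0.113.5"))  # -> ('fail', 'matched all')
    print(check_mail_from("ceo@example.com", "192.0.2.77"))   # -> ('pass', 'matched ip4:192.0.2.0/24')
```

The split between "fail" and "softfail" is what the domain owner chose with -all versus ~all; a receiver that wants the anti-forgery benefit has to act on fail (reject or quarantine) rather than merely feed it into a spam score.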

…and who says e-mail spam filtering works?

The following excerpt comes from MSNBC’s “The Red Tape Chronicles”:

[Let me begin by saying that you cannot make this stuff up!]

Friday: 10 Oct 2008
(http://redtape.msnbc.com/2008/10/att-customer-ca.html#posts)

AT&T reserves the right to change its terms of service by sending its Internet service customers an e-mail. Apparently, it also reserves the right to deposit those e-mails into its customers’ junk mail folders.

Last month, AT&T made some controversial changes to its Internet policies. Verbiage indicating that high-bandwidth users might experience some intentional slowdowns irritated some techies; another section that forces customers to use binding arbitration to resolve disputes annoyed consumer organizations; and an L.A. Times reporter bristled at the size of the full new agreement — 2,500 pages.

But Lance Mead, an AT&T Internet customer from Encino, Calif., almost missed the entire controversy. His notification of the new terms of service was sent via e-mail on Sept. 18, but AT&T’s own spam filters trapped the e-mail as spam and deposited it in his junk mail folder, he said. On a whim, he checked the folder and spotted the notice. He was furious.

Someone — anyone — please tell me how this is not proof positive that the entire premise behind e-mail spam filtering is seriously flawed. I completely understand that mistakes happen. However, these “mistakes” are also known as “false positives.” In the “e-mail game” it is the false positives that cost business real money. Is it really the end of the world if 5% to 10% of the e-mail received in your inbox is spam? Probably not. It is unnecessary, annoying, and unproductive to be forced to wade through spam, but missing an important e-mail thanks to the flawed concept of filters, a.k.a. guessing machines, should be considered absolutely unacceptable.

In Search of… A definition for e-mail spam

According to Wikipedia, e-mail spam is defined as follows:

“E-mail spam, also known as unsolicited bulk Email (UBE) or unsolicited commercial email (UCE), is the practice of sending unwanted e-mail messages, frequently with commercial content, in large quantities to an indiscriminate set of recipients. (http://en.wikipedia.org/wiki/Spam_(electronic)#E-mail_spam)”

This definition is okay, but is overly broad. I would like to propose the “Triangle of Spam” in an effort to more accurately define the problem.

Simply put, for any piece of e-mail to be considered “spam” it must be unsolicited, anonymous, and high volume. If any one (or more) of these characteristics is not met, the e-mail can be considered unwanted, but is not “spam.”

It is important to distinguish between “spam” and simply unwanted e-mail. For example, are “Lowest Fare” updates from United Airlines spam or, in my case, simply unwanted (I never fly United)? While I’m sure I did fly United at some point in the distant past, I certainly do not plan on flying United anytime soon. Technically speaking, United has the right, by virtue of our “previous business relationship,” to send me these updates. However, in my particular case, these are absolutely unwanted e-mails, but they cannot (or should not) be considered spam.

I am very interested to hear what other people think of the “Triangle of Spam.”

Some advice if HP really is trying for an ‘end-run’ around Windows

It sure would be a great move for the folks at HP (Hewlett-Packard) to build an operating system to further distinguish themselves within the terribly “me too” desktop hardware world. Simply put, if Apple can do it, why not HP?

Here is the article I read from Business Week…

HP’s ‘End Run’ Around Windows

“The carefully crafted ecosystem of tech companies built around Microsoft’s Windows operating system is showing signs of strain. Hewlett-Packard (HPQ), a longtime Microsoft ally, has quietly assembled a group of engineers to develop software that would make Windows Vista easier to use, or bypass some of its more onerous features. A Skunk Works of engineers at the company is even angling to replace Windows with an HP-assembled operating system, sources say.”

Do I think HP can build an operating system to compete with Windows? Absolutely. As of 12 Sept 2008, HP has a market cap of ~$115B and, according to BusinessWeek “HP is the world’s largest supplier of PCs, with about 19% market share, and analysts estimate overall sales will grow 10.3% this year, to $115 billion.” In my opinion, building an operating system is something HP must do if it intends to remain relevant in the years to come.

Keeping in mind that I hope this is all true and the folks at HP really do have the guts, I would like to offer the 3 following suggestions:

  1. Whatever you do, make sure you launch with a full-blown (and functionally complete) replacement for Outlook (use Evolution as your starting point). This will be key to your success. Winning the “hearts & minds” of corporate/business users will be what makes this venture successful. Do not forget: E-mail is still the Internet’s “killer app!” To be very specific, for better or worse, your Outlook replacement must fully integrate with Microsoft Exchange (2003/2007+). This means group calendaring, contacts (address books), notes, public folders, rules, etc. If you want to know what you need, take a look at Entourage 2008, compare its support with Outlook 2007, and fill in the gaps. Entourage 2008 is about 75% good enough.
  2. Work closely with the OpenOffice developers and the folks at Sun to assure the OpenOffice productivity suite is as close to being a real replacement for Microsoft Office as possible. I use OpenOffice on a daily basis and think it’s great; however, there are still way too many formatting and usage incompatibilities with Microsoft Office, particularly with Word & PowerPoint. You need to spend the money to make sure OpenOffice and Microsoft Office can be used as interchangeably as possible.
  3. Make sure you work with RIM to assure compatibility with their BlackBerry PDAs, their desktop software, and their BES (BlackBerry Enterprise Server).

If you are reading this and happen to be from HP… Good luck! I, and a huge percentage of the free world, am pulling for you. I will be happy to help any way I can.

E-mail is the original “social network”

FaceBook, LinkedIn, MySpace, Plaxo, Twitter. What do these have in common aside from the fact they are all wildly successful? Simple… Each of these is an important player in the latest 21st century craze, forever to be known as “social networking.” I am a huge fan of FaceBook. I don’t know about you, but I love getting “FaceBooked” by random friends, family members, and/or business associates from my past. Once or twice per week I get one of those “Random Person has requested to add you as a friend on FaceBook” e-mails.

I’m in the business of making e-mail a safe and more productive tool. Part of my job is to consider questions like “Why is FaceBook so great and why do so many people use it?” After careful consideration, I have come to the conclusion that FaceBook has succeeded in providing more than simply a nice social networking environment. Thanks to FaceBook’s “opt-in by request only” nature, people are able to connect and communicate one-to-one (and in some cases one-to-many) with only those people they have authorized. I know many people who have stopped using traditional free e-mail services like Gmail and Yahoo, and instead use FaceBook to communicate with friends and colleagues. I ask these people why they have abandoned e-mail and in all cases the answer has been the same. “FaceBook is easy to use, is safe from threats, and is spam free.”

I do not know anyone who works for FaceBook. However, if I did, I would certainly compliment them on creating the secure communications channel that e-mail could have been.

This brings me to the explanation of the title of this posting…

In my opinion, e-mail is the original “social networking” tool. To quote George Lucas, “A long time ago in a galaxy far, far away….” In a pre-FaceBook, pre-LinkedIn world, there was e-mail. Before the “bad guys” and “marketing guys” messed up e-mail, it was a great tool for managing your social network of friends and business associates. Unfortunately for e-mail, there is no built-in concept of “opt-in by request only” functionality. In fact, with e-mail, there is virtually no built-in security whatsoever.

As the original “killer app,” for e-mail to maintain its undisputed role as the most important communications medium since the telephone, it seems clear to me that e-mail needs to be “upgraded” at least to a security level equal to that of other major social networking tools.

E-mail… By the people. For the people.

For e-mail to continue as the Internet’s “killer app” there is no question the issue of security, or with e-mail, the lack of security, needs to be addressed. The key to solving the security problem lies in the recognition that human interaction is a key component of the email process. I realize this seems obvious, but for some reason we have “missed the forest because of the trees” when it comes to e-mail security.

In the final analysis, no one is better placed to determine what email you want to receive than you. In addition, the concepts of privacy and security, though completely missing from email, have been incorporated into all modern communications tools. The best examples are Instant Messaging (IM) and social networks (Facebook, MySpace, LinkedIn, etc.). Simply put, if I want to add someone to my Facebook network, I need to ask for their specific permission. If I want to send someone an instant message using Gtalk, I need to ask for their specific permission before I am permitted to send even a single message; the exact same process applies to Yahoo, MSN, AOL, etc. Not to oversimplify, but it would not be wrong to summarize that Sendio has succeeded at bringing email up to a level of security commensurate with other modern communications tools. Our “radical” improvement comes from our realization that human interaction is the lost key to safer, more secure and efficient email.
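To show what “ask for permission before the first message is delivered” looks like when applied to a mailbox, here is an added example in Python of a generic sender-verification (challenge/response) gateway. It is a hypothetical model written for this page, not Sendio’s code or a description of its product: the Gateway, Message, receive and confirm names are all assumptions. A first-time sender’s mail is held and a one-time token is sent back; a human reply with that token moves the sender onto the contact list and releases everything held from them, while null-sender bounces are held without a challenge so that a forged envelope sender never receives backscatter.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Message:
    mail_from: str   # envelope sender; "" is the null sender used by bounces
    rcpt_to: str
    subject: str


@dataclass
class Gateway:
    """Sender-verification gateway for one mailbox (hypothetical model)."""
    owner: str
    contacts: Set[str] = field(default_factory=set)           # senders allowed to deliver
    held: Dict[str, List[Message]] = field(default_factory=dict)  # sender -> queued mail
    tokens: Dict[str, str] = field(default_factory=dict)      # one-time token -> sender
    inbox: List[Message] = field(default_factory=list)
    outbound: List[Tuple[str, str]] = field(default_factory=list)  # (to, subject) challenges

    def receive(self, msg: Message) -> str:
        """Accept an inbound message and return what the gateway did with it."""
        sender = msg.mail_from.lower()
        if sender in self.contacts:
            self.inbox.append(msg)
            return "delivered"
        self.held.setdefault(sender, []).append(msg)
        if sender == "":
            # A bounce has no one to answer a challenge; challenging it would only
            # send backscatter to whoever was forged in the original envelope.
            return "held-no-challenge"
        if sender in self.tokens.values():
            return "held-pending"  # already challenged once; do not repeat
        token = secrets.token_urlsafe(16)  # unguessable so it cannot be forged
        self.tokens[token] = sender
        self.outbound.append((sender, f"Please confirm your message to {self.owner} [{token}]"))
        return "held-challenged"

    def confirm(self, token: str) -> int:
        """Handle a reply to a challenge; returns how many held messages were released."""
        sender = self.tokens.pop(token, None)  # single use
        if sender is None:
            return 0
        self.contacts.add(sender)
        released = self.held.pop(sender, [])
        self.inbox.extend(released)
        return len(released)

    def allow(self, sender: str) -> int:
        """Owner reviews the held queue and admits a sender that never replies
        (e.g. an automated notifier); returns how many messages were released."""
        sender = sender.lower()
        self.contacts.add(sender)
        for tok in [t for t, s in self.tokens.items() if s == sender]:
            del self.tokens[tok]
        released = self.held.pop(sender, [])
        self.inbox.extend(released)
        return len(released)


if __name__ == "__main__":
    gw = Gateway("bob@example.com", contacts={"alice@example.com"})
    print(gw.receive(Message("alice@example.com", "bob@example.com", "lunch?")))
    print(gw.receive(Message("carol@example.net", "bob@example.com", "hello")))
    challenge_subject = gw.outbound[0][1]
    print(gw.confirm(challenge_subject.split("[")[1].rstrip("]")))
```

The token is the whole security of the scheme: it has to be unpredictable and single-use, and the confirmation has to come back from the challenged address, otherwise a bulk sender could pre-answer challenges it never received.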

Does this “radical” thinking represent a paradigm shift?

The Sendio approach to email security is more a paradigm extension than a shift. We have all become very comfortable with caller-id on our cell phones and have embraced the verification steps required to participate in social networks. As demonstrated by the rapid adoption of Instant Messaging and SMS “texting,” it is clear that people have no problem with the concept of senders authenticating themselves; no one complains or worries about sender authentication for chat rooms or on-line forums. Therefore, we see little or no pushback when this level of security is added to email. I believe the challenge before us today is not shifting people’s paradigms, but helping them connect the dots. Because of email’s importance within the fabric of business, it is no wonder that people are very “touchy” about the process. What we need to do is help people see that we have done nothing more, or less, than bring email “up to speed” with current technologies.