February 22, 2007
Spam - The Four Letter Word Everyone Hates
Here's an interesting development in the war against spam. Apparently, it is now becoming libelous to label someone a spammer. In his article, Don't Call It Spam, Forbes' Andy Greenberg reports on how labeling an email mass marketer a spammer can land you in court. Here's a snippet of what he writes about this -
"When the Spamhaus Project, an organization devoted to cataloguing the Internet's most prolific spammers, placed marketer e360insight on a spammer "blacklist" in November 2003, the result was a $25 million lawsuit. e360insight founder David Linhardt says his Wheeling, Ill.-based marketing [firm] should never have been on Spamhaus' Registry of Known Spamming Operations...since his company landed on Spamhaus' list, it has been blocked from 4 million e-mail accounts, and has lost more than $3 million in revenue."
Linhardt sued last year and won a judgment for $11.7M, but Spamhaus, located in the UK, has refused to pay. This kind of case may be unusual, but I don't think we've heard the last of them...I'm quite sure disputes like this will continue to arise.
Part of the problem stems from a lack of a legal definition for spam. What is spam? If it's simply unwanted, unsolicited emails, there are many legitimate companies that fall into that category when all they are doing is simply marketing.
The notion of an opt-in list helps but isn't really an effective or fair solution. I hate spam as much as the next guy, but I also have the perspective of running a small business and using email marketing campaigns as a means to promote a company webcast or new program. We mailed only to a mailing list that opted in, but we were at times still accused of spamming by service providers. All it takes is one complaint from a recipient on an opt-in list of thousands. Sometimes, the guy who opted in on behalf of the company had since departed...other times, the person who opted in forgot that he did so. We always got it cleared up with the ISPs, but it was a hassle.
This is an interesting development because overall, I think from an end user's perspective, most ISPs appear to have gotten a decent handle on spam, unlike 2-3 years ago. To do so, besides the use of antispamming technology, they needed to adopt a strict stance against anything that looked or smelled like spam. But in the process, have legitimate companies been hurt? Or is this just the price you pay for the good of the entire Internet ecosystem?
Posted by andreyee in Odds and Ends
February 13, 2007
An Ounce of Prevention Against Insider Attacks
My last post on insider attacks mentioned the importance of knowing who you're hiring for that oh-so-important IT admin position. Here's a December 2006 InformationWeek article, The Case for Background Checks, essentially making the same point.
Roger Duronio was hired by UBS PaineWebber in 1999 without a background check, which would have uncovered a police record. Instead, Duronio ended up committing computer sabotage by releasing a logic bomb that crashed a couple thousand corporate servers and temporarily interrupted trading for thousands of brokers. The financial loss wasn't detailed in the article, but needless to say, the lost trading business cost far more than fixing the technical problem.
The lessons here are simple. When it comes to security, an ounce of prevention is worth a pound of cure. Background checks and character references matter. To the point I made in the last post, hire for technical expertise, but if you think integrity or character isn't important...think again. I bet UBS wishes it had.
Posted by andreyee in Insider Attacks
February 08, 2007
Insider Attacks - Who's Behind the Curtain?
Insider attacks are typically more insidious than highly publicized worms. Who's behind these insider attacks? The simple answer is insiders, of course...disgruntled workers, untrusted contractors, etc...
A closer look is a little more revealing, according to this ComputerWorld article. Based on a Carnegie Mellon study, it highlights a couple of interesting statistics: 86% of all attackers were IT workers, with a majority of those holding sys admin privileges, and more than half of the attacks were committed by ex-employees regaining entry via old user names and passwords. Does the phrase "fox guarding the hen house" come to mind? You can read the full Carnegie Mellon study here. It offers practices, based on system dynamics, that will help detect and protect against these attacks.
In addition to the recommendations of the study, I'd suggest that these statistics can teach us a few things -
First, security policies regarding termination of employees should be defined, documented and practiced. Documentation is especially important for a small IT group: in the event your sys admin is the one terminated, you need to be able to hand the policy off to someone else to execute.
Second, when it comes to security policies, checks and balances are good. We too often focus on technology and forget the security audit process.
Third, it matters who you hire, not simply what they can do. Hire for technical brilliance, for sure, but ignore character at your own risk. Especially when you're hiring for a position that has sys admin privileges and access to proprietary and private information, you cannot put too high a premium on integrity.
Finally, monitor for insider attacks. It's vitally important because insider attacks pose a greater risk with regard to corporate data and intellectual assets. I'm going to stay on this topic over the next couple of weeks because I think it's largely overlooked so stay tuned.
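The first and last points above (a practiced termination policy, and monitoring for insiders) can be checked mechanically against the statistic that most insider re-entry comes through old user names and passwords. As an added example that is not part of the original post, the following Python reconciles a hypothetical HR termination list against directory account state and an authentication log, all constructed here, and flags accounts the offboarding process missed plus any login attempts by those accounts after the termination date.

```python
from datetime import datetime

# Constructed sample data, not from the article: an HR termination list,
# directory account state, and authentication log lines (all hypothetical).
TERMINATIONS = {"jdoe": "2007-01-15", "rsmith": "2007-01-31"}
ACCOUNTS = {
    "jdoe":   {"enabled": True,  "admin": True},   # offboarding missed this one
    "rsmith": {"enabled": False, "admin": False},
    "alee":   {"enabled": True,  "admin": True},   # current employee
}
AUTH_LOG = """\
2007-01-10T08:02:11 LOGIN_OK user=jdoe src=10.0.0.5
2007-02-03T23:41:07 LOGIN_OK user=jdoe src=203.0.113.9
2007-02-04T01:12:30 LOGIN_FAIL user=rsmith src=203.0.113.9
2007-02-04T09:00:00 LOGIN_OK user=alee src=10.0.0.7
"""

def parse_auth_log(text):
    """Parse 'timestamp RESULT key=value ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, result, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts), "ok": result == "LOGIN_OK"}
        event.update(f.split("=", 1) for f in fields)
        events.append(event)
    return events

def stale_accounts(terminations, accounts):
    """Terminated employees whose directory account is still enabled,
    with the admin flag so the riskiest ones stand out."""
    return sorted((u, accounts[u]["admin"]) for u in terminations
                  if accounts.get(u, {}).get("enabled"))

def post_termination_activity(terminations, events):
    """Login attempts by a terminated user after the termination date.
    A success means an old credential still works; a failure means
    someone is still trying it."""
    hits = []
    for e in events:
        term = terminations.get(e["user"])
        if term and e["ts"].date() > datetime.fromisoformat(term).date():
            hits.append((e["user"], e["ts"].isoformat(), e["src"], e["ok"]))
    return hits

if __name__ == "__main__":
    print("accounts not disabled:", stale_accounts(TERMINATIONS, ACCOUNTS))
    for hit in post_termination_activity(TERMINATIONS, parse_auth_log(AUTH_LOG)):
        print("post-termination login", "SUCCESS" if hit[3] else "failed", hit[:3])
```

Run as a scheduled job against the real HR feed and directory, the first function is the audit check for the termination policy and the second is the monitoring signal.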
Posted by andreyee in Insider Attacks
February 02, 2007
Attack on SuperBowl Site
Just in time for Super Bowl Sunday, Websense reports that the website of Dolphin Stadium, the site of the Super Bowl, has been infected with trojan malware. Visitors to the site inadvertently trigger the execution of malicious JavaScript, which downloads a keylogger onto compromised Windows machines.
Obviously, attackers are taking advantage of the high volume of traffic generated by Super Bowl interest. Until further notice, it's probably advisable to avoid the site.
Posted by andreyee in Alerts/Warnings
February 01, 2007
IM Security - Does Anyone Care?
Over the past 5 years, instant messaging has moved from the home to the enterprise. A number of companies focused on tackling corporate IM security emerged, only to find the going much rougher than expected. The market simply isn't materializing as expected. IM security, while attracting attention in the press, didn't really register in the minds of security managers as a top-priority threat.
Meanwhile, many of the IM security companies have sold out, closed up or limped along. It turns out that security for IM is melding into existing security solutions as a feature rather than a separate product. This doesn't mean there aren't threats associated with IM or that IM security should be ignored.
I've put together the Top 10 IM security best practices for your edification -
#10 - Treat IM communication as untrusted. IM is great for informal communication, but when used in a corporate environment, it must be viewed as an "untrusted" communication medium. This means no communication of sensitive corporate information.
#9 - Separate passwords for IM. If you're going to take #10 seriously, then make sure you don't use the same passwords for trusted communication channels as you do for unofficial, untrusted channels like IM.
#8 - Host your own IM server. It's not feasible for every company, but if IM is to be used extensively as a corporate communication medium, hosting your own IM server and securing it is essential.
#7 - Keep current with patches. Like any software, IM security starts with keeping both client and server software patched.
#6 - Define and adopt user policies. Educate users on what's appropriate to communicate over IM and what's not, and on the security policies associated with the use of IM (see #5).
#5 - Reject all attachments from untrusted sources. This is not your father's IM. Today, IM can transmit files, stream video and audio, and carry other content.
#4 - Do not click on links from untrusted sources. We're accustomed to this policy for email but sometimes let our guard down in other media.
#3 - Use encrypted IM for sensitive info. If you're using IM for anything sensitive, use an encrypted IM channel.
#2 - Link IM to the corporate directory. It's an extra layer of security and makes it easier to switch IM systems, if you ever want to do so.
#1 - Mitigate risks through security tools. Having a corporate IM system is one thing; securing it is another. Make sure you have tools to filter out SPIM (IM spam), plus firewall and intrusion prevention tools with IM-specific security packages to protect against IM-specific attacks.
Posted by andreyee in Network Security