spam

CAN-SPAM's utter failure

Jeff Caruso — Mon, 06 Oct 2008 15:10:31 -0400

To be fair, even when the CAN-SPAM Act was passed five years ago, there was much skepticism over whether it would actually work. But I guess I always hoped that it would do something to stem the tide. Here we are, five years later, and the volume of spam traffic is up tenfold, and much of it is more malicious than it was before. Now, when spammers get their hooks into you, they really sink them in.

Read more

What Went Wrong?

Mon, 06 Oct 2008 10:18:37 -0400

Consider the source. "I have come to the conclusion that one useless man is a disgrace, two men are called a Law Firm, and three or more become a Congress." -- John Adams

I'm a psychiatrist of the software industry, and used to hold an Original Evil Presidentship on Wall Street

CurtMonash — Fri, 03 Oct 2008 04:03:37 -0400

Creators of spam web sites commonly steal and sometimes modify existing web content, the better to look "real" to the search engines. Some specifics of how this happens can be found in a couple of posts on splogs and black hat SEO. A few days ago, I tripped across an example of this that seemed pretty funny, kind of like a Mad Libs version of my career. In close to its entirety, it reads (links removed, emphasis added):

He afterwards co-founded EvernetInc., a $40 meg networking systems integrator. Since 1990, he has owned and operated Monash Research, an analysis and consultive steadfastly cover software-intensive sectors of the subject industry. Do you want to buy guild wars gold? In that period he also has been co-founder, presidency, or chairwoman of various else discipline startups.
Laconic has served as a strategic consultant to umpteen well-known firms, including Vaticinator, Microsoft, SAP, AOL, CA, and Netezza. Concise attained a Ph.D. in maths (Spunky Theory) from University Lincoln. He has held body positions in maths, economics and open insurance at University, Altruist, and Suffolk universities.
Similarly, players are the penultimate connexion of investigation. LOTRO has its reliability problems (such solon than Guild Wars ever did, and I intend to investigate few ideas as to why). guild wars gold is the currency used to buy and trade items. But flatbottom so, they’re uncovered quickly, and for the most location secure relatively shortly. LOTRO also does a nice job of but editing aspects of the scheme if fact missions or whatever are generally imperfect.

Read more

Scammers using gloomy economic news to lure victims

SecurityBlog — Thu, 02 Oct 2008 00:25:21 -0400

Not surprisingly, scammers and spammers (or are they one in the same?) are jumping on the bleak economic news as a means delivering their wares. ScanSafe is reporting a number of hackers using the Bank of America brand in a phishing attack that uses the bad economy as a lure. The messages contain a link for more information, but really download malicious code to the targeted user's machine. Always be wary of e-mail from a bank. Best to go to the bank's main URL and access your account data from there. Barracuda Networks saw a big uptick in pump-and-dump stock spam messages that claim entertainment companies are benefiting from the falling economy. The messages claim the companies being touted are "recession proof." Obviously, if you're getting stock tips from unsolicited e-mails, you've got issues. On the bright side, there doesn't seem to be any malware associated with the Spam. Hopefully, we'll soon have news of spammers using the booming economy as a lure. That would be a nice change of pace.

Anatomy of a Data Breach: A Global Perspective

rsherstobitoff — Mon, 29 Sep 2008 11:53:42 -0400

In the wake of undiscovered data breaches and subsequent public exposure, regulatory compliance and security audit standards are becoming ever more important to protecting critical assets.

Despite the increase in the number of data breaches via illicit means, internal controls seem to fail when it comes to the assurance that critical assets remain uncompromised. According to the Identity Theft Resource Center a total of 336 breaches have been reported in 2008 alone, putting the overall number at 69% greater then this time last year. This is a concern for security teams especially given the fact that a lack of dedicated resources exist to combat and revert this trend.

This is significantly important to take into consideration when going through the formal audit process to certify adherence to Sarbanes-Oxley (SOX), Graham Leach Bliley (GLBA), Payment Card Industry (PCI), or Health Insurance and Portability and Accountability Act (HIPAA).

With the significant increase in data exposure corporations can’t afford to take short-cuts when it comes to information assurance. Otherwise it is almost certain that one will become a victim of a serious exposure of sensitive information. This article will explore the several disconnects between established and accepted security audit framework and the variable of hidden infections.

The problem as it exists today – hidden threats from within

The variable of hidden and unidentified infections will almost certainly introduce a degree of unknowingness and concern when it comes to the protection of sensitive information and adherence to regulations.

Read more

Littering laws?

jimmaclachlan — Tue, 23 Sep 2008 11:03:24 -0400

They should have charged him with littering & charge him $1000 per piece. That's what he's really doing - throwing his trash on my lawn. Unlike junk snail mail, he isn't even using 'Current Resident' to get his email to an individual. He's just using up everyone's bandwidth & resources by spraying garbage through the system in hopes that some lands in the correct place. It's reminiscent of dumping propoganda leaflets by airplane.

Why Security-as-a-Service (SaaS) reduces the total cost of ownership (TCO)

rsherstobitoff — Mon, 22 Sep 2008 16:04:25 -0400

Recently I have been getting a number of questions concerning the cost savings of a security-as-a-service (SaaS) model versus a traditional on-premise solution. While there are certainly a number of direct benefits to the end-user (easier to use and upgrades are usually transparent), I thought for the purpose of this article to elaborate on the most important one: “reducing the total cost of ownership (TCO) via the outsourcing of security services”.

So what is exactly meant by reducing the total cost of ownership? Well according to industry analysts a good portion of small to medium sized companies out-source their security services to a 3rd party provider. Obviously this strategy has real benefits especially to companies who lack the technical ability to manage and maintain an on-premise anti-malware solution.

As a result, we're seeing a lot of SMBs outsource their desktop anti-malware requirements to a managed service provider and/or adopt a Security-as-a-Service model. This helps reduce complexity and time-to-market when implementing new security technologies and will not require a high degree of skill to maintain the solution.

Because SaaS traditionally hasn’t resided on-premise it takes the overhead of managing and maintaining a complex myriad of technologies and places the responsibility with the provider. Take for example a small medicare facility with 100 employees; now if we factor in the following variables into the equation we can clearly see the reduction in TCO as a SaaS model eliminates a number of headaches associated with a traditional on-premise model:

* Eliminates the need for additional hardware or resources required for managing and maintaining a SaaS based anti-malware solution.

* Upgrades are usually transparent, thus, the need for dedicating time and resources to upgrade from one version to another is no longer required.

Read more

"Succession Planning: Toolkit for Execution" -- a special report of the Sith Academy?

CurtMonash — Sun, 21 Sep 2008 23:46:10 -0400

I'm on a variety of business email lists that I probably never signed up for in the first place, as well as a bunch that I arguably did. Generally, not-so-best-practices for bulk e-mail annoy me. But one particular sender -- while guilty of dubious opt-in, as well as of an unnecessary opt-out followup e-mail -- leaves me more amused than annoyed. That's due to the striking title of their repeated e-mail:

Succession Planning: Toolkit for Execution

That sounds as if it could be -- well, as if it could be brutally effective.

If for any reason you do want "60+ pages of real succession planning materials", several years old, for > 1,000 Euros, these folks will be happy to sell you same.

Security Shouldn't Take a Backseat to Virtualization

rsherstobitoff — Mon, 15 Sep 2008 12:39:04 -0400

There’s no question that advances in server virtualization technology are becoming popular among corporations that want to save money by consolidating resources and improving operational efficiency. Virtualization enables a dramatic increase in cost savings in ongoing maintenance and the cost required to keep physical assets afloat. These benefits are often seen by CIOs and other information technology leaders as adding tremendous value to an existing robust IT infrastructure. Who wouldn’t want to save money by reducing the size and extent of their data center, especially in the manufacturing and financial services industries?

Read more

Perhaps an Email address or two is in order

Mike.D. — Mon, 15 Sep 2008 09:32:16 -0400

Perhaps we should post the personal and professional Email addresses of the justices on the Virginia Supreme Court to places where such addresses are commonly harvested by spammer bots. They MIGHT

Securing the Line Part 6 - Is Phone Spam Nearing?

Matthew Nickasch — Fri, 05 Sep 2008 08:13:28 -0400

Everyone is virtually familiar with email spam. It's constantly generated, attempted to be filtered, and we eventually receive a fraction of it. There is quite an argument surrounding the best filtering and protection procedures and strategies, yet a lot of spam can be stopped before it's even sent. How? Simply don't let the would-be "spammer" get a hold of the address in the first place. In parallel, the modern-day worldwide telecommunications network has the same exact issue. Now, "phone spammers" have a much larger, and cheaper, arsenal at their fingertips. Take a mental inventory of how many DIDs or outward-facing phone numbers your organization has. Now, ask yourself how many of those numbers are published or placed on websites. Quite a few, right?

Read more

Message Labs Advertising

Schratboy — Wed, 03 Sep 2008 19:47:16 -0400

Whatever solution MLabs is offering is just the next hurdle that the Spammers will jump over with ease on their way to constantly evolving their business to remain competitive. Whatever Mlabs does it's a small bump in the road. Spam will not go away anytime soon.

CardBrowser -- a cautionary tale of how not to respond if you're caught spamming

CurtMonash — Tue, 02 Sep 2008 19:52:35 -0400

The most annoying spam isn't the Viagra ads and so on, because those are easy to get past. It's the more targeted stuff that looks as if it MIGHT be of interest to you. For example, bogus press releases are a big annoyance to me, because I at least briefly skim every press release that comes in. And so when something with the title NEW: LinkedIn for Tech Industry, Download C-level, Sales & Mark turned out not to be about LinkedIn at all, but rather to be a promotional piece by a dubiously ethical outfit called CardBrowser, I got a negative impression.

Like most people, I rarely hit Unsubscribe links, fearing that will just encourage the spammers. But occasionally I email companies directly and, perhaps after a couple of exchanges (heated or otherwise), they stop writing me. CardBrowser hadn't quite made it to that level for me, but then CardBrowser CEO Steve Morgan happened to reach out to me in a personal, salesy email.

At this point I searched my inbox, saw a double-digit amount of unsolicited mail from CardBrowser, and brought it to his attention. Instead of the standard "Oops, so sorry", he insisted that CardBrowser was lily-pure, and I must have signed up for the list and forgotten all about it.

So I clicked one of the unsubscribe links. It revealed that I was signed up with the username "Friend." I wrote back to Steve, pointing out that I had never signed up for a list as "Friend" in my life, and furthermore criticizing him for the email subject line quoted above. He wrote back terminating the conversation.

Read more

Virus attacks highest ever in July, Google says

Google Subnet — Wed, 13 Aug 2008 07:58:27 -0400

With two Gmail outages in as many weeks, perhaps it's time that Google turned its attention to e-mail security, specifically e-mail viruses. The company posted notes on both the Google Online Security Blog and on Google's Enterprise Blog saying that this July was hands-down the worst for virus attacks and noted that on July 24 alone, Google's Postini servers encountered nearly 10 million virus-laden messages.

Read more

CNN Alerts Spam

rsherstobitoff — Tue, 12 Aug 2008 18:44:51 -0400

Recently there have been a number of spam campaigns distributing malcode to unsuspecting users through embedded links (which is certaintly not an uncommon tatic used by hackers today). However, in this latest round of attacks, spammers are using very authentic looking email messages as a way of spoofing CNN alerts in order to entice users into executing code. Because of the scale and volume of this attack the messages will all appear to be the same at first glance, but the content and the sites they link to are different - meaning a large number of low profile web-sites had to be hacked and converted into malware distribution points. One common theme found is the "missing flash codec" message indicating that an update is required in order to view the content.

Read more

Google's try to clean up Blogger backfires

Google Subnet — Tue, 05 Aug 2008 10:22:45 -0400

Google's Blogger site is riddled with malware and spammers, a fact that StopBadware.org attributes to Google's No. 5 ranking on its list of most infected network sites on the Internet (the other 4 sites that round out the top 5 are all in China). But Google's remedy may have been worse for users than the spam.

Read more

Fake Google Adwords Site Discovered

rsherstobitoff — Mon, 04 Aug 2008 19:39:48 -0400

It appears that another round of phishing attacks have emerged and this time they are targeting the Google Adwords platform. Emails are being sent to unsuspecting users containing subject lines such as: "Update your billing information" "From Adwords No-Reply" "Verify Adwords Account" The idea behind this phishing attack is to obtain credit card information by tricking users into thinking that their ads have become in-active and in order to continue they must re-enter payment information. The site that a user is directed to from the email message looks very authenticate in terms of the real site (in fact the link in the email is real, but some behind the scenes clever HTML coding has changed that).

Read more

Spam tortilla sandwiches, and other oddities from Google Mail contextual advertising

CurtMonash — Wed, 23 Jul 2008 22:30:10 -0400

I’m a big fan of outsourcing one’s email to Google, and then continuing to use one’s favorite email client. (I’ve never switched away from Eudora.) Accordingly, I rarely use the actual Gmail interface – except when traveling and hence away from my desktop computer.

Recently I have been on vacation, logging directly into Gmail a lot. And so I started noticing the contextual ads that appear above the lists of messages. It turns out that – well, on the whole they’re not terribly contextual. Highlights include:

Read more

Spam King pulls prison vanishing act

Layer 8 — Wed, 23 Jul 2008 10:20:51 -0400

Seems the Spam King is also an escape artist. Eddie Davidson this week just walked away from a federal prison camp in Colorado where he had been serving 21 months for his massive spamming activities.

Read more

Just what we didn't need -- a cheap way to beat automated spam detection

CurtMonash — Wed, 16 Jul 2008 05:37:41 -0400

One of my recent posts attracted a suspicious pair of comments – cheery blurbs from two different ecstatic users of the same obscure service, something called QAlias. The writing style of the two was similar, and resembled that of many similar promotional comments I've seen on other blogs.

Upon review, the first QAlias comment is from an “Andy Greider,” who claims in the comment to be a QAlias subscriber. But when I followed the suggestion in his comment to google him, Andy Greider's QAlias page showed him to be a QAlias manager. Oops.

Read more