Thursday, December 11, 2008

5 Years After CAN-SPAM

Larry Seltzer at eWeek: "The other big thing that CAN-SPAM did was to set rules for businesses to follow in order to do mass-mailings. These were the most controversial part of CAN-SPAM because they were opt-out instead of opt-in. This is why critics said, and continue to say, CAN-SPAM 'legalized spam.'"

I think the current state of commercial email is largely determined by market forces exerted via new media. Smart companies have found out that customer relations and marketing outreach go much better if you don't send people email they don't ask for.

The Internet is not only a uniquely self-documenting phenomenon, it is also self-reflective and self-monitoring. If GM were to start sending out a mass of unsolicited commercial email asking consumers to support the federal bailout, I bet it would be canceled before it was completed. The feedback loops through Twitter and social networks are instant and effective (see the whole Motrin baby debacle: "Motrin Learns: Hell Hath No Fury Like Baby-Wearing Moms").

And hell hath no fury like consumers spammed. Any spammer with a detectable street address, traceable web site, or listed phone number would be in big trouble. Not only because of the spam he or she sent, but as a target on which to vent the pent-up anger generated by the thousands of spammers who have no detectable street address, traceable web site, or listed phone number.

Did CAN-SPAM help or hurt? Five years on I would say it didn't hurt. And it has probably helped. (It certainly gave me something I could wave at companies who were not getting the message; today they all have the message --"Thou shalt not send unsolicited email"--engraved in their policies).

Sunday, November 30, 2008

Underground Data Market Tops $275 Million

The market for buying and selling stolen credit card numbers and access to financial accounts has reached the $276 million mark, according to Symantec (as reported by TechTarget).

"Symantec said the total value of the stolen data has risen sharply in recent years as spam gangs and individual phishers sell credit card information in bulk on Web forums and bulletin boards right in the public eye. The market has become so big that phishers have to fight for credibility in a seedy underground where it's common for cybercriminals to phish other phishers."

So, after we sort out the world financial crisis and the fossil fuel crisis and global warming and international terrorism, we will still have these immoral scumbags to deal with? Great!

Wednesday, October 29, 2008

WARNING: Enom Phishing Scam

From Domain Name News ("WARNING: Enom Phishing Scam"): "We have received several reports of phishing scam emails that at first glance appear to be coming from domain name registrar Enom.com. The emails warn of a complaint for invalid whois information and ask the user to login. Of course the link that the email directs you to is not a valid Enom domain name. The site is likely harvesting user names and passwords to access legitimate Enom accounts."

These are very nasty messages--I just got a couple and they make your heart race at first read because you are informed someone has bought your domain. A pox on the perpetrators!

Monday, September 01, 2008

Medical Alert: HIPAA gets six figure teeth

Ten years ago I started to alert my clients to the emergence of privacy as the new "driver" of data security. Eight years ago I started to warn them about the specific implications of the Health Insurance Portability and Accountability Act (HIPAA). In the slide deck that I created for my first HIPAA seminar I made sure my audiences were aware of the penalties built into HIPAA, such as fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information.

I can't tell you how many doctors and hospital administrators greeted that slide with disbelief. And, given the lingering arrogance so endemic to America's crumbling health care community, some doctors went so far as to suggest I was simply scare-mongering to scrounge up security consulting work. The attitude among many was something like this: "Nobody would dare to levy fines on us because of some esoteric aspect of patient data storage."

Well, here we are in the Summer of 2008 and the penny has finally dropped. In fact, ten million pennies have dropped, because HHS, the U.S. Department of Health & Human Services, has collected $100,000 from a hospital that allowed unencrypted personal health data to leave the premises, as detailed in this comprehensive posting by Sara Kraus over on the privacy law blog.

Providence Health & Services, a Seattle-based not-for-profit health system, was forced to pay $100,000 to HHS and enter into a Corrective Action Plan with the government to avoid a “civil monetary penalty.” That three-year plan is like probation and is no cake walk. Failure to comply could result in more penalties and Providence could still face criminal liability.

The immediate trigger for this HHS action was "five incidents in 2005 and 2006 in which unencrypted electronic protected health information (“ePHI”) of Providence patients was stored on backup tapes, optical disks and laptops that were taken off-site from Providence by members of its workforce, and then misplaced or stolen, potentially compromising the health information of over 386,000 patients."

So if you are in any way responsible for health care data, I urge you to read the details in the blog post linked above. You do not want to be next on the HHS hit list. Also note that, as I predicted, there is a cumulative effect to the various and diverse privacy legislation passed during the last ten years. The incidents at Providence might have been hushed up, but state notification laws required that patients be advised of the loss of their information. Further note that there was no evidence that any personal information was wrongfully used as a result of these incidents. When HHS investigated, it focused on Providence's failure to implement policies and procedures to safeguard the ePHI. And that failure cost $100,000.

(FYI, the picture is a hippo skull on which the massive teeth of the beast can be clearly seen -- thanks to Wikimedia for the image.)

Wednesday, August 13, 2008

News Spam Rolls On: First CNN, now MSNBC

The outbreak of spam that pretends to be a news alert from CNN has now morphed into "BREAKING NEWS" from MSNBC, like this message proclaiming that trading in McDonalds has been suspended.

However, the message is not part of a pump-and-dump stock scam, merely a variant of the basic take-me-to-your-Trojan attack. Indeed, another one of these that I received has the strangely amusing headline: "Study reveals bass players 'every bit as dull as golfers.'" What bass-playing recipient could resist checking out that story?

This type of attack looks like it will run for some time (I predict Google will be the next patsy). So information security staff might want to send out a generalized alert to employees warning them to

a. disregard [and delete without reading] any news alerts they have not specifically requested,
b. decline to install any new video players.

And so the world grinds on, with each new technology benefit poisoned by selfish, twisted souls. Sigh...

Tuesday, August 12, 2008

Nasty New Form of Spam: CNN News Alerts

I have received a handful of these in the past few days, messages that look like they could be a CNN news alert that I had signed up for, except I hadn't.

The subject line reads "Breaking news", and spammers have designed them like this because many of us humans find it hard to resist a breaking news story. This means a lot of people may open these messages before the spam filters and malware detectors are updated and the security staff get out the word to the troops.

The link inside these messages can be quite goofy, like "Titanic sinks again in 2008." But some people will fall for them. And when they click on the story link they will probably find themselves on a web site in Russia or China. They will then get a message saying that, in order to view the video of the news story, they need to download new video player software. A convenient download is provided, but the software it sends you is a Trojan that compromises your system. These messages come hot on the heels of the "Daily Top Ten" from CNN that were very convincingly crafted (including an unsubscribe link that actually appeared to work).

There are only two things that will stem the tide of this garbage:

a. Widespread improvement in the general standards of human behavior.
b. Widespread adoption of new email standards.

Sadly both a and b still appear to be a long way off.
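The two lures described on this page (the fake Enom whois-complaint mail above, and the fake CNN/MSNBC "breaking news" alerts in this post) share one detectable trait: the link points somewhere other than the brand the message claims to come from, next to a prompt to log in or install a "video player". The triage heuristic below is an added example, not code from the blog or from any vendor; the sample messages and domains are constructed, and the domain matching is deliberately simple (a public-suffix list would be the production choice).

```python
import re
from urllib.parse import urlparse

# Constructed sample messages modelled on the lures described on this page; not real mail.
SAMPLES = {
    "registrar-lure": {
        "from": "support@enom.com",
        "subject": "Complaint: invalid WHOIS information for your domain",
        "body": "A complaint was filed about your whois data. Please login here "
                "to review it: http://enom-account-verify.example.net/login",
    },
    "news-lure": {
        "from": "alerts@cnn.com",
        "subject": "BREAKING NEWS: Titanic sinks again in 2008",
        "body": "Watch the video: http://news-video.example.org/story?id=7 "
                "You may need to download our new video player to view it.",
    },
    "legit": {
        "from": "billing@example.com",
        "subject": "Your invoice is ready",
        "body": "View it at https://billing.example.com/invoice/123",
    },
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_PHRASES = ("login", "log in", "video player", "download")

def registrable_domain(host):
    """Crude brand domain: last two labels (a public-suffix list is more accurate)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def analyze(msg):
    """Return a list of findings for one message; an empty list means nothing suspicious."""
    findings = []
    sender_domain = registrable_domain(msg["from"].split("@")[-1])
    text = "{} {}".format(msg["subject"], msg["body"]).lower()
    for url in URL_RE.findall(msg["body"]):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != sender_domain:
            findings.append("link host %s does not match sender domain %s" % (host, sender_domain))
    if re.search(r"\bbreaking news\b", text):
        findings.append("unsolicited 'breaking news' subject")
    hits = [p for p in LURE_PHRASES if p in text]
    if hits and findings:  # lure wording only matters alongside another signal
        findings.append("lure phrasing alongside off-domain link: " + ", ".join(hits))
    return findings

def triage(samples=SAMPLES):
    """Run analyze() over every sample and map message name to its findings."""
    return {name: analyze(msg) for name, msg in samples.items()}
```

A mail gateway rule built on this idea would quarantine or tag the message rather than rely on every recipient resisting a "breaking news" subject line.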

Monday, August 04, 2008

Laptops in Peril at the Airport

My brother, Mike, has been busy this week, responding to questions about the latest Ponemon Institute survey, which suggests a heck of a lot of laptops are separated from their owners at airports. He did more than a dozen radio interviews in one day!

I've worked with Larry Ponemon in the past and he does a pretty mean survey. So if he says 3,800 computers go missing each week from Europe's 24 busiest airports, I'm inclined to believe that's the case. An even more shocking finding is that more than half of these laptops are never retrieved. People traveling with their laptops should take note.

One of the first things I do when I get a new laptop is tape my business card to the bottom of it (taking care not to block any ventilation ports).

Friday, August 01, 2008

Travelers' Laptops May Be Detained At Border

If this wasn't in the Washington Post I would think it was a hoax: Travelers' Laptops May Be Detained At Border. More than anything else, this should awaken those who so far have been complacent to the reality of what our government has been doing to our rights these last 7.5 years.