Public-interest technology, information security, data privacy, risk and gender issues in tech
Thursday, December 11, 2008
5 Years After CAN-SPAM
I think the current state of commercial email is largely determined by market forces exerted via new media. Smart companies have found out that customer relations and marketing outreach goes much better if you don't send people email they don't ask for.
The Internet is not only a uniquely self-documenting phenomenon, it is self-reflective and self-monitoring. If GM were to start sending out a mass of unsolicited commercial email asking consumers to support the federal bailout, I bet it would be canceled before it was completed. The feedback loops through Twitter and social networks are instant and effective (see the whole Motrin baby debacle: "Motrin Learns: Hell Hath No Fury Like Baby-Wearing Moms").
And hell hath no fury like consumers spammed. Any spammer with a detectable street address, traceable web site, or listed phone number would be in big trouble. Not only because of the spam he or she sent, but as a target on which to vent the pent-up anger generated by the thousands of spammers who have no detectable street address, traceable web site, or listed phone number.
Did CAN-SPAM help or hurt? Five years on I would say it didn't hurt. And it has probably helped. (It certainly gave me something I could wave at companies who were not getting the message; today they all have the message --"Thou shalt not send unsolicited email"--engraved in their policies).
Monday, December 01, 2008
Underground Data Market Tops $275 Million
"Symantec said the total value of the stolen data has risen sharply in recent years as spam gangs and individual phishers sell credit card information in bulk on Web forums and bulletin boards right in the public eye. The market has become so big that phishers have to fight for credibility in a seedy underground where it's common for cybercriminals to phish other phishers."
So, after we sort out the world financial crisis and the fossil fuel crisis and global warming and international terrorism, we will still have these immoral scumbags to deal with? Great!
Sunday, November 02, 2008
A new phish frontier: Domain registrar accounts
New and expanded warning about attempts to get personal data via domain names--now includes Network Solutions.
Wednesday, October 29, 2008
WARNING: Enom Phishing Scam
These are very nasty messages--I just got a couple and they make your heart race at first read because you are informed someone has bought your domain. A pox on the perpetrators!
Monday, September 01, 2008
Medical Alert: HIPAA gets six figure teeth
I can't tell you how many doctors and hospital administrators greeted that slide with disbelief. And, given the lingering arrogance so endemic to America's crumbling health care community, some doctors went so far as to suggest I was simply scare-mongering to scrounge up security consulting work. The attitude among many was something like this: "Nobody would dare to levy fines on us because of some esoteric aspect of patient data storage."
Well, here we are in the Summer of 2008 and the penny has finally dropped. In fact, ten million pennies have dropped, because the HHS, the U.S. Department of Health & Human Services, has collected $100,000 from a hospital that allowed unencrypted personal health data to leave the premises, as detailed in this comprehensive posting by Sara Kraus over on the privacy law blog.
Providence Health & Services, a Seattle-based not-for-profit health system, was forced to pay $100,000 to HHS and enter into a Corrective Action Plan with the government to avoid a “civil monetary penalty.” That three-year plan is like probation and is no cake walk. Failure to comply could result in more penalties and Providence could still face criminal liability.
The immediate trigger for this HHS action was "five incidents in 2005 and 2006 in which unencrypted electronic protected health information (“ePHI”) of Providence patients was stored on backup tapes, optical disks and laptops that were taken off-site from Providence by members of its workforce, and then misplaced or stolen, potentially compromising the health information of over 386,000 patients."
So if you are in any way responsible for health care data, I urge you to read the details in the blog post linked above. You do not want to be next on the HHS hit list. Also note that, as I predicted, there is a cumulative effect to the various and diverse privacy legislation passed during the last ten years. The incidents at Providence might have been hushed up, but state notification laws required that patients be advised of the loss of their information. Further note that there was no evidence that any personal information was wrongfully used as a result of these incidents. When HHS investigated, it focused on Providence's failure to implement policies and procedures to safeguard the ePHI. And that failure cost $100,000.
(FYI, the picture is a hippo skull on which the massive teeth of the beast can be clearly seen -- thanks to Wikimedia for the image.)
Wednesday, August 13, 2008
News Spam Rolls On: First CNN, now MSNBC
However, the message is not part of a pump-n-dump stock scam, merely a variant of the basic take-me-to-your-Trojan attack. Indeed, another one of these that I received has the strangely amusing headline: "Study reveals bass players 'every bit as dull as golfers.'" What bass-playing recipient could resist checking out that story?
This type of attack looks like it will run for some time (I predict Google will be the next patsy). So information security staff might want to send out a generalized alert to employees warning them to
a. disregard [and delete without reading] any news alerts they have not specifically requested,
b. decline to install any new video players.
And so the world grinds on, with each new technology benefit poisoned by selfish, twisted souls. Sigh...
Nasty New Form of Spam: CNN News Alerts
The subject line reads "Breaking news", and spammers have designed them like this because many of us humans find it hard to resist a breaking news story. This means a lot of people may open these messages before the spam filters and malware detectors are updated and the security staff get the word out to the troops.
The link inside these messages can be quite goofy, like "Titanic sinks again in 2008." But some people will fall for them. And when they click on the story link they will probably find themselves on a web site in Russia or China. They will then get a message saying that, in order to view the video of the news story, they need to download new video player software. A convenient download is provided, but the software it sends you is a Trojan that compromises your system. These messages come hot on the heels of the "Daily Top Ten" from CNN that were very convincingly crafted (including an unsubscribe link that actually appeared to work).
There are only two things that will stem the tide of this garbage:
a. Widespread improvement in the general standards of human behavior.
b. Widespread adoption of new email standards.
Sadly both a and b still appear to be a long way off.
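As an added illustration (not part of the original post), here is a small Python triage check for the pattern described above: an unrequested "Breaking news" alert whose story link points at a host unrelated to the sender and offers a "video player" download. The sample messages, sender list and heuristics are all constructed for this example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample messages (not real spam) modelled on the fake news
# alerts described above; the third one is a benign internal mail.
SAMPLE_MESSAGES = [
    """From: CNN Alerts <alerts@example-news.com>
Subject: Breaking news: Titanic sinks again in 2008
Content-Type: text/html

<a href="http://203.0.113.7/video/player_setup.exe">Watch the video</a>
""",
    """From: MSNBC Alerts <alerts@example-news.com>
Subject: Breaking news: Study reveals bass players 'every bit as dull as golfers'
Content-Type: text/html

<a href="http://news.example-cdn.net/story/4421">Read more</a>
""",
    """From: HR <hr@example-corp.com>
Subject: Quarterly benefits enrollment
Content-Type: text/html

<a href="https://intranet.example-corp.com/benefits">Enroll here</a>
""",
]

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
# Hypothetical: news brands whose alerts nobody at this site signed up for.
UNREQUESTED_NEWS_SENDERS = ("cnn", "msnbc")

def registrable_domain(host):
    """Crude reduction of a hostname to its last two labels; bare IPs pass through."""
    labels = host.lower().split(".")
    if all(label.isdigit() for label in labels):
        return host  # a raw IP address in a "news" link is itself a red flag
    return ".".join(labels[-2:])

def suspicious_reasons(raw):
    """Return the heuristics a message trips; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    subject, sender = msg.get("Subject", ""), msg.get("From", "")
    sender_domain = registrable_domain(sender.split("@")[-1].rstrip(">"))
    reasons = []
    if "breaking news" in subject.lower() and any(n in sender.lower() for n in UNREQUESTED_NEWS_SENDERS):
        reasons.append("unrequested breaking-news alert")
    for url in HREF_RE.findall(msg.get_payload()):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != sender_domain:
            reasons.append(f"link host {host} does not match sender domain {sender_domain}")
        if url.lower().endswith(".exe") or "player" in url.lower():
            reasons.append(f"link offers a download/player: {url}")
    return reasons
```

Run `suspicious_reasons` over each entry in `SAMPLE_MESSAGES` to see the two fake alerts flagged and the internal mail pass; in practice the same checks would sit in a mail-gateway or SIEM rule rather than a script.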
Monday, August 04, 2008
Laptops in Peril at the Airport
I've worked with Larry Ponemon in the past and he does a pretty mean survey. So if he says 3,800 computers go missing each week from Europe's 24 busiest airports, I'm inclined to believe that's the case. An even more shocking finding is that more than half of these laptops are never retrieved. People traveling with their laptops should take note.
One of the first things I do when I get a new laptop is tape my business card to the bottom of it (taking care not to block any ventilation ports).