Security framework document published

The Online Trust Alliance has published a security framework for ESPs.
Overall, I think it’s a useful starting point. I don’t agree with all of their suggestions. Some of them are expensive and provide little increase in security. While others decrease security, like the suggestion to force regular password changes.
I think the most important part of the document is the question section. The key to effective security measures is understanding threats. Answering the self assessment questions and thinking about internal processes will help identify potential threats and their vectors.
The document is not a panacea, and even companies that implement all of their recommendations will still be open to attacks from other avenues. But it certainly is a very good way to open the security discussion.

Related Posts

Protecting customer data

There have been a number of reports recently about customer lists leaking out through ESPs. In one case, the ESP attributed the leak to an outside hack. In other cases, the ESPs and companies involved have kept the information very quiet and not told anyone that data was leaked. People do notice, though, when they use single use addresses or tagged addresses and know to whom each address was submitted. Data security is not something that can be glossed over and ignored.
Most of the cases I am aware of have actually been inside jobs. Data has been stolen either by employees or by subcontractors that had access to it and then sold to spammers. There are steps that companies can take to prevent leaks and identify the source when or if they do happen.

Read More

Epsilon – Keep Calm and Carry On

There’s been a lot of media coverage and online discussion about the Epsilon data breach, and how it should be a big wake-up call to email recipients to change their behavior.
There’s also been a lot of panic and finger-pointing within the email industry about What Must Be Done In The Future. Most of the “you must do X in response to the data loss” suggestions are coming from the same people and groups who’ve been saying “you must do X” for years, and are just trying to grab the coattails of the publicity about this particular incident, though.
Not many people seem to be talking honestly about what this will really mean to an individual recipient whose email address Epsilon lost, though. I’m going to try to answer some questions I’ve seen asked realistically, rather than with an eye to forwarding an agenda.
1. Who are Epsilon?
Epsilon are an Email Service Provider, or ESP. That means that they handle sending email on behalf of other companies. If you’re on a company’s mailing list – you’re getting regular newsletters or special offers or any sort of email advertising – the odds are very good that the company isn’t sending you that email themselves. Instead they’re probably contracting with one of hundreds of ESPs to send the email for them. This is a good thing, as sending email to a lot of people “properly” such that it’s delivered to them in a timely fashion, it’s sent only to people who want it and so on is quite difficult to do well and any ESP you choose is likely to be better at it than a typical company trying to start sending that bulk mail themselves.
2. What happened at Epsilon?
The what is pretty simple – somebody stole a list of names and email addresses of people who were being sent email via Epsilon. Nobody outside of Epsilon and law enforcement really know the details of how it was done, though lots of people are speculating about it.
3. Is this identity theft? Do I need to check my credit rating and so on?
No, it’s not something that’s going to lead to identity theft. All that was stolen was your name, your email address and some of the companies who send you email. Your postal address, credit card numbers, social security numbers and so on aren’t at risk, even if you’ve given those to the companies who are sending you email. The only information those companies passed to Epsilon were your name and email address, nothing more, so that’s all that was stolen.
4. Is this common?
Yes, it happens all the time. I use tagged email addresses when I give them to a company, and I’ve done so fairly consistently for the better part of two decades. That lets me track when email addresses are leaked, by who and to whom. Email addresses you give to a company leak to spammers all the time. That’s true for huge companies, tiny one-woman companies, tech-savvy companies, everyone.
5. How do email addresses leak from companies to spammers?
There are a lot of ways

Read More

Security, security, security

James Hoddinott posts, over on the Cloudmark blog, about another arrest associated with hackers infecting machines with a trojan that steals personal information.
There are so many security risks out there, and these messages have been hammered home recently. Home users are at risk from trojans, some spread by spam and some spread by advertising networks. Corporate users are at risk from all of those, but also from spear phishers who set out to infiltrate their business.
We all need to think hard about security. Not just keeping our Windows machines patched, but also thinking about what information we’re sharing and what passwords we’re using and all of the many things that create security.
We’re making some improvements to our security here. What are you doing at home and at work to keep your information, and your customer’s information, secure?

Read More