Browsers, security and paranoia

MAAWG is coming up and lots of us are working on documents, and presentations. One of the recent discussions is what kind of security recommendations, if any, should we be making. I posted a list of things including “Don’t browse the web with a machine running Windows.”
Another participant told me he thought my recommendation to not use a windows machine to browse the web was over the top and paranoid. It may be, but drive by malware attacks are increasing. Visiting big sites may not be enough to protect you, as hackers are compromising sites and installing malware to infect visitors to those sites. Some ad networks have also been used to spread malware.
Criminals have even figured out how to install malware on a machine from email, without the recipient having to click or open attachments.
Avoiding the internet from a machine running Windows is a security recommendation I don’t expect many people to follow, but I do not think security and anti-virus software is enough to protect people from all of the exploits out there.
Of course, there are a lot of reasons that one might be forced to use a particular browser or operating system. For instance, I was on the phone with my bank just today to ask if they supported Safari. They say they do, but there are some things that just don’t work. The customer service rep said that they recommend Internet Explorer to all their users. She then suggested I switch browsers. No thanks, I’ll deal with the broken website.
Compromises are a major threat, and criminals are spending a lot of time and money on creating ways to get past current security. No longer is “not clicking on malware” enough to protect users. When a security clearinghouse is compromised and used as a vector for a targeted attack against Google, none of us are safe. When a security company is compromised, none of us are safe.
I realize my recommendation to avoid browsing the web on a Windows based machine is more wishful thinking than practical. I also know that other browsers and operating systems will be targeted if enough people move away from currently vulnerable operating systems. And I know that a simple, offhand suggestion won’t fix the problem.
As someone who’s been online long enough to see the original Green Card spam I know that online dangers evolve. But I can’t help thinking that most of us aren’t taking the current threats seriously enough.

Rancid Slime and Email Marketing
I know your customers' passwords

Related Posts

Spamming ESPs: the followup

Campaign Monitor contacted me about yesterday’s post. The phrasing I picked out of the spammers AUP matched their AUP quite closely. In fact, if you plug the AUP into Google, Campaign Monitor comes up as one of the first hits.
It was not Campaign Monitor I was talking about. In fact, the ESP I received the mail from is not on the first 8 pages of Google hits for the phrases I posted.
A similar thing happened when I posted about Dell spamming me. Dell has multiple ESPs, and one of their ESPs contacted me directly in case they were the ones Dell was spamming through. It was no surprise to me that they weren’t the ESP involved.
This is what good ESPs do. Good ESPs monitor their reputation and monitor what people are saying about them. Good ESPs notice when people claim they’re being spammed and effectively reach out to the complainers so they can investigate the claim.
Good ESPs don’t just rely on the complaint numbers to take action. They keep an eye out on social networks to see who might be receiving mail they never asked for.

Read More

Another security problem

I had hoped to move away from security blogging this week and focus on some other issues. But today I see that both CAUCE and John Levine are reporting that there is malware spam coming from a Cheetahmail customer.
Looking at what they shared, it may be that Cheetahmail has not been compromised directly. Given mail is only coming from one /29, which belongs to one customer it is possible that only the single customer account has been compromised. If that is the case, then it’s most likely one of the Cheetahmail users at the customer got infected and their Cheetahmail credentials were stolen. The spammer then gained access to the customer’s Cheetahmail account.  It’s even possible that the spammer used the compromised customer account to launch the mail. If this is the case, the spammer looked exactly like the customer, so most normal controls wouldn’t have noticed this was a spammer.
This highlights the multiple vectors these criminals are using to gain access to ESPs and the mailing systems they use. They’re not just trying to compromise the ESPs, but they’re also attempting to compromise customers and access their accounts so that the spammer can steal the ESPs hard won and hard fought sending reputation.
Everyone sending mail should be taking a long, hard look at their security. Just because you’re not an ESP doesn’t mean you aren’t a target or that you can get away with lax security. You are also a target.

Read More

What blogs are you reading besides mine?

It’s been a week. A very, very long week. Which means that at 4 on a Friday I’m grasping at straws for something interesting to write about. So I do what I do when I’m out of ideas, I look through the email related blogs I’m subscribed to.
A bunch of them are still active, but there’s a good dozen or so that haven’t been updated in months. I realize I’m getting most of my current news from Twitter (or, Facebook) not from my actual RSS feeds.
So what email / marketing / delivery / internet security related blogs are people reading these days? What should I add to my list to keep up to date on the pulse of the email industry?
EDIT: apparently the Akismet filter I use went berserk with the multiple links in comments. I think I’ve pulled everything they caught incorrectly. If you tried to post and it’s not showing, drop me an email at the obvious place.

Read More