When did you check your security last?

A few years ago security and breach protection was all the topic of the day in the email space. There were some high profile break ins at ESPs and data companies and everyone was looking at their security. Companies were vocal and public about their security enhancements. Many in the email industry even used the term “advanced persistent threats.”
Security seems to have taken a back seat to Yahoo releasing user names, and Gmail introducing tabs in the inbox and all the myriad of tiny details that we feel we have some control over.
But security still should be at the forefront of our minds. Just today Adobe announced a major compromise resulting in both a customer information leak and a source code theft.
It serves as a reminder to all of us that security threats are ongoing and we cannot become complacent.

Related Posts

What blogs are you reading besides mine?

It’s been a week. A very, very long week. Which means that at 4 on a Friday I’m grasping at straws for something interesting to write about. So I do what I do when I’m out of ideas, I look through the email related blogs I’m subscribed to.
A bunch of them are still active, but there’s a good dozen or so that haven’t been updated in months. I realize I’m getting most of my current news from Twitter (or, Facebook) not from my actual RSS feeds.
So what email / marketing / delivery / internet security related blogs are people reading these days? What should I add to my list to keep up to date on the pulse of the email industry?
EDIT: apparently the Akismet filter I use went berserk with the multiple links in comments. I think I’ve pulled everything they caught incorrectly. If you tried to post and it’s not showing, drop me an email at the obvious place.

Read More

Post-mortem on the Spamhaus DOS

There’s been a ton of press over the last week on the denial of service attack on Spamhaus. A lot of it has been overly excited and exaggerated, probably in an effort to generate clicks and ad revenue at the relevant websites. But we’re starting to see the security and network experts talk about the attack, it’s effects and what it tells us about future attacks.
I posted an analysis from the ISC yesterday. They had some useful information about the attack and about what everyone should be doing to stop from contributing to future attacks (close your open DNS resolver). The nice thing about this article is that it looked at the attack from the point of view of network health and security.
Today another article was published in TechWeekEurope that said many of the same things that the ISC article did about the size and impact of the attacks.
What’s the takeaway from this?

Read More

Get a helmet

There’s been a lot of interesting reaction to Steve’s security post yesterday. A lot of people seem upset that we have pointed out one of the ways that ESPs may be getting compromised. Complaints range from the message being overly simplistic, through to complaints that we just don’t understand how much of an issue security is, through to complaints that we’re not pointing out that some ESPs actually are secure. Some people have even provided counter examples of how simple it is to compromise any company, so why are we picking on ESPs.
Security is a problem any company faces. Some industries are bigger targets than others, and ESPs have really jumped up the target list. ESPs are getting lists stolen. ESPs are getting reputations stolen.
There’s one ESP I know for a fact that has lost multiple customer lists 3 times. Three companies I get email from are hosted there. When all three of those tagged addresses started getting spam, the only logical assumption was that the ESP was compromised. Again. Those are companies I want to hear from, though, and I changed addresses on their sites after every breach. What’s distressing, though, is the total lack of response from either the customer or the ESP to my notices about the breaches.  To be fair, the problem seems to have stopped more recently.
Silence and refusal to address an issue is a big problem. An address I gave a company on the Only Influencers list was stolen (I’m not going to say leaked because I actually trust them to not have violated their privacy policy) sometime back in early 2011. I didn’t notice right away because my spam filters were catching the mail, but eventually the spammers managed to get one into my inbox. When I saw it, I started checking and realized that address had been compromised a long time ago. I notified the company, with as much history of the address as I could. I ended my message with:

Read More