This popped up on my FB feed yesterday.
What say you? Do we need to create a major effort to improve online security? What challenges do you see to making it work?
Edit: After I published this, I found an article stating that 3.7 million people had their personal health information compromised in a recent attack.
Word to the Wise has joined the i2Coalition. Today they posted our introduction to their blog.
Why did we do it?
Email, and online spaces, are so important to modern life. We shop, bank, communicate, play and interact online. The internet has facilitated everything from political revolution to coffee dates and international friendships. Steve watched the Berlin Wall fall from his college dorm room over the internet. The internet was a major factor in the organization of the Arab Spring and other political movements. And sometimes we just meet people online. BBSes, usenet, email, and social networks let us connect with each other.
With that being said, too many people see online spaces as nebulous and “not real.” But the reality is that people genuinely connect, organize, and participate in online spaces. Those spaces need to be protected so these things can continue. The internet is, in many ways, a very special and unique place that has facilitated the growth of millions of communities. Unless we protect the infrastructure, these communities will fall apart and be useless.
I had hoped to move away from security blogging this week and focus on some other issues. But today I see that both CAUCE and John Levine are reporting that there is malware spam coming from a Cheetahmail customer.
Looking at what they shared, it may be that Cheetahmail has not been compromised directly. Given mail is only coming from one /29, which belongs to one customer it is possible that only the single customer account has been compromised. If that is the case, then it’s most likely one of the Cheetahmail users at the customer got infected and their Cheetahmail credentials were stolen. The spammer then gained access to the customer’s Cheetahmail account. It’s even possible that the spammer used the compromised customer account to launch the mail. If this is the case, the spammer looked exactly like the customer, so most normal controls wouldn’t have noticed this was a spammer.
This highlights the multiple vectors these criminals are using to gain access to ESPs and the mailing systems they use. They’re not just trying to compromise the ESPs, but they’re also attempting to compromise customers and access their accounts so that the spammer can steal the ESPs hard won and hard fought sending reputation.
Everyone sending mail should be taking a long, hard look at their security. Just because you’re not an ESP doesn’t mean you aren’t a target or that you can get away with lax security. You are also a target.
One of the common things I see as a delivery consultant is that companies do their best to set effective policies about email, but make it difficult to comply with those policies. It happens all the time. It’s one of the reasons that the tweets Steve shared about Sec. Clinton’s email server rang so true to me.
One of the commenters on that post disagrees, and uses banks and health care as an example.
Erik says: