Email insight: How to keep your email address as secure as possible

There’s been a rise recently in whole databases of email addresses being breached, stolen and blatantly posted on the web. Sometimes it was a specific hack to harvest addresses from ESPs, because the hackers (spammers?) know they have good addresses. But sometimes it was a hack to expose severely weak systems, as in Sony’s recent breaches.

Regardless of the type or purpose of the hack, you as a consumer and email subscriber are most of the time left out in the cold. Your carefully protected email address is now in the eager hands of numerous spammers, or maybe even worse, identity thieves. Instead of receiving a boatload of spam, your email address could get hacked (read Yahoo Mail, Hotmail become new targets for hackers) and people could take over your online accounts. Let’s see…

PayPal, eBay, your online banking account, all your forum accounts, travel websites, shopping sites, gaming accounts like Steam or GameSpy, creative accounts like YouTube, Soundcloud or Audiotool… I don’t think I need to go on. Troy Hunt has done some tests on the plain text files (sigh) taken from the SonyPictures servers in a recent breach: see his report here.

One pass to rule them all?

Some of his most important findings are that passwords are reused across networks, and that they are in general quite simple, contrary to the common preaching of security experts to keep passwords unique and difficult and to use special characters. The only secure password is the one you can’t remember, also by Troy Hunt, tells the story of the burden of many passwords and of securing them for real with the 1Password app. I’m not too sure a very complex master password will help, but at least it’s better than 123456 or jesus, right?

What can you do for damage control when you have found out your email account may have been breached or your email address stolen? There are some options, and further on I will describe some ways to prevent your email account from being exposed or hacked.

If stolen then…

Some simple but effective things to do are:

  • Change the password of all affected accounts (if you can still log in)
  • Consult with your (web) mail providers on account access: they will have a secondary address or your cellphone number to get your account back to you
  • Warn others who are in your address book to not open or click any ‘weird’ emails seeming to come from your account

To help prevent email addresses being stolen or compromised

  • Change your password regularly, at least once a month
  • Do not click on any links in weird or malicious emails, even if they seem to come from friends
  • Only sign up for the services you really want and/or need, not just anything
  • Use a difficult password, no cheating! Use uppercase and non-alphanumeric characters

These tips are by no means final or complete: just a reminder of some of the things you can do when it all goes wrong, or to prevent it from doing so. All the breaches so far have been truly dreadful, but regardless of who is responsible in the end, you as the actual owner of an email address have a responsibility too: to not let a hacker or spammer get hold of it too easily. Now go forth and secure your email address! This post might see a follow-up in the near future when I have more tips on this subject.

A final tip on passwords: there’s a quite good password tester over at http://www.passwordmeter.com: it should give you the option to make and test a very strong password, to avoid the embarrassing event that someone accesses your account with hi-mom or microsoft…
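As an added illustration of the two points above (Troy Hunt’s findings on reuse and simplicity, and the password tips), here is a small Python script that is not part of this post or of Troy Hunt’s report. It runs the same kind of analysis over a handful of constructed breach records: for each address it checks whether the identical password turns up on more than one site, and it checks each password against simple rules (a minimum length of 10 characters, at least one uppercase and one non-alphanumeric character, and not built on a well-known common password). The site names, email addresses, passwords, the common-password list and the length threshold are all invented for the example.

```python
import re
from collections import Counter

# Constructed sample breach records: (site, email, plaintext password).
# Invented for this example; nothing here comes from a real leak.
RECORDS = [
    ("site-a", "alice@example.com", "123456"),
    ("site-a", "bob@example.com", "jesus"),
    ("site-a", "carol@example.com", "Tr0ub4dor&3"),
    ("site-a", "dave@example.com", "hi-mom"),
    ("site-b", "alice@example.com", "123456"),                  # same password on both sites
    ("site-b", "bob@example.com", "Jesus2011!"),                # changed, but built on a common word
    ("site-b", "carol@example.com", "Correct-Horse-Battery-Staple"),
    ("site-b", "dave@example.com", "hi-mom"),                   # same password on both sites
    ("site-b", "erin@example.com", "microsoft"),
]

# Constructed short list of passwords that show up far too often in breach dumps.
COMMON_PASSWORDS = {"123456", "password", "jesus", "microsoft", "hi-mom", "qwerty"}


def password_weaknesses(password: str, min_length: int = 10) -> list:
    """Return the rules a password fails (an empty list means it passes).

    The rules follow the advice in the post: long enough, mixed case,
    at least one non-alphanumeric character, and not based on a
    well-known common password. The threshold of 10 is an assumption.
    """
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no non-alphanumeric character")
    lowered = password.lower()
    if any(common in lowered for common in COMMON_PASSWORDS):
        problems.append("based on a common password")
    return problems


def reuse_across_sites(records):
    """Find addresses that use the identical password on more than one site.

    Returns (reused, multi_site): reused maps each offending email to the
    sorted list of sites it appears on; multi_site lists every email that
    appears on two or more sites, reused or not.
    """
    by_email = {}
    for site, email, password in records:
        by_email.setdefault(email, {})[site] = password
    reused = {}
    for email, per_site in by_email.items():
        if len(per_site) < 2:
            continue
        counts = Counter(per_site.values())
        if any(n > 1 for n in counts.values()):
            reused[email] = sorted(per_site)
    multi_site = [email for email, sites in by_email.items() if len(sites) > 1]
    return reused, multi_site


def breach_summary(records):
    """Aggregate the reuse and complexity checks over a set of records."""
    reused, multi_site = reuse_across_sites(records)
    weak = [(email, site) for site, email, pw in records if password_weaknesses(pw)]
    return {
        "total_records": len(records),
        "weak_records": len(weak),
        "accounts_on_multiple_sites": len(multi_site),
        "accounts_reusing_password": len(reused),
        "reuse_rate": len(reused) / len(multi_site) if multi_site else 0.0,
    }


if __name__ == "__main__":
    for key, value in breach_summary(RECORDS).items():
        print(f"{key}: {value}")
    for site, email, pw in RECORDS:
        print(site, email, password_weaknesses(pw) or "ok")
```

On the constructed data, half of the addresses present on both sites reuse the exact same password, and seven of the nine records fail at least one rule, which is the shape of result the report above describes. The substring rule is what catches “Jesus2011!”: adding a year and a symbol to a common word does not make it a new password.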


Newsflash: Epsilon email data breach – millions of email addresses stolen

Email service provider Epsilon has been hit by a hacking attempt which affected many top-level companies including Citi, Disney Destinations, Best Buy and Target. The press release posted on Epsilon’s website last Friday states that just 2 percent of total clients were hit, and only email addresses and/or customer names were obtained. As Epsilon has more than 2500 clients and sends out more than 40 billion emails a year, even 2 percent amounts to 50 companies being hit.

The full list of companies hit so far:

AbeBooks
AIR MILES Reward Program (Canada)
Ameriprise
Barclays Bank of Delaware ( Barclay’s L.L. Bean Visa card)
Beachbody
bebe
Best Buy
Best Buy Canada Reward Zone
Benefit Cosmetics
Brookstone
Capital One
Citi
City Market
College Board
Dillons
Disney Destinations
Eileen Fisher
Ethan Allen
Food 4 Less
Fred Meyer
Fry’s
Hilton Honors
Home Shopping Network (HSN)
Jay C
JPMorgan Chase
King Soopers
Kroger
Lacoste (via TG Daily)
Marriott Rewards
McKinsey Quarterly
New York & Company
QFC
Ralphs
Red Roof Inn
Ritz-Carlton Rewards
Robert Half International
Smith Brands
Target (via KrebsonSecurity.com)
TD Ameritrade
TiVo
US Bank
Visa (Barclays Bank of Delaware/L.L. Bean Visa, BJ’s Visa)
Walgreens

Oddly enough Benefit Cosmetics is a former client, according to databreaches.net: they raise the question as to why the Benefit Cosmetics data was still on the Epsilon servers at the time of the data breach.

Some email marketers’ responses to the event:

More resources, responses and info on the Epsilon data breach can be found here:

Securityweek: Massive Breach at Epsilon Compromises Customer Lists of Major Brands
Mashable: Epsilon hacked
Spamtacular: It’s the Fukashima of email marketing! Or, not.
Joeism Blog (Joe Colopy of Bronto): Email service providers are the new banks
Best Buy: Statement: Best Buy E-mail Vendor Epsilon Reports That Some Best Buy Customer E-mail Addresses Were Accessed

Update 9:45 CET

I have received a notification email from Target mentioning the attack. The email:

Charlotte Observer demands city email subscriber list

Last week David Hobby from Strobist (an excellent photographer lighting resource, by the way) noted that the Charlotte Observer had demanded that the city of Charlotte hand over its email subscriber list. According to the local law, the North Carolina Public Records law, the city must provide this information. Quoting the article:

Apparently, the Charlotte Observer is using N.C. Public Records law to gain access to subscribers of the city’s email alerts. But this isn’t for an article or an investigative piece: The person at the Observer who is seeking the email addresses has the title of “Director of Strategic Products and Audience Development,” hardly a journalist-like job title.

The request has been met with quite some resistance, which is definitely understandable: one of the local County Commissioners noted that they would not comply with the request and furthermore would do their utmost to keep the Charlotte Observer from getting any other information from the city. The request was made by the newspaper’s director of strategic products and audience development. It seems that this person is looking at and using the law in the wrong way: this is not the way to collect email addresses for marketing, surely.

More coverage on this topic can be found here and here.

Pingdom posts email spam stats insight

The people over at Pingdom have posted some insight into email spam statistics: this includes an overview of spam facts, originating geolocations of spam and the size of botnets.

Some of the stats posted include the fact that the majority of spam is in English (90%), two thirds is pharmaceutical spam and spam from webmail services makes up only 0.7%. Furthermore, newsletter spam is increasing too: that type of unsolicited mail is now the second-largest category of unwanted mail.

From the botnet locations and activity below we can conclude that some of the major sources of spam from botnets are east-coast USA, Europe and India:

See the full article on Pingdom here.

Canadian anti-spam bill C-28 passes into law

On the 15th of December the Canadian Fighting Internet and Wireless Spam Act (FISA), Bill C-28, was passed as law by the Federal Parliament and has received Royal Assent. This means that Canada finally has an actual and up-to-date spam law, which is quite strict too (that’s a good thing). The main purpose is to cut down the amount of spam people receive: the way to achieve this is by creating a comprehensive regulatory regime of offences, enforcement mechanisms, and severe penalties.

The basics involved in the new law are as follows:

- It is prohibited to send, or cause or permit to be sent, to an electronic address a commercial electronic message unless the person to whom the message is sent has consented to receiving it, whether the consent is express or implied.

- Address harvesting and dictionary attacks to gather email addresses are completely forbidden.

- The sender must be identified, and contact information must be included.

- Unsubscribing should be simple, and an unsubscribe request must be completely processed within 10 days.

Anti-phishing and anti-malware provisions are also included in the law:

Anti-Phishing

FISA contains an anti-phishing provision that would prohibit a person, in the course of commercial activity, from altering the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to the destination specified by the sender, without the sender’s express consent. The consent must be informed, and an effective and timely consent withdrawal mechanism must be provided as well.

Anti-malware

Lastly, the anti-malware provision under FISA prohibits a person, in the course of commercial activity, from installing any computer program on any other person’s computer system, or causing that computer program to send an electronic message from the computer system, without the consent of the owner or authorized user of the computer system. In most circumstances, the required consent must be express and informed, and an effective and timely consent withdrawal mechanism must also be provided. There are limited exceptions that permit implied consent to the installation of legitimate computer software. There is also a three-year transition provision that provides for implied consent to the installation of a software update or upgrade in limited circumstances.

For people familiar with the American CAN-SPAM act or the European guidelines and laws, the above should not pose any trouble when applied to current or future email marketing strategies and campaigns.

Google launches email cloud service Message Continuity

A lot of Google/GMail news in recent days: first the Priority Inbox update and now Message Continuity. It’s a corporate cloud service for companies which want to have a backup when their Microsoft Exchange goes down. The new service is powered by Postini as noted on the official Google Blog: Google acquired Postini back in 2007.

The way Message Continuity works is by replicating email accounts hosted on Microsoft Exchange servers to the cloud services of GMail, Contacts and Calendar. In the event of failure, maintenance or (scheduled) downtime, logging into GMail will suffice to continue email communications.

Next to having a backup in the cloud, making the transition to Google Apps later on will be easier for companies because the data is kept in sync between both platforms: there will be no need to migrate email, contact and calendar data.

More information can be found on the Google Enterprise Blog and at www.google.com/postini.