Email insight: How to keep your email address as secure as possible

Recently there has been a rise in whole databases of email addresses being breached, stolen and openly posted on the web. Sometimes the attack specifically targets ESPs (email service providers) to harvest addresses, because the attackers (spammers?) know those are good, verified addresses. Sometimes it is a hack meant to expose severely weak systems, as in Sony’s recent breaches.

Regardless of the type or purpose of the attack, you as a consumer and email subscriber are most of the time left out in the cold. Your carefully protected email address is now in the eager hands of numerous spammers or, maybe even worse, identity thieves. And it can get worse than a boatload of spam: your email account itself could be taken over (read Yahoo Mail, Hotmail become new targets for hackers), and with it every online account that uses that address for password resets. Let’s see…

PayPal, eBay, your online banking account, all your forum accounts, travel websites, shopping sites, gaming accounts like Steam or GameSpy, creative accounts like YouTube, SoundCloud or Audiotool… I don’t think I need to go on. Troy Hunt has analysed the plain-text password files (sigh) taken from the Sony Pictures servers in a recent breach: see his report here.

One pass to rule them all?

His most important findings are that passwords are reused across services and that they are generally quite simple, contrary to the standard advice from security experts to keep passwords unique and difficult and to use special characters. The only secure password is the one you can’t remember, also by Troy Hunt, describes the burden of keeping many passwords and securing them for real with the 1Password app. I’m not too sure a very complex master password will help, but at least it’s better than 123456 or jesus, right?
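The kind of analysis described above, reuse across sites and the prevalence of trivially weak passwords, can be reproduced on any dump you are authorised to look at. The script below is an added example written for this post; it is not Troy Hunt’s code, and the dump it parses is a constructed sample in an assumed "site,email,password" layout, not data from Sony or any other breach. The list of common passwords is likewise a short constructed stand-in for a real wordlist.

```python
"""Breach-dump triage: measure password reuse across sites and flag weak
passwords.  All data below is constructed for the example; it is not from
any real breach.
"""
from collections import Counter, defaultdict

# Constructed sample dump in an assumed "site,email,password" layout.
SAMPLE_DUMP = """\
sony,alice@example.com,123456
sony,bob@example.com,Tr0ub4dor&3
sony,carol@example.com,jesus
gawker,Alice@example.com,123456
gawker,bob@example.com,Tr0ub4dor&3
gawker,dave@example.com,password
gawker,carol@example.com,jesus1
"""

# Short constructed stand-in for a real common-password wordlist (assumption).
COMMON_PASSWORDS = {"123456", "password", "jesus", "qwerty", "abc123", "letmein"}


def parse_dump(text):
    """Parse 'site,email,password' lines into (site, email, password) tuples.

    Emails are lower-cased so the same account matches across sites; only the
    first two commas split, so a password containing commas stays intact.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        site, email, password = line.split(",", 2)
        records.append((site.strip(), email.strip().lower(), password))
    return records


def reuse_report(records):
    """Among accounts seen on more than one site, count those that used the
    identical password everywhere (the cross-site reuse measurement)."""
    by_email = defaultdict(dict)          # email -> {site: password}
    for site, email, password in records:
        by_email[email][site] = password
    multi = {e: sites for e, sites in by_email.items() if len(sites) > 1}
    reusers = sorted(e for e, sites in multi.items() if len(set(sites.values())) == 1)
    return {
        "accounts_on_multiple_sites": len(multi),
        "reusing_same_password": len(reusers),
        "reusers": reusers,
    }


def password_weaknesses(password, common=COMMON_PASSWORDS, min_len=8):
    """Return a list of reasons a password is weak; an empty list means none found."""
    problems = []
    if password.lower() in common:
        problems.append("common")
    if len(password) < min_len:
        problems.append("short")
    if not any(c.isupper() for c in password):
        problems.append("no_upper")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no_symbol")
    return problems


def top_passwords(records, n=5):
    """Most frequently used passwords in the dump, with counts."""
    return Counter(password for _, _, password in records).most_common(n)


def weak_fraction(records):
    """Share of distinct passwords in the dump that have at least one weakness."""
    distinct = {password for _, _, password in records}
    weak = [p for p in distinct if password_weaknesses(p)]
    return len(weak) / len(distinct)


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print(reuse_report(recs))
    print(top_passwords(recs, 3))
    print(f"{weak_fraction(recs):.0%} of distinct passwords are weak")
    for pw in sorted({p for _, _, p in recs}):
        print(f"{pw!r:16} {password_weaknesses(pw) or 'ok'}")
```

On the constructed sample, two of the three accounts present on both sites use the identical password on each, and four of the five distinct passwords fail at least one check; the one that passes is the only one that is long, mixed-case and contains a symbol. Note that the uniqueness check is the one a strength meter cannot do for you: it needs the second site’s data.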

What can you do for damage control once you find out that your email account has (or may have) been breached, or your email address stolen? There are some options, and further on I describe some ways to prevent your email account from being exposed or hijacked in the first place.

If stolen then…

Some simple but effective things to do are:

  • Change the password of all affected accounts (if you can still log in), starting with the email account itself, since it is the reset channel for the others
  • Contact your (web) mail provider about account recovery: they will have a secondary address or your cellphone number on file to get your account back to you
  • Warn the people in your address book not to open or click any ‘weird’ emails that seem to come from your account

To help prevent email addresses being stolen or compromised

  • Change your password regularly, and immediately when a service you use reports a breach
  • Do not click on links in weird or suspicious emails, even if they seem to come from friends
  • Only sign up for the services you really want and/or need, not just anything: every extra signup is another database your address can leak from
  • Use a strong password, no cheating! Use uppercase letters and non-alphanumeric characters, and never the same password on two sites

These tips are by no means final or complete: just a reminder of some of the things you can do when it all goes wrong, or to prevent it from going wrong in the first place. All the breaches so far have been truly dreadful, but regardless of who is responsible in the end, you as the actual owner of an email address have a responsibility too: to not let a hacker or spammer get hold of it too easily. Now go forth and secure your email address! This post might see a follow-up in the near future when I have more tips on this subject.

A final tip on passwords: there is a quite good password tester at http://www.passwordmeter.com: it should help you make and test a very strong password, to avoid the embarrassing event that someone accesses your account with hi-mom or microsoft… Keep in mind that such a meter only scores length and character mix; it cannot tell you whether you already use that password somewhere else, or whether it sits in a leaked list.


Charlotte Observer demands city email subscriber list

Last week David Hobby of Strobist (an excellent photography lighting resource, by the way) noted that the Charlotte Observer had demanded that the city of Charlotte hand over its email subscriber list. Under the North Carolina Public Records law the city must provide this information. Quoting the article:

Apparently, the Charlotte Observer is using N.C. Public Records law to gain access to subscribers of the city’s email alerts. But this isn’t for an article or an investigative piece: The person at the Observer who is seeking the email addresses has the title of “Director of Strategic Products and Audience Development,” hardly a journalist-like job title.

The request has met with considerable resistance, which is understandable: one of the local County Commissioners said they would not comply with the request and would furthermore do their utmost to keep the Charlotte Observer from getting any other information from the city. The request was made by the newspaper’s director of strategic products and audience development. It seems this person is reading and using the law in the wrong way: this is surely not how to collect email addresses for marketing.

More coverage on this topic can be found here and here.

Spam volume declined in last quarter of 2010

Much to many people’s delight (have you noticed it?) the amount of spam declined quite a bit in the last months of 2010. According to Cisco’s IronPort SenderBase website, spam volume fell by no less than 209 billion messages, from 301 billion six months earlier to 92 billion in December 2010: a drop of roughly 69% over six months, leaving December’s volume at about 31% of the earlier level. Looking back over 18 months, in July 2009 spam volume was 229 billion messages, or 88.1 percent of total email volume. Last December that share dropped to 85.1 percent.

Next to Cisco, the people at Symantec also noticed the drop: they not only have the stats but also offer some possible explanations for the big difference in volume:

According to MessageLabs, there was a huge reduction in output from the Rustock botnet, which was by far the most dominant spam botnet in 2010. Since December 25, the Rustock botnet has basically disappeared as the amount of spam from it has fallen below 0.5% of worldwide spam. In addition to the decline in the Rustock botnet activity, MessageLabs also pointed out that two other major botnets disappeared off the spam map. The Lethic botnet has been quiet since December 28, and the Xarvester botnet went silent on December 31.

So apparently the shutdown of some botnets can be credited for this. Let’s hope the trend continues and more botnets are taken down: that would help get rid of spam, one of the biggest annoyances of modern life.

More resources:

Word to the wise blog: more spam graphs

eWeek: Botnet holiday spam levels drops for Christmas

Return Path hit by phishing attack

Return Path noted on their In The Know blog late last week that they have been hit by a phishing attack. The post is an update to an earlier post about the phishing attack, which Return Path expected to be aimed at other ESPs as well.

In the update Return Path puts in the following:

Since the time of our posting and into late evening yesterday we received data from our ESP partners and some clients responding to our post that make us suspect that some of our data within Return Path may have been compromised as part of this same phishing scheme.

As no other ESPs have posted anything about this event, it seems that only Return Path has been hit (so far). The blog post further notes that only a small number of addresses has been compromised:

Even though this is a small list, it is still a serious issue since many of the addresses on the list themselves have downstream access to larger email lists. As a reminder, Return Path does not warehouse large consumer mailing lists or deploy any client email campaigns directly.

If you’re an ESP and have received ‘odd’ emails at the addresses you use with Return Path services, be sure to contact them: you can email Neil Schwartzman at phishing2010@returnpath.net.

Hotmail gets more secure: full https sessions

On the Windows Live team blog it is noted that Hotmail security has been improved with optional full HTTPS sessions, so that the whole session is encrypted, not just the login. This is one of a number of security updates meant to raise the protection level of Hotmail accounts. With this update all SkyDrive, Photos, Docs and Devices pages use SSL encryption as well. You can enable HTTPS for your Hotmail account here: https://account.live.com/ManageSSL.

If HTTPS is turned on for Hotmail sessions, certain client programs will no longer work: these include the Outlook Hotmail Connector, Windows Live Mail (the successor to Outlook Express) and Windows Live for Windows Mobile / Symbian.
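Why “full HTTPS sessions” matter, and not just an encrypted login page, comes down to the session cookie: if it is set without the Secure attribute, the browser also sends it over plain HTTP, so anyone sniffing an open network can replay it. The script below is an added example for this post, not Hotmail’s code and not a capture of Hotmail’s real headers; the three HTTP responses are constructed for the example, and the Strict-Transport-Security check goes beyond what the page describes (HSTS post-dates this post) and is included as the modern way to pin a site to HTTPS.

```python
"""Check whether a web-mail response really gives a full HTTPS session.
'Optional HTTPS' is only as good as the cookies: a session cookie set without
the Secure attribute is also sent over plain HTTP, so the session can be
sniffed on an open network even though the login page used TLS.

The responses below are constructed for this example (not captured from
Hotmail or any other real service).
"""

# Constructed: served over HTTPS, but the session cookie may travel over HTTP.
WEAK_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSID=abc123; Path=/\r\n"
    "\r\n"
    "<html>inbox</html>"
)

# Constructed: the hardened variant of the same response.
HARDENED_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: SESSID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>inbox</html>"
)

# Constructed: what a plain-HTTP request to the inbox should get back.
HTTP_REDIRECT_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://mail.example.net/inbox\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP response into (status_code, [(header_name_lower, value), ...]).

    Headers are kept as a list rather than a dict because Set-Cookie may repeat.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_session_transport(raw, over_https):
    """Return a list of findings for one response.

    over_https says which scheme the request used: a plain-HTTP request should
    be redirected to https://, and an HTTPS response should carry HSTS and set
    only Secure, HttpOnly cookies.
    """
    status, headers = parse_response(raw)
    findings = []
    if not over_https:
        locations = [v for n, v in headers if n == "location"]
        redirected = (300 <= status < 400 and locations
                      and locations[0].lower().startswith("https://"))
        if not redirected:
            findings.append("plain HTTP served without redirect to HTTPS")
    elif not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header")

    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure (sent over HTTP too)")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly (readable by script)")
    return findings


if __name__ == "__main__":
    for label, raw, https in [("weak", WEAK_HTTPS_RESPONSE, True),
                              ("hardened", HARDENED_HTTPS_RESPONSE, True),
                              ("http->https redirect", HTTP_REDIRECT_RESPONSE, False)]:
        print(label, audit_session_transport(raw, https) or ["ok"])
```

The weak response gets three findings (no HSTS, cookie without Secure, cookie without HttpOnly) while the hardened one gets none; the same weak response fetched over plain HTTP adds a fourth, the missing redirect. To use it against a live site you would feed it the raw headers from a real request, but keep in mind that a passing result only covers transport: it says nothing about the client programs that, as noted above, stop working once HTTPS is enforced.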

In the comments on the Windows Live team blog post it is noted that these security updates may have been triggered by the recent news that Facebook and Twitter fail a basic security test: Hotmail got a bad grade there too (a D-), though not as bad as Facebook or Twitter (an F). The best results were achieved by Gmail and WordPress (with SSL), which scored an A.