Unfortunately, using a disposable or temporary email address doesn’t help when you’re already being spammed in volume. Before I took some corrective measures and blacklisted some domains and addresses, I was getting upwards of 100 pieces of spam every day. My mail provider’s spam filtering was somewhat effective, but some spam still got through while there were quite a few false-positives. I quickly realized that wasn’t the solution.

As an avid listener of the podcast “Security Now!,” I have heard Leo Laporte speak very highly of MailRoute.net. I decided to give it a try and signed up for their 15-day free trial last week. As required by the service, I changed my MX record to point to mailroute.net’s servers. I then turned off my host’s spam filtering. Within minutes, the spam started trailing off and there were no false positives. I’m definitely going to spring for the yearly subscription when the trial ends.

Just today, I noticed one false positive–an email from a client’s backup software–but that was easy to fix. I just selected the message and told MailRoute to “Recover and whitelist sender.” The message appeared in my mailbox instantly.

Check it out.

This appears to be a warning of some sort, though it really makes little sense. The link points to a Slovenian domain name and if the victim clicks the link, they are taken to a 404 error page that attempts to download a PDF file, undoubtedly infected with an info-stealer of some sort.

The header is real, linked from the actual federalreserve.gov website which is intended to make the victim believe the email is real, which, of course, it is not. Examination of the headers shows a Return-Path to a Gmail address.

Please inform your family and friends to immediately delete this email should they receive it.

Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.

Just delete it upon receipt.

“Most of us are used to entrusting our information to a password, but we know that some of you are looking for something stronger,” Shah blogged. “…2-step verification … makes your Google Account significantly more secure by helping to verify that you’re the real owner of your account.

“2-step verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code obtained using your phone.”

As I write this, the feature is still not available on my accounts, but it should be there shortly.

I hope that Google’s lead will bring a sea change in how all SaaS providers view security.

For the full story, here is the blog post:Advanced sign-in security for your Google account.

During an on-site call on Friday, the office manager approached me and said she had discovered that some of the staff were using extremely insecure passwords, things like their initials and birthdate, and at least two cases of “password.” She asked me what to do. I told her order everyone to immediately create secure passwords with a minimum length of 8 characters and have at least three of the following: upper case letters, lower case letters, numerals and special characters. (Note: this is a law office, so users are not allowed to change passwords on their own. The owners of the firm keep a secure list of everyone’s passwords so they always have access to employees’ hard drives.)

When I checked my email yesterday morning, I found a message with a spreadsheet attached. Yes, it was the list of passwords for me to change on the server; every password conformed to the standard. So, it looks like there will be no more insecure passwords at that firm. I consider that real progress

Now, maybe I can get them to understand and use email encryption so they won’t be sending me passwords in clear text.

Date: Wed, 1 Dec 2010 03:34:23 -0500
Subject:  Thhis___Recessionn__is_Faar__Fromm_Oveer___-___Leaarn__Howw_tto_GGet___IIRS___
Taax___Deebt___RRelief__WWhile_You___Stilll__Can!!

Dear [delted],

Hirinng___Formerr_IIRS_Agentts__too___Solvee___TTax_Debtt__PProblems__-___G
Good__OOr_Bad??___Relieff__IRRS_OOff_Your_Bacck_SStress!

http://lixxxx.com/yO27av

Thanks,

Ronald Sloan

{%RND***********^^^^^^^^     **********^^^^^^^^^^%}

This is an even goofier tactic than the one some marketers use to attempt to fool the filters (FR’EE, m0n’ey, and other silliness).

Would anyone fall for such a message? It should be obvious (if they even see it in the inbox) that it’s spam. Nevertheless, maybe a few of these will get through and if experience tells me anything, a few clueless souls will click.

Dear Valued Customer,

We recently became aware of unauthorized access to an email list of customers who receive special offers and newsletters from us. As a result, it is possible you may have received some spam email messages asking you to go to another site and enter personal data. We are sorry this has taken place and for any inconvenience to you.

We want to assure you that the only information that was obtained was your email address. Your prescription information, account and any other personally identifiable information were not at risk because such data is not contained in the email system, and no access was gained to Walgreens consumer data systems.

As a company, we absolutely believe that all customer relationships must be built on trust. That is why we believe it is important to inform you of this incident. Online security experts have reported an increase in attacks on email systems, and therefore we have voluntarily contacted the appropriate authorities and are working with them regarding this incident.

We encourage you to continue to be aware of increasingly common email scams that may use your email address to contact you and ask for personal or sensitive information. Always be cautious when opening links or attachments from unsolicited third parties. Also know that Walgreens will not send you emails asking for your credit card number, social security number or other personally identifiable information. So if ever asked for this information, you can be confident it is not from Walgreens.

If you have any questions regarding this issue, please contact us at 1-888-980-0963. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,

Walgreens Customer Service Team

I am happy to report that I haven’t seen any spam that I can identify as being related to the breach.

If you are a Walgreens customer, be sure to use caution and don’t blindly assume that a message you receive from them, especially if it asks for personal information, is valid. Here are several tips from US-CERT you should put into practice for ALL of your emails:

• Filter spam
• Don’t trust unsolicited email
• Treat email attachments with caution
• Don’t click links in email messages
• Install antivirus software and keep it up to date
• Install a personal firewall and keep it up to date
• Configure your email client for security

Be careful out there!

Start-to-finish SSL encryption is a very good thing when it works. And it usually does. Google has offered always-on encryption for more than two years on the GMail platform. Now Microsoft’s Hotmail features the same thing, almost. Here’s what I got when I tried to set it up (emphasis added):

Connect with HTTPS

• Account Connect with HTTPS

Using HTTPS will help keep your account secure from hackers-especially if you commonly use public computers or unsecure wireless connections.

Important note: Turning on HTTPS will work for Hotmail over the web, but it will cause errors if you try to access Hotmail through programs like:

• Outlook Hotmail Connector
• Windows Live Mail
• The Windows Live application for Windows Mobile and Nokia

If you only need a temporary HTTPS connection, enter “https” in front of the web address instead of “http”.

The page then gives you the option to use HTTPS automatically or manually, citing the important note above. I don’t use Outlook or Windows Live Mail, so I opted for automatic.

I’m sure they’ll get this resolved as they are aware of the issues according to this blog post. Here’s an excerpt:

To enable HTTPS for your Hotmail inbox, calendar, and contacts, go to https://account.live.com/ManageSSL. Once you enable this feature, all of your future connections to Hotmail will be delivered over SSL.

Some connections to Hotmail won’t be available if you turn on HTTPS, including:

• Outlook Hotmail Connector
• Windows Live Mail
• The Windows Live application for Windows Mobile (version 6.5 and earlier) and Symbian

We’re constantly working to continue providing great security for our customers, so stay tuned.

Still, watered down or not, it’s much more secure than it was.

I Don't Think So!

“A 15-year-old Californian caught with a stolen scooter while high on drugs has been banned from using encryption – despite the lack of any computer crime element to his alleged offences. In fact, there was actually no computer involved in the commission of the crime at all.” So begins this article in The Register.

What idiocy–or paranoia–is this? It never ceases to amaze me that otherwise educated people, like lawyers and judges, can be so stupid when it comes to technology. Encryption has nothing to do with the theft of a piece of physical property by any stretch of the imagination. Sure, if the kid was stealing money out of bank accounts or hacking debit card machines or something like that, it would make sense. But this crime had nothing to do with computers and banning him from using encryption isn’t going to prevent him from committing a similar crime in the future.

At first, the kid was completely banned from using a computer except for doing schoolwork. That meant no social networking, Facebook, etc. Here’s an excerpt from the ruling:

[J.J.] shall not use a computer that contains any encryption, hacking, cracking, scanning, keystroke monitoring, security testing, steganography, Trojan or virus software.

[J.J.] is prohibited from participating in chat rooms, using instant messaging such as ICQ, MySpace, Facebook, or other similar communication programs.

[J.J.] shall not have a MySpace page, a Facebook page, or any other similar page and shall delete any existing page. [J.J.] shall not use MySpace, Facebook, or any similar program.

[J.J.] is not to use a computer for any purpose other than school related assignments. [J.J.] is to be supervised when using a computer in the common area of [his] residence or in a school setting.

What? Did the judge think that he was going to contact his scooter chop shop crime syndicate co-conspirators? Fortunately, some reason prevailed and an appellate judge lifted most of these restrictions as being in violation of First Amendment rights:

Through the use of chat rooms, any person with a phone line can become a town crier with a voice that resonates farther than it could from any soapbox. Through the use of Web pages, mail exploders, and newsgroups, the same individual can become a pamphleteer. . . . Two hundred years after the framers ratified the Constitution, the Net has taught us what the First Amendment means.

Score a point for that judge. However, the restriction not to use “encryption, hacking, cracking, scanning, keystroke monitoring, security testing, steganography, Trojan or virus software” wasn’t completely lifted and was only modified to prohibit him from “knowingly” using a computer with these things.

That someone can be so completely clueless about technology as to rob someone of their ability to use their Gmail account (it uses SSL) or to even log into Yahoo! mail or Hotmail (both use SSL during login) is disturbing. The appellate judge, regardless of the position he took above, still doesn’t have a clue as to what the First Amendment really means: He has completely taken away J.J.’s ability to communicate via those particular webmail accounts. Moreover, he has forced J.J. to be totally insecure with any login to any account he may have on any server that requires SSL.

That’s not acceptable.

"Here You Have" Worm | Source: Securelist.com

Yet another email worm has been circulating via email with the subject line “Here You Have”–an obvious misunderstanding of the English idiom “here you go” on the part of a non-native English speaking cracker. Another subject line being used is “Just For You.” Besides the text shown above, this also appears in some messages: “This is The Free Dowload Sex Movies,you can find it Here.
http://www.sharemovies.com/library/SEX21.025542010.wmv”

Here is what McAfee says about it:

When a user chooses to manually follow the hyperlink, they will be prompted to download or execute the virus.  When run, the virus installs itself to the Windows directory as CSRSS.EXE (not to be confused with the valid CSRSS.EXE file within the Windows System directory).   Once infected the worm attempts to send the aforementioned message to email address book recipients.  It can also spread through accessible remote machines, mapped drives, and removable media via Autorun replication.

The good news is that the site hosting the malware has been taken down, effectively killing the worm. However, infected machines will still be spewing the emails, so need to be cleaned. If you suspect you or a client or family member is infected, run a malware scan on the system.