Entries Tagged "email"

Page 10 of 12

Leaked MediaDefender E-mails

This story is poised to become a bigger deal:

Peer-to-peer (P2P) poisoning company MediaDefender suffered an embarrassing leak this weekend, when almost 700MB of internal company e-mail was distributed on the Internet via BitTorrent. The e-mails reveal many aspects of MediaDefender’s elaborate P2P disruption strategies, illuminate previously undisclosed details about the MiiVi scandal, and bring to light details regarding MediaDefender’s collaboration with the New York Attorney General’s office on a secret law enforcement project. We have been reviewing the data for days and will have multiple reports on the topic.

More info here.

And now, phone calls were leaked. Here’s a teaser—Ben Grodsky of Media Defender talking to the New York State General Attorney’s office:

Ben Grodsky: “Yeah it seems…I mean, from our telephone call yesterday it seems that uhm… we all pretty much came to the conclusion that probably was ehm… caught in the email transmission because the attacker, I guess what you call, the Swedish IP, the attacker uhm… knew the login and the IP address and port uhm… but they weren’t able to get in because we had changed the password on our end, you know, following our normal security protocols uhm… when we are making secure transactions like these on the first login we’ll change the password so, obviously, well not obviously but, it seems that, most likely scenario is that, at some point that email was ehm… intercepted.

You know just because it is,.. probably it was going through the public Internet and there wasn’t any sort of encryption key used to ehm… protect the data in that email.”

Ben Grodsky: “…if you guys are comfortable just communicating with us by phone, anything that is really really sensitive we can just communicate in this fashion…”

Ben Grodsky: “OK [confused, taking notes]. So, you are gonna disable password authentication and enable public key?”

Ben Grodsky: “…that part has… has not been compromised in any way. I mean, the communications between our offices in Santa Monica and our data centers have not been compromised in any way and all those communications to NY, to your offices, are secured. The only part that was compromised was…was the email communications about these things.”

Ben Grodsky: “…All we can say for sure Media Defender’s mail server has not been hacked or compromised…”

[Answering to the question “What kind of IDS you guys are running?”]
Ben Grodsky: “Ehm…I don’t know. Let me look into that.”

EDITED TO ADD (9/20): Media Defender’s source code is now available on P2P networks. Actually, I’m feeling sorry for them.

Posted on September 18, 2007 at 12:03 PMView Comments

Terrorist Plot Foiled in Germany

Score one for the good guys.

EDITED TO ADD (9/7): The more I read about this, the more obvious it is that intelligence and investigation is what caught these guys, and not any wholesale eavesdropping or data mining programs.

EDITED TO ADD (9/18): This article is a detailed writeup of the actual investigation. While it seems that intercepted emails were instrumental at several points during the investigation, the article doesn’t explain whether the intercepts were the result of some of the wholesale eavesdropping programs or specifically obtained for this case.

Posted on September 6, 2007 at 11:57 AMView Comments

4th Amendment Rights Extended to E-Mail

This is a great piece of news in the U.S. For the first time, e-mail has been granted the same constitutional protections as telephone calls and personal papers: the police need a warrant to get at it. Now it’s only a circuit court decision—the Sixth U.S. Circuit Court of Appeals in Ohio—it’s pretty narrowly defined based on the attributes of the e-mail system, and it has a good chance of being overturned by the Supreme Court…but it’s still great news.

The way to think of the warrant system is as a security device. The police still have the ability to get access to e-mail in order to investigate a crime. But in order to prevent abuse, they have to convince a neutral third party—a judge—that accessing someone’s e-mail is necessary to investigate that crime. That judge, at least in theory, protects our interests.

Clearly e-mail deserves the same protection as our other personal papers, but—like phone calls—it might take the courts decades to figure that out. But we’ll get there eventually.

Posted on June 25, 2007 at 4:13 PMView Comments

Image Spam

Good article on image spam:

A year ago, fewer than five out of 100 e-mails were image spam, according to Doug Bowers of Symantec. Today, up to 40 percent are. Meanwhile, image spam is the reason spam traffic overall doubled in 2006, according to antispam company Borderware. It is expected to keep rising.

The conceit behind image spam is graceful in its simplicity: Computers can’t see.

Definitely look at the interactive graphics page.

Posted on May 22, 2007 at 6:46 AMView Comments

1933 Anti-Spam Doorbell

Here’s a great description of an anti-spam doorbell from 1933. A visitor had to deposit a dime into a slot to make the doorbell ring. If the homeowner appreciated the visit, he would return the dime. Otherwise, the dime became the cost of disturbing the homeowner.

This kind of system has been proposed for e-mail as well: the sender has to pay the receiver—or someone else in the system—a nominal amount for each e-mail sent. This money is returned if the e-mail is wanted, and forfeited if it is spam. The result would be to raise the cost of sending spam to the point where it is uneconomical.

I think it’s worth comparing the two systems—the doorbell system and the e-mail system—to demonstrate why it won’t work for spam.

The doorbell system fails for three reasons: the percentage of annoying visitors is small enough to make the system largely unnecessary, visitors don’t generally have dimes on them (presumably fixable if the system becomes ubiquitous), and it’s too easy to successfully bypass the system by knocking (not true for an apartment building).

The anti-spam system doesn’t suffer from the first two problems: spam is an enormous percentage of total e-mail, and an automated accounting system makes the financial mechanics easy. But the anti-spam system is too easy to bypass, and it’s too easy to hack. And once you set up a financial system, you’re simply inviting hacks.

The anti-spam system fails because spammers don’t have to send e-mail directly—they can take over innocent computers and send it from them. So it’s the people whose computers have been hacked into, victims in their own right, who will end up paying for spam. This risk can be limited by letting people put an upper limit on the money in their accounts, but it is still serious.

And criminals can exploit the system in the other direction, too. They could hack into innocent computers and have them send “spam” to their email addresses, collecting money in the process.

Trying to impose some sort of economic penalty on unwanted e-mail is a good idea, but it won’t work unless the endpoints are trusted. And we’re nowhere near that trust today.

Posted on May 10, 2007 at 5:57 AMView Comments

MI5 Terror Alerts by E-mail

Sounds like security theater to me:

But he added that one of the difficult questions was what people should do about the information when they receive it: “There’s not necessarily that much information on the website about how you should act and how you should respond other than being vigilant and calling a hotline if you see anything suspicious.”

The first, called Threat Level Only, will inform the recipient if the nationwide terror threat level changes. The condition is currently listed as severe.

The second more inclusive service is called What’s New, and will be a digest of the latest information from MI5, including speeches made by the director general and links to relevant websites.

I’ve written about terror threat alerts in the UK before.

EDITED TO ADD (1/15): System is in shambles and being overhauled:

Digital detective work by campaigners revealed that the alerting system did little to protect the identities of anyone signing up.

They found that data gathered was being stored in the US leading to questions about who would have access to the list of names and e-mail addresses.

Posted on January 10, 2007 at 6:31 AMView Comments

Targeted Trojan Horses Are the Future of Malware

Good article:

Security technology can stop common attacks, but targeted attacks fly under the radar. That’s because traditional products, which scan e-mail at the network gateway or on the desktop, can’t recognize the threat. Alarm bells will ring if a new attack targets thousands of people or more, but not if just a handful of e-mails laden with a new Trojan horse is sent.

“It is very much sweeping in under the radar,” said Graham Cluley, a senior technology consultant at Sophos, a U.K.-based antivirus company. If it is a big attack, security companies would know something is up, because it hits their customers’ systems and their own honeypots (traps set up to catch new and existing threats), he said.

Targeted attacks are, at most, a blip on the radar in the big scheme of security problems, researchers said. MessageLabs pulls about 3 million pieces of malicious software out of e-mail messages every day. Only seven of those can be classified as a targeted Trojan attack, said Alex Shipp, a senior antivirus technologist at the e-mail security company.

“A typical targeted attack will consist of between one and 10 similar e-mails directed at between one and three organizations,” Shipp said. “By far the most common form of attack is to send just one e-mail to one organization.”

Posted on October 17, 2006 at 7:04 AMView Comments

1 8 9 10 11 12

Sidebar photo of Bruce Schneier by Joe MacInnis.