Points of Pain

A recent article I wrote for ADVANCE for IT Executives on-line magazine (http://health-care-it.advanceweb.com) dealt with the challenges unique to the health care industry because of their unfortunate position in the cross hairs their routine communications employ similar terminology to the purveyors of smut and spam. Common industry words, in their context benign, such as “breast” or “Viagra,” pose particular problems for filtering mechanisms, which can’t distinguish the difference between purveyors of smut and patient communications or correspondence from health care colleagues. Think about how costly, time-consuming and distracting that misjudgment can be. In a reflection of how tightly intertwined spam and the health care industry are, in October 2008, a U.S. District Court shut down what had been called the largest “spam gang” in the world after amassing more than three million complaints about the operation’s attempt to sell prescription drugs, weight-loss pills and male-enhancement products.

So while the health care community is particularly hampered by the inherent flaws of traditional spam filtering mechanisms which were designed to only guess at the safety of the message by screening for “suspect” words, that industry isn’t alone in feeling acute pain. If we randomly selected IT Administrators from any range of industries and forced them into a group session, every one of them could fill hours on the couch with stories about how their resource allocations were haywire dealing with spam.

To reuse a very recently overused cliché, if the definition of insanity is doing the same thing over and over in anticipation of a different outcome, then we might all need group therapy or more. Leaves me wondering why so many are still using filter technology in ever increasing variations, getting the same failed results, and trying yet another variation.

Fake Obama News

An article that caught my attention this morning by Brian Prince of eWeek (http://www.eweek.com/c/a/Security/Malicious-Sites-With-Fake-Obama-News-Trying-to-Build-Botnet/) details the latest in e-mail security attacks:

“Spammers are luring victims to a malicious site with false reports by President-elect Barack Obama. The spam is being sent out by the Waledac botnet, which security researchers say is a reincarnation of the infamous Storm botnet.”

These types of attacks are bound to increase until people realize, once and for all, that unauthenticated e-mail = unsafe e-mail. I feel badly for people that are falling victim to these sorts of attacks, however, the bad guys will continue to exploit the instant gratification mentality so prevalent today that causes people to open/read e-mails before they look to see from whom they are sent. Under no circumstances should anyone ever open an email from an un-authenticated sender. Until organizations and service providers, large and small, realize this fact and implement systems to enforce true person-to-person e-mail authentications we should expect to read an ever increasing number of stories much like this one.

Zombie PCs Attack

Internet News published this article yesterday, about zombie PCs (http://www.internetnews.com/security/article.php/3796526/The+Webs+Latest+Threat+Smarter+Zombies.htm) getting smarter and harder to track, as they are regularly asking for new IP addresses from their ISPs, ultimately rendering anti-spam software that works by blocking IPs now useless:

Unfortunately, my first thought reading through this is a big “I told you so” to the universe of security experts who keep insisting that IP reputation is the silver bullet in the ongoing war against spam and other e-mail bourn threats. Commtouch (www.commtouch.com) is a world recognized expert in the field of IP based reputation and should be taken at their word. If they say that IP reputation is finally dead, I would agree.

The fact that IP based reputation schemes are flawed has been well known to Sendio (www.sendio.com) for years. We have always believed the only type of security that really works is active security. All of the current IP reputation schemes are passive/reactive; employing complex algorithms to make guesses based on patterns and probabilities. Clearly, in a world where there is big money at stake, the bad guys are highly motivated to find mechanism that allow them to evade these passive security paradigms.

I believe the time has come for the security community-at-large to recognize that we need to move away from passive guessing schemes to active authentication methodologies.