Asian Anti-Spam Guide 1

© MediaBUZZ Pte Ltd January 2009 Asian Anti-SpamHighlights Guide 2 • Combating the latest inbound threat: Spam and dark traffic, Pg. 13 • Secure Email Policy Best Practices, Pg. 17 • The Continuous Hurdle of Spam, Pg. 29 • Asian Anti Spam Acts, Pg. 42

Contents:

• Email Spam: A Rising Tide 4

• What everyone should know about spam and privacy 7

• Scary Email Issues of 2008 12

• Combating the latest inbound threat: Spam and dark 13

• Proofpoint survey viewed spam as an increasing threat 16

• Secure Email Policy Best Practices 17

• Filtering Out Spam and Scams 24

• The Resurgence of Spam 26

• 2008 Q1 Security Threat landscape 27

• The Continuous Hurdle of Spam 29

• Spam Filters are Adaptive 30

• Liberating the inbox: How to make email safe and pro- 31 ductive again

• Guarantee a clear opportunity to opt out 33

• The Great Balancing Act: Juggling Collaboration and 34 Authentication in Government IT Networks

• The Not So Secret Cost of Spam 35

• How to Avoid Spam 36

• How to ensure your e-mails are not classified as spam 37

• Blue Coat’s Top Security Trends for 2008 38

• The Underground Economy 40

• Losing Email is No Longer Inevitable 42

• Localized malware gains ground 44

• Cyber-crime shows no signs of abating 45

MEDIABUZZ PTE LTD • Asian Anti-Spam Acts 47 ASIAN ANTI-SPAM GUIDE

© MediaBUZZ Pte Ltd Asian Anti-SpamHighlights Guide January 20093 • Frost & Sullivan: Do not underestimate spam, Pg. 65 • Unifying email security is key, Pg. 71 • The many threats of network security, Pg. 76 • The UTM story, Pg. 82 Contents:

• Social Networks: The New Frontier for Spam 52

• JupiterResearch: Marketers on guard, email marketing 54 facing tough times

• The Importance of Reputation and Message Relevance 55

• Anti-Spam Legislation and Enforcement Down-Under 56

• Honeypots and Spam 57

• Leading security threats to SMBs 59

• Know what to do when spam is in your Inbox 60

• Email Authentication tools still not widely used 61

• False positives are on the radar, but spam filters 62

• ANTI-SPAM SUPPLEMENT 64

• Frost & Sullivan: Do not underestimate spam 65

• Packing even more of a punch in email security 67

• Spam’s not going away and more security with control 69 needed • Unifying Email Security is Key 71

• Email Reputation and Authentication are Crucial in the 73 War against Spam

• UTM SUPPLEMENT 75

• The Many Threats of Network Security 76 • Frost & Sullivan: 80 The Possibilities with UTM are Endless

• UTM story 81

• Bringing the x Factor to Unified Threat Management 82

• UTM: Bent on Creating a Storm 85

• International Anti-Spam Legislation Snapshop 88

MEDIABUZZ PTE LTD • Editorial 88 ASIAN ANTI-SPAM GUIDE

IT security and control firm Spam relayed from hijacked spam messages on other peo- Sophos has recently released botnet computers ples' profiles - these don't just its report on the latest trends Email spam is almost always get read by the owner of the in spam, and revealed the top sent from innocent third party profile, but anyone else visiting twelve spam-relaying coun- computers which have been his or her page." tries for the second quarter of hijacked by hackers. These bot- In May, the LinkedIn business 2008. The investigation re- net computers are owned by networking system was used by veals a disturbing rise in the innocent parties, who are un- scammers seeking to swindle level of email spam travelling aware that cybercriminals are money from unwary corporate across the internet between using them for financial gain. executives. On this occasion, April-June 2008, and how Typically they are home users the spammers offered a share of some spammers are now us- who have not been properly pro- a non-existent US $6.5 million ing Facebook and mobile tected with up-to-date anti-virus inheritance fund, further high- phones to spread their mes- software, firewalls and security lighting the need for users to be sages. patches. It is therefore important vigilant to unsolicited ap- By June 2008, research reveals that more be done to raise proaches online. that the level of spam had risen awareness amongst computer Sophos experts note that the to 96.5% of all business email. users about the importance of level of Facebook, Bebo and Having risen from a figure of keeping their PCs secure. LinkedIn spam is still dwarfed by 92.3% in the first three months email spam, but there is a grow- of the year, corporations are ing trend for spammers to use now facing the fact that only one other techniques to spread their in 28 emails is legitimate. messages. "If your company is on the inter- Another growing method for net, it's going to be hard for it to spammers to spread their mes- do business unless it has an sages is via SMS texts sent to effective anti-spam defense in mobile phones. Spamming a lot place. Otherwise the amount of of people via text message is an junk mail will be swamping legiti- effective way of generating a mate correspondence from your flash-flood denial-of-service at- customers and suppliers," says tack against the telephone sys- Graham Cluley, senior technol- tem of an organization you don't ogy consultant for Sophos. "It like. As mobile operators give should be remembered also that away more and more "free texts some spam is not just a nui- per month" as part of their call- sance, but malicious in its intent Spam: Spreading in new ways ing-plans, and make available - trying to get you to click on an Sophos has discovered that SMS web gateways that can be attached Trojan horse or lead spammers are increasingly us- exploited by hackers, we may you to a dangerous website. ing networking websites such as see more spammers using SMS Organizations need a consoli- Facebook and LinkedIn to send to clog up phonelines. dated anti-spam and anti- their unwanted links to online malware solution at their gate- Email continues to be a favorite stores and bogus lottery and tool of spammers and still pre- way, updated around the clock financial scams. to neutralize the latest internet sents a danger to computer us- attacks." "Spammers are finding them- ers. It is common for cybercrimi- selves increasingly obstructed nals to spam out links to com- Sophos recommends compa- by corporate anti-spam de- promised websites, often using nies acquaint their users with fenses at the email gateway. In a subject line and message to best practice advice for minimiz- a nutshell - we're stopping the tempt computer users into clicking best practice advice for mini- bad guys getting their marketing ing through the promise of a mizing exposure to spam, auto- message in front of their in- breaking news story or a lewd matically update their corporate tended audience," says Cluley. topic. virus protection, and run a con- "To get around this, we are see- solidated solution at their email The Pushdo Trojan dominated ing spammers exploiting net- the chart of most widespread and web gateways to defend works like Facebook to plant against viruses and spam. continues on Page 5

From Page 4 — Email Spam: A Rising Tide malware spreading via email, accounting for 31 per cent of all reports. Pushdo has been spammed out during the year with a variety of disguises. Some for example, have claimed to contain nude photo- graphs of Hollywood stars Nicole Kidman and Angelina Jolie. On the bright side, attacks via email file attachments, however, have reduced in 2008. Only one in every 2,500 emails examined for malicious purposes, such as which have conspired to make it in the first six months of 2008 identity fraud. Spear-phishers more difficult to get some of- was found to contain a malicious generate the victims' addresses fending websites taken down attachment, compared to one in by using special software or us- promptly. 332 in the same period of 2007. ing lists of employees found on From the criminals’ point of view the networks of social media Phishing still going strong the use of Chinese domain sites such as Facebook or names is attractive, as they do Sophos continues to see wide- LinkedIn. not have to change their domain spread phishing email cam- To guard against this risk, all so regularly and may be able to paigns targeting the users of organizations should ensure operate for a longer period of online financial employees are fully educated time. institutions, and popular auction about the dangers of posting too Backscatter spam and payment websites. In recent much information on these sites, months social networking web- and of accepting unsolicited A noticeable spam trend during sites like Facebook have also friend requests the first half of 2008 was the caught the interest of phishers. growth in the number of non- “Businesses need to bite the delivery report (NDR) messages It is important to remember that bullet and take better care of generated by mail systems that phishing campaigns are not spe- securing their computers, net- accept spam messages during cific to any one operating sys- works and websites. They not an SMTP session. If there is a tem, and can affect any internet only risk having their networks delivery error (for instance, user regardless of whether they broken into, but are also putting “mailbox full” or “user doesn’t use Microsoft Windows, Mac OS their customers in peril by pass- exist”), the system attempts to X or a brand of UNIX. Because ing on infections,” adds Cluley. send a bounce message back to they exploit trust and human “On the other hand, office works the supposed original sender. nature rather than software they also must realize that it’s not just The bounce message is directed are likely to continue to be a the business fat cats who need to the email address found in problem for the foreseeable fu- to worry about this. Visiting an the envelope sender information ture. infected website from your work (the Return-Path header) in the Spear-phishing on the rise PC, or sharing too much per- original message. Because this sonal or corporate information 'Spear-phishing', which involves address has been forged in on sites like Facebook, could messages that have been per- most spam messages, the lead to you being the criminal’s sonalized to a specific domain bounce message is delivered to route into your company.” or organization, has become a mailbox of a sender who did more common in recent months. China as a host of Spam not send the original spam mes- These emails will appear to There is a growing trend for sage. come from a trusted source, spammers to host their content This is known as “backscatter such as a member of IT staff at and websites on Chinese web spam”. Specific addresses or the same company as the recipi- servers. This has caused prob- domains that are favorites of ent, and ask for personal infor- lems for some security compa- spammers can be the target of mation or username and pass- nies because it is harder to get hundreds, or even thousands, of word confirmation. Those who visibility on Chinese domain backscatter spam messages reply to these messages will name information than it is for every day. inadvertently be supplying infor- other countries. There are also mation that the phisher can use language and cultural issues continues on Page 6

From Page 5 — Email Spam: A Rising Tide Mobile phone spam motivated cybercriminals. On Unfortunately, there is still a Another growing method for average, Sophos says it detects common belief that spam is not spammers to spread their mes- 16,173 malicious webpages a threat but with virtually all of it sages is via SMS texts sent to every day - or one every five unwanted, and mobile phones. seconds. This is three times a dangerous proportion linking faster than the rate seen during According to the Internet Society to infected websites, organiza- 2007. of China, 353.8 billion spam tions should be secure their messages were sent to the Over 90 per cent of the web- email and web country’s mobile phone owners pages that are spreading Trojan gateways just as fastidiously as in the last year. As a conse- horses and spyware are legiti- their desktops and laptops. quence, China’s 574 million mo- mate websites (some belonging Email spam after all these years bile phone users, receive on to household brands and For- is still continuing to plague us- average over 600 spam mes- tune 500 companies) that have ers.◊ been hacked through SQL injec- sages each year. Of the By Shanti Anne Morais 438,668 spam complaints re- tion. ceived in June 2008, 39.17 per- SQL injection attacks exploit cent were regarding fraudulent security vulnerabilities and insert texts and 36.28 percent were malicious code into the data- commercial adverts. base running a website. Compa- A Glance at the first The problem is not confined to nies whose websites have been 6 months of 2008 China - Dublin and Texas have struck by such an attack often also recently seen spam at- clean-up their database, only to • Total number of different tacks. be infected again a few hours malware threats in exis- later. Users who visit the af- tence – over 11 million Spamming a lot of people via fected websites risk having their text message is an effective way computer taken over by hack- of generating a flash-flood de- • Biggest malware threat – ers, and their personal banking nial-of-service attack against the SQL injection attack information stolen by identity telephone system of an organi- against websites thieves. zation. As mobile operators give away more and more “free texts In addition, Sophos has identi- • New web infections – 1 per month” as part of their call- fied that the number one host for new infected web page ing-plans, and make available malware on the web is Blogger discovered every 5 sec- SMS web gateways that can be (Blogspot.com), which allows onds exploited by hackers, we may computer users to make their see more spammers using SMS own websites easily at no • Spam-related webpages – to clog up phone lines. charge. Hackers both set up 1 new page discovered malicious blogs on the service, every 20 seconds Cybercriminals getting more and inject dangerous web links creative and content into innocent blogs • Top malware-hosting in the form of comments. country – US with 38% The company has also noted Blogspot.com accounts for 2 per from research of the first six cent of all of the world's mal- months of 2008 that cybercrimi- • Top spam-relaying conti- ware hosted on the web. nent – Asia with 35% nals are increasingly using creative new techniques in their at- Business websites attacked tempt to make money out of • Email with infected attach- internet users. Thousands of webpages be- ments – 1 in 2500 longing to Fortune 500 compa- Most attacks are now designed nies, government agencies and • Spam in business email – to try and out-fox traditional se- schools have been infected, 97% curity systems such as email- putting visiting surfers at risk of scanning. infection and identity theft. High • New types of spam – Mo- profile entertainment websites bile, Facebook and back- Web Infection rates surging such as those belonging to scatter spam The first half of 2008 has seen Sony PlayStation and Euro an explosion in threats spread 2008 ticket sales companies are • Top host for malware – via the web, the preferred vector amongst the many to have suf- Blogger (Blogspot.com) of attack for financially- fered from the problem.

Email users need to know sent to multiple recipients who more about e-mail, spam and did not request it -- even though privacy to keep up with the they may be in the right target global electronic communica- audience to potentially tion environment. So we pre- appreciate such a message. sent some spam-related is- This is the hardest kind of spam to stop spam. Although you may sues that could affect Asian to understand; and it's the type not be a junk emailer, the laws email users and e-marketers that is most pervasive in the being discussed and enacted and provide information about B2B marketing world today. dangers surrounding spam could affect your organization, Anyone who sends a message and how to move toward per- simply because their wording to a list of customers or targeted mission-based marketing. can be fairly broad. So, you may prospects, each one of whom not think of yourself as a spam- did not proactively give permis- What is Spam? mer, and still get in legal trouble sion ahead of time to receive someday. There is no official, legal, defini- that particular type of message,

tion of spam that everyone on could be guilty of sending the Internet has agreed on. spam. UNITED STATES However, generally it can be Every year more bills are intro- Is this spam as "bad" as the first one of three things: duced into the House and Sen- two types? That depends on the ate in relation to email. These law in the state or country the are moving forward without Spam posts recipient is in, your organiza- much opposition (after all, who These are messages posted to tion's stated privacy policy, and wants to take the side of a nasty email discussion groups, chat how annoying the message spammer?) Currently six, includ- rooms or bulletin boards that are might be in terms of promotional ing a wireless spam bill, are un- "off topic" or distinctly promo- content and/or frequency. der discussion. tional in a non-promotional set- Unfortunately when it comes to Most require that all email mes- ting. If you belong to a discus- the annoyance factor, spam is in sages include an opt-out option sion group to discuss the aero- the eye of the beholder. Which (i.e. a way to get your name off space industry and someone means a message you think is the list) and that list owners are posts a message marketing an perfectly acceptable might in- to be held accountable for swift aerospace trade show, that tensely annoy some recipients. could be spam depending on unsubscribe processes. In the rules of the list. Most lists In the end, THE SENDER'S the B2B space, proposed laws publish rules for new joiners so OPINION DOESN'T MATTER. look a lot like current fax market- they will know exactly what's All that matters is the opinion of ing legislation -- you can email considered spam before they the recipient. anyone with whom you have a post. If somebody thinks you spam- "current business relationship." med him or her, you probably 15 states, including California, "Junk" email did. already have spam laws on the This would be a broadcast email books. In general these laws will message sent to multiple recipi- The Legal Outlook only affect business marketers if ents who did not request it, and (Please Note: We at Me- they have an office in that state, who aren't even in the right tar- diaBUZZ Pte Ltd are not law- and are knowingly sending un- get audience for it. For an exam- yers, nor did a lawyer review the solicited email messages to re- ple, an offer for Viagra sent to information below prior to publi- cipients in that state with whom millions of people regardless of cation. It's merely intended to they have no prior relationship. their age, sex or health. This serve as a starting point for dis- kind of spam is easy to spot be- cussion between you and your CANADA cause it's so obvious. legal counsel.) Canadians are way ahead of the

Thanks mostly to the growth of United States in terms of email Non-permission marketing annoying junk emailers, citizens regulation. New Canadian regu- This is an email message which around the world are contacting lations took effect January 1, is (or appears to be) a broadcast their governments asking them continues on Page 8

From Page 7 — What everyone should know about spam and privacy

2001 that currently apply to So, European laws could defi- You can't just switch company every company doing business nitely affect some legitimate names! with organizations that are regu- American companies who do Aside from ISPs, the other peo- lated by the Canadian govern- not think of themselves as ple who can block your email ment, such as banks, airlines, spammers. are corporate mail managers trucking companies, telecommu- You cannot be prosecuted or and the individual recipients. nications firms, etc. fined if you do not have a Euro- Most medium-large organiza- These regulations are on an pean office. However, if you do tions have someone in charge of evolving schedule -- by 2004 the have ties to Europe, watch out! their email system. If that mail laws will affect everyone doing Three different expert sources manager receives a few com- business in Canada regardless have told us that as of July 1 plaints from folks in the office of their relationship with the gov- 2001, the European Commis- about a potential spammer, he ernment. sion are specifically seeking or she is likely to block all email Non-Canadian organizations American violators they can from that sender in the future. with Canadian subsidiaries make a very public example of. Most individuals can also easily and/or offices located in Canada One source said, "A lot of peo- block email these days with just should learn more about this ple think the Europeans are just a few keystrokes by using the regulation immediately. We also rattling their sabers. They're not. "mail block" or "block sender" recommend that others track They're serious about this." feature in their email program. this area carefully because the In none of these cases -- the evolving Canadian situation ISPs, Corporate Mail Manag- ISPs, corporate mail managers could be used as a predictive ers & Black Holes and individuals -- are the people forecast for American legisla- Even if you are in full compli- involved generally consulting tion. ance with the law in every coun- with lawyers before they block try on earth, you can still get in your email. It's not about the trouble as a spammer. law. They see something they think is spam and they stop it. Why? Because Internet Service End of discussion. Providers (ISPs), such as Sing- Tel, StarHUB, or Pacific Internet So even if your email is com- that provide the means for completely legal, it can still be panies and individuals to go blocked if the recipients think it's online, have to power to stop spam. It's all a question of per- anyone they think is a spammer ception. We asked several ex- from using their systems. Quite perts on both the ISP and corpo- simply, if an ISP decides you rate mail manager side to de- are a spammer, they can stop scribe the measures they take to any email from your server from decide if something is spam or going through their system. not. Generally their answer boiled down to the number of If ISPs are so powerful, then complaints they received and why is there so much spam to- who they received them from. If EUROPE day? Simply because it's very the CEO complains about being The European Commission set easy to open an email account. spammed, you can bet the mail a fairly strict anti-spam directive Many junk emailers open email manager is going to block that more than a year ago. In gen- accounts under false names, emailer! eral European lawmakers are in use them once, and then fold up favor of opt-in lists where the shop and move to the next ac- Most experts also told us to bear recipients have proactively count within a few hours. By the in mind that ISPs and managers asked to be on the list. They are time the ISPs move to stop are busy these days. They don't not in favor of opt-out lists, them, they are long gone. have a lot of time to closely ex- where recipients have been amine each case of suspected However if you are a legitimate placed on the list without their spam. So a couple of complaints business, chances are you're permission and they must opt- can be enough for many of them sending out email using your out (or unsubscribe) to get off to take action. own company name. So, if an the list. ISP decides to stop you from ISPs and many major corporate Many American businesses cur- emailing their members, it's a lot and governmental mail manag- rently email their customers and harder for you to get around it. ers are well-connected. prospects on an opt-out basis. continues on Page 9

From Page 8 — What everyone should know about spam and privacy Thanks to email discussion groups and bulletin boards, they often pass the word when they spot a suspected spammer. So, if you've been blocked by one organization, you can find yourself quickly blocked by others. The most famous blocking list is called the "Black Hole." Aside from the obvious junk emailers, some pretty big company names have appeared on this list at one time or another, reportedly including Microsoft and Real Some may tell their ISP or cor- permission-based marketing Networks. porate mail manager to block all immediately. email from you in future. Some Protecting Your Brand may decide just to delete all Gathering Permission "Why can't I just test it?" We emails from you in future without If you are new to permission hear this question all the time. A opening them. marketing, your first step should marketer (usually from a direct This is a particular problem for be to get a copy of Seth Godin's mail background) says, "Well B2B marketers because your book, "Permission Marketing: sure, spam isn't a great thing. sales prospect pool is probably Turning Strangers Into Friends But there's no law against it, and fairly limited. You don't have and Friends Into Customers." I probably won't end up in the tens of millions of potential cus- This best-seller, published in Black Hole because I'm not run- tomers. You may not even have 1999, is still the basis of most ning a scam or selling sexual tens of thousands. If you are strategies and tactics behind material. So, why can't I just test operating in a tightly targeted successful email marketing to- sending a broadcast email to a pool, you shouldn't further limit day. non-permission list to see if it your prospects by sending works for me?" something they might perceive Here are some of the basics Our answer is - you can. But be as spam. every marketer should know: forewarned, you may be risking Conversely, if your company is a THE THREE TYPES OF PER- something more than a few legal big famous brand name, and MISSION - All permission is not fines and IT problems. You may you are caught spamming, it alike. be risking your brand. could turn into an online PR cri- Even if you don't get think spam sis as users email each other 1. Opt-Out: is a big deal, plenty of other and post the news on public In this situation the list owner people do. In fact, plenty of your boards and chat rooms. informs people that they are on customers and best prospects How can you know up-front if the list -- and the only way they do. Studies have shown that your customers and/or pros- can get off the list is to take ac- about 40% of recipients really, pects will perceive your email as tion by unsubscribing, cancelling really hate anything they per- spam? The easiest and best or "opting out." Basically you're ceive as spam, and an addi- way to know is to ask them. saying, "You're already on my tional 30% just dislike it. list and if you don't want to be If you are currently sending So, your non-permission cam- on my list then you'll have to tell regular emails to a list of people paign may get orders. In fact if me. Otherwise I'm going to keep who have opted-in to get email the list is a highly targeted one, emailing you." from you, you should consider and your offer is strong, you sending a survey as well. Lots Some opt-out lists are created may make a profit ... initially. But of surveying software on the when there are pre-checked at what cost? market now makes this re- boxes on registration or order Even if some of the people on markably quick, inexpensive and forms online. If visitors have to the list respond positively, up to easy. take action by unchecking the 70% of people on that list may box, then that is considered opt- If you are currently sending have been annoyed by your ing-out. emails to a list of people who message. Some may even be have not specifically asked to In general opt-out lists perform annoyed enough to swear to get that type of email from you, less well for marketing cam- never do business with you you should begin investigating paigns than opt-in lists because again. continues on Page 10

From Page 9 — What everyone should know about spam and privacy people haven't proactively that customer about that particu- TOP 4 WAYS TO GATHER asked to receive the information. lar sale -- sending shipping in- PERMISSION In a growing number of formation and/or a receipt by The number one question we're recipient's minds opt-out lists email. You can't add them to asked by readers is, "Am I al- are spam. So, if you plan to go your newsletter list and say it's lowed to send someone just one in this direction, it's worth think- "opt-in" because they didn't. unsolicited email in order to ask ing twice first. for permission to add them to As one businessperson told us, my list?" In other words, is it ok "I get antagonized when a com- to spam someone once, so you pany assumes I want to be on can avoid spam in the future? their list. If you just ask me first, Given the legal, ISP and brand- I might happily agree to be on it. ing concerns we've outlined But if you tell me I'm already on above, the answer is probably it and I have to do some work to not. get off, you've antagonized So how do you gather permis- me from the start. Opt-out is not sion? By using all the media -- a very customer-friendly way to 3. Double Opt-In: both online and offline -- that proceed." Have you ever been tempted to you already use to interact with put someone else's email ad- your marketplace successfully, 2. Opt-In: dress into a registration form? such as: Unlike opt-out, people on opt-in Or have you ever signed up a 1) Direct Mail: Many companies lists have actively requested to friend or colleague for an email have gathered opt-ins by using be added to the list. They are newsletter? Double opt-in is de- postal postcards, snap-packs or hand-raisers. They have not signed to prevent this from hap- other direct mail packages to only given you their email ad- pening. ask people on their postal list to dress, they have also given you If a list is a double opt-in list, a opt-in to their email list. explicit permission to email them message is automatically sent to Usually they direct recipients to a certain type of message with a the person who's been signed a Web address where they can certain type of frequency. up, asking if he or she really sign up. You might also want to Here's the biggest point of con- wants to be added to the list. add a phone number. fusion -- if someone has given Unless he or she actively 2) Broadcast Email: Be very you their email address, per- replies positively, his or her sure the email list you use is haps on a business card or on a name is wiped from the list very either an opt-in list (or double- form they filled out as a site visi- shortly thereafter and they never opt-in to be safest.) Your best tor, they are NOT an opt-in. The get another message. bet is to ask to see the form that only way someone can be an Some purists believe the only people opted-in on. If a list opt-in is if they know what they way you can be safe and sure owner can't show you that, then are opting-in for - a newsletter, a that your list is really opt-in is to don't rent the list. Also, if a list regular sales message, a third make it double opt-in. This is owner offers to sell you the list -- party ad message ... whatever. probably a good idea if you plan so the list is in your hands and It's got to be spelled out. to rent your list (most lists on goes out under your company That's why if you are collecting the rental market are double name -- then it is assuredly NOT email names (and which com- opt-in) or if highly secure or con- an opt-in list. pany these days isn't?) you fidential information will be sent On occasion if you have a very need to also collect specific per- to the names on the list. strong, beloved brand name, mission. You need to ask people Otherwise, most marketers can and you have an email list of at the point of collection what simply use the singular opt-in -- customers who have bought sorts of things you can do with but be prepared for some com- from you recently, you may be their name in the future -- such plaints from people who will an- able to get away with sending a as send them a newsletter. grily email you saying, "Hey I broadcast email to those cus- If you don't ask anything, if you never signed up for this!" Every tomers once to ask them to opt- just gather an email address at singular opt-in emailer in the in. This may not be legally safe the point of sale without ques- world gets these complaints at in Europe or Canada, and tions, then in strict terms the least occasionally. So you need unless you are careful, it can only way you can use that email a procedure in place to deal with hurt your brand in the USA. address is to communicate with them. So proceed with caution.

continues on Page 11

From Page 10 — What everyone should know about spam and privacy 3) Email Newsletter Ads: Many This means you should take two Some companies have found marketers have had great suc- steps: that whoever headed up Y2K cess gathering qualified pros- 1. Have a plan of action for the compliance is a good person to pect opt-ins by advertising in opt-in names you collect. With tap for this role as well. email newsletters because their permission you might want You may want to start the proc- newsletter lists are often more to email them some sort of use- ess by hiring the services of a targeted than broadcast email ful information at least every 4-6 privacy consultant. Although lists. You won't have much weeks. Quarterly mailings there are plenty of them in space - - sometimes less than are probably too far apart. Europe and Canada, there are 50 words -- so focus your copy 2. Always add a section to your still only a handful in the United on a single strong offer. White messages that tells people how States. papers, free newsletters, sweep- you got their email address, and stakes and other free offers how they can get off the list eas- work well. ily (and without cost.) 4) Your Communications Ma- terials: Your opt-in offer should CREATING AN EFFECTIVE be on almost every communica- PRIVACY POLICY tion your company makes. This includes, every page of your Every organization collecting Web site (consider making it email addresses must have a part of your navigation bar), privacy policy. While it's not the business cards, employee email law in most countries yet, it's signatures, space advertising in simply good business. As a mar- American readers have recom- magazines, print materials, or- keter, you'll be pleased to hear mended the following: that company after company der forms, customer service in- Your policy should simply state has reported that when they bound calls, etc. Remember a exactly how your organization include a link to their privacy few years ago when you had to plans to use any and all data policy when asking for an opt-in add your URL to everything? collected from your Web site. (or sale) it increases response Now you have to do the same Our biggest warning -- be care- rates. with your opt-in offer. ful not to make your privacy pol- In some senses privacy policies icy too broad sweeping. If you are the 100% money-back guar- say something like "We'll never antees of the 21st century. Hav- give your data to a third party" ing a good strong one can help watch out, because if you ever raise your sales, although cus- use an outside email fulfillment tomers may rarely use it. provider to send messages, they could easily be construed as a third part WHO SHOULD MANAGE YOUR PRIVACY POLICY How often should you update a policy? As often as things At least one person in your or- change in the way your organi- ganization should be in charge zation handles data. Experts of creating, maintaining and HOW LONG DOES PERMIS- recommend your policy man- managing your privacy policy. If SION LAST? ager check with all departments you don't already have a Chief for changes at least every six Not as long as you think. People Privacy Officer, someone in your have short memories. In fact months. In fast-moving organi- legal, marketing or IT depart- zations, quarterly might be your one research report showed that ments may take charge. Who- best bet. just under 5% of opt-ins will ever it is should be very good at completely forget they signed up cross-departmental communica- And yes, expect changes. Say- for your list within 30 days. The tion. ing "This policy will never ever general rule of thumb is any change until the end of time" is Your Privacy Manager will need name you haven't emailed in six a sure way to invite trouble. ◊ months to a year has probably to coordinate with every depart- forgotten they ever gave you ment that collects, touches or permission. So if you email uses customer or prospect data them, they may think you're a in some way. This includes spammer. sales, accounting, marketing, customer service ... you name it!

What do Halloween and a sent Obama’s Unsightly Spam organizations to deploy anti- email have in common? Both A malicious spam email spread virus technology at the email can be equally frightening, in September claiming to have a gateway, email server and end- according to Proofpoint, a link to a sex video of Obama, user desktop levels. provider of unified email se- but instead included spyware to Qualcomm’s Email Cemetery curity, archiving and data loss steal sensitive data from the Qualcomm got smacked with an prevention solutions. With victim’s computer. Current $8.5 million penalty because it Halloween lurking around the events and sensational news bungled its own discovery of corner, Proofpoint has identi- headlines—both real and fic- email relevant to a patent law- fied some of the scariest tional—remain popular subject suit with Broadcom. As more email issues of 2008. lines for phish and spam attacks courts require thorough discov- These blunders, attacks and because of their potential to lure ery searches, mistakes like mishaps have caused sleepless recipients into opening the email these will come to the forefront. nights and financial peril for con- or its attachments. Batting Back Backscatter sumers, corporate executives, Emails: Dead and Buried Stephen Gielda, president of politicians and of course, email Oracle Corp. failed to unearth and IT administrators. Paketderm, found his servers CEO, Larry Ellison’s emails that were being inundated with a In no particular order, Proofpoint were sought as evidence in a tidal wave of backscatter mes- highlights some of this year’s class-action lawsuit. According sages. At one point, he was be- email mishaps below: to the US District Judge Susan ing hit by 10,000 bounce back Phishing Fiasco Illston, Oracle should have fig- messages per second. ured out a way to comply with In September, it was reported Angel-O-Lantern the order to produce the infor- that cyber-criminals were Countrywide CEO Angelo launching fake sites for charities mation, which was issued in late 2006. Mozilo hit reply rather than for- and asking unsuspecting con- ward when typing ‘disgusting’ in Email Job Elimination sumers for donations to help in response to a customer’s email. the hurricane disaster efforts. Carat’s chief people officer acci- The media and the investor With any phishing site, people dently alerted staffers that their community noticed Mozilo’s re- can be tricked and treated into jobs could be in peril by sending sponse. In fact, one investor on revealing financial information an office-wide email only meant a Web site wrote, “I hope that and often discover the fraud for senior management. Addi- company gets what they de- after it is too late. tionally, the specifics on the talk- serve10.” ing points of their restructuring The Proofpoint Attack Response “Given all of the potential risks were shared. Center reports that “themed” and costs associated with email, phishing attacks continue with Unhealthy News Anchor Ob- it’s no surprise that nearly 15 the latest threats preying on session percent of IT executives that consumer concerns around the A former news anchor, smitten Proofpoint recently surveyed global financial crisis. by his female co-anchor was said they would eliminate email Preying on Palin’s Email charged with hacking into her in their organizations if that were A hacker breached the personal email account 537 times in 146 feasible,” notes Sandra Yahoo! account of vice presi- days, often checking on her 10 Vaughan, senior vice president dential candidate Sarah Palin times a day or more. He logged of marketing and products for and revealed portions of its con- in from both home and work and Proofpoint. “But email has tent on a site called Wikileaks. passed on some of the informa- evolved from a business and Security experts note that it can tion to a Philadelphia newspa- personal communication tool to be fairly simple for a determined per gossip columnist. the most mission-critical applica- person to hack into a personal Space Encounters tion for most organizations. From courts of law to the race email account, but concerns NASA found a computer virus for the presidency, email secu- have been raised about Palin on a laptop aboard the Interna- rity is being taken very seriously. using her personal email for tional Space Station, which car- And while email can cause may- business issues. David C. Ker- ries about 50 computers. Email hem, there are solutions avail- nell, son of Tennessee State continues to be one of the most able that help organizations re- Representative Mike Kernell, common distribution methods duce the substantial risks posed was indicted earlier this month for new viruses and other mal- by both inbound and outbound in the case. ware, underscoring the need for email.”◊

© MediaBUZZ Pte Ltd Asian Anti-Spam Guide 13 Combating the latest inbound threats: Spam and dark traffic One threat that is always high Even more importantly, how- The following are the four major on email administrators’ radar ever, spam filters should rarely types of anti-spam technologies: is spam. There are many anti- catch a valid, wanted email and spam solutions on the market throw it out. These “false posi- • Content filtering. Early solu- today, but the target is con- tives” have caused many argu- tions relied primarily on word stantly moving: spammers get ments between companies lists, email signatures, and more clever and creative to when an expected email has lexical analysis. For instance, get their junk mail to look real, been filtered out and never de- “Viagra” is a word that’s often and anti-spam vendors must livered. Experts recommend that tagged by content filters. To constantly update their tech- the false positive rate be as adapt, spammers started niques to remain effective. It’s close to 0% as possible, since spelling it with “1”s instead of a game of “spy vs. spy”: false positives can cost organi- “I”s, and added spaces. spammers are constantly zations dearly. Later, they began to include learning how to get around Spam is not the only threat to HTML graphics instead of specific anti-spam tech- email servers. While spam is putting in text. Recently, niques, and the best vendors unwanted and often annoying, a spammers began to put their are always coming up with bigger threat to networks today content in embedded PDFs; new technologies to increase is malicious and invalid email some email security vendors the percentage of spam traffic, referred to as Dark Traf- can filter the content of PDFs caught. fic, which can actually damage as well. For instance, some anti-spam an email system or a network. vendors rely on identity analysis Dark Traffic includes viruses, • Behavioral analysis. This or reputation analysis to block worms, and Trojan horses that type of anti-spam technology spam coming from certain IP are sometimes attached to oth- used Bayesian analysis, sta- addresses. To get around this, erwise valid-looking emails. The tistical analysis and heuristics spammers have now imple- directory harvest attack (dHA) is in order to predict spam. The mented zombie attacks or bot- often a precursor to spam, when onus for this type of technol- nets (robot networks), planting a corporate email server is bom- ogy often fell on administra- spyware or Trojans on unsus- barded with thousands—or even tors, who had to do extensive pecting machines, which then millions—of random name com- tuning and trial and error be- work as slaves to remote ma- binations in order to determine fore getting satisfactory re- chines, which then carry out a valid email addresses. Email sults. Bayesian filters also spam campaign. Instead of one denial of service (doS) attacks, increased the likelihood of machine sending out tens of malformed SMTP packets, and false positives. thousands of emails from a sin- invalid recipient addresses are gle IP address, zombie attacks other types of dark Traffic. As • Identity analysis. This looks can have a thousand slave mentioned above, spam and at the identity of known PCs—and a thousand different dark Traffic can have a huge spammers (often referred to IP addresses—sending out ten effect on bandwidth, often repre- as “reputation analysis.”) This to twenty emails each. Effective senting 70-90% of all inbound is a promising technology, email security requires vendors email traffic. Stopping spam and but may require email au- to constantly add adaptive tech- dark Traffic is essential to scal- thentication to become more niques to their anti-spam sys- ing email infrastructure accu- widespread. Also, zombie tems, assuring organizations rately and keeping network per- attacks can get around this that even new threats like zom- formance up. type of defense.

bie attacks won’t get through their systems—and email secu- The evolution of Anti-Spam • Pattern detection. By analyz- rity professionals don’t get those Technologies ing patterns of traffic, as angry calls or emails about un- much as 80% of traffic can wanted messages. Spammers and hackers are be thrown out as invalid. This constantly shifting strategies reduces the load on email Today’s enterprises expect servers and downstream spam filters to catch at least and tactics to get around spam filters. As new tactics evolve, email filters. This type of de- 95% of spam; the best spam tection also does not add to filters catch upwards of 99% of anti-spam vendors must layer the rate of false positives. unwanted emails. their new technology on top of the old. continues on Page 14

From Page 13 — Combating the latest inbound threat: Spam and dark traffic

All these technologies can layer How can organizations be sure However, the need to encrypt on top of one another to create that employees are complying sensitive information can’t be an effective anti-spam filter. with government regulations, or ignored. Organizations need to However, organizations need to that a disgruntled employee isn’t implement a secure messaging implement a secure messaging sending intellectual property or a solution that takes the encryp- solution that takes the encryp- customer contact list to a com- tion burden off the end user and tion burden of the end users and petitor? There could be serious intelligently does the right thing intelligently does the right thing. implications if the wrong infor- to keep messages secure and mation gets in the wrong hands organizations in compliance. Policy-driven control and con- due to an unprotected email In other words, it needs to ana- tent filtering system. lyze who it’s from, what it con- It’s becoming increasingly clear tains, and where it’s going, and Security policy is increasing in that inbound and outbound take appropriate steps automati- both use and importance in to- email security techniques are cally. day’s business environment. linked, especially in content fil- Government regulations, as well tering. Identifying keywords, file Experts strongly recommend the as the high amount of responsi- types, HTML graphics, attach- following features for an effec- bility and enormous workload ments, headers, and junk traffic tive outbound security solution: given to IT professionals, make are essential for both sides of 1. Strong content filtering it much more efficient to imple- the email perimeter. Today’s ment a policy-driven framework email security solutions often 2. Flexible and intuitive policy for security. leverage the same inbound con- controls The first generation of email tent filtering technology for out- • Effective solutions should solutions simply dealt with email bound email. Rules can be cre- take policy actions and coming into an organization. ated that flag proprietary data, route mail based on policy Most anti-spam products rely on social security numbers, or other • Policies should be granu- content filtering, but its impor- personally identifiable informa- lar: identity of sender, tance is expanding. It’s no tion. Certain recipients, such as identity of recipient, longer enough just to look at the auditing firms, can also have matching keywords, at- text in a message. Inbound their emails flagged. tachments, etc. threats can be hidden in mes- The next generation of email • Multiple options should be sage text, headers, HTML security solutions must make available: blocking, en- graphics, and various types of policy management and content crypting, adding a dis- attachments. filtering as robust as possible to claimer, etc. However, email traffic encom- adequately address all customer passes outbound emails as well. concerns. For instance, some • Easy to implement: should To deal with regulations and vendors don’t scan some types be an intuitive GuI instead security concerns, organiza- of attachments, like PDFs, that of a Unix command line tions’ security policies have be- can be at high risk for confiden- • out-of-the-box lexicons for gun to address outbound is- tial information; other vendors common government sues. Email systems make it so only deal with inbound emails, regulations (such as HI- easy to send messages that and have lightweight or hard-to- PAA, GLBA) employees can send proprietary manage solutions for outbound 3. Multiple outbound delivery information, customer informa- traffic. Therefore, it’s becoming methods tion, or accounting information essential to apply similar secu- to anyone, at any time—and rity technology used for inbound 4. Universality send it unencrypted. This could email traffic to outgoing emails. • Any recipient should be expose organizations to many able to receive an email risks, whether or not the em- Best practices for securing that’s been properly se- ployee is sending the email le- outbound messages cured gitimately or not. For instance, if Recipients should addi- an accounting employee needs Email encryption protocols such • tionally be able to se- to send private accounting infor- as TLS, PGP, or S/MIME have curely respond to the mation or customer data to an existed for some time, but the auditor, those emails could be process of deploying encryption email violating government regulations has developed a well-earned if they’re not protected properly. reputation for being difficult, complex, and prone to failure. continues on Page 15

From Page 14 — Combating the latest inbound threat: Spam and dark traffic

Integration and consolidated protect against evolving threats. management If this type of solution is implemented, organizations can be If not addressed properly, the confident that they will be security and architectural chal- quickly protected against new lenges discussed above can types of dark Traffic as they cost companies hundreds of emerge. thousands of dollars in unneces- Leverage and simplify sary infrastructure costs and lost productivity, as well as the con- Email management can be diffi- sequences of noncompliance or cult with many different prod- compromised confidential infor- ucts. Not only can inbound and The demands of today’s enter- mation. Disparate solutions outbound security leverage the prises are driven by new gov- have been available to address same technologies, but adminis- ernment regulations and chang- some of these challenges in the trators also want to use the ing business requirements. Or- past, but increasingly, email ad- same management console to ganizations can choose from a ministrators are looking for con- simplify their work and increase new generation of email security solidation and simplified man- effectiveness. solutions that meet the require- agement. ments to pass the “administrator Gateway filters leverage in- invisibility test” much better than Point solutions are not the bound and outbound email se- first-generation solutions. answer curity with ease of management. This provides administrators In order to meet these require- Many companies have deployed with the highest level of control, ments, complete email security point solutions that just take can perform both inbound and solutions should provide: care of a single email problem. outbound security tasks • Seamless integration of mul- Anti-spam and anti-virus solu- (depending on the solution), tiple security functions tions that check email can be protects against all types of dark • No need for fine tuning or deployed at the user level or as Traffic, and saves the most adjusting of spam and virus an email plug-in. But this type of bandwidth. filters – these should be han- approach is rarely part of an dled by outside experts overall security strategy, and Although they have architectural often leads to gaps or overlaps • Intuitive and effective policy advantages, not all gateway controls in email security. Additionally, email solutions are easy to man- • Deep inspection of all con- most of these one-off solutions age. tent and attachments have different management interfaces, which can lead to high Some gateway vendors simply • Integrated outbound secure administrative cost and effort. partner with third parties for delivery As email security threats evolve, parts of their solution. This isn’t • Centralized control over in- point solutions are often not a problem if the integration is bound and outbound security worth this extra layer of man- done well and customer support Email revolutionized the way agement, since they only deal is seamless to the organization, organizations conduct business, with a single email threat, and but that’s not always the case. and the next-generation email often only using a single method Some providers offer more fea- security solutions continue to for defense. Spam, in particular, tures as part of their core offer- build on those advantages. has evolved past what many ing, and these solutions tend to While choosing the right email point solutions can handle, mak- have integrated functionality, solution may not change the ing the products essentially inef- more streamlined support, and way businesses communicate, it fective. more complete management will deliver dramatic savings— Enterprises now expect email consoles. not just in the areas of budget security solutions to deal with and infrastructure, but also in many different security threats, Any email security solution the time and resources of IT including all the types of dark should offer consolidation of professionals and their organi- Traffic that can eat up so much services and multiple functions, zations.◊ bandwidth. In addition, the de- as well as a single, centralized fending solution should be multi- management tool and central- Condensed from a layered, using different ap- ized reporting. This makes every whitepaper by Tumbleweed, proaches and technologies to administrator’s job easier. now part of Axway

© MediaBUZZ Pte Ltd Asian Anti-Spam Guide 16 Proofpoint survey viewed spam as an increasing threat in Asia Spam is a growing problem for rity risk, followed by webmail He adds that the most common 91% of Asian organizations, (8.7%), from a messaging issue for email users was not with many saying they have security perspective. Blogs that they receive too much lost business, suffered secu- and message boards (2.9%) spam, but that they were uncer- rity or privacy breaches or had are also a growing concern tain they were receiving all customers or clients lose con- as is instant messaging at genuine emails sent to them. fidence in them as a result, 1.4%. “The survey shows just how according to a recent survey • 27.5% of organizations in the dysfunctional email has become from Proofpoint, Inc. region have been negatively at many organizations when the solution -- blocking suspicious “Email is failing in its role as the affected by loss of private emails -- has become a more primary business communication data, with 46.6% of organiza- common problem than the issue tool within many organizations,” tions saying they have disci- it is meant to fix,” elaborates says Gerry Tucker, regional di- plined an employee for violat- Tucker. rector for Proofpoint in APAC. ing email policies. ”As spam volumes have risen, “While organizations have solu- • Respondents also reported we are seeing organizations tions to counter issues like spam that their current anti-spam turning up the settings on their and other inbound threats, their solutions stop less than 95% anti-spam solutions and more approach is generally piecemeal of spam. 24.6% said that genuine emails are being and becoming increasingly inef- their anti-spam solution is blocked as a result.” fective as these issues worsen.” less than 90% effective; 50.7% stated that it is 90- “The survey also shows exactly The recent second Proofpoint 95% effective and 17.4% that how ineffective organizations’ Securing assets For Enterprise it is 95-99% effective. Only anti-spam solutions have be- (SaFE) Survey of email security 2.9% of respondents said come. Best practice recom- issues in Asian enterprises com- their anti-spam solution is mends that solutions should be pleted by 100 IT managers and more than 99% effective. 99% plus effective, something executives in Singapore, Malay- only. Best practice recommends Commenting on the results of sia and Thailand, found out that: that solutions should be 99% the survey, Tucker notes, “Our plus effective, something only • Although spam was a major latest survey highlights how 3% of organization currently concern for organizations, Asian email users are gradually achieve,” he continues. with 47.1% of the respon- losing confidence in email and An interesting point to note, this dents stating that this was the negative effect this has on survey mirrors the results re- their top concern. 51.5% of most organizations. While nega- cently conducted by Proofpoint respondents stated that data tive impacts on staff productivity Australia, which showed that loss was an even bigger con- are most common, significant 72.5% of Australian organiza- cern for their organizations numbers of respondents report tions see spam as an increasing more serious impacts such as • When it comes to data loss. threat.◊ 84.1% of Asian enterprises losing business or loss of cus- stated email as their top secu- tomer confidence.”

With a circulation of 24,000 across the Asia Pacific region, it is targeted at top management, executives, professionals and key decision makers, and driven by news, channel and technology best practices, channel and business strategies, technology feature articles and profiles on ICT/channel companies and leaders.

Many organizations have cor- Some organizations take a “see Identifying problem areas is a porate email policies in order no evil” approach, particularly critical first step. Organizations to accomplish a variety of ob- when they already have an sometimes underestimate the jectives. These policies can email policy in place: they see amount of time that it will take to help businesses gain com- no evidence of noncompliance, create policy and implement a petitive advantages when so they assume (or pretend) that solution. dealing with customers via they meet the demands of regu- Another challenge is that organi- email, as well as give the or- lations. zations simply address needs ganization a way to improve In today’s security environment, that are uncovered by an inter- productivity, reduce misun- compliance must be demon- nal analysis. derstandings, and increase strated. Although companies However, internal analysis can accountability. can ignore a security hole like often overlook critical issues. email policy, an attacker can still This is an area where many exploit it, and an email inadver- companies are willing to “see no tently sent to the wrong person evil,” believing they will some- can still be a public relations how not be responsible for fixing nightmare. In order to be effec- problems if they don’t know the tive, therefore, organizations problems exist. This is an atti- But now that the instant commu- must implement email policy tude that hackers, identity nication of email is expected enforcement. There are many thieves, and attackers love; but from most organizations, some ways to enforce policies and put obviously this attitude is the very real security concerns are systems into place that support wrong approach for the con- arising. Many organizations compliance, but no clear-cut cerns of regulators, consumers, have deployed email systems strategy is laid out in any of the and customers. A n external with the sole purpose of ena- new laws. audit, although it can be expen- bling communication. Often, little There are two ways organiza- sive, will often reveal every area regard is given to the problems tions can choose to comply with that regulations aim to ad- that can arise by email commu- regulations. The first is simply to dress—and will certainly demon- nications falling into the wrong make sure the organization can strate due diligence to your cus- hands. In fact, the security risks pass an audit by meeting the tomers. have become so public—reports minimum requirements (some- of credit card numbers, social times these are referred to as Perhaps the most important as- security numbers, pension ac- “checkbox” solutions). However, pect of policy enforcement and counts, and private health infor- some organizations go beyond compliance is that it is ongoing. mation being stolen—that legis- the “letter of the law” and actu- It is clear that protecting private lators have passed several ally address the security issues information and intellectual regulations in the last decade. that your customers are worried property be a business objective about. for organizations of all sizes. Of course, whether or not your Because of that, it is inadequate company is subject to govern- It is in this spirit that an email to allow policy enforcement and ment regulations, there are policy should be formulated. compliance to be a one-time (or many business reasons to pro- Can you make it easy for your even annual) “project.” It must tect against intellectual property employees to safely send infor- be integrated into the business leaks. If confidential data is sent mation via email to the neces- process. Each regulatory re- to the wrong person, or is sent sary people, both inside and quirement should be mapped to unencrypted, it can irrevocably outside the organization? Can a policy or a standard in the or- damage your business—even if you create and implement proc- ganization, and technology and you’re not subject to govern- esses to protect the necessary automation should be leveraged ment regulations. information? Today’s enter- to support implementation. The paper policies that sales, prises expect spam filters to catch at least 95% of spam; the There is no “one size fits all” customer service, and human policy; it must be written to ad- resources departments put in best spam filters catch upwards of 99% of unwanted emails. dress your organization’s unique place often don’t address all the needs. How is email being used issues—and don’t come close to Approaching security policies to support your business func- meeting the demands of com- tions? plying to those regulations. effectively continues on Page 18

From Page 17 — Secure Email Policy Best Practices

What kind of regulated content The first step to adequate and • Gateway-to-gateway and is going out in your email, and to effective email policy implemen- gateway-to-desktop encryp- whom? Answering these ques- tation is an analysis of your tion is most appropriate for tions will make it clear what email use. business-to-business com- needs to be addressed in the Some questions that can be munications. If your organi- email security policy. helpful to determine email secu- zation and your auditing firm rity needs are: have set up a direct network- Training vs. technology: • How is email being used to to-network connection using which is best for policy and support your business objec- TLS or S/MIME, some sys- compliance? tives? A re there emails that tems can automatically send are going out on a regular, the email using the specified Choosing the right kind of tech- ongoing basis, or is it ad hoc? encryption method, and a nology is very important. Much • What kind of information is system on the recipient’s end like the physical security of an your company sending across can automatically decrypt it. office building, employees email? Is there financial data, Some systems support S/ should be aware of the security health care data, or company MIME gateway-to-desktop features and know how to oper- confidential information being encryption, which means the ate the security functionality in sent? decryption can be done by order to get where they need to • Who are the senders and re- the email client (Microsoft go. It is perfectly reasonable cipients? Internal employees Outlook and Lotus Notes (and usually expected) that em- may have different security both have S/MIME decryp- ployees will need to be trained requirements than business tion capability). This requires how to operate a card reader, partners and customers. coordination between the two an electronic door key, or the companies, or at least prior alarm system. However, it is not Answering these questions will coordination between the reasonable to require users to determine if you require strin- sender and recipient. If re- rewire the alarm system every gent email security measures as cipients have their own digital day in order to get in and out. part a standard process, if is certificates set up to authenti- more effective to look for rogue cate email (most often using Essentially, an effective email data and emails, or if there are PGP and S/MIME), gateway- security system should provide other needs. to-desktop encryption is also employees with a reasonable supported. Be aware that expectation of security. This some companies may not means it should have a degree allow encrypted mail to pass of automation and be part of the through gateways, as it organizational infrastructure but would be an easy way for not be an “undue burden,” much company secrets or malware like the organization’s telephone to be transmitted. system or the physical security system. • Desktop-to-desktop encryption is most appropriate for Choosing and implementing a employee-to-employee or system consumer-to-consumer communication. If an organization Older email security models has senders with recipients tended to block all suspicious who are well-versed in a user Email encryption types content; however, that has encryption method like PGP, proved impractical and inade- an email system can be set Setting up email security as a quate. up to require (and automati- standard process (for instance, cally apply) PGP encryption Some companies have chosen for accountants who send re- between certain users if the reporting only. This can be a ports with private information to file fits the policy. good first step in assessing an auditing firms) requires different analyzing an organization’s • Universal secure delivery is solutions than companies who most appropriate for busi- needs, but if the requirement is need to simply look for possible to protect private information, ness-to-consumer communi- leaks. Email encryption solu- cations (and in some other guard against intellectual prop- tions protect the content of the erty leaks, or comply with legis- cases as well). Some email email from prying eyes, but each security systems have an lation, simple reporting cannot solution is appropriate for a dif- meet this need. ferent scenario. continues on Page 19

From Page 18 — Secure Email Policy Best Practices

equal. Many spam filters have nificantly reduce the number of high rates of “false positives”— false positives on outbound con- real messages that are per- tent. ceived as spam and therefore In addition to looking for specific thrown away. One false positive information—social security can be more damaging to an numbers and so forth—solutions organization than a hundred must also look for patterns that unfiltered spam messages. Be show potential information sure to choose a solution that leaks. If a health care organiza- option to encrypt the mes- has a low rate of false positives. tion can flag an email that con- sage and post it on a secure tains words like “patient” and Web site. It then requires Content and outbound accu- “eligible,” the risk of revealing authentication by the recipi- racy private information can be ent to view. This assures that greatly reduced. messages can stay secure Most of the outbound email traf- Moreover, systems vary on the without requiring recipients to fic organizations have does not kind of attachments they can have technical knowledge of need encryption. process. encryption to view private However, as organizations be- Some systems, for example, documents. See more infor- come increasingly dependent on can’t process PDF files. This mation on universal secure email, it’s nearly inevitable that requires that PDF files cannot delivery below. be sent or received with the as- social security numbers, indi- The basics of intelligent con- vidually identifiable information, surance that the information is tent filtering customer data, proprietary data, safe. Be sure that the system or trade secret will make its way you choose can adequate ad- Once companies analyze their through email. dress all the types of attachments your users commonly email usage and decide on en- The security problem is that the cryption technologies to imple- send. majority of this type of email is ment, the next step is to choose legitimate. That is, this informa- Some email security solutions an email security solution that tion must be sent and received have preconfigured content in- supports their needs. in order for tasks to be accom- spection policies for specific Today, the best practice for ef- plished. (To complicate matters, regulations. Additionally, these fective email policy enforcement sometimes this information must solutions often have pre- and true compliance is to imple- be sent and received in order to configurations available to iden- ment an intelligent content filter- achieve compliance with other tify and flag credit card and so- ing solution. pieces of legislation!) cial security numbers.

Intelligent content filtering is cur- Therefore, solutions must have The following are types of con- rently the only type of approach maximum flexibility. Analyzing tent that can be filtered, and that can adequately address all the content of outgoing email for what today’s email security so- four of the above parts of the personally identifiable informa- lutions can do with that content: integrated business process, tion and proprietary data is es- Message filtering and is therefore the only type of sential. But simply blocking approach that can support the flagged emails won’t suffice; The content of the email itself is necessary business objectives. there must be options for secure scanned. This includes: email delivery that are easy for • Message header Inbound accuracy senders and recipients. • Message subject Part of this flexibility is the ability • Body of message Although outbound email is to limit false positives for out- what most organizations will bound messages. Although Attachment scanning focus on to meet compliance, false positives are generally Attachments can be a big factor inbound traffic can also be a thought of as applying only to for threats, and can also eat up concern. Unwanted email that inbound email, outbound mes- bandwidth. Some email solu- contains malware can under- sages that are flagged errone- tions can only scan certain at- mine the best security policy. ously can create a burden for tachment types. Be sure that the Outbound email security solu- email administrators. Although email solution you choose sup- tions also include inbound solu- false positives are more difficult ports all the attachment types tions as well. to limit on outbound emails, that concern your company. It’s important to note that not all some solutions implement tun- inbound solutions are created able policy controls exist to sig- continues on Page 20

From Page 19 — Secure Email Policy Best Practices methods (like public key infrastructure) still face many practical implementation challenges. However, vendors are working on solutions, and effective identification and authentication solutions are expected to be included in future product re- leases. Policy enforcement

When a policy requirement is noted, there are many options available. The most flexible se- The best solutions can scan file within compressed curity solutions offer more op- hundreds of different file types, attachments (a PDF inside of an tions so that companies can and support rules for attach- RAR inside a ZIP file, for in- have complete control over their ments above a certain size. To stance). email communications, and map adequately preserve bandwidth, Pattern matching business processes directly to a rule can be created to either email policy processes. block large attachments, or A s mentioned above, matching route them to a different delivery on word(s), wildcards, and pat- These options include: method (universal secure deliv- terns is an important way to look • Reporting and logging. This ery, or even an FTP server). To for potential information leaks. simply flags the email and adequately protect against at- Lexicons notes the violation in an audit tacks, the solution should be U sing dictionaries and lists of file. This is often a first step able to scan for the true type of for organizations that are file, not just the extension letters regular expressions are another way to catch potential informa- developing their email poli- (changing the extension letters cies. It is not meant to be a is a common attacking tech- tion leaks. If your business is regulated by HIPAA, GLBA, or final step, as it does not meet nique). the requirements for compli- another specific regulation, an File types include: email solution should provide ance. The best systems al- • ZIP files extensible dictionaries based on low reporting and logging to • PDF files those requirements. It’s also be fully customizable, trig- • Other compression types important to give “weight” to cer- gered by certain events, and (RAR , StuffIt, and more) tain lexicons (weighing “social done in real-time. Another use case is when a new pol- • Graphics files (JPEG, GIF, security number” more than icy is written, it can be re- PNG, and more) “patient,” for example). ported on first to see if the • Video and music files (MP3, Identity triggers are correct. A VI, WMV, and more) • Delivery. Several options are • All Microsoft Office files The sender and recipient infor- available for the delivery of mation is also important. Analyz- Encrypted attachments the actual email communica- ing the traffic from the legal de- As encrypted files and password tion: partment to an outside law firm -protected files prevent email will likely have different rules • Quarantine. This places the security systems from viewing than the CEO communicating message in a secure area for the contents (these files could with a potential business part- review, usually by an email potentially contain viruses, mal- ner. For instance, an intelligent administrator. ware, proprietary information, or content filter can enforce a rule noncompliant information), the • Drop/Delete. If the email is that all email traffic between option to stop encrypted and inappropriate or illegal to your organization and its audit- password-protected documents send, organizations can sim- ing firm must be encrypted. from coming through the system ply drop or delete the email should be available in any good Currently, identification can be at the gateway. email security system. done using methods including • Return to sender. This re- user directories, digital signa- Nested attachments turns the email to the sender tures, and manual addressing. E if a policy violation occurs. E mail systems should support mail authentication is still in its the scanning of a compressed infancy, however, and current continues on Page 21

From Page 20— Secure Email Policy Best Practices An annotation can be added • Archive. This places a copy to the return message ex- of the message in a perma- plaining the policy violation. nent email archive in the file • Defer. Also called “rate- system. throttling,” this is used to con- • Forward. Depending on the serve bandwidth. F or in- policy, an additional recipient stance, if one user is receiv- can be designated and sent ing (or sending) thousands of a copy of the email (for in- emails, the rate of receipt stance, the corporate coun- can be “throttled down” to a sel can receive a copy of any reasonable number every email with the words Universal secure delivery works hour. Another example is that “pending lawsuit”). Also, an like this: an email large attachment alternate relay can be desig- 1. A sender creates an email can be deferred until a time nated to receive the mes- message and hits the send when email traffic is low (in sage. button. the middle of the night, for • Modify headers. Tags, notes, 2. The email security system instance). and other values can be flags the content and/or • Encrypt. Automated routing added to the email headers. identity of sender/recipient for outbound encryption mes- This is typically done if an as requiring encryption. sages is part of a best prac- external system is in place Alternately, the sender can tice for meeting compliance for further processing. mark the item as “secure.”) demands while also address- • Modify subject. E mails can 3. The system automatically ing usability issues. See the be in violation of regulations encrypts the file and posts it list in the “Email encryption” if the subject line contains on the staging server. section above for details and personally identifiable infor- use cases on different out- 4. The system automatically mation. (Subject lines, even bound encryption methods. sends a message to the re- in encrypted emails, are sent cipient with instructions on • Annotate. This allows the in the clear.) Health care or- how to retrieve the message email to be amended with ganizations have set up poli- from the secure store. any text or HTML content the cies that flag emails if social organization desires. Many security numbers or patient 5. The recipient follows the in- companies choose to add a identification numbers are in structions, authenticates to legal disclaimer to outside the subject line. If subject the secure store using a emails, and this automates lines have personally identifi- Web browser, and retrieves this process. able information, they can be the message. Any reply will deleted; if the subject re- also be sent via this secure • Digital signatures. This adds delivery method. a digital signature to the quires conforming to a stan- email, which is often done for dard, information can be Universal secure delivery is authentication purposes. added to the subject line. chosen frequently because it requires very little training for • Routing. E mails can be sent • Strip attachments. If attachments over a certain size are both senders and recipients; to different email domains it protects all necessary within an organization, based not allowed, the message can be sent without them. data, meeting not only the on senders, recipients, or letter of the law but the de- content. This is especially • Tag for further processing. sires of consumers and leg- important in distributed or- This allows policies to be islators; and it leverages ganizations to make sure chained; combinations of familiar technology (a Web emails are routed efficiently factors can be considered browser) to perform its and accurately. and reviewed before action is tasks. • Notifications. When an email taken. Tracking and reporting meets certain requirements, it can trigger an automatic Universal secure delivery A complete email system should notification to be sent to any perform the tracking of emails One of the most commonly de- email address; for instance, a through the chain of receipt. ployed methods of encryption/ supervisor, the legal depart- Senders and administrators can decryption is using a staging ment, or an email administra- get information such as: tor. server to act as a secure store for private messages. continues on Page 22

From Page 21— Secure Email Policy Best Practices • Whether or not the intended recipient received the message • The disposition of the message (for example: Was it quarantined? Was it blocked by a spam filter?) • The identity of the account that opened the message (for example, the intended recipient, a proxy, or an unintended recipient)

Tracking can be performed based on the recipient’s identity, by the message itself, or by attachment. Many of these tracking options are available at the gateway; some options are only available via certain encryption types (e.g., universal secure delivery).

As noted above, reporting is often a first step for organizations that are developing their email policies. Email systems should have complete reporting features, be customizable (by time, by user, by IP address, and much more) and be able to quickly and efficiently create summaries to send to su- pervisors, administrators, and other interested parties.

Conclusion

Creating an email policy and an atmosphere for proper compliance is of paramount importance. When an organization knows what’s at stake—whether it’s supporting business objectives or avoiding the consequences of noncompliance—it can more easily gain support for an implementation strategy. With email security, it’s important to have the flexibility and the power to analyze, as- sess, configure, tune, and audit as needed. E very organization is different, and so every organization’s email security policy will focus on different areas. Many solutions are available, but no matter what solution is implemented, configuring it to meet the email policy is essential to meeting compliance. Choosing a system that is flexible enough to meet your needs, has the power to analyze and process properly, and delivers a seamless user experience can be challenging. But having the right email policy and the right email solution in place are the first steps to help your organization meet those business objectives.◊ Condensed from a whitepaper by Tumbleweed (now part of Axway)

Spam is no longer simply a For businesses, the economic source or mail server of a spam time-consuming irritant. It is a impact of spam, spyware, and message. This type of filtering serious security concern as it the like are all too clear. Not can identify Internet protocol can be used to deliver Tro- only do these threats impact addresses that are suspect jans, viruses, and phishing productivity, network bandwidth, servers or open proxies used by attempts and could cause a hardware resource, and support, spammers as well as servers loss of service or degradation they also introduce serious legal from which no spam is sent. in the performance of network liability issues and undermine resources and email gate- hard-earned corporate brands URL Filters: URL filters, in turn, ways. and reputations. identify spam URLs in messages and remove characters In the face of such mixed that conceal a Web site address threats, what are concerned in a message. This type of filter- businesses to do? Problems ing is very effective against dis- such as spam and spyware guised URLs, extreme randomi- threaten to undermine the integ- zation, and very short mes- rity of a company’s information. sages. Corporate information must remain secure, reliable, and avail- Heuristics Capabilities: Heu- able at all times. And because ristic capabilities are character- spam and spyware utilize the ized by programs that are self- same vehicle—the Internet—as learning, or in other words, they legitimate business-critical com- get better with experience. Heu- munications, the challenge is to ristics offer a highly effective ensure that wanted information defense against new spam by exchange continues while un- analyzing the header, body, and wanted activity is halted. envelope information of incoming messages and looking for Keeping spam, spyware, and distinct spam characteristics other threats out of the work- such as the inclusion of exces- place requires a powerful combi- sive exclamation marks or capi- nation of information security tal letters. While poor heuristics technologies, including an- do little more than create an Symantec’s latest Internet Secu- tispam, antivirus, firewalls, and administrative burden by pro- rity Threat Report Vol. XIII (an policy management. ducing countless false positives, update of Internet threat activity the best heuristics can result in in the Asia-Pacific/Japan region Today’s spam attacks near-perfect accuracy. from July to December 2007) Spammers today use a number found that spam made up 71 Signature Technology: Signa- of tactics to evade detection by percent of all monitored email ture technology also plays an antispam solutions with only traffic globally. Out of all these important role in filtering out limited filtering abilities. As a spam emails, 0.16 percent con- spam. The most advanced sig- result, the most effective an- tained malicious code. This nature technology actually strips tispam solutions such as Sy- means that one out of every 617 random HTML from spam and mantec Mail Security 8300 Se- spam messages blocked by Sy- counteracts the variations that ries employ a variety of filtering mantec Brightmail AntiSpam spammers often insert, resulting techniques to stop complex contained malicious code. Sy- in a potent answer to today’s spam attacks in real time— mantec’s monthly State of Spam highly randomized, HTML-based without compromising accuracy. report also found that spam lev- spam attacks. Similar signature Essential filtering technologies els have been steadily increas- technology is also used to iden- in an antispam solution include: ing from an average of 66 per- tify embedded images, executa-

cent of all messages in July bles, zip files, and other mes- 2007 to 78 percent in July 2008. Reputation Filtering: Reputa- sage attachments through which tion filtering examines the qual- spammers entice recipients. ity or reputation of the sending continues on Page 25

From Page 24 — Filtering out Spam and Scams Foreign Language Identifica- Additionally, firewalls that are reminded of their role in fighting tion: Foreign language identifi- configured to allow only author- against invading threats. A num- cation is another essential spam ized outbound traffic can also ber of policy management tools filtering technique, which can reduce the threat of spyware are available to streamline this identify the 10 to 20 percent of and other malicious code that ongoing process, making it eas- all global spam that is sent in attempts to phone home over ier and less time-consuming to non-English languages. the Internet without the user’s achieve and demonstrate com- knowledge or permission or tries panywide-wide compliance. Mixing It Up to launch fraudulent applications. Firewall rules also can be Effective protection against to- Information security technolo- created to block access to day’s complex threat landscape, gies provide a sophisticated and known spyware sources. where spam is blended with ma- effectual deterrent from informa- licious threats, requires that Furthermore, corporate information security attacks that businesses employ a combination security policies can be up- threaten to undermine the integ- tion of information security solu- dated to ensure that file-sharing rity of business-critical informa- tions. and other software is correctly tion. By utilizing the most inno- implemented and that appropri- vative and powerful antispam filtering techniques together with Antivirus technology works to ate usage policies are in place antivirus, firewall, and other se- identify viruses, worms, and and being followed. Many of the curity technologies, businesses spyware, which are often distrib- best Internet firewalls and ad- can protect the security and uted through spam. When up- vanced antivirus applications availability of their business in- dated regularly and configured are circumvented not by experi- formation even as new genera- appropriately, antivirus solutions enced hackers, but by careless tions of Internet threats can automatically delete or and/or uninformed employees emerge.◊ clean malicious messages, in- who have not been trained to cluding mass-mailing worms recognize and respond to Inter- By Eric Hoh,vice president, that can result in hundreds of net threats. In developing and Asia South Region and spam messages. disseminating a solid, up-to-date head of Global Accounts, information security policy, employees are educated in and Asia Pacific and Japan, Symantec

While Bill Gates’ 2004 predic- phishing spam emerged in Octo- Despite being four years away, tion that spam would be eradi- ber 2008. Symantec defines the lottery scam email claims cated within two years clearly image spam as an unsolicited that the recipient has won missed the mark, few ex- message containing an image in £950k. The recipient is also pected spam’s extraordinary the body. Image spam reached asked to contact the paying resurgence in 2007. Since a peak of 52 percent of all spam agent to claim their money. 2006, spam levels have stead- in January 2007. In September ily climbed from 56% of all 2008, image spam averaged 2 email hit around 76% of email percent of all spam, but in Octo- in the most recent month’s ber 2008, this increased to 9 report. percent. A direct correlation can be made between the increase in image spam and the increase in phishing attacks that contain financial institution logos during October. The file size of image spam messages can put a strain on email infrastructure if not man- Mumbai terrorist attacks bring out the worst in spammers aged properly. Nearly 92 percent of image spam monitored India recently suffered a shock- in the last 30 days had an aver- ing terrorist attack, with hostage age size of between 5-50Kb. situations in Mumbai involving When you consider spam mes- Indian nationals as well as tour- sages in total over the last thirty ists and travelers from all over While the economy is on the days, only 16 percent fall into the world. Updates on the terror- minds of many, it seems it is the 5-50Kb with the majority (79 ists’ activity are still being fol- also on the minds of spammers, percent) of messages falling into lowed closely. who continue to use the econ- the 2-5Kb range. omy as a ruse to deliver their Sadly, spammers would never messages. Spam levels aver- Lottery Scam, Sister to 419 want to miss the chance to capi- aged in at 76.4 percent of all Spam still continuing talize on the fast-spreading messages in October 2008. This Lottery scam, closely related to news of this tragic incident, us- spam level represents a year on Nigerian or 419 spam, continued ing related headlines for their year, increase of nearly six per- in October. Two notable lottery fraudulent emails with product cent since October 2007, but a scams were observed by Sy- advertisements or malicious decrease since the 80 percent mantec in October 2008. The links/attachments. Symantec level in August this year. FIFA World Cup which opens in has come across spam mes- Here are some of the very latest South Africa in 2010 was tar- sages showing news headlines top trend trends according to geted in one scam. This lottery regarding the Mumbai terror, but Symantec: scam message claimed that in the content inside is completely conjunction with the South Af- unrelated and is advertising The Holidays are coming: rica 2010 World Cup organizing pills. committee, a drawing had taken ‘Tis the Season for Spam This spam technique of using place, and the “lucky” email re- recent tragic news events has With the 2008 holiday season cipient won a jackpot of $USD become a staple tactic for spam- approaching, spammers are 800K. In order to claim the prize, mers. Among others events, once again taking a seasonal the email recipient is instructed spammers targeted the Nargis spam angle and using email to to contact a paying agent and cyclone in Myanmar and the tout such wares as pharmaceuti- provide them with their personal Sichuan earthquake earlier this cal, product and casino spam. information.

year. Email recipients are ad- Rise in Image Spam Linked to Also observed this month was a vised not to click on links found Phishing Scams lottery scam message relating to in such spam emails.◊ The connection between a re- the 2012 Olympic Games in cent rise in image spam and London.

Web threats are in now way decreasing, in fact according to Sophos Security Threat report Q1 2008, the web now hosts an unprecedented number of threats and continues to be the preferred way for malware authors to deliver their attacks.

According to Sophos, the company discovers a new infected webpage every 5 seconds. This is an average of more than 15,000 every day, three times more than in 2007. Sophos has also discovered that a new spam-related webpage appears almost every 3 seconds.

Mal/Iframe and Mal/ObJS con-

tinue to dominate the chart as Email threats, spam and they did in 2007, with attackers phishing This calculation includes pages taking advantage of vulnerabili- In the first quarter of 2008, only registered on “freeweb” sites ties 1 in 2500 emails was found to such as Blogspot, Geocities, etc. Sophos predicts this num- be carrying malware – 40 per- ber will increase so long as its The results of research into cent less than in 2007. Rather authors are making money from which countries contain the than incorporating malware into such ruses. By ensuring that most malware-hosting websites the email in the form of an at- spam messages are quaran- reveal some interesting changes tachment, cybercriminals are tined and not delivered to the when compared to 2007, using unsolicited email to pro- recipient, businesses can save Sophos reports. The US has vide links to compromised web- not only time and money, but experienced unprecedented sites. can also help protect their users growth in this area, hosting al- from emails linking to infected most half of all infected web- In addition, Sophos experts sites. sites. The country has almost have discovered many Pushdo

doubled its contribution to the campaigns during the first part In an attempt to defeat sender chart compared to 2007, when it of 2008. They note that some of reputation-based filers, the was responsible for hosting less the techniques used have been spammers who relied heavily on than a quarter of compromised technically sophisticated in an botnets are trying to abuse free websites. attempt to avoid detection. webmail services such as Hot- These techniques involve mail. AOL AIM and Gmail. Ex- changing the type of packers China, which in 2007 was re- perts believe that the rise in used, in which the malware tried sponsible for hosting more than webmail spam might be related to obfuscate itself. half of the infected websites on to spammers having bypassed

the web, has returned to its CAPTCHA techniques – a chal- 2005 standing, playing host to Spam continues to plague com- lenge response test used to de- just a third of infected websites. puter users. Sophos research termine that the user is human.

reveals that 92.3% of all email was spam during the first quar- Thailand has now made its de- According to Sophos, the US ter of 2008. The security com- but to this top 10 list, accounting has decreased its contribution to pany also finds a new spam- for 1 percent of the infected the spam problem, relaying only related webpage on average websites found by Sophos in the 15% of spam, compared to one first quarter of 2007. every 3 seconds – 23,300 each fifth in 2007. day. continues on Page 28

From Page 27 — 2008 Q1 Security Threat Landscape

Sophos is also monitoring a large number of Chinese domains that are being promoted by spam campaigns. Interest- ingly, there is a 2008 promotion inviting people to register .CN domains for a mere USD 14 cents. Such a low cost is attractive to more likely to trust – and there- attempts to outfox a user popu- spammers as they can register fore be conned by – emails that lation which has often, incor- hundred of new domains and purport to be sent from the com- rectly, believed itself to be im- rotate them every few minutes pany’s IT or HR department. mune from many internet secu- during a spam run in order to Sophos advised businesses to rity threats. bypass spam filers that use URL exercise extra vigilance in this blocklists. area. The Future Data leakage Phishing still remains a huge While the idea of protecting your problem for banks and other Stories about organizations from data has been revamped and re financial institutions. It also businesses to government -introduced to the market by poses a problem to large online agencies losing sensitive data many in the security industry, it companies like eBay and Pay- still dominate the press, and is not a new concept. Security Pal. Sophos measured the num- Sophos expects this trend to issues over the last 15 years ber of phishing emails targeting continue in 2008. have revolved around protecting these two organizations in 2007, information – from the macro and found that during the first Questions remain as to how viruses of the early 90s that quarter of 2007, 59 percent of hackers manage to plant mal- tampered with and deleted infor- phishing campaigns targeted at ware even in companies that are mation to today’s large-scale least one of them. PCI compliant. This brings at- data thefts. tention to the crucial point that Just as technological advance- However, the first quarter of achieving compliance must not ments help legitimate marketers 2008 has registered a massive lead to complacency. While no and sales teams to focus their decrease in the number of cam- security system is perfect, it is efforts on specific markets paigns targeting both eBay and worth remembering that the quickly, efficiently and cost- PayPal. PayPal has been the more effort required to steal a effectively, they have also made target in slightly over 15 percent company’s data, the less attrac- life easier for hackers. For both of phishing campaigns, while tive a target it becomes. the good and the bad guys, im- eBay has accounted for jus less proved technology has led to than 4 percent of all campaigns. More Mac malware and vul- improved return on investment. Heightened user awareness nerabilities This is not the time for compa- may be responsible for phishers nies to bury their heads in the looking elsewhere to lure in un- Although still tiny when com- sand and hope no one notices suspecting victims to bogus pared to the Windows malware any gaping security holes in websites. Computer users need problem, Mac users are not un- their network. Today, attacks to remember to be vigilant when scathed when it comes to mal- are sophisticated, well-funded entering confidential data online ware attacks. During the first and at large. Putting in place an and only to do so from a fully quarter of this year, Sophos dis- up-to-date security policy that protected computer. covered a new Trojan designed defends your web and email to scare users into purchasing gateway, proactively protects Spear phishing activities, which bogus security software, poi- your endpoint computers and target specific organizations, are soned web adverts that would mobile devices, and educates also seeing a rise, with educa- lead to either a Mac or Windows your users on appropriate and tional institutions and webmail infection, and vulnerabilities that acceptable online behavior can services being particularly tar- affected Mac users just as easily make an organization a very geted and vulnerable. as Windows lovers. unattractive target indeed.◊

While most users have learned With Apple Macintosh’s market Condensed from Sophos how to recognize most standard share on the rise, it seems likely Security Threat Report Q1 08 phishing attempts, they are that hackers will increase their

into giving them the means to mass mailing of stock trading grow their businesses through spam uses specially crafted the very same methods that graphic files that contained spurred e-commerce growth – background noise, as well as online marketing programs and Adobe .pdf files, which during email advertising. The masses the time are not detected by were clicking on E-mail spam, spam filters. Storm and other banner ads, legitimate Web spam creators are extremely sites, image and .PDF files, notorious for making creative which were all being co-opted use of timely events and topics and used as malware carriers, such as, dancing skeletons for installing viruses, Trojan horses, Halloween, cheap pharmaceuti- worms and other forms of mal- cals and prescriptions, elec- ware, on to e-mail recipients' tronic greeting cards, advertise- and Web surfers' PCs, turning ments for credit reports, elec- them into a network of remotely tronic discount shopping vouch- The birth of the internet com- controlled and “zombified” ers, and more that would entice munication has brought us slaves. To this day, botnets are recipients to open the file attach- much convenience and ironi- still an ongoing problem be- ments or links to the websites. cally hindrance. The well cause they allow spammers to So, can the spam problem ever known spam problem which scale without increasing their be conquered? The fact is that came about in the early 1990s ability to be detected. while the risks can be mini- proves to be a continuous Another thing that is changing mized, spam cannot be totally one. with spam patterns is the degree eliminated as it has evolved into No one in the past would have of sophistication and the scale somewhat of a social problem. thought it was possible and easy of the botnets spam manufactur- On top of this, the spam market to get PC and network users to ers employ today. It takes only a today is valued at approximately install viruses, worms, applica- number of weeks to see the ma- several hundred million dollars tion-downloading Trojan horses jority of spammers utilizing annually. Being such a lucrative and other forms of malware on these same methods, which on business, it is unlikely that their computers. Today, it is esti- a given day can decrease any spammers will ever be a dying mated that 10 to 25 percent of organization’s effectiveness and breed. How can it as long as all PCs in the world are part of revenue significantly. there are people who are willing botnets and the number is a Following a brief period of la- to take risks and potentially constant flux. Albeit increasingly tency, massive Storm-driven make a quick fat profit? hidden, spam has become a spam attacks again lighted up One of the ways to minimize significant topic of discussion everyone’s radar screens. Spam risks is to educate people on and revenue generator of the links to MP3 audio files, You- how they can start protecting internet world today. Tube videos and Adobe .pdf their own computers, such as Just last year, the storm spam- documents are being used to installing anti-virus software to malware hybrid was thought to gull recipients into downloading prevent them from being used grow to become the largest and infected attachments and visit- as botnets. most notorious of spam-driven ing Web sites that serve as mal- Secondly, the tools that are be- robot networks breed. What was ware distribution nodes, in turn ing used to create ‘Storm’ spam frightening about the Storm further infecting their PCs and for example must not be readily group then wasn’t the fact that luring them into part of a net- available and accessible. they had built such a large bot- work of remotely controlled zom- One of the ways to minimize net, but that they proved large bie slaves. risks is to educate people on number of systems could be Presently, the latest evolutionary compromised by simply asking how they can start protecting wave follows an earlier Storm- their own computers, such as end users to install all kinds of driven spam onslaught in which malicious applications. People installing anti-virus software to users are lured into pump-and- prevent them from being used adhered. dump stock trading schemes. as botnets. Next came the part where bot- How it works according to nets were duping Internet users Kaspersky lab is that the first continues on Page 30

From Page 29 — The Continuous Hurdle of Spam Being human, more often than the United States leading the will ONLY happen as a result of not our curious nature urges us CAN-SPAM Act of 2003. In a a breach to a large organization to explore and question the ori- recent case in United States, a or government, causing massive gin and how things are created. social networking giant is set to financial loss and a tarnished With readily available tools on receive $6million for a lawsuit reputation. spam creation, curiosity kills the the company filed against We, as consumers will need to cat; this will slowly and poten- “Spam King” Scott Richter, who be constantly vigilant and keep tially develop into a challenge inundated its members with un- a lookout on all possible spam and competition against the time wanted spam from hijacked ac- such as Nigerian scams, weight- taken to create spam, defend counts in August 2006. This law- loss claims, foreign lotteries and the users and complying with suit was filed under the CAN even fake investment schemes. the laws. In addition, there is SPAM Act. So far, under this For now, spammers will con- currently no financial incentive ACT, the law has managed to tinue investing in this profitable that encourages site operators catch up with other ‘Spam business, fighting the law en- such as Internet Service Provid- Kings’ such as Alan Robert So- forcement agencies. Besides ers to take action against bot- loway for spamming Microsoft’s legislation and anti-spam de- nets. Hotmail Service in 2005, Alan vices, to ensure spam does not overtake our life maliciously, we It is also difficult to charge a per- Rasky and Sanford for interna- can and should play a part to son if his computer becomes a tional illegal spamming and ensure the stop of this globally victim of botnets unknowingly. stock fraud scheme. The problem with spam will infectious disease.◊ Today, there are legal issues reach a stage where serious By Stree Naidu, surrounding spam/phishing measures need to be empha- processes in each country, with Regional Vice President, sized and implemented and this APAC & Japan, Tumbleweed, now part of Axway

Spam filters are adaptive

The approach of the artificial intel- which contain repeatedly the word ligence uses heuristic filters to loan or the dollar-sign are not de- arrange e-mails in mostly prede- fined as spam. The quality of the fined classes (spam, no spam). In filter depends highly on the qual- doing so, the self-learning filters ity of the training. If a filter is not compare new messages to al- well coached, it can generate a ready learned facts and as a re- high interest in false positives. sult determine whether an e-mail Most filters are already pre- is spam or not. An excessive use trained when purchased, but of special characters and capital matching with one’s own e-mail letters, hidden HTML texts, unsub- behavior must still be adapted. scribe lines (supposed possibility That's why it takes a little bit time to opt-out from the list) and a high until heuristic filters work per- 91 percent of all spam filter frequency of certain catchwords fectly.◊ manufacturers use artificial intelli- can be indicators of spam. These gence (AI) based filters. This has attributes are weighted with a Dr. ABSOLIT Schwarz Consulting been established by a market score, which classifies an e-mail offers independent strategy con- survey of “spam filters” by Absolit as spam if it crosses a specific sultation on e-mail marketing and Dr. Schwarz Consulting. The study number. integration of electronic media examines 47 products on their “ Once the filters are trained, they http://www.absolit.de filter methods. “Today, who has adapt further on their own and spam mail in his inbox has to even fit themselves to new tech- blame himself alone. Modern fil- niques of spammers“, says Janine ter methods block more than 99 Bonk, the author of the study. The percent of incoming spam mails, filters orientate themselves by without loosing one single impor- monitoring the typical e-mail be- tant e-mail ", says the e-mail ex- havior of the user. If, for instance, pert Dr. Torsten Schwarz. the user works in a bank, e-mails

With spam levels breaking More recently, spammers have The vast amounts of money ac- records every day, the quin- extended their role from the sim- crued by spammers who have tessential business tool – ply annoying to the outright been arrested and prosecuted is email – has simultaneously criminal, using their emails as a an indication of just how much become a major liability. With beachhead for more malicious money can be made, and the inboxes overrun with more activity. As security vendors handful of cybercriminals who and more unwanted email that have become adept at blocking are caught is nothing compared threatens business productiv- emails containing code which to the huge numbers left unde- ity, regulatory compliance, itself has a viral payload, spam- tected to carry on their cam- and network security, organi- mers and malicious code writers paigns. In today’s workplace, zations are having to look at have found more devious ways the task of blocking the wealth what is being mailed in, out – such as the use of images and of malicious and productivity- and around their network, at PDF attachments – to get spy- hampering email, while allowing the gateway, at the mail ware, zombie-creating Trojans, the free flow of legitimate busi- server and at the endpoint. and other malware on to end- ness communication, is one of users’ desktops. the biggest challenges IT de- Paul Ducklin, Head of Technol- partments face. ogy for Asia Pacific at Sophos, zooms in on the threats posed Email security – a multi-layer by unwanted emails that make it issue through to the inbox, explains the impact these threats have In the past, organizations on organizations, and demon- viewed the problems of email strates what needs to be done almost solely as an inbound in response to make email safe threat – spam and email-borne and productive. malware causing a nuisance, Cybercriminals are increasingly consuming bandwidth and stor- Email in a business spamming out emails offering, age space, and increasingly for example, a plug-in to view infecting endpoint computers. Email today presents a serious videos or pornography or even As described above, the situa- risk to security, business pro- offering free bogus security ap- tion now is much more complex, ductivity, and compliance with plications. The emailed link in and the threats posed by email government and industry regula- reality takes the duped user to exist throughout the whole email tions. As the use of email for an infected website from which infrastructure. As networks in- legitimate business purposes a backdoor Trojan is down- crease in size and complexity continue to go upwards, so does loaded. When the webpage and email use grows, more its use as a tool for unwanted, loads, malware on the website points in the system become illegitimate, and occasionally infects the visiting computer, vulnerable. Inbound, outbound dangerous, business activity. and is then used for a variety of and internal messaging are all There are three predominant criminal purposes, such as to vulnerable and need to be se- sources of risk that every or- steal data or to turn the com- cured as part of an organiza- ganization faces: spam, informa- puter into a spam-sending zom- tion’s overall network and data tion leakage, and compliance as bie. Phishing attacks continue to security. it relates to email. lure unwary users to fake websites where they hand over con- Gateway security – inbound Spam fidential information, such as and outbound bank or credit card details. Professional spammers con- The gateway remains the place tinue to clog up to 90 percent of The reason spam continues to where email protection “tradition unprotected mail stores and in- flourish is because it works. It -ally” sits, providing protection boxes with unwanted emails that can take just one person to against threats such as spam soak up bandwidth, upset end hand over their money or their and phishing attacks, viruses, users with irritating or offensive financial details – wittingly or by denial of service attacks and content, and negatively impact having them stolen – for a cam- employee productivity. paign to be successful. continues on Page 32

From Page 31— Liberating the Inbox

An additional, and perennially lies, providing a more determi- significant threat, is that of mal- nistic approach to protection. ware entering the organization at the endpoint desktops, lap- There also needs to be a clear tops, and notebooks via, for ex- and transparent framework for ample, webmail or a USB mem- behavior, setting down what is ory stick can use the internal acceptable and what is not mail network to spread. Within when it comes to using email. the context of the email system, An explicit, organization-wide the endpoint is the final line of Acceptable Use Policy (AUP), defense. accompanied by the ability to audit its use and enforce its Making email safer rules is a simple first step in directory harvest attacks. demonstrating the intention to While most organizations have meet regulations and goes a It is also at the gateway that experienced dramatic growth in long way toward avoiding liabil- offensive and other inappropri- their email infrastructure, many ity. ate inbound emails are blocked have not seen a corresponding before they can reach the corpo- increase in email security – Making email more productive rate servers. Outbound emails even though email is already the containing confidential or sensi- number one source of security Just as there needs to be robust tive information or emails that threats for organizations. Email security to protect against mal- flout regulatory or corporate protection has tended to be fo- ware, spam, denial-of-service compliance rules can also be cused on the gateway, although attacks, directory harvesting, effectively stopped here. As a there are in reality many points and so on, so there need to be result outbound content monitor- of vulnerability in an email sys- capabilities in any solution that ing and filtering is an increas- tem. This approach, as has will let administrators enforce ingly strategic concern for IT been discussed, can leave a content filtering management administrators. network exposed to a host of and information leakage preven- email related threats that bypass tion policies. For example, secu- Groupware security – internal the gateway defenses. The tra- rity solutions should be able to ditional gateway email hygiene automatically monitor email Internal threats are rapidly model is, therefore, now incom- communications for keywords, climbing the priority list of enter- plete. strings such as Social Security prise security threats and now numbers, and file types that account for three of the top 10 The key to making email safer is might contain proprietary infor- most serious threats facing cor- to secure all the points of vulner- mation. porations today – unintentional ability – protecting all layers and employee error, data stolen by ensuring that the gateway and There need also to be manage- an employee or business part- groupware solutions integrate ment features that lower the ner, and insider sabotage. anti-virus, anti-spyware, anti- administrative overhead, giving phishing and anti-spam protec- administrators visibility and re- The threats associated with in- tion and also provide the ability porting capabilities that allow bound and outbound mail – ma- to filter email for dangerous, them proper control over the licious emails, inappropriate unwanted or confidential con- whole email infrastructure. This content, confidentiality and com- tent. includes the ability to trace mes- pliance breaches – all apply at sages as they flow through the the groupware level, with inter- Maintaining up-to-date endpoint email infrastructure, and the nal mail servers acting as the protection is vital to preventing ability to generate traffic and conduit for all traffic. In addition, infection via other means, as threat reports quickly and easily malware can remain dormant in highlighted above. At all points, in order to paint a clear picture stored email attachments, pos- it is essential to provide com- of what is passing through. This ing a threat to the wider network pletely up-to-date, proactive pro- is particularly important in re- long after they enter the organi- tection against the full range of sponse to inquiries from senior zation. malware threats. Leading anti- management. virus and anti-spam engines Endpoint security – the last automatically detect variants of line of defense spam campaigns or virus fami- continues on Page 33

The CAN-SPAM which is adopted by many governments demands a “clear and conspicuous” e-mail opt-out mechanisms. Some of its important aspects are briefly listed here that you should take them into consideration when sending out messages via e-mail:

• Don't ask for unnecessary information; • Don't be a pedant, regarding misspelling and don't send a message containing just a - cryptic error message and number; • Don't require to log in to your site to unsubscribe. Your site isn't that important; • Don't make your reader say it twice, when he asks to be removed; • Offer a variety of e-mail communications so that your friendly message telling how The recipient decides what e- reader has choices and may the address can still be re- mail he accepts and especially stay on your list; moved. how often – and it’s his choice! • Handle it in real time, so re- • Send a confirmation notice Of course none of us wants to move the email address as with a link that invites to re- see the circulation lists shrink, soon as possible; subscribe. It could have hap- but nevertheless the unsubscribe process shouldn’t be • If an error occurs while re- pened that someone unsubscribed by accident, or some- problematic for those who want moving an address, don't just to be removed.◊ display a cryptic error mes- one else unsubscribed the sage - instead send e.g. a person without permission.

From Page 32 — Liberating the Inbox

Summary It is possible to regain control of Following the four basic princi- inboxes despite the changing ples for making email safe and Since email is a mission-critical nature of malware and spam, productive – maintaining proac- business tool, organizations and it is possible to do this effi- tive, up-to-date protection have no choice about learning ciently. against malware, phishing and to cope with its related security Approaching email from the spam, implementing an AUP, challenges, both external and point of view of the infrastructure creating archiving and reporting internal. There are ways to will help identify where best to processes, and monitoring and make this easier in terms of im- put in place checks and bal- filtering content – will in the long pact on users, security adminis- ances. For example, archiving is run ensure an organization’s trators, and the organization as best left to the groupware level, system, and its users’ inboxes, a whole. because it is here that internal are freed from the tyranny of as well as inbound and out- malware and spam.◊ bound mail can be captured.

© MediaBUZZ Pte Ltd Asian Anti-Spam Guide 34 The Great Balancing Act: Juggling Collaboration and Authentication in Government IT At a time when emphasis in government is on the elimination of silos and promotion of secure collaboration across and within agencies, government IT managers are under the gun to ensure that the right people have the right access to the right resources.

Anytime, anywhere network access is critical for the effective and timely operation of government, particularly during times of crisis or disruption. Technologi- cal advancements over the past decade have created tremendous opportunity for federal agencies to provide employees and contractors with remote ac- So Many Users, So Many Au- cess to the appropriate applica- cess to government resources, thentication Challenges tions is critical to regulate the presenting greater potential for flow of information accurately. collaboration regardless of loca- The concept seems simple, but Ensuring endpoint security com- tion. However, remote access consider that on any given day pliance is also increasing in im- can open a Pandora’s box of federal agencies are confronted portance due to the mobility as- security and authentication chal- with having to provide just the pect highlighted above and the lenges for IT managers tasked right levels of access for an ex- consequent security concerns with protecting sensitive data panded set of users (guests, associated with users accessing and preventing vulnerabilities partners, contractors, employ- the network from personal lap- and intrusions. ees) accessing the network from tops that may not comply with A typical government agency a wide range of mobile devices the security policies of the employs a wide range of per- (both managed as well as un- agency’s network. sonnel with a variety of security managed devices). It’s a task Managing user identity is par- clearances in offices across the that can quickly become un- ticularly important for govern- nation. Add to that a large num- wieldy and ineffective from an ment agencies due to highly- ber of part-time employees, con- identity management perspec- sensitive data that could be tractors and consultants, and tive. compromised if the wrong user federal IT managers are faced When controlling remote net- is given a higher level of access with a daunting task: maintain- work access, government agen- than is approved for their role. ing the delicate balance be- cies need to employ a holistic The first step in identity man- tween securing the network and security approach that inte- agement is the creation of a set promoting collaboration across a grates authentication, data en- of policies that establish who is diverse group of workers using a cryption and data protection. permitted access to what infor- variety of endpoint devices. The Two critical elements of identity mation and under what condi- need for authenticated network management must be consid- tions. These parameters must access control is increasingly ered, namely: apply regardless of user location important to ensure that indi- or endpoint device. viduals are granted the appropri- Establishing effective authen- ate levels of access to the tools tication policies Deploying appropriate tech- and information they need to nology “gatekeepers” effectively collaborate — around Ensuring that only authenticated -the-clock and regardless of and authorized users have ac- their location or device used. continues on Page 35

It’s definitely no se- Remember, even spam that sits ISPs to add extra network and cret, spam is ad- in your ‘delete’ box takes up server capacities. In addition, versely costing busi- valuable storage space which they also install their own anti- nesses lots of cost money. spam solutions. All these are money. Here’s a quick look at costs. how: Dip in Productivity

The Intangible Cost Spam simply wastes your em- Anti Spam and Anti-Virus Spam has an often unseen, ployees’ time. Remember the Technology broader economic impact as old adage, ‘Time is precious’? well, affecting many companies With the amount of malicious Well, according to a study by and even nations that are least mail around, these two should Nucleus Research, the average able to bear the burden. Con- always go hand in hand. Most employee spends 16 seconds sider Nigeria, for example. Nu- companies not only spend thou- reviewing and deleting each cleus Research noted that while sands of dollars on anti-spam spam message. Deleting mes- fraud and corruption have been software and hardware solu- sages is turning out to be the rampant in Nigeria for some tions, but they also drop cash on most expensive spam strategy. time, the country may be forever employees and consultants to The same study reveals that the kept in the digital darkness be- plan, deploy and maintain the average employee at companies cause of the volume of decep- technologies. that delete spam messages tive email sent by local spam- loses an average of 7.3 minutes Wasted Storage mers. The research firm noted per week looking for lost legiti- that most spam filters block any mate messages. Quarantined spam (where junk mail with "Nigeria" in the title or messages are placed in a direc- ISP Costs text, effectively keeping anyone tory for review and confirmation communicating with, from, to or It would be naive to believe that by recipients) requires additional about Nigeria from doing it via ISPs aren't passing along junk storage capacities. For many, email. email's tremendous costs to the whole idea of quarantining their customers. In an October It might be interesting for you to spam is so they can take a look 2007 report, anti-spam software check out just how much spam at it at a later time, and maybe vendor Symantec Corp. esti- is costing your business. find email messages that may mated that 70 percent of all be valuable to them. However, For an idea, try email was spam. The traffic bur- most users don’t ever tend to http://www.cmsconnect.com/ den created by junk email forces review their quarantined spam. Marketing/spamcalc.htm ◊

From Page 34 — The Great Balancing Act

As government users require ing user identity and establish- While remote access can en- network access from a number ing endpoint security, while pro- hance inter- and intra-agency of locations, varying from the viding granular user access pol- collaboration, federal IT manag- most carefully managed net- icy adherence. Coupled with ers must also ensure that users works to vulnerable wireless firewalls and intrusion detection do so securely and reliably. With “hotspots,” the network must and prevention (IDP) solutions, a robust access management employ technology to enforce agencies can ensure compre- solution that integrates network authentication policies for those hensive network protection that security, government agencies seeking access and the equip- lends insight beyond just IP ad- can create a responsive and ment they are using. Compre- dresses into who is actually trav- trusted environment for acceler- hensive “network policing” of ersing the network perimeter ating the delivery of intelligence end users and equipment en- and what specific applications and vital resources to better sures appropriate authorization they are accessing. In addition, serve and protect its constitu- that protects against viruses, SSL VPN platforms can collabo- ents.◊ intrusions and other security rate with IDP solutions to ensure breaches. that malicious, non-compliant By Kang Eu Ween, Regional Secure Sockets Layer Virtual users be quarantined and taken Enterprise Solutions Director, Private Networks (SSL/VPNs) off the network, thereby proving Juniper Networks are a superior means of gather- end-to-end, real-time network protection.

While these attacks can be Use multiple e-mail addresses blocked, some spam is still likely to get through. Currently, there When posting to newsgroups or is no foolproof way to prevent using unfamiliar websites, we spam, but educating users is still recommend creating a particular the crucial factor in fighting the e-mail address for that specific nuisance. purpose. An online search for "disposable e-mail addresses" Check out the following meth- provides you immediately with a ods to prevent spam: list of e-mail providers designed for one-time use e-mails. Disguise e-mail addresses Spam is seen as a minor an- posted in a public electronic Use a filter noyance by some users, while place others are so overwhelmed Many ISPs and free e-mail ser- with spam that they are forced Opt out of member directories vices now provide spam filtering. to switch e-mail addresses. that may place your e-mail ad- You may also consider simply But just how did spammers dress online. buying the appropriate software. get your e-mail address in the If your employer places your e- Although filters are not perfect, first place? The answer usu- mail address online, ask your they can certainly cut down the ally boils down to the individ- webmaster to make sure it is amount of spam a user re- ual’s online behaviour. disguised in some way. ceives.

Research shows that e-mail ad- Be on guard when filling out Avoid using short e-mail addresses posted on websites or online forms requesting your dresses in newsgroups attract the most e-mail address spam. Spammers use software They are easy to guess, and harvesting programs such as If you don't want to receive e- may receive more spam. robots or spiders to record e- mails from a website operator, mail addresses listed on web- don't give them your e-mail ad- Pay attention to stripping spe- sites, including both personal dress unless they offer the op- cific non-essential attachment and institutional web pages. tion of declining to receive e- type files Some spam is generated mail. If you are asked for your e- through attacks on mail servers, mail address in an online setting It’s proven that files that end methods that don't rely on the such as a form, make sure you with .bat, .exe, .pif, .scr, .vbs, collection of e-mail addresses at pay attention to any options dis- or .crd often contain worms and all. In "brute force" attacks and cussing how the address will be viruses.◊ "dictionary" attacks, spam pro- used. Pay attention to check By Daniela La Marca grams send spam to every pos- boxes that request the right to sible combination of letters at a send you e-mails or share your domain, or to common names e-mail address with partners. and words. Read the privacy policies of websites.

FREE SUBSCRIPTION—CLICK HERE

© MediaBUZZ Pte Ltd Asian Anti-Spam Guide 37 How to ensure your e-mails are not classified as spam Commercial e-mails have in tions like for example newslet- Choose your e-mail appendix general a sales focus - but [email protected] or or attachment carefully that’s exactly very often the [email protected]. Appendices in JPG or DOC for- criteria spam filter manufac- mat are also often used by turers make use of to identify spammers. The Adobe Portable spam. Attached you will find Document format, shortly some tips which are quite named PDF on the other hand, easy to implement, so that has not yet been discovered as your own mailing is not de- an appendix of a spam mail. So, clared as spam. if you dispatch your newsletter The race of the spam producers with an appendix, it is best to versus the anti-spam software use the PDF format. solution providers is in full Avoid HTML versions swing. While professional spammers vehemently try to outsmart Graphics lovers will not like this the always improving filter solu- tip, yet: It’s proven that spam- tions, unaware e-marketers of- mers have a preference for ten only stand on the sidelines HTML formatted e-mails. Those and wonder why their e-mails of you who avoid this and stick apparently do not reach their to formulating e-mails as " plain customers. Yet, it is not so diffi- Do not use cryptic characters, text “, perhaps with hyperlinks to cult to ensure that your e-mails slogans, or abbreviations in adequate, nicely formed web aren’t thrown out by spam filters. the reference line pages, endears himself to filters. Spam filters are sensitive to cer- Write the name of the ad- The inner workings of modern tain buzz words, cryptic charac- dressee correctly anti-spam filters ters, slogans, abbreviations or Next to the intrinsic e-mail ad- even empty subject fields. Ref- The following table shows the dress, the complete name be- erence lines like, WIN NOW or modus operandi of advanced longs in the " To: " line of every 200% IN ONLY ONE WEEK are anti-spam software. Steps 1-3 e-mail. Accompanied with a per- classified and rightly eliminated have already been explained. sonal salutation in the body of as spam. Step 4 shows the latest statisti- the mail, the risk of being cal process technology which blocked by spam filters already Don’t use "non-words" in the automatically categorizes e- sinks significantly. Among the mail body mails with high accuracy as millions of spam mails which are The active wordlists of spam SPAM or NOT SPAM, after indi- dispatched daily, only a few e- filters provide an immediate con- vidual setup by the receiver. mails can be found which corre- fiscation of the mail, if fishy spond to this exemplary pattern. words are detected. No chance anymore?! Spam filters are aware of this Advanced solutions even permit Many programs also use individ- and therefore are more likely to a weighing of single words, so ual based Anti-SPAM lists. Once bend the rules with properly ad- that if a defined threshold value your e-mails have landed in dressed e-mails. is exceeded, the whole mail such a personal exclusion list of Use a genuine sender's ad- quickly gets moved into quaran- a receiver, further contact with dress tine. That’s why flowery phrases this addressee will be impossi- ble.¨◊ Not only the address of the ad- in the body of the e-mail should dressee, but also the one of the be avoided, besides the already By Daniela La Marca sender states a lot about the mentioned slogans in the refer- Based on quality to be expected of the e- ence line, as for example "Super “ So werden E-Mails nicht als mail contents. E-mail marketing -Extraordinary-Special-Offer " Spam klassifiziert” by Markus activities, which for organiza- and abbreviations like XXL, Goss, VP Marketing, tional reasons aren’t sent by a XXX, or similar. The best ap- GROUP Technologies AG, personal sender's address, are proach is to set the benchmark Germany more likely delivered, if the with common word and style sender’s address consists of elements of a classical profes- entire word or name combina- sional letter.

The Hack is back! Actually ill- intentioned hackers (who were never really gone) will continue to inject Mobile Mali- cious Code (MMC) into otherwise reputable sites. Using SQL and iframe injections, plus other attacks, hackers go on infecting popular, legitimate Web sites with malicious code. Typically, the infections are timed for peak traffic at the site. The worst part is that visitors don’t have to explicitly download any content to have their own machines infected. Simply browsing or “driving by” sections of these infected sites allows evil scripts to embed themselves in customer PCs and do tremendous damage. Because these are well-known, found to have insufficient secu- Infected devices might even reputable sites—some of the rity features, leaving them vul- be sitting on your living room most trusted names in online nerable to infection. Because mantel! news and commerce—URL- widgets often have access to Digital picture frames and filtering and reputation tools the host operating system, they memory sticks are now vul- won’t block users from visiting pose major risks to users. nerable to attack them. In February, a major electronics Thieves and “ne’er-do-wells” retailer warned customers that a Web sites will remain vulner- will continue to target laptops popular model of digital picture able to attack until security harboring valuable identity- frame, which connects to a com- training and testing become based information. puter over a USB port to display mandatory for Web develop- The black market for personal images, had become infected ers. records (about US$14/name) with the Mocmex Trojan Horse. Web site developers are busy makes laptops attractive targets The popularity of digital photog- learning about new technologies for thieves. A laptop with re- raphy and music downloads is such as Adobe Flex and Micro- cords for 10,000 employees, for leading users to connect a wide soft Silverlight. Security remains example, is worth about variety of devices to their com- an afterthought. As well, evil- $140,000 on the black market. puters. Unfortunately, not all doers continue to develop new Not bad for a dishonest day’s these devices are safe. programs for breaking through work! firewalls and infiltrating HTTP Storm warning! Botnets, like applications and SSL communi- Online videos will become a the Storm botnet, will be re- cations continues. To stay safe channel for attacks. sponsible for the bulk of requires vigilance and reliable spam and malware infections Cisco has already had to patch security solutions. this year. its VOIP protocol to close a security loophole. Vulnerabilities Major botnets (networks of in- Malware infections will spread surely exist in video formats, as fected computers) are now for through widgets in Web sites well. The ever-growing popular- rent to spammers and criminals. and dashboards. ity of videos and video sites The Storm botnet, comprising Even hailing from such leading such as YouTube ensures that over 85,000 machines infected developers as Microsoft and hackers will not neglect this for- by a Trojan, sent about 20% of Yahoo!, widgets have been mat for long. the world’s spam in 2007.

continues on Page 39

From Page 38 — Blue Coat’s Top Security Trends for 2008

Researchers have recently dis- Web security will continue to • Learn how to recognize their covered new, even more insidi- be thwarted by the perform- format and pattern and watch ous botnets, such as MayDay. ance and scalability limitation for them of most Web gateway prod- • Educate all members of the ucts. Through social network sites, IT Dept and Senior Manag- we’ll find old friends—and ers new malware. A “dirty little secret” of the IT security industry is that most • Deploy tools to help you pro- Facebook and MySpace con- Web security gateway products tect your data tinue to add users at an impres- are architecturally incapable of • Do research and look for sive clip, but these sites and scaling to meet enterprise vendor tools that provide you their myriad applications are needs. Enterprises will continue with not just desktop anti vi- vulnerable to attack. For exam- to find themselves short- rus protection, but also: ple, security researchers re- changed by products that prom- • Distributed application threat cently identified Facebook’s im- ise comprehensive network pro- monitoring age uploader as a significant tection but don’t deliver on per- threat to end user security. formance. • Information on employee

web browsing activity In response to identity thefts, Conclusion • Prevention from virus in- companies will begin using jected reputable web sites custom identity numbers Security threats still abound and rather than Social Security some can be disastrous to com- • Filtering to block malicious numbers to identify individu- pany IT infrastructure and cor- URLs and code als. porate data. To better protect • Laptop lock down and recov- your organization, Blue Coat ery processes ◊ New identity standards such as suggests: Open ID will gain popularity as • Be aware and keep current organizations try to minimize of these threats exposure to identity theft.

Symantec recently released a Since these channels are goods and services on the un- detailed study on cybercrime “always open,” advertisers often derground economy, accounting delving into an online under- use scripts to schedule auto- for 31 percent of the total. While ground economy that has ma- matic message broadcasts stolen credit card numbers sell tured into an efficient, global across many servers and chan- for as little as $0.10 to $25 per marketplace in which stolen nels. Along with selling specific card, the average advertised goods and fraud-related ser- items, advertisements are also stolen credit card limit observed vices are regularly bought posted requesting particular by Symantec was more than and sold, and where the esti- goods and services, such as $4,000. Symantec has calcu- mated value of goods offered credit cards from a certain coun- lated that the potential worth of by individual traders is meas- try, or a cashier of a specific all credit cards advertised during ured in millions of dollars. gender. the reporting period was $5.3 The report is derived from billion. The popularity of credit data gathered by Symantec’s cards are easy to use for online Security Technology and Re- shopping and it’s often difficult sponse (STAR) organization, for merchants or credit providers from underground economy to identify and address fraudu- servers between July 1, 2007 lent transactions before fraud- and June 30, 2008. sters complete these transactions and receive their goods. Two of the most common plat- Also, credit card information is forms available to participants in often sold to fraudsters in bulk, the online underground econ- with discounts or free numbers omy are channels on IRC serv- provided with larger purchases. ers and Web-based forums. Many of the goods and services Both feature discussion groups advertised on underground The second most common cate- that participants use to buy and economy servers form a self- gory of goods and services ad- sell fraudulent goods and ser- sustaining marketplace. For ex- vertised was financial accounts vices. Items sold include credit ample, spam and phishing at- at 20 percent of the total. While card data, bank account creden- tempts are attractive because of stolen bank account information tials, email accounts, and just their effectiveness in harvesting sells for between $10 and about any other information that credit card information and fi- $1,000, the average advertised can be exploited for profit. Ser- nancial accounts. Along with the stolen bank account balance is vices can include cashiers who potential financial gain from the nearly $40,000. Calculating the can transfer funds from stolen sale of such information, the average advertised balance of a accounts into true currency, profits can also help build an bank account together with the phishing and scam page host- underground economy business average price for stolen bank ing, and job advertisements for as profits from one exploit can account numbers, the worth of roles such as scam developers be reinvested and used to hire the bank accounts advertised or phishing partners. Advertisers developers for other scams, during this reporting period was on underground channels at- used to purchase new malicious $1.7 billion. The popularity of tempt to capture attention for code or new phishing toolkits, financial account information is their messages using tech- and so on. likely due to its potential for high niques such as capitalization, payouts and the speed at which The potential value of total ad- multi-colored text, ASCII flares, payouts can be made. In one vertised goods observed by Sy- and repeated sales pitches case, financial accounts were mantec was more than $276 across multiple lines (similar to cashed out online to untrace- million for the reporting period. blanketing a wall with the same able locations in less than 15 This value was determined us- advertising poster). Typical ad- minutes. ing the advertised prices of the vertisements list the available goods and services and meas- During the reporting period, Sy- items, prices, and other details ured how much advertisers mantec observed 69,130 distinct such as payment options, con- would make if they liquidated active advertisers and tact information, and qualifiers to their inventory. 44,321,095 total messages describe their goods such as posted to underground forums. “100% successful,” “fast,” or Credit card information is the “legit”. most advertised category of continues on Page 41

From Page 40 — The Underground Economy

The potential value of the total Exploits are another effective advertised goods for the top 10 malicious tool. Exploits consti- most active advertisers was tute vulnerability information and $16.3 million for credit cards and exploit code. They differ from $2 million for bank accounts. the other categories of attack Furthermore, the potential worth tools in that they are not auto- of the goods advertised by the mated by nature. When exploits single most active advertiser are incorporated into automated identified by Symantec during tools, they can then be classified the study period was $6.4 mil- as attack tools. The exploits lion. available in the underground economy are typically tailored to Malicious tools specific market demands. Profit- Malicious tools enable attackers able activities in the under- to gain access to a variety of ground economy (such as iden- keted on underground economy valuable resources such as tity theft, credit card fraud, servers were also observed by identities, credentials, hacked spam, and phishing) require a Symantec during this reporting hosts, and other goods and ser- constant supply of resources period. Products include spam vices. Some malicious tools and (such as compromised personal software, spam relays, compro- services are designed to counter information, credit card num- mised computers to host phish- security measures such as anti- bers, and hosts). Many of these ing scams, and content such as virus software to increase the goods and services are pro- phishing scam pages and phish- lifespan of a malicious code duced by attackers who exploit ing scam letters. Spam is often sample in the wild. The result is vulnerabilities in Web applica- used to advertise black-market a cycle whereby malicious tools tions and servers. The market products—such as pharmaceuti- must be continuously developed for exploit code and vulnerability cal drugs, pump-and-dump and used to produce other information is geared toward stock scams, and pornogra- goods and services. The profits attackers and malicious code phy—and to distribute malicious from these goods and services developers who wish to incorpo- code and launch phishing at- may then be reinvested into the rate fresh exploits into attack tacks that steal credentials, per- development of new malicious toolkits and, therefore, represent sonal information, and credit tools and services. a distinct category of their own. card numbers. Tools range from kits that auto- The highest ranked exploit dur- The highest priced kit during this matically scan and exploit vul- ing this reporting period was site reporting period was for the nerabilities to botnets. These -specific vulnerabilities in finan- hosting of phishing scams, tools may be used to provide cial sites, which were advertised which was offered for an aver- services such as denial-of- for an average price of $740, age price of $10. Prices for this service (DoS) attacks, with prices ranging from $100 to service ranged from $2 to $80. spamming and phishing cam- $2,999. In some cases, it ap- Scam hosting services are often paigns, and finding exploitable pears the same vulnerability advertised with guaranteed up- websites and servers. They can was advertised at both the low time, and virtual hosts may be also be used to generate a num- and high ends of the price included in the scam page ser- ber of goods, such as compro- range. This may indicate that vice. Scammers may also ac- mised hosts, credentials, per- the value of the exploit de- quire domain names by using sonal information, credit card creased as it became over- stolen currency and credit cards data, and email addresses. traded, resulting in many attack- to buy from domain name regis-

ers exploiting the same vulner- trars. Additionally, some adver- The highest priced attack tool, ability in the same financial ser- tisers offer periodic rates for on average, during this reporting vice. Attacks such as these are daily, weekly, and monthly host- period was botnets, which sold very noisy and difficult to con- ing. Periodic hosting services for an average of $225. A botnet duct without detection, increas- range from less than $1 per day can persistently produce many ing the likelihood that the vulner- to $15 per day. other goods and services; it can ability will be noticed and be rented out for specific attacks Diversity is the name of the patched by the maintainer of the or on a periodic basis; and it can game affected website. be upgraded to create new The underground economy is sources of revenue. Spam and phishing tools and geographically diverse and gen- related goods and services mar- erates revenue for cybercrimi- continues on Page 42

It goes without saying that any significant thought as to the spam is a problem. Today's effect of the rules on the variety anti-spam filters struggle to of character sets and language distinguish good email from strings used in the region. junk. But is the cure worse Although there is a variance in than the disease? estimation and calculation of the In response to the vast numbers global spam problem, industry of spam emails being received, analysts acknowledge the prob- anti-spam software vendors lem is a large and growing one. have endeavored to stop spam Ferris Research has predicted from entering inboxes through that the global cost of fighting various means like anti-spam spam in 2008 could be as high filters and firewalls. These cur- as $140 billion, and the total rent-generation email security number of spam sent this year solutions in use rely primarily on could reach 40 trillion mes- English-centric keyword and sages. In 2006, the Radicati content filters to scan through Group found there were 1.1 bil- incoming emails, and send sus- lion email users worldwide with pected spam to the rarely over 171 billion messages sent. become more aggressive in checked junk email folders. Radicati concluded that over their filtering techniques in order Worse still, often the filtering 80% of all messages were to show customers that their technology completely removes spam. inboxes are protected from this disease. the email and the intended recipient has no knowledge that What does this mean for busi- “False positives,” or legitimate the email was ever sent to them. nesses? email incorrectly identified as spam, often go into a junk mail Email recipients in countries in To put it simply, the volume of folder, or do not get through to the Asia Pacific region are par- messages moving through the intended recipients at all. The ticularly vulnerable to the key- internet and the methods used email filter’s arbitrary judgment word, character and IP filtering by the anti-spam vendors to about what is a real email ver- undertaken by the anti-spam solve the spam epidemic have sus what is spam creates signifi- filters. The majority of the solu- significantly increased the risk of cant additional work for IT staff, tions in operation have been legitimate emails being classi- network administrators and ISPs designed for English language fied as spam. One of the most as disgruntled customers ask email markets and applied to widely adopted approaches has Asian language markets without been for the anti-spam filters to continues on Page 43

From Page 41 — The Underground Economy

nals who range from loose col- Governments have become “As evidenced by the Report on lections of individuals to organ- more sophisticated in their the Underground Economy, to- ized and sophisticated groups. awareness of cybercrime, and day’s cybercriminals are thriving During this reporting period, specific legislation has been of information they are gathering North America hosted the larg- developed at various national without permission from con- est number of such servers, with and international levels to com- sumers and businesses,” says 45 percent of the total; Europe/ bat online fraud. As with crime Stephen Trilling, vice president, Middle East/Africa hosted 38 anywhere, the online under- Symantec Security Technology percent; followed by Asia/Pacific ground economy will continue to and Response. “As these indi- with 12 percent and Latin Amer- be a struggle between partici- viduals and groups continue to ica with 5 percent. The geo- pants looking to profit from fraud devise new tools and tech- graphical locations of under- and the various authorities and niques to defraud legitimate us- ground economy servers are antifraud organizations trying to ers around the globe, protection constantly changing to evade shut them down. and mitigation against such at- detection. tacks must become an international priority.”◊

From Page 42 — Losing Email is No Longer Inevitable them to find out why they did not receive an email sent by a known correspondent. Privacy also becomes an issue for business, as anti-spam filters scan through emails containing commercially sensitive information. In industries such as the health industry, not only is the privacy issue a major concern, but the subject matter often overlaps with terms used by spammers to entice people to use adult web sites. This results in the industry unable to rely upon email communications. Certainly by using more aggres- How does the technology No room for errors sive filtering techniques, the work? number of spam reaching in- The only two people who can be boxes decreases significantly, False positive prevention soft- absolutely certain that an email but the risk of losing legitimate ware uses technologies like au- is authentic, are the sender and email also rises. This leads to thentication, reputation, Sender the receiver. By trusting anti- lost business, eroded customer ID, and DKIM. By using safe- spam filters to make guesses on service, lost customer confi- lists, as opposed to blocklists, which emails are spam and dence and miscommunication the technology focuses on en- which are authentic, companies among business contacts. suring that authentic emails are are allowing for errors. protected from anti-spam filters. Once a company has positive How is this issue being ad- This methodology is further en- email reputation, the anti-spam dressed? hanced when companies regis- software which it faces at the ter their adherence to best prac- Is it possible to stop spam, and recipient's end becomes less tice email-sending techniques relevant. When email comes still receive all of your legitimate with organizations that manage email? Absolutely. from a trusted sender, it gets safelists, like Return Path, to fast-tracked and sent straight to False positive prevention (FPP) ensure positive email reputation. the intended recipient’s inbox. is the latest category in email This new solution category can There is no content-filtering or re security that specifically ad- also incorporate aspects such -routing involved. dresses the protection of legiti- as automated whitelisting of a Losing legitimate email is no mate email. Revolutionizing company’s correspondents and email security, FPP shifts the longer acceptable. Losing legiti- reference of a suspect email mate email is no longer inevita- focus to protecting legitimate against various reputation data email first and then blocking ble. The latest evolution in phi- feeds available in the industry. losophy and approach to email spam, rather than just blocking By ensuring that innocent emails fraudulent and malicious emails protection solves the problems are saved from the scrutiny of created by anti-spam filters. and losing legitimate email in anti-spam filters, false positive the process. False positive pre- prevention guarantees that one- With the widespread use of vention software – used alone or to-one emails are always deliv- email today, companies and in conjunction with existing anti- ered. It could be considered Internet Service Providers have spam technologies – ensures very similar to the APEC lane at a responsibility to ensure that that legitimate emails are fast- the airport where “pre- email communication is safe- tracked to the user’s inbox, by- authenticated” passengers are guarded. False positive preven- passing the risk of the anti-spam fast-tracked through immigration tion software has the power to filter misclassifying the email. channels and not subject to ad- guarantee, without doubt, that This not only guarantees that ditional checks imposed on the an email you send will be re- legitimate emails reach the general passengers. ceived - no questions asked.◊ user’s inbox, it also means that content does not need to be By Manish Goel, CEO, scanned, which ensures com- BoxSentry plete privacy in the communication.

Cybercriminals are increas- • Around the world, malware cybercrime laws and the differ- ingly crafting attacks in multi- authors are exploiting the ences in extradition treaties ple languages and are exploit- viral nature of Web 2.0 and make it difficult for enforcement ing popular local applications peer-to-peer networks agents to prosecute criminals to maximize their profits, ac- across borders. cording to a new McAfee, Inc. • More exploits than ever be- report. fore are targeted at locally Europe: Malware Learns the popular software and appli- Language “This isn’t malware for the cations masses anymore,” observes Jeff With 23 languages in the Euro- Green, senior vice president, “Malware has become more pean Union alone, language McAfee Avert Labs. “Cyber- regional in nature during the barriers used to be a hurdle for crooks have become extremely past couple of years,” notes miscreants. Consumers in non- deft at learning the nuances of Green. “This trend is further evi- English speaking countries often the local regions and creating dence that today’s cyber-attacks simply deleted English-language malware specific to each coun- are targeted and driven by a spam and phishing e-mail. To- try. They’re not skilled just at financial motive, instead of the day, malware authors adapt the computer programming — glory and notoriety of yester- language to the Internet domain they’re skilled at psychology and year’s cybergraffiti and fast- site where the scam message is linguistics, too.” spreading worms. We’re in a being sent, and malicious Web constant chess match with mal- sites serve up malware in a lan- McAfee Avert Labs examined ware authors, and we’re pre- guage determined by the coun- global malware trends in its third pared to counter them in any try the target is located in. Cul- annual Global Threat Report, language they’re learning to tural events such as the FIFA titled “One Internet, Many speak.” soccer World Cup in the sum- Worlds.” The report is based on mer of 2006 prompted email data compiled by McAfee’s in- scams and phishing sites luring ternational security experts and in soccer lovers. With the in- examines the globalization of creased sophistication of mal- threats and the unique threats in ware, computer users in the EU different countries and regions. are under attack. In the report, McAfee details the following trends and conclu- China: Virtual Entertainment sions: With more than 137 million com- • Sophisticated malware au- puter users — a quarter of thors have increased country whom play online games — -, language-, company-, and malware authors are cashing in software-specific attacks on virtual goods, currency, and Geographical trends: online games. A majority of the • Cyber-attackers are increas- malware found in China is pass- ingly attuned to cultural dif- The United States: The Great word-stealing Trojans — de- ferences and tailor social Malware Melting Pot signed to steal users’ identities engineering attacks accord- in online games and their cre- Once the launching pad of all ingly dentials for virtual currency ac- malware, today, malware in the counts. China has also become US includes elements of mali- a breeding ground for malware • Cybercrime rings recruit mal- cious software seen around the ware writers in countries with writers, as a large number of world. Attackers use increas- skilled coders do not have legiti- high unemployment and high ingly clever social engineering levels of education such as mate work. The conditions have skills to trick victims and are driven these hackers to cyber- Russia and China looking to exploit the viral nature crime in search of money.

of Web 2.0. Although the United • Cybercriminals take advan- States has cybercrime laws in tage of countries where law place, the lack of international enforcement is lax continues on Page 45

From Page 44 — Localized Malware gains ground

Japan: Losing to Winny — Some of the most notorious at- ciation estimated losses at Malware Spreads from Peer to tack toolkits are produced in R$300 million (about $165 mil- Peer Russia and sold in underground lion USD) due to virtual fraud. markets. These gray-market Malware creators rapidly adapt Winny, a popular peer-to-peer malware tools, combined with password-stealing Trojans to the application in Japan, is prone to lack of legislation against cyber- changes banks make to their malware infestations that can crime, lead experts to believe Web sites.◊ cause serious data leaks. When that the Russian mafia will soon deployed in the corporate set- — if they haven’t already —latch ting, malware on Winny can ex- onto computer crime. Although Global View of Threats — pose data, steal passwords, and the Russian economic situation, By the Numbers: delete files. Unlike in most coun- like that of China’s, has driven tries, malware authors in Japan many hackers to a life of cyber- • 371,002 — Total threats are not motivated by money — crime, Avert Labs predicts that identified by McAfee Avert instead authors seek to expose with a strengthening economy Labs as of Feb. 1, 2008 or delete sensitive data on ma- and stronger law enforcement, • 131,800 — Threats identi- chines. Another common target Russian-made malware will fied by Avert Labs solely in in Japan is Ichitaro, a popular gradually decrease. 2007 word processor. There have been several attacks against Brazil: Bilking the Bank • 53,567 — Unique pieces of malware in 2006 Ichitaro users that exploited unpatched security vulnerabilities Miscreants have made an inter- • 246 percent — Growth of to install spyware on the target national showcase out of Brazil malware from 2006 to 2007 machines. when it comes to bilking online • 527 — New malware identi- bank accounts. With a majority fied daily by Avert Labs at Russia: Economics, Not Ma- of Brazilians banking online, the start of 2008 fia, Fuel Malware cybercrooks use sophisticated social engineering scams to trick • 750 — Expected number of The technical skills of Russians Brazilians into giving up per- new malware identified daily in a stumbling economy make sonal information. In 2005 by Avert Labs at the end of for an active market of hackers. alone, the Brazilian Banks Asso- 2008

Cyber-crime shows no signs of abating

300,000 new zombies per day, of types of spam, proving that and during the second quarter you can’t beat the oldies but of 2008 Secure saw half that goodies. amount. Even though both Swizzor, a rapidly growing Secure Computing Corpora- spam and new zombies are ad/spyware family, now makes tion’s Q2 Internet Threat Re- down this year, Secure Comput- up more than 30 percent of all port has revealed that entering researchers point to other new malware in Q2 of 2008. prises and home users are areas that are increasingly prob- The ZBot spyware family is increasingly being attacked lematic, including: another such ad/spyware family through malicious Web con- that has grown significantly this tent and blended security at- Over 16 percent of all spam quarter. ZBot steals users’ sen- tacks. originates from the U.S., more sitive data while establishing a The company’s research states than twice the amount of the No. backdoor on infected computers that even though the overall 2 country, Russia. In Asia, the to give the attackers full control spam volume is up 280 percent top spam originators are China, over compromised systems. from Q2 2007 to Q2 2008, spam India and South Korea. 50 percent of all websites are volumes have decreased by 40 Male enhancement, product now published in languages percent this quarter. In addition, replica and prescription drug other than English. Q2 of 2007 witnessed over spam hold the top three places continues on Page 46

From Page 45 —Cyber-crime shows no signs of abating

“We are Threats are and will continue to iPhone witnessing be driven by financial motiva- The iPhone has been making its change tions. No matter what the threat presence felt in Asia too over every single is, or how it is delivered, the per- the last few months. It has set day in how petrator is almost always looking itself apart as a new kind of per- the cyber- for financial gain. sonalized device, fusing per- criminals are developing new sonal information, location vectors of attack through spam, Forecast and Predictions awareness, and mobile network- malicious Web content, spyware Brace Yourself: Spam Flood ing capabilities. With this sum and botnet deployments,” says likely Heading Your Way Once total of personal intelligence Dmitri Alperovitch, director of Again carried by the device, Secure intelligence analysis at Secure According to Secure Computing, Computing expects that mali- Computing. “Through our ad- one prediction that’s relatively cious parties will begin to de- vanced TrustedSource global easy to make given the nearly velop malware for the purpose reputation system and our re- half a decade of historical obser- of harvesting these devices for search team’s ability to analyze vations of this trend is the fact data, which can be made avail- and classify terabytes of email, that every single year, spam able through a black-market Web and network traffic in real- volumes increase dramatically in botnet, and additionally attempt time, we are in an excellent po- the second half of the year and to turn these devices into zom- sition to identify new trends and peak by December/January be- bies capable of saturating not protect our customers from new fore declining in the first months only networking targets, but tele- insidious threats.” of the new year. There are many phone-based targets. Further- Summary of Key Threats in theories floating around con- more, the iPhone’s combination Q2 2008: cerning this trend but whatever it of camera, audio, location is, come late August/early Sep- awareness, and personal data The threats challenging the tember, expect your mail vol- in a full features operating envi- enterprise today are becoming a umes to start their annual dra- ronment makes it a good target blended variety that challenge matically (sometimes by as for a type of spyware used as both Email and Web security. much as 50-60%). voyeurism, cyber-stalking, or Without integrated and corre- Secure Your Wireless Router other very directed forms of lated protection between the phishing. two, the ability to stay ahead of The bad guys have discovered these threats will become in- networking equipment as an Other Developments to Watch creasingly difficult. additional vector to gain control • Topical spam was on the rise Threats are becoming more over computing resources. this year and Secure Com- and more sophisticated as re- Since most users never touch puting expects a surge of cipients of threats are better their wireless router once it’s set topical spam and malware educated on what to look for. up (and many times not even attacks Users are more cautious and change the standard password), utilizing the wireless router for • More and more legitimate site this has lead to a rise in more being compromised through cunning ways to harvest per- attacks is very tempting to ad- versaries. iframe injections, cross-site sonal information without users’ scripting attacks and ad- apparent involvement. Secure Computing warns to ex- network compromises. Spammers are continuing to pect more attacks of internal • Integration of social networking use pop culture and current network infrastructure during the components into a wide vari- events (elections, Olympics) to coming year. Once such a de- ety of sites is going to con- entice end users into respond- vice is exploited, malware can tinue to grow ing or clicking on links whose do its job more or less clandes- sole purpose is to download tinely. While this is mostly a Secure Computing researchers malware. The excitement over threat for home networks, enter- recommend that both enter- seeing a video of breaking news prises should also make sure prises and consumers assure of an earthquake in China or the that there infrastructure is se- their software and patches are new sensational photos of your cure. Vulnerabilities in network up-to-date, and that they imple- favorite celebrity can occasion- printers are not unheard of too. ment a multi-layered approach ally encourage even the most When was the last time you to preemptively detect and block cautious users to open what checked your printers for mal- attacks.◊ could be suspicious mail. ware? By Shanti Anne Morais

Spam is viewed as a growing ent is in Singapore when the noted that problem and threat every- message is received. the Act itself where, and Asia has not been Bulk unsolicited email may still has been spared. The questions, does be sent out though, but it must criticized often for its lack of am- anti-spam legislation help has include an unsubscribe facility biguity in certain areas such as been thrashed by many, and that must be in English if it applies to text messages was one of the questions (additional languages are o.k.). sent to fixed lines and instant posed at MediaBUZZ’s Anti- The unsubscribe facility must be messaging. Some also criticize Spam panel discussion on clear and conspicuous, cannot it for its support of businesses October 23, 2008. cost more than normal, must be and marketers in general. It’s All the panelists there agreed valid and capable and able to important to note that unless the that while anti-spam legislation receive the requests, maintained spam itself is unscrupulous in is a step in the right direction it for 30 days from date message nature and origin, what one per- in no way will stem the tide of was sent. Companies are given son views of as spam, may be a spam. The major reason for this 10 business days to comply and message of importance to an- is the fact that most spam origi- cannot disclose details to other other. nate from outside (how much of parties without consent. Japan’s Anti-Spam Law the spam in your Inbox actually In addition, labeling must be of the forerunners of anti-spam originates from a Singapore provided. Here the subject/ legislation in Asia is Japan. The source?). header of the message cannot country passed its Anti-Spam In this article, we take a brief be misleading, must be law in 2002 . However, the glance at some of the Anti- included at the beginning of the country’s spam problem has Spam laws in the region. subject for email and the mes- evolved since its legislation sage for SMS/MMS. The email came into play and this has re- Singapore’s Anti-Spam Act of address that is sending out has sulted in amendments made to it 2007 to be accurate and functional. in June 2008, the most substan- This law which came into effect Who’s liable for non-compliance tial being that the country has on the 15th of June 2008, was to the Act? switched from an opt-out regime by no means an easy issue for to one that is completely opt-in. • The sender or person who the Singapore government. Its As late as 2004, the vast major- causes or authorizes the goal is not the prohibition of ity of spam in Japan was sent to sending spam but the control of spam. It mobile phones rather than applies only to electronic mes- • Any person who knowingly PCs. This no longer holds true: sages and does not cover mail, allows his product/services to Japan has been largely suc- voice mail, fax and telemarket- be advertised or promoted cessful in its efforts to reduce ing. It also only applies to com- unless that person has taken mobile spam; however, spam mercial emails unless part of a reasonable steps to stop the sent to PCs has exploded and dictionary attack or address har- sending of such messages now constitutes the vast majority vesting software scheme. There • The Consequences? of spam in the country. In 2006, is a government exception relat- close to 90% of spam in Japan ing to public emergencies, mes- • Civil liability – anyone can was sent to PCs (it was less sages that touch public interest take action so long as loss or than 30% in 2004). Of the spam and security and national de- damage can be proven sent to PCs, more than 90% fense. The Act applies to unso- • Any person who contravenes was advertisements for match- licited commercial mail that are or aids/abets/procures a con- making (dating) sites, 2% was sent in bulk via electronic mail, travention may be sued for adult sites and the remaining text messaging (SMS) to mobile Statutory damages are capped messages were for all other phones, multi-media messaging at S$25 per electronic message content. to mobile phones – and only and cannot exceed S$1 million The History of Japan’s Anti- those with a Singapore link. By unless actual loss is greater. Spam Legislation this, it means that the message originates in Singapore; the While the Singapore govern- A large increase in spam sent to sender is in Singapore and the ment can definitely be ap- mobile phones gave rise to in- device used to access the mes- plauded to finally introducing dustry self-regulation in 2001 by sage is in Singapore; the recipi- this long-awaited bill, it has to be continues on Page 48

From Page 47 — Asian Anti-Spam Acts mobile operators and, in 2002, wanted spam and has Additional Requirements two national laws were enacted switched to an “opt-in” regime In addition to requiring opt-in to combat spam – the Law Con- where recipients must af- consent; there are four further cerning the Proper Transmission firmatively agree to receive requirements under the New of Specified Electronic Mail (the commercial email before Anti-Spam Law that Senders “Anti-Spam Law”) and the Law Senders can send it. must fulfill: for the Partial Amendment to the • Fines for violating the law or • Senders must keep records Law Concerning Specified Com- relevant regulations have which prove that the recipi- mercial Transactions (the been substantially increased. ents requested the emails; “Revised Transactions • Senders must honor opt-out Law”). The Japanese govern- Permitted Recipients of Com- requests received from indi- ment first amended the Anti- mercial Email (Opt-In) viduals; Spam Law in 2005 (the “2005 Anti-Spam Law”). Most re- Under the New Anti-Spam Law, • Senders must include certain cently, on June 6, 2008, the a Sender may only distribute information in the commercial government amended the Anti- commercial email if the recipient email sent; and Spam Law a second time (the falls into one of the following • Senders are prohibited from “New Anti-Spam Law”) in hopes categories: sending email using proof curtailing its continuing spam • Individuals who have notified grams that generate email problem. The New Anti-Spam the Sender in advance that addresses and from falsifying Law will go into effect once the they request or agree to re- information about them- government issues an imple- ceive commercial email; selves. menting order with regulations • Individuals who have pro- supplementing the law, which it vided the Sender with their Record-Keeping Require- must do by December 6, own email addresses; ments 2008. The Ministry of Internal • Individuals who have a pre- Senders who send commercial Affairs and Communication email must keep records that (“MIC”), which is in charge of existing business relationship with the Sender; and prove that the recipients agreed regulating the telecommunica- to receive commercial emails in tions and broadcasting industry, • Individuals (limited to those advance. The implementing or- enforces the New Anti-Spam engaged in for-profit activi- der will specify exactly what in- Law. ties) or groups that publicly formation the Sender must pre- announce their own email The New Anti-Spam Law ap- serve to fulfill this requirement. addresses. plies to all commercial email Honoring Opt-Outs sent to or from Japan by for- Because all of these categories Senders are prohibited from profit groups or individuals en- require affirmative acts by the sending commercial email to gaged in business. Therefore, recipient before a Sender is per- recipients from whom Senders the law is now applicable to any mitted to transmit commercial have received subsequent opt- Sender who sends commercial email, Japan has essentially out requests. There is no “grace email to recipients in Japan, adopted a modified opt-in sys- period” for complying with such regardless of where the Sender tem for commercial email regu- a request. (s) are located. lation.

Labeling Requirements The New Anti-Spam Law does Commercial email must contain Several substantial amend- not describe how individuals ments to the 2005 Anti-Spam the Sender’s name and title, as must notify Senders of their well as an email address that Law were made in June 2008: email addresses for the opt-in to recipients can use to send opt- • Previously, the law provided be valid. Nor does it indicate out notifications. These items for substantial categories of what constitutes a “business must be clearly indicated so commercial email that were relationship” or how an individ- they are visible on the recipi- exempt from its rules. These ual or group “publicly announces ent’s screen. Although these exemptions no longer exist. their own email address” for opt- requirements are less strict than in purposes. These are ex- • Before the amendments, the those imposed by the 2005 Anti- pected to be clarified in the gov- law established an “opt-out” Spam Law, the Japanese government’s implementing order regime, much like the U.S.’s ernment may impose additional (expected to be out in Decem- CAN-SPAM Act. Japan has labeling requirements when it ber 2008). decided that this framework is issues the implementing order. insufficient to curtail un- continues on Page 49

From Page 48 — Asian Anti-Spam Acts

Computer Generated Email Lastly, the New Anti-Spam Law and text messages which don’t Addresses and False Sender authorizes MIC to share infor- have the receivers’ consent will Information mation with foreign govern- be fined up to VND80 million. Senders may not send email to ments.] Accordingly, non- email addresses that have been Japanese Senders may face Hong Kong’s Unsolicited generated using a program that scrutiny from their home regula- Electronic Messages Ordi- automatically combines sym- tors in regard to commercial nance (the UEMO) bols, letters and numbers to cre- email they send to Japan. The Unsolicited Electronic Mes- ate email addresses. They may sages Ordinance (the UEMO) not send blank emails, which Vietnam’s Decree on Spam was enacted in May 2007 and attempt to obtain active ad- A survey by the Vietnam Com- came into full effect in Decem- dresses, or disguised emails, puter Emergency Respond ber 2007, with the aim of regu- such as those apparently from Team (VNCERT) under the Min- lating the sending of all forms of friends of the recipient. Senders istry of Information and Commu- commercial electronic mes- must also not disguise or falsify nications (MoIC), the agency sages (CEMs) with Hong Kong the email address used to send compiling the decree on spam links. It establishes the rules for commercial email or the sym- email, revealed that around 30% sending CEMs such as provid- bols, letters or numbers that of the survey participants said ing accurate sender information identify the electronic communi- that 80% of the emails they re- and unsubscribe facilities as cation device or facility used to ceive are spam emails. Half of well as the launch of the do-not- send the email. them said that over 30% of the call registers, and prohibits pro- spam emails are in Vietnamese. fessional spamming activities Penalties for Violation More than 78% said they hate such as the use of unscrupulous If a Sender violates its obliga- spam and 63% want to have means to gather/generate recipi- tions under the New Anti-Spam regulations to control spam ent lists for sending CEMs with- Law, the Minister of MIC can emails. Bearing this in mind, it’s out the consent of recipients, order the Sender to take meas- no surprise then that Vietnam is and fraudulent activities related ures to bring itself into compli- the latest Asian country to intro- to the sending of multiple CEMs. ance. The Sender may also be duce anti-spam legislation. subject to a fine of up to According to the Ordinance, all The country’s Anti-Spam Decree ¥1,000,000 or imprisonment for senders of commercial elec- bans organizations and individu- up to a year if it violates such an tronic messages (including als from using electronic means order. emails, short messages, faxes, to deliver spam mails, exchange pre-recorded telephone mes- The Minister of MIC may also or trade e-mail addresses or sages) are now required to pro- require Senders to submit re- deliver software products that vide clear and accurate sender ports regarding the Sender’s collect e-mail addresses, etc. information in the message, in- transmission of commercial Senders of spam e-mails and cluding name, contact telephone email, and may inspect the text messages which aim to number and address. If the mes- Sender’s premises, books and cheat, disturb people, diffuse sage is an email, the sender is other documents. A Sender may viruses, or advertise will be also required to provide the con- be subject to a penalty of up to fined. tact email address. It is also not ¥1,000,000 if they refuse to sub- Fines of from VND200,000 to permitted to send email mes- mit such reports or to cooperate VND500,000 will be imposed on sages with misleading subject with an inspection. those who collect e-mail ad- headings. Senders are required In addition, under the New Anti- dresses for advertising without to provide an "unsubscribe facil- Spam Law, Senders may face the consent of the email owners. ity" for their recipients to submit additional penalties if their "unsubscribe requests", and Fines of between VND5-10 mil- agents violate the provisions of honor such requests within 10 lion will be imposed on those the law. A Sender whose agent working days after the requests who allow others to use their violates an administrative order have been sent. Unless consent electronic means to deliver from MIC to comply with the law has been given by the regis- spam emails. is subject to a fine of up to tered user of the relevant tele- ¥30,000,000. If a Sender’s Fines of VND20-40 million will phone or fax number, commer- agent refuses to cooperate with be given to those who trade in cial electronic messages should a MIC investigation, the Sender and diffuse software products not be sent to numbers regis- is subject to a fine of up to that collect e-mail addresses. tered in the Do-not-call Regis- ¥1,000,000. Organizations that provide ad- ters. vertising services through email continues on Page 50

From Page 49 — Asian Anti-Spam Acts China’s regulations on Inter- porting. Users who receive Self-management net Email Services spam are also encouraged to by users On 20 February 2006 the Chi- report to the Spam Reporting Tier 2 : nese Ministry of Information In- Center run by Internet Society of dustry (MII) of P. R. China China accredited by MII. Forward complaint to Service provid- adopted the “Regulations on Internet E-Mail Services”. The Malaysia Communications ers regulations took full effect on 30 and Multimedia Act of 1998 Tier 3 : March 2006 and aims to regu- There are no specific provisions If complaints remain unresolved, late Internet email services and on the illegality of Spam. How- next recourse is to complaint to to protect end-users. ever, the Communications and Consumer Forum of Malaysia Multimedia Act of 1998 states According to the regulations, Tier 4 : Still unresolved, matter that a person who initiates a one should not send commercial escalated to the Malaysian communication using any appli- emails without prior consent Communications and Multime- cations service, whether con- from the recipients, which dia Commission tinuously, repeatedly or other- means the “opt-in” principle is wise, during which communica- adopted. Even if one has prior Anti-Spam Law in Korea tion may or may not ensue, with consent from recipients, the law The Information Network and or without disclosing his identity states that the sender has to Privacy Protection Act ("INPPA") and with intent to annoy, abuse, add the label “AD”, which is the of Korea sets out the minimum threaten or harass any person at abbreviation for “Advertise- procedural requirements for law- any number or electronic ad- ment”, in front of the subject line ful online transmissions. In Ko- dress commits an offence. of a commercial email. The rea transmissions of advertised According to the Malaysian sender of commercial email materials against recipients' re- Communications and Multime- should also provide valid contact fusal to accept are strictly pro- dia Commission (MCMC), Ma- information for the recipients to hibited. Although these rules are laysia has no immediate plans unsubscribe. It’s prohibited to applicable to unsolicited com- to legislate. It will pursue this get others’ email addresses by mercial e-mails via the internet, recourse when there is no other harvesting, selling or sharing they were intended to apply to viable alternative. MCMC is of harvested addresses. all modes of telecommunication the opinion that for legislation to such as cellular phones, fac- Consequences: The MII can be effective, anti-Spam laws in similes, etc. send a simple warning to the all countries must be of similar The Korean government has sender, or apply a fine. In addi- nature and standard so as to made continuing efforts since tion, online fraudulent activities prevent spammers from forum 1999 to curb the increase in and misuse of computer re- shopping. It also feels that legis- spam mail and has since been sources, such as spreading vi- lative action would consequently monitoring the effectiveness of ruses, are considered criminal be dependant on continuous co- the implementation of additional violations according to other operation between countries provisions. The new law targets Chinese laws, and can be pun- and legal systems to ensure that senders of spam mail that are ished with more severe penal- Spam received in one country commercial in nature. Consis- ties, such as detention. will result in legal action being tent with its effort to protect mi- Compared to other national anti- taken in another. Thus, the nors from being exposed to ob- spam laws, the Chinese regula- MCMC will continue to follow scene and violent materials tion does not only regulate the closely the development of online, the Korean government sending of email messages, but countries that have enacted anti has also included a provision in also the provision of email ser- -Spam legislations. the INPPA that requires senders vices. For example, email ser- to label those materials as such. vice providers are asked to The MCMC’s approach to tack- strengthen the protection of their ing spam includes self- The sender must disclose his email servers to avoid their regulation by users through edu- name, contact information (e.g. fraudulent utilization by spam- cation and awareness initiatives e-mail/ mailing address, tele- mers. Also, to make it easier to and management by service phone number), the purpose/ find the evidence of spamming, providers. It has a four-tiered content of the transmitted mate- ESPs are asked to log the email strategy in place to address rials (i.e. "advertising materials") related behavior of their users. spam: as well as an opt-out procedure both in Korean and English. In addition, ESPs are also asked Tier 1 : to accept users’ complaint re- continues on Page 51

From Page 50 — Asian Anti-Spam Acts

New Zealand Unsolicited Elec- the person who authorizes tralia has observed that it can tronic Messages Act sending the message and be reasonably inferred (in the

New Zealand’s Unsolicited Elec- how that person can be con- absence of evidence to the con- tronic Messages Act came into tacted; trary) that a purchaser by email force on 5 September 2007. The • “Address–harvesting soft- order would wish to be kept legislation prohibits unsolicited ware” must not be used in aware of the business of the commercial electronic mes- connection with, or with the vendor. In the case in question sages with a New Zealand link intention of, sending unsolic- the purchaser’s consent to re- from being sent. It also requires ited commercial electronic ceiving future emails could rea- marketers to obtain the consent messages. “Address- sonably be inferred. However, of the receiver of any commer- harvesting software” is soft- the Court also recognizes that cial electronic message before ware that searches the Inter- whether consent can be inferred the message is sent. The term net for electronic addresses from the relationship of the “commercial electronic mes- and collects and compiles sender and the recipient will sage” includes electronic mes- those addresses. Restrictions always be a question of fact and sages (email, SMS text, instant also apply to the use of lists the particular circumstances. messages, but not voice calls or produced (directly or indi- The deemed consent provision facsimile) that market goods, rectly) by use of this software. only applies where: services, land or business op- Obtaining consent • the recipient’s electronic ad- portunities. dress has been published; The consent requirement ap- The Act affects not only those plies to all commercial electronic • the publication is not accom- who send the commercial elec- messages sent, whether to new panied by a “no spam” type tronic messages but also those contacts or existing contacts. statement; and who are directly or indirectly This means that senders of • the message being sent to knowingly concerned in the commercial electronic mes- the recipient is relevant to the sending of them. However, tele- sages will need to have con- recipient in a business or communication service provid- sents from persons on their ex- official capacity. ers are not caught by the new isting electronic marketing lists. legislation merely by the fact of On the flipside, if you use an their providing telecommunica- A positive consent (or an “opt- email addresses on a business tion services that enable the in”) to receive future emails is website, you should include a electronic messages to be sent. required. Including an unsub- “no spam” statement if you do Also, even although a message scribe message – “tick the box if not wish to be “deemed” to have does not contain marketing ma- you don’t want to receive these consented types of emails” – will not of it- terial, it may still be caught by Australia’s Spam Act of 2003 the new legislation if it provides self suffice for consent. The consent requirement ap- Under Australia’s Spam Act a link or directs a recipient to a 2003, it is illegal to send, or message that does contain mar- plies to the sending of one-off emails as well as bulk mail-outs. cause to be sent, unsolicited keting material. commercial electronic mes- The consent of recipients can be either express, inferred or sages. The Act covers email, Key points for compliance: deemed. instant messaging, SMS and • a commercial electronic mes- MMS (text and image-based Express consent is a direct indi- sage must not be sent unless mobile phone messaging) of a cation from the recipient that the receiver has first con- commercial nature. It does not they consent to the sending of sented to receiving the mes- cover faxes, internet pop-ups or the message. This consent can sage; voice telemarketing. be given by the person respon- all commercial electronic • sible for the electronic address The Australian Communications messages must (unless or any other person who uses it. and Media Authority (ACMA) is agreed otherwise) include a Inferred consent arises from the responsible for enforcing the “functional unsubscribe facil- conduct and the business and Spam Act and actively works to ity” which allows the recipient other relationships of the sender fight spam in Australia. (at no cost) to inform the and the recipient. Such relation- For more on Australia’s Spam sender that such messages ships giving rise to consent are Act 2003, read our article ‘Anti- should not be sent to them in likely to exist, for example, be- Spam Legislation and Enforce- the future; tween a service provider and ment Down-Under’◊ • all commercial electronic subscribers to the service. Re- messages must include infor- cently the Federal Court of Aus- By Shanti Anne Morais mation which clearly identifies

Social Networks have become into the costs companies incur Spam and Social Networks: the new playground of spam- when they fight spam, In addi- The Cycle Continues mers. tion, it's doubtful MySpace will So if you have been under the ever see any of the money. impression that social networks This gloomy expectation fuels are safe havens from spam- doubts that the award -- or the mers, think again. Junk mes- law underpinning it -- will serve sages are following users and as any deterrent whatsoever advertising dollars to social net- against the volume of spam working sites, according to an flowing into in-boxes. While the anti-spam researcher, who CAN-SPAM Act of 2003 has a found that spam levels have very large share of detractors, it tripled in recent months. and the penalties it establishes are better than nothing. This Recently, Cloudmark, a com- While earlier this month, the US latest prosecution for example at pany which specializes in anti- federal court awarded MySpace the very least sends a clear spam platforms for service pro- nearly US$230 million in its suit message to fraudsters and viders says it tracked a 300 per- against Sanford Wallace and his spammers. In addition, the fact cent rise in junk messages at a partner Walter Rines -- aka the that such amounts are poten- major social network site it "Spam King” and scoring a win tially recoverable under the anti- works with. In fact, according to for those fighting the anti-spam spam legislation provides addi- the company, in the six months war, the battle is far from over. tional incentive for firms such as leading up to March 2008, social MySpace to prosecute offend- networking sites saw a four-fold Yes, the judgment, especially ers, thereby heightening their growth in the amount of spam given the size of the award, risk levels. on their network. In addition, at represents a decided victory for several major social networking e-commerce sites in their costly Social Networking Vulnerabili- sites, 30 per cent of new ac- battle against spam. Yes, it is so ties counts created are automated far, the largest award since the The case also highlights the lax fraudulent 'zombie' accounts, enactment of the CAN-SPAM security on social networking designed to be used for the pur- Act in 2003. In case you are sites, Matt Shanahan, senior pose of sending advertising wondering, MySpace received vice president at AdmitOne Se- messages, spam and other ma- $223,770,500 in damages under curity. Elaborating on this, he licious attacks. CAN-SPAM, $1.5 million in an- notes, “It is very easy to hijack tiphishing damages allowed by an account," he said, and when The Modus Operandi California statute and $4.5 mil- that happens -- especially on a It does not help that social net- lion for legal fees. massive scale -- the network's works tend to have large popu-

brand suffers.” lations of non-tech savvy users. Yes, the pair were found re- In fact, MySpace did receive a sponsible for orchestrating a lot of negative press in connec- And yes, once again, just in phishing scam designed to har- tion with these incidents -- par- case you are wondering, the vest MySpace login credentials, ticularly over the delivery of type of spam advertised through prior to bombarding members spam containing links to porn social networks is the same type with messages punting gam- Web sites to minors' in-boxes. as that advertised by email bling and smut websites. As spam and punted by much the many as 730,000 bogus mes- Web 2.0 sites like MySpace same people. "There's an im- sages, rigged to appear as have to adopt the same mental- plicit trust in social networking. though they came from their ity that banks and financial insti- People don't think they're going friends, were sent to MySpace tutions did several years ago to be attacked with spam. Peo- members. concerning Internet security, ple don't trust email anymore. Shanahan continued. "All the Spammers are following peo- However, there is unfortunately banks have worked very hard to become trusted names online, ples' online habits. What’s more a bleaker side to the picture. the size and viral nature of so- Namely, the amount of the establishing cutting-edge security controls." award provides a telling look continues on Page 53

From Page 52 — Social Networks: The New Frontiers for Spam cial networks make Web 2.0 an Junk messages, rigged to ap- And of course, what’s even attractive new target for spam- pear as though they came from more frightening is that despite mers," states Cloudmark chief their friends, are more likely to anti-spam legislation, the prob- executive Hugh McCartney. be acted on by recipients on lem is not expected to disappear social networking sites com- but in fact is predicted to get It is important to note that social pared to the same messages worse. After all, anti-spam legis- network spam is not limited to received by email. Social net- lation while acting maybe as a friend invitations, but also in- work spammers try to recruit deterrent can only do so much. cludes social network tools such friends by posting profile pic- At the end of the day, though, as pokes, chats, comments, tures that depict them as attrac- users must share some of the bulletin board messages, blogs tive young women. By recruiting responsibility for protecting and application communica- people into their groups or net- themselves. Once again, it tions. works it's easier for spammers seems that user education is to subsequently send them one of the key strategies that Social networking spam can be spam. has to be employed in the never messages between users or -abating war against spam. posts to walls or other similar Furthermore, spammers are applications. Social network starting to use data-mining tech- So once again Web 2.0 and So- spammers most often hijack niques to create spam lists, cial Network users, the moral of accounts using fake log-in sorted on geographic and the story is “Always be careful of pages. Phishing-like tactics, demographic criteria. Such lists what you click on." ◊ password guessing and the use are of premium value to spam- of Trojans to capture keystrokes mers. By Shanti Anne Morais are also in play.

email messages of all types percentage who unsubscribe (including friends/family, opt-in, from irrelevant messages is work/school, spam and other) in even higher among those who these primary accounts--down have made four or more online from 41 per day in 2006. purchases during the past 12 This is a pretty huge drop. Jupi- months: 60%. terResearch attributes the fall in The second-highest driver of overall email volume partially to unsubscribes is frequency. If a decrease in spam messages. you send your emails out too However, analysts say the de- frequently, beware: 37% percent Email has been hailed as the clines also point to shifting com- of all users say they unsub- ubiquitous form of communi- munication channel usage pat- scribe when they receive emails cation, something which ex- terns, particularly among young from a sender "too often." It’s ecutives cannot live without. consumers. For example, also no surprise then that 33% However, according to Jupi- younger consumers (those be- report that they unsubscribe terResearch, email is not with- tween the age of 18-24) tend to from offers because they get out competition and is cur- rely mainly on text messages "too much" email. Furthermore, rently undergoing a downturn while via social networks, they 39% say they believe that sign- of its own. receive on 12 emails per day. ing up for permission-based The medium is facing an on- However, email is still the way to email leads to getting more slaught from new media like go for the older generation: 45- spam email while 30% state social networks and even from 54 year-olds tend to get an aver- they don't trust that the unsub- text message and mobile phone age of 28 emails per day. How- scribe link in email offers work. communication. In addition, ever, this is nothing to shout Scarily, 26% reveal that they email, says the research firm, is about as the older age group use the spam button to unsub- steadily coming under pressure demographic is also seeing a scribe. from disenchantment with email dramatic decline – in fact, those Explaining these above trends proliferation and irrelevance of aged 55 or older who reported in greater detail, David Daniels, the medium. receiving 31 or more emails per VP, research director, Jupiter- Indeed, a recent report from day has declined from 42% in Research and lead analyst of JupiterResearch shows that per- 2006 to 24% now. the company’s report entitled mission-based email marketing David Schatsky, president of "The Social and Portable Inbox: is starting to lose its shine. Ac- JupiterResearch has this advice Optimizing E-mail Marketing in cording to the study, in 2008, for marketers: “Consumers are the New Era of Communication 44% of email users purchased using other forms of communi- Tools" shares, "Consumers' online as a result of promotional cation and marketers must confidence in email have be- emails, while 41% made an off- therefore ensure their strategies come shaken by irrelevant com- line purchase. While this might adapt to consumers' changing munications and high message seem like a high number, the behavior.” frequency, which are top drivers fact is that both these numbers He also cautions marketers to of subscribers' churn and chan- reflect a decline from 2007, address the other worrying nel scepticism. Their behavior when 51% made an online pur- trends in the email marketplace and attitudes are driven by the chase while 47 percent went especially the lack of relevance unfettered volume of spray-and- offline. of emails which continues to be pray untargeted email offers, In addition, after years of seeing the top reason for unsubscrib- blurring the distinction between stable volumes of consumer- ing. In fact, the firm’s research spam and permission-based reported email for their primary, shows that 50% of total email email.” personal email accounts, this users report that they unsub- He warns that it has never been year's survey revealed a describe when the offers/types of more important than now for cline. According to JupiterRe- content do not interest them. In marketers to ensure they are search, email users now report particular, marketers have to sending relevant email responsi- receiving a daily average of 24 pay attention to the fact that the bly.◊

A recent report from Jupiter Research highlights the fact that deliverability is the number-one consideration for marketers when selecting an email service provider (ESP).

Unfortunately, there is only so much even the best ESPs in the market can do in order you in getting your marketing messages to the inbox. So what are ESPs good for you may ask? They provide the infrastructure that high-volume senders need to get through to the inbox. ESPs should also keep up with consistently good email using dents in their study of consumer the latest in authentication meth- the same IP address over time. email behavior delete or report odologies and provide workflow Good list hygiene also does messages as spam without that enforces current best- wonders for a sender’s reputa- opening the actual message. practices so senders can rest tion. You should never second- Those decisions were largely assured that every message guess your email lists or ad- based on the "from" and sent is compliant with the best- dresses. Also do not assume "subject" lines. practices and laws of the email your recipients’ preferences; i.e. This moves us onto the impor- marketing industry. These are if you’re not completely confi- tance of relevance (both of your all essential pieces of the email dent that an address rightfully email subject line as well as deliverability puzzle, but email belongs on your list, for any rea- your entire message). Always senders and marketers also son, you should remove it. After bear in mind that your email have a key part to play here, all, it is better to be safe than messages should be both useful they have to closely keep in sorry. In addition, poor list hy- as well as meaningful to your mind two other factors: reputa- giene can have dire conse- recipients. Ensure you are im- tion and message relevance. quences and lead to undeliver- mediately recognizable in the able email and/or complaints – "from" line and ensure your Reputation – The Holy Grail of both of which are red flags for "subject" line is well thought out Email Marketing? ISPs. and eye-catching. One of the most common mistakes email marketers tend to Recipients can and often will Relevance will not only increase make relates to the mispercep- complain to their ISPs in a vari- your deliverability by minimizing tion of using a brand new IP ety of ways. For example, the complaints but also lead to address. Many marketers think "spam" button within the user higher open rates, customer that this gives them a chance to interface is a popular choice. engagement, conversions and start their broadcast/campaign Customers everywhere are overall return on your invest- on a clean slate, however, in overwhelmed everyday by mar- ment in the email channel. reality; it actually can have a keting messages on a daily ba- It is also a good practice to en- negative impact on the sender’s sis, and reporting email as spam sure your recipients know how reputation. Why? Simply be- is an easy, efficient way for often to expect an email from cause spammers tend to fre- them to clear away the clutter. In you. Even better, allow recipi- quently change their IP address fact, many will use the "spam" ents to set preferences for how often in order to hide or evade button as a one-step method of often to email them to ensure the filters. Thus, ISPs very often unsubscribing from messages that you are not inundating your tend to be highly skeptical of they explicitly requested. In fact, customers.◊ the Email Sender and Provider new IP addresses. However, By Shanti Anne Morais you can build a strong reputa- Coalition (ESPC) reported last tion fairly rapidly by sending year that 80 percent of respon-

Australia is one of the pio- neers and leaders in the Asia Pacific when it comes to Anti- Spam legislation. It is also one of the few countries in Asia, which has successfully caught spammers in their country and enforced their Anti-Spam Act. Here’s a brief overview of the legislative aspect of the country’s Spam Act. ACMA can take any of the fol- Companies identified during the

The Australian Communications lowing actions for breaches of first few years as possible and Media Authority (ACMA) is the Spam Act: spammers were in the first in- responsible for enforcing Spam • issue a formal warning stance advised of the requirements of the Spam Act and how Act 2003. ACMA has a compre- • accept an enforceable under- they could meet them. In gen- hensive, multi-pronged and taking from a person or com- eral only serious repeat offend- practical strategy to fight spam, pany—these undertakings ers had enforcement action which focuses on the following usually contain a formal com- taken against them. key areas: mitment to comply with the • directly enforcing the Spam requirement of the Spam Act Having completed this extended Act 2003 that ACMA has found that education and awareness campaign, ACMA is now committed • undertaking effective educa- person or company to be in to vigorous enforcement of the tion and awareness cam- breach of. A failure to abide Spam Act. In fact, during the paigns as well as activities by an undertaking can lead to ACMA applying for an order first three years of enforcing the • working in partnership with in the Federal Court. Spam Act, ACMA issued: the industry • issue infringement notices • eleven formal warnings developing technological • • five enforceable undertakings and spam-monitoring proc- • seek an injunction from the esses, such as the Spam- Federal Court to stop a per- • fifteen infringement notices MATTERS spam reporting son sending spam • one prosecution in the Fed- toolworking with other gov- • prosecute a person in the eral court in Perth - ACMA vs ernments around the world Federal Court. Clarity1/Wayne Mansfield. In

on international activities to Penalties of up to $1.1 million a October 2006 penalties of combat spam. $4.5 million and $1 million day apply to repeat corporate The Australian Spam Act of offenders. The penalty units re- respectively were handed 2003 prohibits the sending of ferred to in the Spam Act are down against Clarity 1 and its Managing Director. ‘unsolicited commercial elec- equal to $110 each. For exam- tronic messages’ (known as ple the penalty under section 25 Since the enforcement provi- spam) with an 'Australian link'. A -(5)-(b) of the Spam Act for a sions of the country’s Spam Act message has an Australian link company with a previous record 2003 came into effect in April if it originates or was commis- of spamming and who sent two 2004, Australia has gone from sioned in Australia, or originates or more spam messages on a tenth in the Sophos list of spam overseas but was sent to an given day without consent has is relaying countries (sources of address accessed in Australia. a maximum fine of 10,000 pen- spam) to thirty-fifth for the 2007 The Spam Act covers emails, alty units. This equates to a calendar year. mobile phone text messages maximum fine of $1,100,000. Action ACMA has taken (SMS), multimedia messaging The penalty provisions of the against spammers (MMS) and instant messaging Spam Act came into force in (iM) and other electronic mes- • November 2008 - ACMA April 2004. Initially ACMA fo- issued a formal warning to The sages of a commercial nature. cused on educating electronic However, the Act does not cover Ad Company for alleged message senders and raising breaches of the Spam Act 2003 voice or fax telemarketing. awareness of the requirements of the Act. continues on Page 57

Wikipedia describes spam- Since no e-mail is solicited by The specifics traps very aptly as the owner of this spamtrap e- of how the “honeypots used to collect mail address, any e-mail mes- spam traps are utilized vary spam”. Spam traps are usu- sages sent to this address are from organization to organiza- ally email addresses that are immediately considered unsolic- tion, even from spam trap to created not for communica- ited. If you send email to such spam trap. For example, some tion, but rather, to lure spam. addresses, you risk being la- organizations rate the value of beled a spammer. their traps based on their previ- In order to prevent legitimate In practice, which addresses are ous usage; others look for hits email from being invited, the e- spam traps, where they come on multiple traps; and still others mail address will typically only from, and how they're used vary use them only in an advisory be published in a location hid- enormously. For an address to capacity along with other met- den from view such that an be useful, it must receive some rics. automated e-mail address har- amount of email. There are many different types vester (used by spammers) can of spam traps, but the most find the email address, but no Many organizations use spam traps. They include DNS block- common ones which also tend sender would be encouraged to to be more relevant to email send messages to the email lists, large ISPs, many spam address for any legitimate pur- filter providers, and email repu- pose. tation organizations. continues on Page 58

From Page 56 — Anti-Spam Legislation and Enforcement Down-Under

as a result of sending commer- issued with a $149,600 penalty • June 2007 - ACMA fined cial electronic messages by for 'missed call' marketing. - International Machinery Parts email without the consent of the Missed call marketing involves Pty Ltd (IMP Mobile) $4,400 for recipient. It is also alleged that a the sending of short duration breaches of the Spam Act. IMP quantity of the messages did not calls to mobile phones, thereby Mobile also failed to provide a have an unsubscribe link or in- leaving a ‘missed call’ message functional unsubscribe facility formation on how to unsubscribe on the phone. When the mobile when sending messages to mo- within the messages. phone owner returned the bile phones. • August 2008 - ACMA is- missed call, they received mar- 27 October 2006 – Justice sued an infringement notice to keting information from DC Mar- Nicholson in the Federal Court mBlox Pty Ltd, a multinational keting. ACMA penalized DC in Perth today to award a pecu- company headquartered in the Marketing for 102 contraven- niary penalty of $4.5 million United States, for alleged con- tions of the Spam Act 2003 re- against Clarity1 Pty Ltd and $1 traventions of the Spam Act lating to missed call marketing million against its managing di- 2003. mBlox has committed to activities in July and August rector, Mr Wayne Mansfield, for work with ACMA to ensure its e- 2006. contravening the Spam Act marketing customers are com- • June 2007 - The ACMA 2003 (Spam Act). ACMA sub- plying with the Spam Act and fined the Pitch Entertainment mitted to the Federal Court that has paid the $11,000 penalty. Group (Pitch) $11,000 for exten- Clarity1 Pty Ltd and Mr Wayne • August 2008 - Best Buy sive breaches of the Spam Act.. Mansfield sent out at least 231 Australia issued an infringement ACMA found that the Pitch En- million commercial emails in notice for $4,400 for allegedly tertainment Group, which trades twelve months after the Spam breaching the Spam Act 2003 as Splash Mobile in Australia, Act commenced in April 2004, by sending commercial elec- sent over one million commer- with most of these messages tronic messages without the cial electronic messages to mo- unsolicited and in breach of the consent of the recipient. In par- bile phones without a functional Act. On 13 April 2006, Justice ticular, customers received unsubscribe facility. Pitch and its Nicholson found that both Clari- emails from Best Buy Australia, directors have also entered into ty1 and Mr Mansfield were in including after they had re- an enforceable undertaking that breach of the Act for both send- quested to be removed from its requires future compliance with ing unsolicited commercial elec- mailing lists. the Spam Act and contains strin- tronic messages, and for using gent compliance reporting and • July 2007 - DC Marketing harvested address lists. ◊ staff education obligations.

From Page 57 — Honeypots and Spam marketing are honeypot and Organizations monitor their traps is to dormant addresses. honeypot addresses to help get permis- Honeypots them identify both spam emails sion before and their sources. adding an Spammers of course, compile Dormant addresses address to lists of email addresses to send your list. Al- their spam to. They often get Email accounts often fall into ways ensuring your lists are well these addresses by roaming the disuse because they are aban- -cleaned and maintained are Web looking for any email ad- doned by their owners or shut also crucial. dress listed on a website. Very down. As a result, the account is often, they also sell such lists to unable to receive email. Spamtraps also have their other spammers. If they find Legitimate senders of email will vulnerabilities: one, they copy the address and stop sending messages to such A spamtrap becomes tainted include it on their list. addresses. They notice a dead when a third party discovers This process is known as email address and remove it from their what the spamtrap email ad- address harvesting and is usu- system. Spammers will just dress is actually being used for. ally automated using special keep on sending regardless. This opens the spamtrap to get- "address harvesting" software. So some organizations (like ting targeted by spammers. Some organizations involved in webmail services) will take dead Spammers using spamtrap ad- tackling spam put specific email email accounts and, after a suit- dresses from their mailing lists addresses on a website for the able period of time has elapsed, as send addresses can cause sole purpose of attracting har- repurpose them as spam traps. backscatter when a reply is sent vesting software. These ad- to the spamtrap address. Back- dresses are never used for any It is important to note that if you send an email to a spam trap, scatter occurs when email serv- other purpose: they are merely ers receiving spam and other listed on a web page in such a then that hurts and negatively affects your reputation as a mail send bounce messages to way that no human would ever an innocent party. discover them or seek to send sender of email to that particular If the spammer put a spamtrap email to them. Address harvest- organization. Sending email to mailbox in the To or CC line, ing software can dig them out of spam traps tends to earn you a when any other recipient of the a website, though. tick on the "is this a spammer?" checklist. It also means that mail replies or forwards the Any email sent to such your emails to the organization message, their address will be "honeypot" addresses are im- involved will be given closer considered as spam too. mediately classified as spam. scrutiny or even blocked from Many spamtrap addresses are The address owner never added delivery. listed in search pages like the email voluntarily to any Google. The mailbox is there- email list: they just put it up on a How to avoid spam traps? The fore visible in that page and any website, so if and when used, it answer is you normally can’t, can write it without knowing that must have been harvested by a simply because they are meant mail will be caught as spam.◊ spammer and added without to be undetectable. The best permission to a mailing list. advice to avoid falling into spam

Unlike large enterprise organizations, small-to-medium sized businesses (SMBs) face multiple security threats with often limited resources to protect assets, data and customer information.

Security threats to SMBs are just as real as they are to enterprise organizations," says Eric Aarrestad, vice president of Marketing at WatchGuard Tech- nologies. "The tragedy is that many SMBs are simply unaware of the unified threat management (UTM) appliances that can combat these threats." The company’s research team has recently identified 10 leading security threats to SMBs:

Insiders – In many SMBs, business laptop can be dangerously tions and botnet attacks. ness records and customer information is often entrusted to a exposed to viruses, attacks and Reckless Web Surfing – Now malware applications. single person. Without adequate more than ever, malware, spy- checks and balances, including Reckless Use of Public Net- ware, keyloggers and spambots network system logs and auto- works – A common ruse by at- reside in innocuous looking mated reports, data loss from tackers is to put up an unse- websites. Employees who ven- within can stretch over long peri- cured wireless access point la- ture into ostensibly safe sites ods of time. beled, “Free Public WiFi” and may be unknowingly exposing

Lack of Contingency Plans – simply wait for a connection- their business networks to ex- starved road warrior to connect. treme threats. One of the biggest threats to SMBs relates to the business With a packet sniffer enabled, Malicious HTML E-mail – No impact of post-hack, intrusion or an attacker stealthily sees eve- longer are attackers sending e- virus. Many SMBs lack a data rything the employee types, and mails with malicious attach- loss response policy or disaster is then able to utilize that data ments. Today, the threat is hid- for personal gain. recovery plan, leaving their busi- den in HTML e-mail messages ness slow to recover and restart Loss of Portable Devices – that include links to malicious, operations. Much SMB data is compromised booby-trapped sites. A wrong

Unchanged Factory Defaults – every year due to lost laptops, click can easily lead to a drive misplaced mobile devices and by download. Hackers publish and maintain exhaustive lists of default logins left behind USB sticks. Although Unpatched Vulnerabilities (username and password) to encryption of mobile device data Open to Known Exploits – nearly every networked device, and use of strong passwords More than 90 percent of auto- and can easily take control of would mitigate many of these mated attacks try to leverage network resources if the default losses, many SMB users simply known vulnerabilities. Although factory configuration settings are fail to secure their mobile de- patches are issued regularly, a vices and data. not changed. short staffed SMB may likely fail

The Unsecured Home – In Compromised Web Servers – to install the latest application many small businesses, employ- Many SMBs host their own web- updates and patches to their ees often take laptops home to sites without adequate protec- systems, leaving them vulner- work. In an unsecured home tion, leaving their business net- able to an otherwise easily network environment, a busi- works exposed to SQL injec- stopped attack.◊

Know what to do when spam is in your Inbox

Generally speaking, most of us can spot spam in our In- box. However, what you do when you do spot spam can affect how much more follows it. Here is what to do if you spy spam in your Inbox:

Don't open it. In particular, don't open attachments that you are not expect- ing. Viruses often spread by hijacking the email list of affected computers. So just because you recognize the sender doesn't mean the email, or its attachment, are legitimate.

Remember the phrase “I see you”. Pixel tracking is a once legit method now used to verify and track active email accounts. It involves embedding an image from a Web server into messages. If your email reader supports HTML messages, then upon opening one with an im- Beware of spam with a subject government sponsored spam age, your IP address is recorded line suggesting your email was still being propagated. Do on the sender's web server ac- undeliverable. Simply ignore note thought that govern- cess logs. Since the image file- them. ments and subversive or- name is possibly tailored for ganizations might bury legit you, they'll also know your email Groupthink. messages within apparent account is active. Beware of spam implying you spam. Fortunately, some email clients are subscribed to some news- • Testing, testing, spam, automatically suppress images group. You'll usually get 3-10 two, three unless you turn them on for a messages simultaneously with Email security firms may re- given message. similar subject lines and content, lease innocuous spam as If you do want to take a look at a but supposedly from different part of experiments to see picture sent in a questionable people... extremely sly. how people respond. This email, try to view messages spam does no real harm, but while you are offline, or turn off Paved with good (and bad) it can still be annoying. the receipt of HTML messages. intentions. • In the name of education In addition to spam sent illegally, Don’t purchase anything from Computer Science students there are a surprising number of have been known to imitate spam emails spam emails sent by legal and Never buy anything from link in spammers in order to get legitimate organizations. This material for their theses. a spam email. If you do, you can includes: assume your details will be Again, this student sent passed around to others. • Government Approved spam is innocuous, but it still Although most governments clogs up your email ac- Return to sender: ignore false have started to clean up their count.◊ no-delivers. acts, there is little doubt that there are still some forms of

Only 40 percent of the For- For that purpose, both the re- social security or bank account tune 500 companies use tools ceiving and the sending servers numbers can be helpful. In par- for e-mail authentication ac- have to be equipped with the ticular, sophisticated technolo- cording to an investigation of appropriate technology. Filtering gies possess adaptive word rec- Secure Computing. techniques can then automati- ognition and image analysis cally block e-mails that have not technologies. In consideration of the fact that companies could fend off spam been sent through the alleged Numerous compliance require- and phishing effectively, this is domain. eBay, for example, ments demand e-mail encryp- an astounding result, especially used this method for a short tion in addition that often differ- since both threats are a con- time in cooperation with Gmail. entiate between guideline-based stant problem for IT administra- Emails from eBay or Paypal, cryptographic techniques for tors. whose signatures are not posi- B2B and B2C. tively verified get automatically Furthermore, data falling into the Many employees are not familiar deleted by the provider. And with the various encryption op- hands of unauthorized third par- therefore phishing emails that ties has also to be prevented. tions and are irritated by the want to attack eBay user data numerous given ways. Ideally, Therefore, it is crucial to track have no chance with Gmail us- both the outgoing and incoming however, are solutions, where ers. the encryption happens auto- email traffic thoroughly to ensure comprehensive mail secu- With the Sender Policy Frame- matically at the gateway. Secu- rity. work (SPF), it can be verify rity risks, posed by failed or in- whether a mail server is entitled appropriate encryption, can be According to a survey by Secure to send e-mails for a certain do- excluded in this way. Computing, 60 percent of For- main. To do so, e-mail adminis- tune 500 companies forgo e- Pro-active security by reputa- trators have to publish SPF re- tion systems mail authentication tools such as cords in DNS where it is depos- Domain Keys Identified Mail ited which computers have the A pro-active security strategy (DKIM), or Sender Policy permission to send emails to the against malware, denial-of- Framework (SPF). Moreover, of domain. However, there have to service attacks but also against the 166 companies who at least be available the SPF records of spam and phishing are also sup- employ SPF, only 65 companies many domains if possible. The ported by so-called reputation use the safest policy, which rec- larger the spread, the lower the systems which try to understand ommends that the recipient re- chance of spammers and phish- the behavior of individual IP ad- fuses e-mails from unauthorized ers, simply because if they use dresses both as a receiver as senders. The remaining 101 a false sender address, they can well as sender of messages and enterprises are satisfied with be quickly traced. to establish appropriate stan- weaker policies, namely the fact dards. Content Analysis and Encryp- that authorized senders are If an IP address, for example, listed. On the other hand they tion sends instead of usually ten also recommend accepting mes- It is not all about protecting the suddenly 5,000 emails a day, it sages from non-listed senders. company network from invading deviates from the standard and Still, such e-mail authentication emails only. the system classifies the IP as a tools can be a first step towards Outgoing, “outbound” data traffic suspicious. In addition, reputa- a better email security. requires comprehensive moni- tion systems such as that of Se- E-mail authentication with toring, too. Ultimately, a false cure Computing, Trusted DKIM or SPF handling with confidential infor- Source, also analyze the con- mation internally, whether inten- With the Yahoo DKIM standard, tent of the messages. The corre- tionally or inadvertently, can lation of a "conspicuous" IP ad- companies can encrypt their make the fall into the wrong emails asymmetrically in order dress with an unusual outcome hands possible. Also, there are of the content analysis (such as to determine whether an e-mail numerous statutory directives actually comes from the stated unwanted keywords), could re- that support the strict surveil- sult in the general blocking of domain. The electronic message lance of various electronic data. gets a signature which the re- messages from this specific In this case, a content analysis sender from the gateway itself. cipient can verify with one in the that reviews outgoing e-mails on Domain Name System’s (DNS) certain words and data such as available public key. continues on Page 62

False positives (legitimate Here’s how to minimize false email that gets blocked by positives

spam filters) are a genuine Although it might take a person problem. Think of that email only a moment to process a that you were waiting for ages message and identify it as for, but which was in your spam, it is difficult to automate spam folder all along. What that human process because no about those important emails single message characteristic which never reach you at all? consistently identifies spam. In False positives not only cause fact, there are hundreds of dif- frazzled nerves and hurt feel- ferent message characteristics ings (how many times have that may indicate an email is you come down hard on spam, and an effective anti someone for not sending you Why do false positives occur? spam solution must be capable an email, only to discover it Various anti spam solutions of employing multiple spam de- fell into your spam box?), but make use of different methods tection techniques to effectively it also cost you time, and of detecting and blocking spam. cover all bases. In addition, the maybe even lost deals and Anti spam software typically use same way one man’s meat may money. content filtering or Bayesian be another man’s poison, what’s Failing to receive critical mes- Logic, an advanced content fil- one man’s spam might be an- sages in a timely fashion can do tering method, to score each other person’s heaven. irreparable damage to customer email, looking for certain tell-tale A comprehensive anti spam ap- and partner relationships and signs of spammer habits such proach involves examining both cause important orders to be as frequently used terms like message content and sender missed, so eliminating false "Viagra", "click here" or even, history in tandem. By using a positives while maintaining high “Anti-Spam”. Other anti spam reputation system to evaluate anti spam accuracy should be of solutions reference blacklists senders based on their past be- upmost importance to any enter- and whitelists to determine havior, a more accurate picture prise anti spam solution. whether the sender has shown of their intentions and legitimacy Anti spam software is designed spammer tendencies in the past. can be discerned, and a solu- to protect your inbox from un- A false positive can occur when tion's false positive rate can be wanted messages, but unless a legitimate sender raises further lowered. Important ques- your system is properly trained, enough red flags, either by us- tions to ask include: Has the even the best software misses ing too many "spam terms" or sender engaged in spamming, the mark and flags legitimate sending their messages from an virus distribution or phishing messages as spam. IP address that has been used by spammers in the past. continues on Page 63

From Page 61 — Email Authentication tools still not widely used

These emails then are no risk to Conclusion the enterprise network and this has not only advantages for the E-mail authentication tools are employee who no longer has to useful, though so far little-used delete spam e-mails perma- defence mechanisms. For com- nently, but also for the stability panies, such standards can only of the network as a crucial provide additional security. In amount of data is already addition, companies have to blocked in the run-up and there- check their outbound traffic. fore doesn’t put a strain on the Reputation systems seem to be network. particularly promising for a pro- As can be seen, databases play active protection that intercepts a crucial role when it comes to dangerous or suspicious mail the accuracy and the quality of already at the network gate- the reputation system.. way.◊

From Page 62 — False positives are on the radar, but spam filters should not be disregarded

An effective, accurate anti spam Filters for a medically oriented solution aggregates multiple company, for instance, should spam detection technologies, be configured so that the word combining the benefits of each "breast" would not be blocked individual technique to stop when followed by the words spam while minimizing false "cancer research." Be fore- positives. It also puts suspected warned though, it takes a lot of spam into a quarantine that is work to tune a spam filter for available to end-users, and maximum effectiveness. learns how to better identify Enable whitelisting spam in the future. attacks in the past? If not, the Whitelists allow all emails from Why Spam Filters should not be trusted senders to pass through likelihood of their message get- thrown out…at least not yet ting past the email gateway just the filter untouched, even if they went up, and the chances of a If we lived in a perfect world, contravene filter settings. Find false positive declined accord- there would be no need for an anti-spam application that ingly. If they have, an effective spam filters. With the prolifera- lets end users build and man- reputation system knows and tion of spam and its ever- age their own whitelists, then flags the message. changing face, anti-spam tech- show your users how to use this nology is definitely necessary. valuable feature.

In addition, a good reputation system should work in tandem Running a company email system without spam filters risks Protect employee email ad- with an authentication system – dresses that is, every email should be forcing employees to waste pre- confirmed to be from a trusted cious time searching for real Your business will get far less source. business messages embedded spam if employee addresses in an endless stream of con of- aren't scattered all over the Self-Optimization fers, pornographic ads and just Web, where spam robots can In order to be most effective, plain gibberish. For many com- scoop them up and relay them anti spam solutions must learn panies, that's almost as unac- to spammers. Make it a com- based on a recipient’s prefer- ceptable as losing good email. pany policy to prohibit employ- ences. While most of us prefer ees from posting business- Fortunately, it's possible to use domain email addresses to Web not to receive emails containing spam filters while minimizing the the term Viagra, some medical boards, social networks and risk of losing legitimate email; similar sites. Some companies organizations might need to re- here are a few steps that your ceive these emails in order to take this practice to the next company can take. level by eliminating all employee process patient data. In order to best learn your organizational Compare products addresses from enterprise Web sites, funneling viewer inquiries preferences, anti spam solutions Remember that all spam filters should put filtered emails into a to specific, generic addresses aren't equal. Some products do such as "info@ ... " "sales@ ... " quarantine that allows users to a much better job of separating review and make decisions as to and "support@ ... " junk from legitimate emails than whether a particular message is others. Carefully read the re- Encourage end users to occa- spam. Making this quarantine views of competing products to sionally check their junk-mail available to the end-user lowers see which products and services folder the administration costs and offer the best filtering success increases the accuracy of the Most anti-spam applications rates. dump tagged messages into a anti spam system. Customize the filter file called the "junk-mail folder," Each time a user makes a deci- "spam folder" or something simi- sion about whether a particular Just about all anti-spam applica- lar. Remind employees that if an email is or is not spam, the sys- tions allow administrators to fine important, expected email fails tem becomes more personal- -tune system settings for maxi- to arrive, a quick glance in the ized and intelligent about filter- mum effectiveness. Filter adjust- junk-mail bin might be a good ing email for that individual in ment, however, is as much an idea. It is also a good idea to the future. Over time, users find art as it is a science. It's impor- periodically check your spam that they rarely need to review tant to think creatively about folders.◊ their quarantines anymore be- words and conditions that may cause the system has learned cause the anti-spam app to tag By Shanti Anne Morais how to identify messages that a legitimate message as junk. are important to that user.

Is spam making a greater comeback now than ever? What does the current spam and email security market look like in the Asia Pacific? Do you know why spam is more than just a nuisance? Are spam filters losing their effectiveness? What more can be done to fight spam? What exactly is ‘false positives’? Is anti-spam legislation an effective enough deterrent? What will next-generation spam look like? Get answers to these questions and read on how to defend your organization more in- depth from spam.

SUPPLEMENT CONTENTS

• Frost & Sullivan: Do not underestimate spam Pg. 65

• Packing even more of a punch in email security Pg. 67

• Spam’s not going away and more security with control needed Pg. 69

• Unifying Email Security is Key Pg. 71

• Email Reputation and Authentication are Crucial in the War against Spam Pg. 73

Spam is definitely a problem convenient way through which that enterprises will do well to organizations can spread their take heed of, mainly due to marketing messages. As a key firstly, the embedded threats enabler of connectivity in an which may come via spam increasingly globalized world, mails these days, be it viruses the email medium is likely to or spyware and secondly, the continue being manipulated by amount of valuable bandwidth parties looking to leverage on its it takes up which affects the widespread usage and popular- overall speed and efficiency ity. With the cost of sending of a corporate WAN setup. A Spam being almost zero, it is third reason why spam is never going to vanish soon.” much more than a nuisance In addition, spam is more das- says Arun Chandrasekaran, tardly than many people realize. industry analyst, Frost & Sulli- In fact, according to van, is due to the loss of em- Chandrasekaran, there has ployee productivity in dealing been a shift in the nature of with Spam. spam, with threats becoming “The evolution of spam from harder to detect these days, as mere nuisance emails to the they move from text and html- Photo: Arun Chandrasekaran spam of today carries with it a based platforms to PDF spams greater capability and propensity and spoofed NDR messages. stations in the process as well. for different types and forms of Increasingly, the definition of Also, the proliferation of botnets threats to be embedded within. spam is moving towards a con- in Asia and it being used as a Indeed, the common mistakes tents-based classification, vehicle for spam has seen dra- made by businesses/users whereby threats could come matic increase in spam originat- these days is to underestimate from an innocuous-looking email ing out of Asia. the level of threat posed by which becomes otherwise once One key driver for the rise of spam towards their corporate the receiver opens up the email. spam in the region is the lack of networks, in particular, the pos- As for what lies ahead, “The compliance in the area of con- sibility of spam acting as a vehi- near future is likely to witness tent security, with many govern- cle for malicious threats to in- greater convergence between ments in the region still exhibit- trude into their company’s net- email and web-based threats, ing a relatively immature mind- work. In addition, spam may with spammers looking to hide set towards the perils of email also create an indirect adverse their true intentions behind the security breaches. Moreover, effect on employee productivity façade of a legitimate looking many emerging markets in the by choking up the company’s web address sent via an email,” region, such as Vietnam were bandwidth pipes, thus resulting shares Chandrasekaran. late in fully embracing the IT in system lag and affecting vari- The Asia Pacific has of course, revolution, thus resulting in a ous business processes,” he not been spared from the on- delayed reaction to the notion of elaborates. slaught of spam. Although the email security and spam. How- Commenting on why spam is cultural and language diversity ever, with IT integration in busi- and will continue to be a never- inherent in the region has meant nesses rapidly ramping up, com- ending story Chandrasekaran that the English language spam pliance concerning email secu- continues, “With the email has not yet impacted countries rity is expected to expand ac- emerging as the key business where English is not the first cordingly, as governments and communication tool in the IT language, such as Japan and enterprises look to protect their era, it is definitely attracting a China, nonetheless, in recent IT assets amidst an increasingly fair amount of attention from years, there has been a rising sophisticated threat landscape. spammers looking to infiltrate penetration of non-English spam Chandrasekaran believes that corporate networks via the email in the region, with many coun- legislation definitely helps in gateway, as well as becoming a tries emerging as spam relaying continues on Page 66

From Page 65 — Frost & Sullivan: Do not underestimate spam contributing to the war against One common thread that was spam. “However, introducing touched on a lot during Me- compliance without a fitting en- diaBUZZ’s Anti-Spam seminar forcement strategy will also lead on October 23, 2008, was ‘false to nowhere. Nonetheless, the positives’. The term false posi- first step for governments tive first arose from the world of across APAC is to introduce diagnostic tests. An anti-spam compliance concerning email product is like a pregnancy test - security, so as to increase public it eventually comes down to a awareness towards the problem yes or a no. False positives refer of spam and drive greater adop- to legitimate email that is incor- On a serious note though, he tion of the relevant solutions,” he rectly labeled as spam by anti- advices that we have to start says. malware software/email filters. looking ahead to the future and A key characteristic of spam is Explaining why false positives remember that email integrity is its ability to evolve fast and keep are creating such a stir lately, no longer just about spam up with the current times. Chandrasekaran notes, “With emails. After all, the problems email becoming a critical piece brought about by email gate- Commenting on the latest spam in business communications ways to corporate networks are trends as well email protection these days, it is no wonder why becoming more sophisticated systems, Chandrasekaran ob- false positives are taking centre and have a more direct impact serves, “We definitely see a stage as enterprises start realiz- on businesses nowadays. It drive beyond spam in the past ing the costs of losing legitimate would be a mistake if everybody year, as more enterprises begin emails, which may actually was to remain fixated on the to take a closer look at out- translate into a more direct ad- issue of spam without looking at bound email filtering in addition verse impact on the business as the broader issues that have to the traditional inbound email compared to filtering out illegiti- emerged pertaining to email perspective regarding spam mate spam emails. Although integrity in recent times. “In fact, emails. In fact, with data leak- spam has become synonymous the war should not be waged age prevention becoming a with email security nowadays, against spam alone, but the is- buzzword in the IT sector these vendors are likely to shift their sue of email integrity as a days, it is no surprise to see focus to ensuring legitimate whole. It should be a concerted enterprises looking to ensure emails get delivered success- effort that needs effective legis- that sensitive data and informa- fully as enterprises increasingly lation, law enforcement as well tion are not being leaked out turn their attention towards that.” as co-operation between the into the public domain via the various entities – Governments, email channels. As such, we do As to whether the war against Service providers, Vendors and expect outbound email filter- spam will ever be won, businesses,” he concludes em- ing/email DLP to play an impor- Chandrasekaran has this to say, phatically.◊ tant role in driving up email se- “Obviously we have to believe curity in the near future, particu- that the war against spam can By Shanti Anne Morais larly due to Compliance.” be won, if not, security professionals like us will be out of a job!”

Photo: Participants of MediaBUZZ’s event on UTM in 2008

In September 2008 Axway Inc. and Tumbleweed Communica- tions successfully merged to become one of the leading global providers of multi- enterprise collaboration, secure content delivery, and application integration solutions. A messaging security provider, Tumbleweed Communications was the Platinum sponsor of MediaBUZZ’s event “Spam-a never ending story”. Mr. Donald Teo, Regional Manager (Asia), Tumbleweed (now part of Ax- way) presented on “The Erosion of Spam Filter Effectiveness” and allowed Asian e-marketing an interview afterwards. I was very interested in finding out more on Tumbleweed’s expec- tations regarding the joint ven- tures in Asia and wanted to get more insights into the challenges his company is facing right now and how he sees the yond secure gateway and email Phase 1 involves field integra- merger’s impact in the Asia Pa- security. tion of complementary products cific region. Axway customers also come that provide immediately two integrated solutions: The company serves now more away as winners, gaining the than 10,000 customers globally, addition of Tumbleweed's pol- SecureTransport Plus Business has around $275MM annual icy-based secure email delivery Activity Monitoring: revenue and 1,700 employees. and identity validation capabili- Tumbleweed customers can It has a global presence, with ties while Tumbleweed custom- now supplement their Secure- key offices in Scottsdale, Ari- ers gain Axway's Synchrony Transport deployments with zona (HQ of Axway), Redwood functionality, including DMZ se- Synchrony Sentinel, a powerful, City, California (HQ of Tumble- curity, end-to-end managed file easy-to-use event collection, weed), Paris and Singapore and transfer, global process visibility, management and presentation a 24x7 Global Support with cen- business-to-business integra- platform, for end-to-end visibility tres based in US, Europe and tion, application Integration, and into both B2Bi and MFT. Syn- India. trading partner management, all chrony Sentinel improves cus- built on a service-oriented archi- Both companies have merged to tomer experience, reduces oper- tecture. solidify their collective strengths ating costs and brings a true for customers in a variety of In addition, Axway will now inte- enterprise view to cross-platform categories. grate Tumbleweed’s managed and application file movement for both business and IT. Senti- Axway gains a client base file transfer (MFT), email secu- nel enables portal-based cus- strong in several key categories, rity and identity validation prod- tomer self-service, executive including an entry into the US ucts into their multi-enterprise dashboards, better visibility for Federal Government market. collaboration product portfolio customer service representa- Tumbleweed in turn gains in- with a three-phase integration tives and proactive alerting and creased global presence, im- strategy that is designed to offer event management. Sentinel proved R&D expenditures and a immediate and long-term value bridges the gaps in require- technology stack that grows be- for customers of both companies. continues on Page 68

From Page 67 — Packing even more of a punch in email security ments for visibility for both tech- continuous attempt to foresee and real so that people tend to nical and business teams. what a hacker is trying to do believe it and start buying shares. And exactly that hap- SecureTransport Plus Enter- next. “They can change a sub- pened to one listed company in prise MFT: ject of an e-mail into something that is common and that can Hong Kong that created im- Tumbleweed customers can therefore bypass the computer mense up-roar. Of course, some deploy Synchrony Sentinel and or they can break up an e-mail of the stock scams which are Synchrony Transfer to add busi- into picture files or different pic- circulated also come from US, ness activity monitoring (BAM) ture partitions to go through” using computers in China which and internal file transfer across Teo explains. That’s the reason are not as secure compared to multiple platforms and applica- why his company is constantly the one in US as barely any tions, including mainframes, updating their solutions and regulation or spam law is in AS/400 and major enterprise continuously tries to understand place. But Teo also pointed out resource planning (ERP) solu- the mind of hackers. It’s what here that businesses shouldn’t tions. Files represent 80% of the they call a pro-active approach only concentrate on spam that is data in an organization, yet en- to prevent suspects from coming coming into the organization but terprise service bus (ESB) and into the system. also focus on what goes on in SOA strategies today fall short the company itself. Tumbleweed has its own lab of providing critical services for that consists of about 40-50 en- When asked to characterize the file-based applications. By cap- gineers, based in Sofia, Bulgaria unique value propositions of turing, correlating and acting on for developing countermea- Tumbleweed and how his com- events from SecureTransport, sures. Their qualified team there pany differentiates itself from Synchrony Transfer, analyzes every day spam that is other players in their industry he and business applications, Sen- coming to a computer all over said: “Initially, we said we have tinel provides complete event- the world and on top of that, the best spam capture and less based management of all of the they work with the third party false positives, but actually business processes Secure- provider Commtouch, which is that‘s what all other vendors Transport supports today. specialized in anti-spam and now say as well. So I say that Axway will soon launch Phase anti-virus technology. we definitely have a better user interface than the rest of the 2, integrating core Tumbleweed With Commtouch, the company competitors. And in addition, we products into Axway’s service- has a honey pot at hand that is allow our users to individually oriented Synchrony™ Frame- placed all over world, Teo said. control and manage their spam, work. In the longer term, Axway And that’s the reason why they which means they decide will initiate Phase 3 to merge don’t plan to set-up a lab in Asia whether an e-mail should be any functionally similar products any time soon. They are located classified as spam or not.” into a single, best-in-class solu- in Hong Kong and Singapore tion. and think that is sufficient to un- For organizations looking for a proven, easily deployed solution So, Axway provides end-to-end derstand the trends in the mar- to stop junk email, and protect visibility, analytics, and internal ket. against viruses and worms, file transfer capabilities to cus- Commtouch has its own tech- Tumbleweed’s MailGate An- tomers of Tumbleweed’s MFT nology and they were one of the tiSpam can therefore be the solution, SecureTransport™ and first in the market that had right choice. a bigger customer base that what’s called “real spam detec- enables Tumbleweed to provide tion”. So besides using own It incorporates both proactive as a total solution not only on e- techniques to define spam, well as reactive anti-spam tech- mail security but also on product Tumbleweed is constantly in nology, delivering up to 98% services. Donald Teo revealed touch with Commtouch to lever- capture rates with extremely low that after the merger, Tumble- age on their real time detection. false positives. weed will keep the directive as a In Asia, he sees the trend that MailGate AntiSpam combines subsidiary under Axway. “We most of spam and its ensuing three technologies, Dynamic still run our own marketing cam- scams are coming from China, Anti-spam (DAS™), Intent paigns. We also still work with pointing out to the recent stock Based Filtering (IBF), and Re- the respective partners to push scam that was trying to bring current Pattern Detection Tech- our e-mail security product”, he down the market. He continues nology (RPD™) to virtually elimi- told us. to explain that it is sometimes nate spam without losing good As for the key technical chal- very difficult to differentiate real messages. The proactive IBF lenges for an e-mail security investors from scam, which ac- technology applies artificial intel- company, Teo considers the tually looks often very legitimate continues on Page 69

© MediaBUZZ Pte Ltd Asian Anti-Spam Guide 69 Spam’s not going away and more security with control needed Did you know that according Other major incidents included to Sophos, 95% of all email is the EncPk-CZ Trojan which pre- spam and virtually all spam is tended to be a Microsoft secu- sent from compromised com- rity patch, and the Invo-Zip mal- puters? Moreover, one in ware, which masqueraded as a every 416 email messages notice of a failed parcel delivery between July and September from firms such as Fedex and this year contained a danger- UPS. Windows users opening ous attachment, designed to any of these attachments ex- infect the recipient’s com- posed their PCs to the risk of This keeps both vendors and puter – a staggering eight-fold infection and potentially put their users constantly on their toes. rise compared to the previous identity and finances at risk. A Also, despite being around for quarter where the figure stood point to note, the most wide- years, spam poses significant at only one in every 3,333 spread attacks seen by Sophos challenges. In fact, one of the emails. According to the com- are not designed to run on Unix biggest hurdles when it comes pany, much of this increase and Mac OS X. to spam is the fact that it is con- can be attributed to several In addition, Sophos finds a stantly changing, says David large-scale malware attacks spam-related webpage every 3 Chow, sales & channel enable- made by spammers during seconds, which adds up to al- ment manager, Asia, Sophos. the period. The worst single most 24,000 a day. Spam, says “Spam keeps up with the times attack was the Agent-HNY the company, is a continuing and vendors and users have to Trojan horse which was problem, and spammers keep work hard to keep a few steps spammed out disguised as coming up with new, innovative ahead of them.” He also adds the Penguin PanicApple ways to get users to click on that spammers will always find iPhone arcade game. their emails. continues on Page 70

From Page 68 — Packing even more of a punch in email security ligence to identify evolving spam which means their own spam the way to go”. “Still there has to techniques. Tumbleweed’s Mes- classification, regarding content, be a lot of concentration on sage Protection Lab™ identifies subject line, special keywords awareness and data leak pro- and analyzes spam and phish- etc.” In the beginning, Tumble- tection”, he added and pointing ing attacks, publishing regular weed’s focus was mainly on the out that not “all users around the filter updates to the MailGate enterprises whose concern was world are well educated and appliance via the optional DAS always on cost-savings and pro- therefore not all computers are update service. RPD identifies ductivity of their IT. But while the protected”. According to him, spam outbreaks on the Internet enterprises kept their capability there is not a lot that vendors or through the real-time analysis of to run and buy the product in- technology providers can do, large volumes of email. A simple house instead of outsourcing, saying: “we can only protect in web interface lets users access SMBs did in general outsource terms of spam that is coming quarantined messages and fil- their services to so-called ISPs into the network but we can’t tering options. Its high perform- or hosting services and became protect the users’ PCs itself and ance, fast installation, and low dependant. Today, Teo sees play therefore only a part in maintenance provide one of the this trend morphing. Considering terms of education or user lowest Total Costs of Ownership the downturn, he expects that awareness.” (TCO) of any solution on the many enterprises will outsource Due to the fact that everybody market. Teo explained: “From a their IT needs to service provid- has more or less got more ac- single interface it is possible to ers, too. Therefore Tumbleweed customed to spam in the course see the volume of the e-mails has aligned its strategy with this of time, Teo sees more a focus coming in, how many e-mails trend and now looks at hosting on the prevention of information are classified as spam, what are providers or even ISPs to be leaking out of the company and the connections that are blocked able to provide a better anti- expects that by-and-by, the mar- by DHA and DOS, and best of spam solution to them. Tumble- ket will see a consolidation from all, users can individually do weed’s Regional Manager is anti-spam to data leakage. ◊ white-listing and blacklisting convinced that “outsourcing is By Daniela La Marca

From Page 69 — Spam’s not going away and more security with control needed new, innovative ways to send out junk email, and there will also always be a new subject. Asia is not spared at all in the spam war. More and more Asian countries are also appearing on Sophos’ list of spam-relaying countries (for example, China inclusive of Hong Kong, South Korea, Thailand, Philippines, Taiwan, Vietnam, Australia, Ja- pan, Malaysia and Singapore). Reasons for this include the rising popularity and proliferation of the Internet, more bandwidth and also the fact that many of these countries have weaker security know-how and experience. Unsecured computers are a playground for spammers, and a haven for botnets and hackers alike. Asian companies are also at great risk to spam simply because their security compliance is currently very week, states mere minutes at a time to send gence, moving away from tradi- Chow. He adds that this how- targeted messages, often using tional scheduled updates to a ever, will change over the next dynamically assigned IP ad- real-time system that provides few years as most of them in- dresses and low traffic volume quicker response to new and vest more on their security infra- to bypass traditional reputation emerging spam campaigns. structure. filtering. Sophos Sender Geno- “At Sophos we are committed to type overcomes this inherent Chow notes that the war against constantly updating and improv- weakness by monitoring con- spam will continue to escalate. ing our technology and develop- nection requests and rejecting With spam being more malicious ing new technology in the war those showing evidence of bot- now than ever, it’s no wonder against spam. Our philosophy is net connections. Even a new or than that Sophos’ advanced its simple – it’s based on security unknown sender IP (e.g. a pro-active botnet defenses with with control. newly recruited bot) that has Sender Genotype. A next- We offer complete protection never before sent a message generation reputation filtering and control to business, educa- can be blocked using Sophos’ technology designed to elimi- tion and government organiza- breakthrough technology. nate botnet spam at the IP- tions – defending against known connection level and unlike tra- Sender Genotype is a free, and unknown malware, spy- ditional reputation filters, which seamless upgrade option for ware, intrusions, unwanted ap- rely on prior knowledge of the existing and prospective cus- plications, spam, and policy sender, Sender Genotype effec- tomers of Sophos Email Appli- abuse, and providing compre- tively identifies aberrant behav- ances and PureMessage for hensive network access control ior from IP addresses, which UNIX. (NAC). Our future security and have not yet established a repu- In addition to the development control direction focuses on inte- tation and immediately blocks of Sender Genotype to counter grating information control and them from connecting to Sophos the ever-increasing volumes of security compliance into our customers’ mail systems. spam, Sophos also recently de- existing infrastructure,” Chow Based on data collected in livered eXtensible Lists (SXL) to emphasizes.◊ 2008, SophosLabs estimates its Email Security and Control that botnets generate nearly solutions portfolio. By Shanti Anne Morais 90% of all spam worldwide. This SXL is an online look-up system issue is compounded by the fact that dramatically accelerates the that spam bots appear online for distribution of anti-spam intelli-

A strong advocate and be- is because it is highly profitable What are the common mis- liever of unified security, for the spammers. In the same takes that businesses/users Proofpoint’s Gerry Tucker, way that the spammers continue make when it comes to spam? regional director, Proofpoint, to innovate, vendors must con- What do you think they gave us his take and perspec- tinue to invest in their solutions should be most aware of tive on spam especially in the to keep them up to date and when it comes to spam? What Asia Pacific region. ensure they are delivering maxi- can they do to better protect mum effectiveness to their cus- themselves? tomers. One of the most common mis- What do you think is the big- takes is to assume that what gest problem/challenge posed worked yesterday will work to- by spam today? day. This is very often not the There are a number of problems case. Users need to constantly posed by spam today: One is its review their infrastructure and growing volume; second is the security solutions to ensure they growing complexity including have the highest level of protec- techniques such as social engi- tion with the lowest total cost of neering and the third is the dy- ownership. Look for solutions namic and targeted nature of that can demonstrate an effec- Photo: Gerry Tucker these attacks. In some cases, tive solution and are dynamic in we have seen an individual user nature. Do you think spam is a huge problem (and not just a nui- receive over 100,000 messages Does the spam problem differ sance as many people tend to within a matter of hours. Organi- in any way in the Asia Pacific think)? Why? zations need to ensure that they as compared to other regions have solutions in place which Today’s spam poses a number in the world? can dynamically adapt to these of significant threats to organiza- Spam in Asia Pacific still lags threats in a rapid fashion without tions for a number of reasons behind other parts of the world adding to their administration over and above the “nuisance” but we are rapidly catching up. and maintenance overheads. value. Firstly, today’s spam is In addition to this, Asia Pacific is complex in nature and is very What are the top spam threats increasingly becoming a source often the carrier or open-door to of 2008? Has this changed in of spam either as part of botnets additional threats. It can deliver any way from the spam or as local spam gangs seek to a payload via the message di- threats of 2007? Do you think get in on the “business opportu- rectly or via the action taken by these threats will change in nity”. We are now also seeing the recipient that can result in a any way in 2009/2010? What spam that is specific to the re- breach of security to not only significant problems does gion and indeed also to certain that individual but also the or- spam pose for businesses in countries and languages. ganization as a whole. With the particular? development of techniques such Where do you think Asia As mentioned above there are a stands when it comes to as backscatter we are also now number of areas of concern for seeing spam effectively becom- spam and also where do you businesses: think we stand when it comes ing a Denial of Service Attack. • increased volume placing These are just some of the ways to the war against spam? Why an excessive strain on infra- do you think so many coun- in which spam continues to pose structure an increasing threat to individu- tries in Asia are ‘spam- • lost productivity als and organizations. relaying countries’? Do you • loss of confidential informa- think this is going to change Why do you think spam is still tion as a result of accessing in any way in the near future?

a problem after all these spam How? years? • becoming part of a botnet Although Asia makes up only The fundamental reason why themselves which can result around 16% of global spam vol- spam is still a problem is that in a virtual network outage ume, this is increasing exponen- the spammers continue to invest of their outbound email tially with India and China lead- in new technology and tech- ing the way. Internet penetration niques. The main reason for this continues on Page 72

From Page 72 — Unifying Email Security is Key in Asia is around 15%, com- is that end-users have to de- point technology we have been pared to a 75% penetration rate velop and maintain their spam able to demonstrate consistently in North America. Over the next solutions rather than the vendor the highest levels of effective- few years, Asia will be one of providing an effective solution. ness with the lowest levels of the biggest growth areas for At the end of the day it is the false positives irrespective of the internet connectivity. However vendor’s responsibility to deliver deployment models, be that on this will pose a monumental an effective security solution. premise or in the cloud. challenge. As most of these What are the benefits of using users are relatively inexperi- Do you think the war against a SaaS Spam filter? Do you enced and with limited under- spam can ever be won? think more and more busi- standing of security, they pose a I am not sure the war can ever nesses will turn to SaaS in risk for the rest of the commu- be won until we can educate this space? Why? nity as they become “relays” for people not to purchase or ac- There are several benefits to a spam and other malware. We cess spam. However, we can SaaS spam solution. The most need to work harder to educate definitely win the battles and immediate is the reduction load individuals and organizations as make it harder for the bad guys on the organization’s infrastruc- to best practices in combating to generate revenue. At the end ture as bad traffic is stopped in spam and other threats. of the day, if the economics the cloud. In theory, this should The solutions that offer help with don’t stand up the spammers reduce the levels of administra- spam and malware also need to will stop. So if everyone was to tion but this will only work if the understand that Asian spam is use Proofpoint, we might well SaaS solution is effective. If it is different from other spam, with put ourselves out of the spam not, then it could well have the spam being less focused on business at some point. Fortu- effect of increasing administra- financial services, and more nately for our business, email tion due to false posi- heavily represented in health security is broader than just tives/negatives. As with any and pharmaceutical product spam. SaaS solution, one of the keys schemes. Do you think anti-spam legis- to success is to ensure that you In Proofpoint’s presentation have the best SLA in the indus- lation helps in the war against at our Anti-Spam Forum, your try, such as that offered by spam? What do you think presenter, David Habben, Proofpoint. It then becomes the needs to be improved or noted that many users are vendor’s responsibility to ensure looked at when it comes to sending out spam them- they meet these rather then the the current anti-spam law in selves. Can you elaborate on end-user. Singapore? Overall, where do this? Is this a new develop- you think Asia stands when it What do you define as unified ment, and how can it be pre- comes to anti-spam legisla- email security? vented? tion? Today, email security covers This phenomenon is generally Unfortunately national anti-spam four key areas part of botnet activity. In many legislation in places like Singa- cases the individuals or organi- • Inbound pore, Australia and Thailand has zations are not aware of this • Data Loss Prevention (DLP) not had any significant impact activity until they get blacklisted • Encryption on the spammers. by which time it is too late. In • Email Archiving This is mainly to do with the fact that most spam does not origi- today’s work, it is necessary to These four elements need to be nate in the country where it is consider not just the inbound combined with a clear and im- finally viewed and so the legisla- threat but also those posed by plemented security solution tion is to a large degree ineffec- emails originating from within which can then be used to pro- tual. A global approach needs to the organizations’ network. This vide reports and audit informa- be adopted but it is unclear if type of threat can be potentially tion to the organization. more damaging than inbound that can actually be achieved. There was a lot of talk about threats. How do you think spam is go- ‘false positives’ during our ing to evolve in the future? Why do you think current Anti-Spam forum. What’s your spam detection is not what it take on false positives and Spam will continue to evolve should be? where does Proofpoint stand using new techniques and also Many solutions have simply here? new media. We are already seeing IM and SMS spam, as VoIP failed to keep up. They are One of the trade-offs with older networks continue to grow it is based on older techniques and technologies is effectiveness possible that they too may be technologies which have failed versus false positives. Due to to evolve. The net result of this the unique nature of the Proof- continues on Page 73

© MediaBUZZ Pte Ltd Asian Anti-Spam Guide 73 Email Reputation and Authentication are Crucial in the War against Spam It’s never been more crucial for users to realize that spam is much more than a nuisance. A study by Ferris Re- search reveals that the global cost of spam has doubled between 2005 and 2007, and is now over US$100 billion per annum worldwide. Having morphed over the last few years, a lot of spam nowadays is malicious and part of cybercriminals’ targeted attacks. What’s worse, the manner/technique of spam attacks is constantly changing. Due to the evolution of email spam, filtering companies re- sponded by combining anti- virus and spam filtering into their solution offerings. Manish Goel, CEO of BoxSentry and Chair of the International committee for AOTA (Authentication & Online Trust Alliance) notes that all anti-spam spam. It’s easy to understand malicious spam should be tools/spam filters, no matter how why as they, like spam, are blocked at all cost. good they are, suffer from false much more than an inconven- Most anti-spam vendors typi- positives – “it’s just very difficult ience. Legitimate messages that cally promise accuracy rates in to prevent.” At the same time, never reach their intended re- excess of 99 percent. cipients (i.e. false positives) can users have very high expecta- Yet, with companies' financial easily lead to confusion, frustra- tions. well-being increasingly tied to tion, anger, wasted time, double “Users have to realize three very their email service, any spam work, hurt feelings, missed important things: Firstly, spam is filter that is less than 100 per- deadlines and, most importantly, always evolving. Secondly, cent effective poses a serious incomplete business transac- spam filters are not magic risk. It’s not all bleak though; the tions. “False positives can be wands and finally, spam is never good news is as Goel points out, even more catastrophic and going to vanish into thin air,” he false positives has been making costly to a business than spam,” emphasizes. its presence heard and felt, and observes Goel. However, having the whole security industry in According to Goel, false posi- said this, he is also quick to tives are a bigger problem than point out that spam; especially continues on Page 74

From Page 72 — Unifying Email Security is Key targets for the spammers with a There are a number of areas pact. The final element is the whole new generation of voice that makes Proofpoint stand out ease of deployment with a spam. One thing is certain ven- from the crowd. Firstly, there is choice of hardware, virtual dors such as Proofpoint need to the breadth of the solution cov- (VMWare) or in the cloud mod- continue to invest and develop ering all aspects of email secu- els available. In addition to this, their technology to ensure that rity as described above. Sec- as Proofpoint focuses solely on our customers do not suffer from ondly, there is the unique nature messaging security we have this continued growth. of the technology that is in use been able to continuously inno- What do you think makes in our solutions which aimed at vate to deal with the evolving Proofpoint stand out from its achieving effective security pol- threats in the world today and competitors in this area? icy with minimum business im- into the future. ◊

From Page 73 — Email Reputation and Authentication are Crucial in the War itself is recognizing the fact that the board, from SMBs to even they are a pivotal issue that large ISPs and companies. “We needs to be addressed. are continuously improving our BoxSentry itself is a leading technology, including new part- voice in this arena and has re- nerships and also integrating defined the agenda for email new components into our tech- security by effectively creating a nology and strategy,” Goel adds. new category of email security Sharing his observation of the solutions zooming in on protect- email security market, he shares ing legitimate email. “We are that the email filtering market- very focused on anti false- place is seeing a level of con- positives, that is, the philosophy solidation. He also says that As for the Singapore Anti-Spam of being innocent until proven users are getting more aware of law, Goel has this to say, guilty. This is why a key focal the issue of false positives and “Maybe some things in the legis- point of ours is protecting legiti- its consequential damages. lative act here to be clarified or mate emails at all costs. In fact, explained more clearly. How- Commenting on the effective- ever, the law is definitely a step we have taken a contrarian ap- ness of legislation in the war proach with our ground-breaking in the right direction. Changing it against spam, Goel believes will not make an impact on the flagship solution, RealMail, that anti-spam legislation is nec- which has been developed to user experience or solve any essary but not sufficient. “Anti- spam problem. In the meantime, ensure an exceptionally low rate spam legislation is an important of false positives whilst still ef- it is important to make users component of making a strong realize that a lot of their legiti- fectively protecting against email stand and statement that spam security threats such as spam,” mate emails may just be disap- is not to be and cannot be toler- pearing.” he explains further. ated. However, will legislation RealMail in fact, is a full email solve the problem of spam? The Goel also emphasizes the im- security suite that provides com- answer here is a definite no. portance of sender authentica- plete and multi-tier email protec- The main reason for this is be- tion which he says should go tion, says Goel. cause the majority of spam origi- hand in hand with a false positives’ email strategy and solu- The company also partners with nates off-shore, plus spammers make money from it. However, tion. “In this way, trusted email other leading security compa- lists are built,” he continues. nies like CommTouch Software as mentioned, anti-spam law states that as a jurisdiction, the “Reputation is also a very impor- which provides email fingerprint- tant key here as with a good ing (i.e. real time email pattern country that imposes and imple- ments it does not tolerate spam. reputation technology system, a detection) to ensure RealMail list of trusted correspondence is stays in the forefront of email This is a very important statement to make,” he remarks. built per organization. RealMail security. In addition, they also does this using patented tech- partner with a leading anti-virus He also observes that any anti- nology. In this way, users know provider, which cannot be spam legislation that needs to that the email they are receiving named at this point of time. be introduced should be well- is from a trusted source. Email RealMail can also be deployed balanced between protecting senders with a positive reputa- as an Appliance or as a Man- the consumers while not hinder- tion and who engage in trans- aged Service. Indeed, RealMail, ing businesses. parent sending patterns get pri- shares Goel, was envisaged as “Once again, at the end of the ority over unknown senders. We a SaaS solution from day one. day, the vast majority of spam see the market shifting in this “The future is Managed Ser- comes from overseas. Bearing direction.” vices,” states Goel emphatically. this in mind, legitimate email He concludes that spam is a “For any organization, email senders should not face so security is non-strategic. It problem that will never go away. much constriction. Legitimate “Email is a crucial part of com- therefore makes more sense to senders are often the unknown have a shared infrastructure in munication for all organizations victims of spam as their emails nowadays, however it is broken place, one that provides com- get thrown out by the anti-spam plete real-time protection that is and a key question for us in the filters. This is why education of industry is to fix this. This is why at the same time, extremely cost the email senders is very impor- effective,” he continues. Con- our core mission is to do just tant. The Direct Marketing Asso- this and restore business confi- trary to the perception that SaaS ciation of Singapore is one As- only is well-received by SMBs, dence in email communica- sociation which is doing a very tion.”◊ RealMail’s customers go across good job here,” Goel says. By Shanti Anne Morais

It’s no secret that security So what exactly is UTM? Origi- While UTM was initially targeted threats are on the rise. Every- nally coined by IDC, UTM refers at SMBs, vendors have been where you look; there are re- to comprehensive network infra- trying to move the technology ports on new breaches, hack- structure devices in which multi- upstream to larger organiza- ing/phishing attacks, spam, mal- ple security technologies - often tions. But just how successful ware, Trojans, botnet attacks firewall, intrusion prevention, has this strategy been so far? and more. Security threats to antivirus and spyware - are Do you know what UTM means SMBs (small & medium enter- combined into a single appli- and does for your company? prises) are just as real as they ance. Because these devices UTM is definitely an up-and- are to enterprise organizations. provide a single, integrated incoming trend in the network se- Unfortunately, the tragedy is that terface, UTM aims to simplify curity world. MediaBUZZ’s event many SMBs are simply unaware network security management. “UTM: An Evolution or Revolu- of Unified Threat Management Most UTM devices are firewalls tion?” explored this technology (UTM) and how it can combat or IPS devices at the core, with in detail to find out more about it these threats. After all, secure other technologies available as - its current trends and chal- networks afford businesses the optional components or mod- lenges, and what these mean freedom to be productive and ules. However, did you know for both users and vendors’ operate efficiently. that conversely, nearly all mod- alike. Read all about the find- ern firewalls have UTM capabili- ings and core discussion points! ties?

The Many Threats of Network Security Pg. 76 Frost & Sullivan: The Possibilities with UTM are Endless Pg. 80 The UTM story Pg. 81 Bringing the “X” Factor to Unified Threat Management Pg. 82 UTM: Bent on Creating A Storm Pg. 85

During his presentation at While Nachreiner trivialized the Attack code is big business to- MediaBUZZ’s UTM event, above for humor’s sake, this is day, and as a result, attackers Corey Nachreiner, senior net- exactly what the threat to com- want to get onto any computer work analyst, WatchGuard puter users was in 1998. they can. Another anecdote by Technologies took us through A lot of us still carry that mental Nachreiner: Suppose you’re an the various attacks network picture today but the fact is, it is attacker and you know of a se- security face, how Internet ten years later. Some may ask if curity hole in Internet Explorer. threats have changed since the Internet has changed much Here’s what you do. You create 2003 and just why these in ten years. Well, YouTube, malicious web code that can tell threats are more dastardly Skype and social networks were if someone visiting a web site than we think or even know. unseen ten years ago. runs Internet Explorer. In 2003, security professionals You sneak your malicious web noticed a change in the quality code on as many legitimate and purpose of malicious soft- sites as possible, using various ware, which is called “malware” techniques. When victims visit for short. It soon became appar- the site, your malicious code ent that organized crime had exploits the security hole in moved onto the Internet, essen- Internet Explorer to gain access tially changing the face of Inter- to their computers. Did you tar- net threats and security forever. get a specific person? No. Did you target a company? No. You While once upon a time, all we targeted the vulnerability itself. had to worry about was com- Once you get your code on a puter viruses’ worms and maybe mass of computers, then you some spam or a server attack or can figure out what is on each of two, nowadays, there is a wide Photo: Corey Nachreiner them. The point is, it doesn’t range of malicious code directed matter if you’re a small com- Nachreiner put the threat land- at us. pany, or that you mean no harm. scape humorously and suc- For instance: Attackers will still come after you cinctly in an anecdote: We’ve all • Drive-by downloads lie in if you have vulnerabilities on been told, “Oooo, if you use the wait on web sites so that as your network. It’s not personal. Internet, a malicious hacker soon as we browse there, an might get you.” Right? This kind attacker’s code gets pushed Many of today’s attacks are of talk promotes a mental pic- onto our computer. automated mass attacks. Attack ture like this: Here’s the Inter- code wanders all over the Inter- net. Here are a bunch of us • Phishing and pharming are deception techniques de- net looking for victim machines. innocent folks, using the Inter- By comparison, it has become net. Here’s you, just another signed to trick us into giving up sensitive information by relatively rare for an attacker Internet user. Some bad guy manually send an individual at- pops up. He wants some of your convincing us that we are dealing with a legitimate site, tack to against a specific com- money. So he sends you a puter or company network. scam email: “I’m a poor crippled when it’s really a look-alike under the attacker’s control. widow in Nigeria who happens What’s happening nowadays in to have a gazillion dollars, and • SQL injection is an attack on the network security world is I’ll give you half of it if you’ll just our web applications that that there are structured teams help me get it to the United allow attackers to gain con- going after innocent computers States. But first I need you to trol of our website’s underly- now, and they are focused on pay some legal fees on my being database, and any sensi- efficiency. Setting aside rare half.” Ever gotten an email like tive data it may contain and exceptional cases, there is that? He sends the email. You What the above shows, is that almost no such thing as you receive it. You delete it. The today’s Internet attacks and defending yourself against “a bad guy twirls his handlebar threats are very diverse, and single hacker.” We are now up mustaches and says, “Curses! this is not going to change for against roving armies of well- Foiled again!” Then he sends the better but instead probably coded attackers, financed with you a virus. Your antivirus stops worsen. it.” continues on Page 77

From Page 76 — The Many Threats of Network Security big money, organized by a fields …. the web. fashioned email viruses. The highly motivated and skilled statistics, he quotes are frighten- team, who will rob us if possible Blitzkrieg attacks ing. For instance, this year while barely noticing we exist, Attackers rarely target single alone, over a million legitimate emphasizes Nachreiner. victims anymore as it’s too ineffi- web sites were hijacked by mas- cient and unprofitable. Instead sive automated attacks, and He adds that the main driving attackers try to automate their then forced to serve drive-by force of hackers is very straight- attacks on a massive scale. downloads. In these specific forward – it’s all about money for attacks, sites belonging to them. trusted entities such as Busi- Secondly, hackers/attackers The advent and rise of bot- nessweek, Computer Associ- require a lot of computing power nets ates, the Miami Dolphins, and and therefore require our com- Botnets allow attackers to blend many .edu and .gov sites were puters as resources. “Our com- many types of malware into one all hijacked and loaded with puters can help them reach their convenient package. Almost DbDs. goals if they have Internet con- every large scale hacking cam- To make matters worse, the nection, hard drive space so paign in the past few years has hacker underground even sells they can stash their files, and had a botnet behind it. pre-made web attack kits that email (after all why would an make it easy for criminals to attacker spam from his own New technologies launch these drive-by computer if he can send it from Finally, attackers are quick to downloads attacks. Some of the computers of 20 or 40 or leverage trendy new technolo- these web attack kits cost a few 100 strangers?). This is why gies. For instance, they are al- hundred to a few thousand dol- attackers are coming after our ready attacking VoIP, IM, P2P, lars on undergrounds forums, machines, regardless of who we Web 2.0, and many mobile tech- others you can find for free. are. nologies. Since attackers quickly Some examples include kits like, adopt these new technologies, Mpack, icepack, and firepack, Some of today’s attack trends they sometimes figure out ways which were all made and sold by include: to attack us that we never Russian hackers. They are de- dream of let alone anticipate. signed to detect the type of Application Vulnerabilities browser a web visitor uses and then exploit the vulnerability that Attackers used to primarily tar- Types of Attacks include: is most likely to work against get vulnerabilities in our operat- that browser. Some sellers even ing systems and/or servers. Drive by Downloads offer service and support for However, vendors have fixed Before 2003, we had to be care- their web attack kits, updating many of the most severe OS ful when checking our email, but them with the latest vulnerabili- and server vulnerabilities, and we could surf the web with indis- ties. our firewalls do a pretty good job cretion. This is no longer the of protecting our perimeter from case. Now we have to remain external attacks. So lately, at- Reflecting just how bad drive-by wary of malicious web sites that downloads have actually be- tackers have been forced to silently force malware onto our change their focus, and instead come, security firm Sophos finds computers, called drive-by about 6000 new DbDs links eve- exploit vulnerabilities in client downloads (DbD). applications, like our web ryday. browser, media player, or chat Sometimes the web sites serv- client. These attacks come from ing these drive-by downloads Web Application Attacks the inside-out rather than the are operated by attackers. How- Today, we expect websites to outside-in, and they target the ever, lately attackers have even deliver dynamic content person- weakest security link - users. started hijacking legitimate sites, alized for us.

and booby-trapped them with malicious code. So, perfectly To do this, websites have be- Web-based attacks normal websites that we visit come web applications and In general, web-based attacks often, could one day get hi- have been designed so that we have become more prominent jacked and force a backdoor can interact with them in ways than email-based attacks. Even onto our computers. we never did before. In the past, the least savvy users have fig- websites only displayed informa- ured out that they should avoid In fact, Nachreiner says that tion. Now they allow users to email attachments, so the crimi- web-based attacks like drive-by post information to them as well. nals have moved on to greener downloads have overtaken old continues on Page 78

From Page 77 — The Many Threats of Network Security

Unfortunately, this new level of Like before, with XSS, if a web finding new ways to surprise us, interaction between users and a designer doesn’t code this SQL targeting new, trendy technolo- websites has opened up a new interaction securely, an attacker gies such as VoIP, SaaS, P2P, class of security vulnerabilities— can take advantage of flaws in Web 2.0, RFID and so on. They Web application attacks. his code to sneak unexpected also often find unusual vectors SQL queries to your database of attack that we never thought Cross-Site Scripting (XSS) server. This is called a SQL In- to consider. For instance, plac- jection. One example of a web applica- ing a warez server on a printer, tion attack is Cross-Site Script- There are many evil things at- or using a Dreamcast game sys- ing. If a web designer doesn’t tackers can do with SQL injec- tem to sneakily packet sniff on a program his web application to tion. They can steal confidential network. Finally, mobility is interact with users securely, he and private date from your data- really taking off right now. gives attackers the opportunity base, such as your customer’s Whether it’s smart phones, or to inject scripts into his web credit card info, home address, USB sticks, or ipods, confiden- code. SSN, etc. They can leverage tial data is finding its way out- logic tricks within SQL to bypass side our network in many new For a long time, buffer overflows authentication mechanisms. ways. were the most commonly re- They can even add, remove, or ported vulnerability, and one According to Nachreiner, hack- modify data in your database. could argue, was the most ex- ers are hard to catch for the fol- For instance, attackers could ploited vulnerability on the Inter- lowing reasons: leverage SQL injections to net. This is no longer true. Their Botnets protect them. Bot- change the prices of your prod- Cross-site scripting flaws have masters use their victim’s com- ucts on your ecommerce site. now become the most computer to launch attacks, rather monly reported vulnerability. than their own. If authorities Jeremiah Grossman, from Botnets trace the attack machine, they WhiteHat Security, claims XSS Botnets have been around for end up at grandma’s house and vulnerabilities can be found in years. Most IT people first heard still need to find a way to trace 70 percent of websites. of them in 2000, when several the real attacker. Some botnets Cross-site Scripting allows you thousand coordinated com- have multiple technical layers of to do stuff on a victim’s computers all asked to connect to separation between the botmas- puter with the same privileges of eBay at the same time. That ter and the computers doing the some other trusted website. This many requests saturates the illegal activity. means attackers can exploit phone lines and knocks the vic- In the past, when authorities XSS flaws to read the cookies of tim off the Internet. Thus, it is found malicious phishing or other websites (among other called a “Denial of Service” at- drive-by downloads web sites, things). So if a banking site suf- tack. they could take them down in a fers from a XSS flaw, a phisher Botnets have evolved and ma- few hours. Now, botnets can can leverage that flaw to steal tured over the years and are keep these malicious sites up the cookie used for you web now ranked by every expert as for weeks using something session to your banking site. In the number one threat on the called Fast Flux DNS. In short, a other words, they could log in to Internet. One of the biggest, and botmaster feeds hundreds of his your banking site AS YOU, and most infamous, botnets in 2007 victims’ servers the exact same do whatever they wanted. was Storm, which some re- malicious web page. Then, the They’d only have to entice you searchers estimated as having attacker creates a domain name to click on some specially- up to half a million infected com- for his malicious site, for in- crafted link for their attack to puters all under the control of stance, badsite.com. Usually, a succeed. criminals. domain name like badsite.com In the Internet’s underground would point to only one IP ad- SQL Injection economy, hackers trade code, dress. However, by exploiting a Most modern websites also rely assist each other, and even sell design flaw in the DNS protocol, on a backend SQL database. attack code for bots. The result attackers can make badsite.com For instance, when you login to is that evil code is pulling ahead point to a new IP every few min- a site that requires authentica- of good guy code. Some of to- utes. That way, his malicious tion, the web application com- day’s malware can be as so- web site is constantly jumping municates with a database to phisticated as the expensive around to different bots. If the check your username and pass- commercial software you buy. authorities track down one of the bots and shut down it down, the word, and uses that to decide And if all this is not scary site just moves on to another. what content you should see. enough, attackers are always continues on Page 79

From Page 78 — The Many Threats of Network Security

In addition, criminal networks Behind it, you put a different • Gives you one throat to are almost always geographi- security control. It only stops choke (i.e. When something cally dispersed. In fact, the indi- half of the attacks coming at it, goes wrong, the vendor is vidual members of the criminal too. But since the FIRST control much less likely to point at organization itself may also live already stopped half of the the next guy – because he IS in different countries. Depending threats, and the second control the next guy!) on the international climate, and stopped half of that half, to- • Updates become predict- your relations with different gether they are 75% effective able and routine countries, you can’t always get against the total threat. If you • Pick the right one, and cooperation in prosecuting for- keep stopping half of the half, if quality is assured for years eign attacks. In fact, some coun- you line up five controls in se- tries don’t even have strong quence, you approach 100% Nachreiner says UTM was a laws against hacking. effectiveness. really nice step forward in the world of security, to reinforce yet Whenever we do find an only Nachreiner adds that in reality, a simplify a user’s defensive pos- attacker, it often tends to be the security product that’s only half ture. “campaign managers”. effective couldn’t survive in the However, recently, UTM devices This leaves the big boss to con- market. On top of this, various are starting to become yester- tinue his illegal activities with “controls” have to be selected day’s news. other campaign managers. It’s carefully to make sure they very similar to how hard it is for really do supplement one an- Why? Simply because the bad the authorities to break up real other and not just repeat each guys didn’t stop innovating, and organized crime, like the mob. other. Nachreiner points out the Internet environment hasn’t here that “security vendors are stayed the same. Now you In many cases where authorities always telling you to buy one have worms and malware travel- have found attackers and tried more thing,” in this sense, they ing via Instant Messaging, and to prosecute them, the legal bat- have a point! The answer, he over peer-to-peer file sharing. tles lasted years and cost thou- says, is simple – “defend in Attackers are targeting Web 2.0 sands of dollars. Often loses depth”. features, and putting spam in never get recuperated, and in the comments on your blog, or some cases, the attackers have Historically, “defense in depth” trying to do SQL injection continued their criminal activity required a lot of products such against your custom web appli- during and after their trials. as anti-virus, anti-spyware, spam filters, web filtering to cation. If any of your users visit So what can be done? block users from malicious or MySpace or Facebook, there The only completely secure time-wasting sites, virtual private are attacks specifically targeted computer is one that is not at- networks for confidential trans- at those communities. There is tached to the Internet. This is a actions and firewall/intrusion also the “insider” problem – i.e. trade-off: if you can use it, then prevention. employees who email sensitive it can’t be 100% secure be- This approach has its own new data. cause, by definition, there is a problems, says Nachreiner, in- Essentially, UTMs were devel- way into your computer, over cluding: oped before it became normal to the network. Security and us- have heavy networking uses • Different user interfaces to ability are often like opposite such as Voice over Internet Pro- learn sides of a teeter-totter. One tocol, or streaming video. goes up, the other goes down. • No accountability among What can solve an ever-evolving The trick is to find the balance. vendors problem? According to Watch- • Inconsistent quality Security experts have therefore Guard, beyond UTM is XTM introduced the notion of “layered • Various updates and (extensible threat management). security” to get around this prob- patches at random times “Blended threats require lem. Nachreiner illustrates the Enter Unified Threat Manage- blended protection. But you concept this way: ment (UTM). A UTM appliance want protection that fits your Security professionals use the puts “defense in depth” all into business today, and leaves you word “control” to refer to a ge- one intelligent appliance that with attractive options for tomor- neric defensive technique, with- row. That’s the exciting promise • Gets the defenses off your out specifying what technique. of XTM,” concludes Nach- computers So let’s say you have a security reiner.◊ • Runs off one management control but it only stops half of By Shanti Anne Morais the attacks coming at you. interface

There is no doubt about it, Internet threats are getting bigger, more malicious, smarter and more damaging. Arun Chandrasekaran, industry manager, Frost & Sullivan points out that the threat landscape has also been undergoing a dramatic shift – from PC viruses that were mainly floppy disk based to Internet viruses that were more email/network based, to malware that was more broadband/website based, to the present day scenario of more targeted attacks, as well as threats that are considered cyber-espionage. He elaborates that the new security landscape is seeing more covert as well as targeted blended threats, making remediation even more complex. The advent of what Chandrasekaran refers to as “the underground economy” will continue to rise with no signs of abating as the primary motive of such cybercriminals revolves mainly around the motive of He adds that UTM is con- The possibilities with UTM financial gain. Attacks here include phishing, tinuing its trend of climb- are endless and we will hacking, identity theft, money laundering, bot ing up the value chain. definitely see it evolve attacks and the like. In fact, according to him, “On the services side for even more over the next this shadow Internet economy has been val- example, in the past, 6-12 months.” ued at US$105 billion, with this figure looking there were not many While UTM has many managed security ser- set to rise even higher. merits, he says, such as vices in UTM but this is lower TCO, greater cen- As a result of all the above and the ensuing now changing especially challenges in the enterprise ecosystem like tralized management, amongst bigger enter- evolving technology con- disparate systems, little integration as well as prises and larger man- high CAPEX & OPEX, Chandrasekaran says vergence, ease of use aged security services and affordability; it also that a more holistic view of security that inte- providers,” Chandra- grates the different dimensions (such as anti- still has its fair share of sekaran states. virus, firewall, anti-spam filters, virtual private challenges – what networks, identity and access control encryp- With regards to the evolu- Chandrasekaran refers to tion, web security and so on) into a more uni- tion of UTM, he observes in his presentation as “the fied solution is needed – hence the birth of that UTM has already undelivered promises of seen a huge shift from its UTM”. These include Unified Threat Management – UTM. Chandrasekaran notes that Frost & Sullivan early days (from 2000- scalability issues, lack of has also been seeing some major trends and 2003) when its appliances “best of breed” capabili- shifts in the UTM market. For one thing, when were predominantly for ties as well as lack of in- it first started out, UTM appliances tended to firewall and anti-virus pur- telligent integration. How- be deployed by mainly small and medium en- poses. Chandrasekaran ever, he is quick to add terprises (SMBs), mainly because it was a explains further, “More that these challenges are great value proposition for them. In the last 12- and more technologies something the key ven- 18 months though, Frost & Sullivan has no- are being added on for dors are aware of and are ticed that more large multi-nationals are look- example intrusion detec- keen to address. “Again, ing into and taking up UTM, mainly for their tion. Now, even web ap- the evolution of UTM will branch offices. “UTM is definitely becoming plication security is being probably iron out a lot of more viable as a platform. For example, it is looked at. In addition, its issues.” “Some ven- becoming more scalable. Also, one of the big- non-security technologies dors are already looking gest drivers of UTM is its ability to enable the are being considered like beyond UTM”, he con- convergence of multiple technologies on a sin- WAN acceleration. cludes.◊ gle platform,” he elaborates. By Shanti Anne Morais

Over the past 5-6 years, the ance bandwagon resulting in the to develop and deal with, prefer- Unified Threat Management introduction of anti-virus, anti- ring to focus instead on merging (UTM) market in the Asia Pa- spam filters, email security, with Veritas. In the meantime cific market has been taking IDS/IPS and so on. “By though, WatchGuard, off. Anthony Lim, Security & 2003/2005, it was not difficult to SonicWall, Fortinet, F5 Net- Governance Chapter, SiTF, imagine an enterprise Security works and the rest, proceeded shares with us the colorful Operation Center (SOC) buying to solder on and eventually back story of UTM and his and stacking boxes, some of formed the UTM market that we perspective on it. which were by then imaginably know today. It is interesting to Pre-UTM colorful (and I mean red, yellow, note that they all began with blue and green instead of the different single application appli- usual grey, black or silver),” he ances,” he expands. says tongue in cheek. “Today,” he adds, “Check Point “So, it became logical to think has re-introduced a new set of that this wasn’t the best idea appliances, while Nokia has de- because you can imagine rack- cided to put their security appli- fuls of security appliances, rack- ance division up for sale.” mount servers, patch-boards, The Current UTM Market hard disks, routers, switches and all the spaghetti in between According to Lim, the present – you get the idea!” Lim contin- day UTM market in the Asia Pa- ues. cific looks set to grow and is healthy because of a number of The Advent of UTM reasons: The emergence of UTM, says What happened next was that Lim, was fuelled to a large ex- It is convenient to deploy – es- security vendors endeavored to pecially important amongst tent by the increasing popularity reduce the number of boxes at of appliance security solutions SMBs where it is often hard to the SOC by trying to increase hire experienced IT security pro- made fashionable by Nokia, the number of security solutions NetScreen, WatchGuard Tech- fessionals – and can be done within the given box (appliance), both quickly as well as effec- nologies, Cisco Systems and hence the UTM idea was born. more. “Even the likes of ISS, tively. Symantec and Trend Micro had Notably, the first commercially UTM saves users the trouble of a tryst with these appliances, known attempt at a UTM appli- trying to decide a) which anti- though I think some were more ance was probably by Cross- virus, anti-spam or IDS solutions successful than the other,” he beam Systems. “Here, I don’t they want; b) what solution us- observes. “Suddenly, everyone mean the bar refrigerator size ers may need that they may wanted an appliance firewall,” server, $100,000 super-fast, have forgotten and c) saves us- he adds. Its popularity was industry product/solution,” says ers the trouble of a human re- driven mainly by its ease of de- Lim. source management issue in ployment since the appliances In 2003, Crossbeam Systems case different engineers on your were basically plug and play. introduced the “C” series—a staff prefer different brands or Secondly, for the most part, rather large appliance with a best of breed. these appliances were by de- Check Point firewall, Trend Mi- A challenge that Lim feels the fault pre-configured to be ready- cro anti-virus and ISS’ IDS all in UTM market will face is the fact to-use. Lim elaborates, “These the same box. Over the next few that there may be an attempt to were important attributes be- years, Crossbeam introduced put too many applications into cause people were by then de- different sizes and variances of one appliance, in which case, ploying them in a hurry and by the “C” series. “Not to be out- users may end up facing a per- the droves, due to the runaway done, Check Point, ISS and formance or software manage- proliferation of internet services, Nokia were soon apparently ment issue. which were in turn, driven by the accusing one another of trying mainstream availability and high to eliminate the other by intro- “In addition, the question of volume of broadband connec- ducing firewalls with IDS in the what permutation of applications tivity back then.” same box or vice versa. Again, users will have in which UTM you get the idea!” remarks Lim. appliance might also arise,” he The end result of this was that shares.◊ other security solutions vendors “Symantec soon decided their decided to hop onto the appli- appliance was way too difficult By Shanti Anne Morais

A visionary and pioneer in the built upon the premise that net- XTM thus provides extensible security-appliance market- work security solutions funda- ownership and leads the indus- place since 1996, WatchGuard mentally need to have this qual- try with software upgradeable Technologies today, is recog- ity. XTM appliances must be UTM devices. This allows busi- nized as an advanced technol- able to proactively adapt to dy- nesses to maintain high security ogy leader of network- namic network environments, as without having to rip out and security solutions, with over well as protect against the litany replace older devices – giving 500,000 award-winning appli- of known and unknown, future unmatched asset protection and ances installed in more than threats. With extensible protec- lowering the total cost of owner- tion, as a business grows, so 150 countries. ship (TCO). WatchGuard will does its security platform. continue to provide this ex- Consistently named by IDC, WatchGuard’s XTM stands for tended life and functionality with Infonetics and Frost & Sullivan the extensibility needed for best its next-generation XTM appli- as a market leader for SME se- practices in network-security curity appliances, WatchGuard management and control. Net- ances. is dedicated to protecting SMEs work administrators do not have Lastly, the WatchGuard XTM by providing advanced-security cookie-cutter environments and vision opens the door to extensi- features in its appliances at af- have to deal with a constant ble market opportunities. Watch- fordable prices – ensuring all barrage of threats – known and Guard envisions uptake of a solutions are fully upgradeable unknown. Each environment is new class of managed security to accommodate new features unique and, therefore, has indi- service providers (MSSPs), who and meet new threats as they vidualized needs and concerns, wish to provide highly reliable, emerge. depending upon the business "in the cloud", managed-security and the industry. WatchGuard services to their customers. Widely accepted as a strong recognizes this and builds ex- viable technology provider for WatchGuard also foresees the tensibility into its network man- possibility of providing a soft- secure remote access, the com- agement and user control fea- ware platform – similar to that of pany recently created a stir in tures, so that administrators can other extensible applications, the network-security industry maximize their XTM invest- with its announcement to intro- ments, which are customized to such as XML – so that third- duce next-generation UTM solu- best suit their network and user party developers can create tions with extensible threat man- needs. customized security applications agement (XTM) and connectivity WatchGuard’s XTM represents that are tailor-made for Watch- capabilities. WatchGuard’s in- extensible choice. Not only do Guard XTM appliances. creasing market share is evident XTM appliances need to fully What makes XTM stand out in in its 190 per cent increase in interoperate and support mixed appliance shipments in 2007, the network security arena? network infrastructures, but they most of which were UTMs – What are its main benefits? need the inherent security tech- confirming the industry’s accep- Extensible security means giv- nology to be flexible, too. This tance of UTM solutions and paving customers’ unparalleled se- way, administrators can pick ing the way for the new XTM curity against the next wave of and choose the security service platform. unknown threats, giving custom- that they want from the XTM ers uncompromised network Steve Fallin, director, Rapid Re- device. For example, some may management and user control, sponse Team WatchGuard want anti-virus (AV) protection and giving customers unbridled Technologies, shares the com- provided at a different source flexibility and choice. Combining pany’s vision and ideas on XTM other than the gateway. Now, an these benefits, WatchGuard is with Asian Channels. administrator can turn "off" the uniquely positioned to give busi- AV protection at the XTM appli- What exactly is XTM accord- nesses around the world the ance, whilst maintaining full fire- ing to WatchGuard? peace of mind of knowing that wall, IPS/IDS as well as web their networks as well as their Extensibility, the “X” in XTM content filtering at the network employees’ work and data is means having the ability to add gateway. on to or extend threat- highly secure with our XTM so- With WatchGuard’s XTM, the lutions. management capabilities. customer has a choice of secu- WatchGuard’s XTM vision is rity services. continues on Page 83

From Page 82 — Bringing the “X” Factor to Unified Threat Management

WatchGuard’s extensible components include: • Extensible protection to remain secure against the unknown future threats • Extensible management for easy control in varied environments • Extensible choice for interoperability and choice of security services, whilst maintaining exceptional standards of protection • Extensible ownership through upgradeable devices, thereby offering extended product life and high functionality

Why do you think XTM is so necessary? Do you think XTM will change the face of net- Photo: Corey Nachreiner work security? ness strategy and vision? Threats are becoming more so- By 2007, the UTM market had phisticated and less conspicu- grown approximately 35 per WatchGuard Technologies, a ous. This leaves networks vul- cent year-over-year, to reach pioneer of firewall technology nerable to extremely targeted US$1.216 billion. By 2008, in- since 1996, was an early inno- attacks that include blended dustry analysts estimate that vator of UTM solutions, and was threats, such as phishing e- sales of UTM appliances will one of the first to lead the indus- mails with malware payloads. surpass traditional firewall/VPN try with high-performance UTM The challenge is to give busi- solutions. By 2010, sales of offerings. XTM is the next gen- nesses threat-management so- UTM devices are expected to eration of UTM technology, lutions that not only adapt, but exceed US $2.5 billion – creat- predicated upon the substantive can proactively address future ing infinite opportunities for the expansion of three foundational and unknown threats so that the next-generation UTM solutions. elements: more security; greater highest security is always main- XTM solutions have the capabil- networking capabilities; and tained. more management flexibility. ity to change the industry land- Adding to this, most network scape and redefine network se- With threat management being administrators work in mixed- curity. As discussed above, they constantly challenged and rede- network environments of dispa- address needs not currently met fined, XTMs are much-needed rate infrastructure components by the prevailing UTM solutions. security solutions in today’s dy- and solutions. For these admin- Although UTMs offer consider- namic environment. For busi- istrators, it is imperative to have able deployment flexibility, the ness decision makers, XTM of- a flexible and scalable gateway- increasingly sophisticated and fers an ideal cache of reliable security appliance that can be decreasingly conspicuous security and superior TCO. XTM modified, updated and custom- threats in an evolving environ- allows businesses to utilise mo- ized to meet their particular se- ment require scalable appli- bility, consumer technologies, curity profiles and postures. Web 2.0, and other new busi- ances that can be modified, up- The XTM family will enable cus- ness applications in a highly dated and customised so that tomers to choose exactly which secure manner. high security is always main- security functions they want the tained. The changing perimeter Because of the inherent flexibil- device to perform, rather than of the workplace calls for robust ity found in XTM, these solutions being forced into buying bundles security technology to face the will help businesses address the of capabilities, some of which “x” factor of unknown threats. needs of regulatory compliance may not be of interest.

and future changes that are Tell me about WatchGuard bound to come. What are your plans for this and its XTM vision and strat- What are the key drivers of strategy especially in the Asia egy? How does this strategy this strategy and vision? Pacific? tie up with your overall busi- continues on Page 84

From Page 83 — Bringing the “X” Factor to Unified Threat Management

Are you targeting XTM at cer- centric sales model is designed and feature-set customization), tain verticals, sectors and/or to attract an expansive network and ensuring extensible owner- markets? Do you think it will of resellers focused on network- ship (network interoperability, be a major attraction to both security solutions. Our tier-one total cost of ownership and re- enterprises as well as SMBs? distributors carry our full range turn on investment). Global mar- WatchGuard’s recent vision to of products and services to spe- kets for security solutions are introduce next-generation UTM cialised and value-added resel- constantly evolving. solutions with XTM and connec- lers across the region – increas- WatchGuard monitors these tivity capabilities is keeping the ing our penetration in the SME markets to ensure that we are company a step ahead in this and enterprise marketplace. We aware of the optimal time for the competitive marketplace. Creat- are growing our regional reve- introduction of new products and ing and designing network- nue at around 20 per cent per platforms. security solutions – which have year with Hong Kong, India, In- the ability to proactively adapt to donesia, Malaysia, Thailand and What can we expect over the dynamic network environments the Philippines as our key Asian next 1 year from XTM and WatchGuard? and protect against unknown markets. threats – WatchGuard’s XTM We are currently recruiting more We have established a trajec- products ensure maximized pro- resellers to boost our UTM and tory that portends more capabili- ductivity, with seamless, robust XTM sales. ties and more performance. We authentication for identity man- We are particularly interested in will be announcing our new agement and powerful endpoint adding resellers with strong XTM-branded products when protection for uncompromised technical networking capabilities the time is right. network connections. With or those with security expertise. vastly expanded security fea- Are there any major chal- tures and functionality, network- You’ll be announcing new lenges when it comes to XTM ing capabilities and manage- products that will build on in Asia? If yes, how do you ment flexibility, as well as auto- your XTM vision. Can you think these challenges can be mated processes, Watch- please elaborate on this? overcome? Guard’s XTM solutions are Currently, WatchGuard’s firm- The XTM approach blends suited for SMEs and enterprises ware release for Peak, Core and seamlessly with the needs of alike across varied sectors and Edge appliances have built-in Asian businesses today. For the verticals – purpose built to extensibility, so users can lever- discerning, skeptical buyer, it thwart attacks from today’s age this innovative technology provides a sensible and innova- smarter malware and botnets. today! Later this year, Watch- tive approach to meeting the How do your partners in the Guard plans to release XTM- region’s need for flexible, easy- Asia Pacific especially fit in branded solutions that incorpo- to-use, high-value security solu- with this strategy? rate more XTM feature sets – tions. Leading the charge with They service organizations that addressing extensible threats its pioneering XTM solutions, have been asking for some of (the next generation of blended- WatchGuard will continue to the capabilities embodied by security threats), having extensi- create a stir in the Asian net- XTM. ble management (improved work- security market. ◊ scalability and greater granular APAC buyers are amongst the control), offering extensible By Shanti Anne Morais most discerning in the choice (network interoperability world. Our two-tiered, partner-

WatchGuard’s Norbert Kiss gives us the lowdown on Uni- fied Threat Management, the company’s strategy and vision on it and its key drivers in the region. What’s your definition of UTM? Is this definition different from the standard in any way? If yes, why? Unified Threat Management, which stormed the ICT world in 2005, was created due to customer demand for a better way of managing network security for companies of all sizes. Coined by IDC as UTM, ‘Unified’ signi- fies that a single device can manage multiple threats, including blended threats – a one-stop shop for customers to manage their network security needs.

Our definition of UTM is the same as that of industry practi- tioners. However we execute this definition very differently since 1996, was an early inno- demonstrating to customers and from others within the industry. vator of UTM solutions, and was partners, that UTM and XTM An example of this is our proxy- one of the first to lead the indus- have scaled newer heights to based architecture that thor- try with high-performance UTM provide greater security technol- oughly inspects everything that offerings. Our vision is to pro- ogy than the traditional point enters the network for threats, vide customers of all sizes – solutions. We continue to pro- providing our customers TRUE SMBs or enterprises, with a sin- vide our partners with leading Zero Day Protection – compared gle device, which is easy to de- channel programmes, education to most vendors who have ploy and manage, delivers a and incentives to ensure they packet inspection, thereby quick ROI and adapts well to bank on WatchGuard products checking only a part of the con- changing threats. whilst offering solutions to their tents. UTM is a gateway tech- customers. nology as opposed to a client Our strategy to achieve this is to technology, so it successfully integrate best-of-breed network- What do you feel makes prevents threats from entering security technology into our WatchGuard stand out in UTM the network. Client-based secu- UTM devices through innovation market and from your com- rity only protects the network and partnerships with leading petitors? providers of technologies. The from threats that have already There are multiple reasons for changing perimeter of the work- invaded the network. In spite of WatchGuard’s leadership in the space, coupled with the “x” fac- working under the same UTM network-security industry today. tor of unknown threats, has cre- umbrella, the delivery of the Firstly, WatchGuard’s products ated an opportunity for future WatchGuard offering surpasses have distinct technology advan- UTMs – XTM solutions with next industry standards and prac- tages over our competitors. -generation extensible- threat- tices. Being a pioneer of appliance- management technology – based network security since Tell me about WatchGuard’s which will change the industry 1996, these include Proxy tech- vision and strategy when it landscape and redefine network nology, logging and reporting comes to UTM? security. We, as providers of this features and more. WatchGuard Technologies, a technology, continue to be evangelists in the market by pioneer of firewall technology continues on Page 86

From Page 85 — UTM: Bent on Creating A Storm

Secondly, WatchGuard’s long- pan, although a technologically It’s true that UTM has been pri- standing reputation as a leading advanced country, has been marily focused towards SMBs. provider of network-security so- slow to accept the UTM technol- This was due to the fact that lutions gives us an edge in this ogy, but we are currently seeing large enterprises had large IT crowded industry. With over growing adoption there now. budgets, multiple staff and 500,000 devices around the Other parts of the region have would often roll out specific point world protecting networks at this just begun to realise the varied solutions for specific security very moment, our technology benefits of UTM and the impor- threats. This is changing rapidly speaks for itself. Thirdly, our tance of network security in an in these more challenging eco- sales model relies highly on our increasingly mobile world, which nomic times. The benefits of partners, who have successfully represents a significant opportu- UTM, including improved threat helped to build our brand in the nity for us to tap into these fast- management and performance market. We continue to provide growing markets. are opening new opportunities them with superior products at for UTM in the enterprise space. What are the key drivers of competitive pricing, coupled with We can see clear evidence of UTM? Do you think there are education and incentives, so this as enterprises often take any underlying factors in the they can, in turn, offer the best advantage of UTM in their security landscape that are in available technology to their branch offices and remote loca- particular, driving UTM? customers. tions where having multiple All organisations, irrespective of point solutions is just not viable. From your experience, do you their size, are exposed to the UTM in the enterprise space see any UTM trends that are same set of security threats. offers significant benefits to the particular to the Asia Pacific? However, SMBs today have lim- customers. Are you seeing a shift in ited budgets for internal or com- trends in any way when it “Performance is one of the pletely outsourced security for comes to UTM? biggest gotchas in UTM”? Do technology infrastructure man- you agree with this and what The face of the network security agement. is WatchGuard doing in the market is changing continuously They seek security solutions area of UTM performance? due to increased internationali- that ensure increased productiv- sation and globalisation, cou- ity, lower cost of ownership, This has been an unfair percep- pled with dynamically-changing compliance assurance or ease tion of UTM for some time. If a and highly sophisticated internet of deployment and manage- customer buys a separate unit threats. Even SMBs are finding ment, as well as resource scal- for SPAM and separate unit for they must maximise productivity ability and availability. Con- Web blocking, a separate unit for their remote and mobile us- stantly evolving network-security for IPS, etc. and then switches ers, whilst ensuring a highly se- threats that can cause immeas- them all on, they will naturally cure network. With SMB net- urable inconvenience, affect a see a slowdown in network traf- works expanding at an ever- company’s reputation and result fic. The same is true with a increasing pace, UTMs play an in unpredicted support costs – UTM device. If you turn every- important role in addressing forcing SMB management to thing on, it will slow down the these changing trends. UTM as address these needs. network. So the issue is not just a technology is standard across Traditional remote-access- true for UTMs, but for any net- the world. We haven’t seen any security solutions are no longer work-security solution. specific requirements by geog- viable solutions for SMBs that However, there are areas that raphy, apart from local language require uncompromised network can be improved. Multiple lev- requirements and the need to connections, so SMBs are turn- els of hardware can improve the manage and block local social- ing rapidly to UTM solutions. performance, giving customers networking sites and chat WatchGuard’s UTM appliances the choice to move up the prod- rooms. However, we have seen are purpose-built, not only to uct chain to gain higher perform- a significant difference in the meet enterprise needs, but SMB ance levels. Also, the UTM speed of adoption of this tech- needs as well. hardware itself has become nology. Many regard UTM as a tech- much faster, with dramatic im- I would say that mature IT mar- nology for SMBs. What’s your provements in UTM perform- kets such as Australia, Hong take on this? Do you think the ance over the past 12 months – Kong and Singapore have a enterprise also benefits from a trend one will continue to see. high level of acceptance for UTM? Do you think the enter- In spite of this, UTM solutions UTM and penetration continues prise is ready for UTM? have been widely accepted by to grow in these markets. Ja- continues on Page 87

From Page 86 — UTM: Bent on Creating A Storm customers, and the UTM market CLI-based management, along UTM and it will mean that we has seen enormous growth with with local-language support and can adapt faster to new threats, vendor revenue of US$100 mil- localisation. Customers across work in much larger networking lion in 2004 to US$1.3 billion in the board, from SMBs to large environments and ensure ease- 2007. Sales are forecasted to enterprises, will benefit from of-use in terms of management. exceed $2.5 billion in 2010*. WatchGuard’s new XTM tech- There is a lot of talk about UTM solutions have typically nology. WatchGuard’s XTM- “cloud computing” and dominated the network-security branded solutions incorporate “application hosting” and many arena essentially containing a XTM feature sets – addressing companies are now adopting firewall, network-intrusion detec- extensible threats (the next gen- these technologies, which open tion and prevention, and gate- eration of blended-security entirely new security threats – way anti-virus capabilities. threats), having extensible man- which is exactly what XTM is designed to address. XTMs ad- WatchGuard created a stir in agement (improved scalability dress needs not currently met the market when it announced and greater granular control), by the prevailing UTM solutions. its plan to introduce next gen- offering extensible choice The changing perimeter of the eration UTM solutions called (network interoperability and workplace calls for robust secu- extensible threat manage- feature-set customisation), and rity technology to face the “x” ment. Can you tell me more ensuring extensible ownership factor of unknown threats, and about your XTM vision and (network interoperability, total XTMs have the ability to proac- how you are paving the way cost of ownership and return on tively adapt to dynamic network for your XTM solutions? What investment), which without a environments and protect are the benefits of XTM, why doubt are essential and benefi- cial to any global organisation. against unknown threats. do you think it is so crucial to businesses and what types of Primarily, XTMs offer enhance- When can we expect to see companies do you think will ments in security, networking WatchGuard’s XTM solutions benefit the most from it? and management capabilities. in Asia?

Yes, XTM is a very exciting new In addition, XTMs will manage Currently, WatchGuard’s firm- direction for UTM indeed and we security threats from new ware release for our Peak, Core are focused on XTM research emerging areas, such as VoIP and Edge appliances have built- and development. WatchGuard and HTTPS and provide en- in extensibility, so users can is the first network-security ven- hanced SSL security – which is leverage this innovative technol- dor to provide a vision on what unique to XTM. In the area of ogy today! Early next year, Chris Kolodgy, IDC Industry network capabilities, XTMs will WatchGuard plans to release Analyst, defines as “the next offer features such as high XTM-branded solutions (XTM- generation of Unified Threat throughput and high availability, 1050 will be the first one in Q1 Management (UTM), integrated clustering technology – what 2009) that incorporate more pur- network-security appliances,” can be provided with UTM to- pose-built XTM feature sets – called Extensible Threat Man- day. On the management side, addressing extensible threats, agement (XTM). Fundamen- there will be significant en- having extensible management, tally, XTM is the new UTM and hancements in visual reporting offering extensible choice, and is extensible in its ability to pro- and connectivity to enterprise- ensuring extensible ownership. tect existing and future unknown management software such an Global markets for security solu- threats. Openview, Tivoli, etc. tions are constantly evolving. We announced our XTM direc- WatchGuard monitors these tion a few months back and ex- Do you think XTM will change markets to ensure that we are pect to have the first products the face of network security? aware of the optimal time for the hitting the shelves in Q1 2009. How? introduction of new products and

These 10GB throughput prod- Yes, XTM is on its way to be- platforms. We are putting a lot of ucts will offer best-of-breed, ro- coming the new standard. XTM development effort into XTM bust and comprehensive net- solutions have the capability to and XTM will be the basis of our work protection, in-house man- change the industry landscape strategy and products in 2009.◊ agement, using an intuitive, cen- and redefine network security. It By Shanti Anne Morais tralised console, options to for is the next logical progression to

INTERNATIONAL ANTI-SPAM LEGISLATION SNAPSHOT Singapore USA Australia Hong Kong Japan Date Com- 15 June 2007 1 January 2004 11 April 2004 (some 1 June 2007 1 July 2002 menced part came into effect 12 December 2003) Legislation Spam Control Act CAN-SPAM Spam Act (Federal) Unsolicited Electronic Law on Regulation of Title (Federal) Messages Ordinance Transmission of (UEMO) Specified Electronic Mail (Law No. 26 of April 17, 2002), as amended by Law No. 87 of July 26, 2005 (the “Anti-Spam Law”) Application Singapore “link” US Australian “link” Hong Kong “link” Japan Options Opt-out Opt-out Opt-in [purely factual Opt-out Opt-out emails are exempt] “Bulk” Must be sent in bulk to be No requirement No requirement for Must be sent in bulk to be No requirement for spam for message to be message to be sent in spam message to be sent in (>100 during 24hrs period, sent in bulk bulk (>100 during 24hrs period, bulk >1,000 during a 30 day >1,000 during a 30 day period, >10,000 during a period) one year period) Penalty Not Criminal Injunction Criminal Not Criminal Criminal Criminal S$25 per message up to US$250 per A$220,000 for indi- HK$1million (individual)/ ¥1million (individual)/ S$1million message up to viduals, A$1million for Maximum 5 years impris- Maximum 1 year US$2million companies onment imprisonment Other Not necessarily required to Must have a valid Even requested email Unsubscribe must be in Must have valid postal have a valid postal address postal address require an opt-out Chinese and English address requirement No specific refer- function No specific reference Must be in English ence to to (but must (but must be be signposted as an signposted as an advertisement) advertisement)

Points to note: Prepared July 2008 by AOTA (Authentication & Online Trust Alliance)) • Criminal prosecution maybe under related legislation • All require accurate header and sender info • All prohibit dictionary attacks and address-harvesting software • “Link” means the legislation not only apply to emails physically originated in that country but also sent by an organization having a legal entity in that country (regardless of where the offending email was commissioned and sent from)

Please note that this snapshot is not intended and should not be taken as a substitute for professional legal advice. Please consult your own legal counsel to ensure communications are in full compliance with Singapore and International law.

Reg. No. 200407301C MediaBUZZ Pte Ltd aims to make an impact in the region through two unique electronic publications Asian Channels and Asian e-Marketing, and through events relating to and serving these two industries.

Asian Channels is the very first of its kind in the region and the only guide for technology channels in the Asia Pacific. More information: www.mediabuzz.com.sg/asian-channels/

Asian e-Marketing is a pioneer e-publication in the Asia Pacific, covering the digital age and zooming in on the increasingly valuable and indispensable tool of today’s marketers – the Inter- net. More information: www.mediabuzz.com.sg/asian-emarketing/