MX Logic IT Security Blog

30 July 2008

Denver is Ninth Most Email Addicted City


According to a recent study done on email addiction, Denver is the ninth most email addicted city in the United States (click here for more info and for the other cities in the top 10.  BTW, I LOVE the picture on the top of that linked page.  Even if you don't care about the list, go for the picture.  It's worth it!).

This is not surprising considering the technical culture that exists in and around Denver and I would say its ranking is about right in comparison with the other cities.  My biggest surprise was Detroit.  I have never been to Detroit, but it has never struck me as a tech-centric city so I am surprised that one is on the list.  You could easily win an argument with me on that point though since I really have no personal experience of the city to speak of.

As I sit here in the San Jose airport, I see a number of people checking email on their laptops and on Blackberries (this is San Jose!  Where are the iPhones?!).  People who are addicted to email need effective email filtering to keep all of the junk off of their mobile devices and out of their inboxes.  As more and more malware is developed for mobile devices and as more and more personal information is being stored on those devices, that need will only continue to increase.

This list will definitely be making it over to our sales folks :)

Happy emailing!

Posted by smasiello at 10:24 AM
28 July 2008

The Window to Patch Your DNS Servers Has Closed


According to information being posted by many news outlets about the DNS cache poisoning vulnerability that we commented on back on July 9th, the window that researchers and network operators had hoped would stay open for patching DNS servers until the Blackhat conference has closed.  Several examples of exploit code that take advantage of this vulnerability have been released, and attacks have also been spotted in the wild (thanks to Websense for providing some of the links).

The folks working on the Metasploit Project were one of the first to jump on the bandwagon by making the exploit available via their freely available Metasploit application. 

So, if you have not yet updated your DNS servers, the time is now to test the patch and update your production servers.  Patches are available from all of the major vendors.  It was widely expected that once the details of the vulnerability were released, exploits would follow very quickly afterward. 

Many have bemoaned the fact that the details of this vulnerability were kept under wraps for so long while others viewed it as a commercial ploy for the Blackhat conference.  My personal opinion is that in the name of responsible disclosure this situation was handled with 100% professionalism and sensitivity as to the nature and severity of the problem.  Based on the amount of coordination that was required to get all of the vendors together, discuss the problem, and patch their applications, there was no way that this could have been done such that it would please everyone involved.  The overly vocal minority is trying to put a black eye on a process that worked as well as it possibly could given the number of stakeholders involved.  It is truly impressive to me that the details were not disclosed sooner. 

It cannot be said strongly enough.  Protect your users and your network.  This is not a problem you can ignore.

Posted by smasiello at 9:36 AM
23 July 2008

Can we please stop calling people "Spam Kings" ?


I've officially had enough of the moniker "Spam King."  In an attempt to continually overplay the significance of every American spammer arrest, the media insists on calling every arrested, indicted, and convicted spammer a "Spam King."

The latest example is Eddie Davidson who recently walked away from a minimum security lockup in Florence, CO (By the way, how is Colorado getting so popular for spammers lately?) while serving his 21 month sentence for mass mailing stock pump and dump spam on behalf of nearly 20 companies.  According to this article, he is yet another to earn the spam monarch title.

If the numbers reported in the article posted by thedenverchannel.com are true, hundreds of thousands of stock pump and dump spam (over what time frame these messages were sent was not given) hardly puts Mr. Davidson in the realm of a king in the spammer community.  Compare that to the hundreds of millions of messages that MX Logic processes alone on a daily basis and I would put him more into the realm of a child learning to walk.   If you want your true Spam Kings, check out the Top 10 Worst ROKSO Spammers according to Spamhaus here.
As I've stated previously, I am certainly not bemoaning the fact that governments around the world are stepping up their efforts in order to get as many spammers off the streets as they possibly can, but can we please not sensationalize them by calling them Spam Kings?

Posted by smasiello at 9:13 AM
22 July 2008

Do some CAPTCHAs go too far?

CAPTCHAs - Completely Automated Public Turing test to tell Computers and Humans Apart.

In other words, an attempt at verification that a human is filling out a web form as opposed to an automated agent/bot.

Or, in other other words, a test that has become almost impossible for humans to even pass due to the increased levels of obfuscation being put into the tests themselves.

Usually CAPTCHAs are done via some kind of image where the user types in the contents of said image into a text box at the end of a web form.  If the user's guess is correct, then the form is successfully submitted, and whatever follow up action that is supposed to happen afterward is performed (e.g. successful signup to a mailing list, comment post to a blog, etc).

The problem is that in an effort to make these CAPTCHA images more and more difficult for software to decode, so that bots cannot bypass them, they have also been made very difficult for humans, the people who are supposed to be able to read them, to figure out.

Take the following image that I was presented with on Facebook, a popular social networking site, this morning:


Are you kidding me?

Obviously the second word is "mountains", but I challenge even the most competent forensic experts to tell me what the first word is supposed to be.

Despite its fallibility, I can understand as a technical person the need to have technologies like this in place.  As a technical community, we need to make sure that we aren't making our products and systems impossible to use "in the name of security."  Users will only accept a certain amount of inconvenience before they go find solutions that are simpler to use while still providing acceptable levels of security.

Posted by smasiello at 4:05 PM
15 July 2008

Steve Gibson of Security Now Completely Misses the Mark in Episode 150


Those who know me know that I enjoy listening to podcasts.  In particular, I enjoy security related podcasts, especially when waiting for a flight or during the 50 minute drive into work every day. 

One podcast that recently raised my ire a bit is one that I listen to quite frequently, the Security Now podcast which is done by Steve Gibson (of Gibson Research Corporation) and Leo Laporte.  I am a frequent listener of this podcast, and was somewhat excited to hear the MX Logic name mentioned in episode #150,  "Listener Feedback Q&A" (audio version here).  Unfortunately, that joy quickly turned to aggravation as I listened to Steve not only give a completely uninformed response, but then also basically accuse us of using tactics similar to what spammers use to track active email accounts.  Unfortunately, I have yet to receive a response to my letter to Steve, so I wanted to be sure to clear the air on any misconceptions that he created during his podcast.

If you aren't familiar with the Security Now podcast format, every other week he and Leo go through the Security Now mailbag and select 12 questions from listeners that they will address on-air.  Question number 12 of episode 150 was from one of our customers.  Essentially he was concerned about tracking devices in email because he noticed that as he read an email on his Blackberry we were supposedly injecting graphics into his email.

Steve immediately jumped on the bandwagon and said "...this is absolutely tracking.  And this is why I'm so down on third-party cookies."  Here is where everything started to go completely wrong for him, especially since immediately afterward he also said "...there's no other information in the URL."  So, on one hand he says that "it is absolutely tracking" but on the other hand he says "there is no other information in the URL."  So, if there is no tracking information in the URL and we aren't setting a cookie of any kind when the image is pulled (another thing he got wrong, since he mentions third-party cookies in his original response), what are we possibly tracking?  Sure, the IP address of the client pulling the image will appear in our web server logs, but that doesn't tell us anything.

The truth of the matter is Steve completely missed the mark in his response. 
The reason that this "injection" happened is a result of a customer configurable feature of our offering called HTMLShield.  With HTMLShield customers can configure their email filtering options such that certain HTML tags (such as javascript and iframes which are frequently the cause of drive-by malware downloads) within an email message are stripped (note that this is off by default, so customers have to specifically configure how they want this feature to work).  As part of HTMLShield, customers can also choose to have image links within an email replaced with a transparent GIF image (note that this is also turned off by default, even if HTMLShield is enabled.  So to enable this feature, a customer has to not only enable HTMLShield, but then also separately enable the feature to replace image links).  No tracking is done of images that are replaced.  We simply substitute the image link with a transparent gif, then pass the message down to our customer.
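The two HTMLShield options described above, as an added illustration that is not MX Logic's code: a small stdlib filter that drops script and iframe elements with their content and, only when the separate image option is on, swaps every image source for one fixed transparent GIF, so the replaced link carries nothing that differs per recipient. The class and the sample message are constructed for this example.

```python
from html.parser import HTMLParser
from html import escape

# One fixed 1x1 transparent GIF: identical for every message, so it cannot act as a beacon.
TRANSPARENT_GIF = ("data:image/gif;base64,"
                   "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")
STRIP_TAGS = {"script", "iframe"}   # elements removed together with their content

class HtmlShield(HTMLParser):
    """Hypothetical filter mirroring the described options; not MX Logic's implementation."""
    def __init__(self, replace_images=False):
        super().__init__()
        self.replace_images = replace_images   # off by default, as described in the post
        self.out = []
        self.skip_depth = 0  # > 0 while inside a stripped element

    def handle_starttag(self, tag, attrs):
        if tag in STRIP_TAGS:
            self.skip_depth += 1
        elif not self.skip_depth:
            if tag == "img" and self.replace_images:
                attrs = [(k, TRANSPARENT_GIF if k == "src" else v) for k, v in attrs]
            rendered = "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in attrs)
            self.out.append(f"<{tag}{rendered}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in STRIP_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:   # text inside stripped elements is dropped too
            self.out.append(escape(data, quote=False))

def shield(html, replace_images=False):
    """Return the filtered message body."""
    parser = HtmlShield(replace_images)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample message (not a real capture): a tracking pixel plus two drive-by vectors.
SAMPLE = ('<p>Hi <b>Joe</b>,</p><script>fetch("http://example.invalid/x")</script>'
          '<iframe src="http://example.invalid/drive-by"></iframe>'
          '<img src="http://example.invalid/pixel.gif?id=joe123" width="1" height="1">')
```

Running `shield(SAMPLE, replace_images=True)` on two messages that differ only in the pixel's per-recipient id yields byte-identical output, which is the point the post makes about the replaced links.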

I would've hoped that someone with as much experience in the security industry would have been a bit more responsible in his answer and done a bit more homework before responding to the listener's question the way that he did, especially knowing that his podcast is so widely listened to amongst security professionals.  Since I have been a long-time listener of Steve's podcast, I like to think that his desire to jump all over this question, and even go so far as to at one point agree with Leo that what we are doing is similar to spammers' "spam beacon" tracking mechanisms, wasn't a backhanded plug for his primary sponsor, Astaro... I guess I am just not that trusting.
Posted by smasiello at 9:42 AM
09 July 2008

New DNS Vulnerability Announced


It was announced yesterday that a serious vulnerability exists in the DNS (Domain Name System) such that an attacker could take over a DNS server and corrupt it in such a way that legitimate traffic could be diverted to malicious web sites.

If you are not familiar with how DNS works, it essentially functions as an internet phone book (if you are interested in a more technical description with examples, click here).  The internet works on what are called Internet Protocol (IP) addresses, but in order to make the internet easier for users like you and me, we use hostnames like yahoo.com, google.com, and cnn.com instead.  What DNS systems do is translate those hostnames to IP addresses so that (for example) Internet Explorer knows where to retrieve web page content from.

So, how does this DNS vulnerability potentially affect you?

If your DNS server is compromised, the hacker could redirect legitimate web traffic (say, to bankofamerica.com) such that instead of your computer being directed to the IP address for the real bankofamerica.com web site, it could be directed to a malicious, look-alike web site that is either hosting malware or is set up strictly for the purpose of capturing login credentials to be sold in the underground market.

It is important to note that this vulnerability is related to the actual DNS protocol itself and is not specific to any particular DNS implementation.  It is also important to note that at this time there are no known exploits that are taking advantage of this vulnerability.  Technical details of the flaw will be released at the Black Hat Conference in Las Vegas on August 6th.  Once more specific details are released at Black Hat all bets are off so it is important that you test and deploy the patch that is specific to your  DNS implementation as soon as possible.
If you are interested in reading more about the information that has been released thus far, you can read the Executive Summary here.  You can also read the CERT Advisory that was released here.

Posted by smasiello at 9:24 AM
02 July 2008

Announcing the July 2008 MX Logic Threat Forecast and Report


Hot off the presses and posted to the MX Logic web site is the July 2008 edition of our Threat Forecast and Report. 
In this latest edition we look ahead to some of the threats and scams that we see upcoming for the month of July (Teaser:  the iPhone will be featured prominently this month!) as well as a lookback to what we saw during the month of June (In our previous report we estimated that spam volume would go up in June after being down in May.  Oops!). 

There is also something about name calling between pots and kettles....

Check out this month's Threat Forecast and Report here.


Posted by smasiello at 10:51 AM

© MX Logic, Inc. All Rights Reserved.