Restoring Trust
Our world has become increasingly reliant on the Internet. Businesses run on it, consumers rely on it and boundaries are removed by it. This medium has a tremendous amount of promise, and seemingly unlimited potential for innovation. But can we trust it? Consumer Reports recently published its 2007 State of the Net. Not surprisingly, the survey, conducted by the Consumer Reports National Research Center, reveals that the risk associated with using the Internet remains high. The four leading online hazards included spam, viruses, spyware and phishing. The survey put the national incidence of spam at one in two users experiencing high levels of spam. For viruses, one in five will have a major and costly problem—with a total damage of US$3.3 billion. For spyware, one in 11 will have a major and costly problem—with a total damage of US$1.7 billion. Lastly, phishing remains high. The report cites 23,000 attacks in April of 2007, with one in 81 losing money from an account, with total damage of US$2.1 billion. While enterprises have been aware of the threats for a long time, consumers are becoming savvier about online dangers.
In late August, Cloudmark, Inc., released the results of its nationwide poll conducted on its behalf by Harris Interactive, which revealed that 89 percent of U.S. online adults are equally or more concerned about becoming a phishing victim than they were last year. Nevertheless, according to the poll, online adults still engage in at least one of the five major activities that often lead to being the victim of a phishing attack. Among those who indicated that they are more concerned about phishing attacks, some have actually changed their behavior by decreasing certain online activities. This change can negatively impact online business and transactions: 29 percent only use certain credit cards or accounts when they shop online; 21 percent only pay certain bills online; and 20 percent have decreased the frequency of their online shopping. There is also a growing concern among consumers of malware (other than phishing). For example, consumers are more concerned about viruses (38 percent), spyware (35 percent) and spam (30 percent) than they were last year. The Cloudmark survey was conducted online within the United States in August among 2,215 U.S. adults aged 18 or older.
“The reason email is the killer app is because it helps people reach out, all over the world, any time of day, to all kinds of people, and stay connected,” says Dave Champine, senior director of product marketing for Cloudmark. “Unfortunately, this also makes for a natural target for attackers. Something that cuts across so many demographics and is so pervasive is obviously a great place to perpetrate some type of crime. As the volume of legitimate use has increased, so too has the volume of illegitimate use.” It is unfortunate that the sophistication of illegitimate use has increased so dramatically. What Cloudmark has seen (and what the Harris Poll results verify) is not a change in people’s fundamental behavior or their reliance on email as a communications channel. Rather, users are more aware of the threats.
“Consumer awareness has increased regarding taking care not to open an application, and looking for ways to validate and authenticate what is in their inbox. Which is where we come in,” explains Fran Maier, executive director for TRUSTe. TRUSTe works to advance privacy and trust for a networked world. Through its Web Privacy Seal, Email Privacy Seal and Trusted Download Program, TRUSTe helps consumers and businesses identify trustworthy online organizations. TRUSTe certifies more than 2,500 websites, including major Internet portals and leading brands such as Microsoft, IBM, Oracle, Nestle, Intuit and eBay among many others. “It is very confusing to consumers,” continues Maier. “They are looking for signposts, and ideally would like the problem to just go away. Consumers are so busy managing their spam filters and virus filters that the idea of managing spyware too can be overwhelming.”
Anti-Spyware Victory
Besides, managing spyware is not easy. According to Consumer Reports, spyware infections prompted 850,000 households to replace their PCs in the past six months. Just last month, an important spyware case that threatened to undermine the effectiveness of anti-spyware technology was decided in favor of consumers. “The case pitted Kaspersky Lab—which offers a range of anti-spyware and anti-virus tools—against notorious adware distributor Zango,” writes Center for Democracy & Technology Deputy Director and Coordinator of the Anti-Spyware Coalition Ari Schwartz. “A ruling in favor of Zango would have had wide-ranging negative impact, not just for Kaspersky, but for all anti-spyware developers, and, in turn, for the millions of consumers who rely on those companies to keep their computers free of unwanted, often malicious programs.” While the law protects consumers’ rights to decide what goes on their own computers, Schwartz notes that it is anti-spyware and anti-virus technologies that allow consumers to enforce those rights. “User empowerment is the best response we have to emerging Internet threats. The more control consumers have over their own computers, the less likely they are to fall victim to the unceasing flood of scams and exploits that menace the global Internet,” states Schwartz.
Keeping defenses up while staying connected gets even more complicated with the ever-growing bot and zombie malware that continually feeds spam and identity theft networks. In October, the Messaging Anti-Abuse Working Group (MAAWG) released the first best practices developed cooperatively by major Internet and email service providers for managing infected subscribers. The MAAWG Best Practices for the Use of a Walled Garden provides recommendations for directing customers to a safe online environment where downloadable self-remediation tools can help users remove the malicious code installed on their computers. “The industry needs to define best practices to address this problem, just as a public health department would define quarantine procedures for a biological infection that is affecting its citizens. These best practices are the first effort at unifying and educating ISPs and service providers on how to effectively confront this rapidly spreading malware,” said Scott Chasin, editor of the MAAWG walled garden recommendations and chief technology officer for MX Logic, Inc. Walled gardens are closed online environments created by service providers where subscribers can safely disinfect their systems. When subscribers with infected computers try to access the Web, their browsers are automatically redirected to a protected environment provided by the ISP where the malicious code can be securely purged. The MAAWG best practices recommend that these walled garden sites include downloadable tools that allow users to remove the malware themselves, and that subscribers’ Web access be restored once the malicious code has been deleted.
Currently, a large percentage of spam is sent through these ill-gotten networks. According to Richard Cox, the chief information officer at the Spamhaus Project, a nonprofit that tracks malicious online activity, “Every day we see between 750,000 and 1.2 million new IP addresses, proxies and botnet zombies attempting to send spam. This does not mean they are all new infections, as infected PCs tend to move around the Internet IP address space of the users’ ISP.”
It Takes a Community
Cloudmark takes a collaborative approach to fighting spam. It draws on the nearly 200 million consumer mailboxes of its service provider customers. The end-users identify, report and corroborate suspect messages in real time. “We give a star rating, based on the number of times that people report spam or block a phishing attempt,” explains Champine. “They can work up to a gold star. The feedback that we have gotten from consumers has been tremendous. The rating is based on a number of factors such as how many times did you respond, how quickly did you respond, and how often your response agrees with other trusted members within the system.” Champine says that people get fanatical about their rating. “There was one time when we tweaked a few parameters, and people’s ratings dropped. They were not getting as much image spam, and therefore they were not getting the opportunity to report as much. Their trust rating dropped a bit, so they called Cloudmark support and complained saying they needed to maintain their gold star!”
According to Cloudmark, its collaborative approach has proven more effective and faster than traditional blocking or filtering methods. At the core of the Cloudmark Global Threat Network is its Trust Evaluation System (TES). TES ensures the “reputation” of reporters by tracking how often the larger recipient community agrees with their assessment of a message. In addition, Cloudmark uses an automated system of fingerprinting algorithms. Advanced Message Fingerprinting maintains the privacy of the content and reduces the amount of data to be analyzed. Once a message fingerprint is cataloged as spam, all future messages matching that fingerprint are automatically filtered. Because a reputation-based collaborative system does not draw blanket conclusions about terms, hosts or people, it has proven to increase accuracy, particularly as it relates to false positives. “It helps end-users feel like they are empowered,” says Champine. “As well as helps them maintain faith and trust in the system.”
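The sketch below is an added illustration of the general idea described above (trust-weighted reports deciding when a content fingerprint is cataloged), not Cloudmark's implementation. The threshold, trust adjustments, normalisation, reporter names and messages are all assumptions constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

SPAM_THRESHOLD = 1.5  # assumed: summed reporter trust needed to catalogue a fingerprint
NEW_REPORTER_TRUST = 0.1  # assumed: unknown reporters carry little weight


def fingerprint(body: str) -> str:
    """Digest of normalised content; the catalogue never stores message text."""
    normalised = re.sub(r"[^a-z0-9]+", " ", body.lower()).strip()
    return hashlib.sha256(normalised.encode()).hexdigest()[:16]


class TrustNetwork:
    def __init__(self):
        self.trust = defaultdict(lambda: NEW_REPORTER_TRUST)
        self.votes = defaultdict(dict)  # fingerprint -> {reporter: said_spam}
        self.catalogue = set()  # fingerprints the community has agreed are spam

    def report(self, reporter: str, body: str, said_spam: bool = True) -> str:
        fp = fingerprint(body)
        self.votes[fp][reporter] = said_spam  # one vote per reporter per fingerprint
        score = sum(self.trust[r] * (1 if v else -1) for r, v in self.votes[fp].items())
        if fp not in self.catalogue and score >= SPAM_THRESHOLD:
            self.catalogue.add(fp)
            # Reputation tracks agreement with the community's eventual verdict.
            for r, v in self.votes[fp].items():
                change = 0.1 if v else -0.2
                self.trust[r] = min(1.0, max(0.0, self.trust[r] + change))
        return fp

    def is_spam(self, body: str) -> bool:
        return fingerprint(body) in self.catalogue


def demo() -> TrustNetwork:
    net = TrustNetwork()
    net.trust["alice"] = net.trust["bob"] = 1.0  # constructed: proven reporters
    # Three unknown accounts try to get a legitimate newsletter blocked.
    for name in ("new1", "new2", "new3"):
        net.report(name, "Your October statement is ready", said_spam=True)
    # A real campaign: one unknown account disagrees, two trusted reporters agree.
    net.report("carol", "Buy cheap meds now", said_spam=False)
    net.report("alice", "Buy cheap meds now")
    net.report("bob", "BUY cheap   meds NOW!!!")
    return net


if __name__ == "__main__":
    net = demo()
    print(net.is_spam("buy CHEAP meds now"), net.is_spam("Your October statement is ready"))
```

Weighting reports by earned trust is what keeps a handful of new accounts from blocking legitimate mail, which is the false-positive property the paragraph above attributes to reputation-based systems.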
Trust is indeed a fragile thing. Arvel Hathcock, founder and CEO of Alt-N Technologies, believes the impact of phishing has struck at the heart of people’s trust in messaging. “How the world has changed in a few short years,” observes Hathcock. “You still want to communicate with your customers for legitimate business reasons, but your customers won’t even open your messages. Industry surveys reflect that nearly 80 percent of banking customers are less likely to respond to your communications and 19 percent will not enroll in online banking or bill payment because of the fear of identity theft. Statistics like these make you wonder if trust in email can ever be restored again between you and your customer.”
One of the reasons Hathcock has been so active in the development and implementation of DomainKeys Identified Mail (DKIM) from its early beginnings is that Alt-N does not want trust in email to diminish because of the exploits of a few bad characters. Hathcock developed the MDaemon email server back in the mid-1990s because he believed in the benefits that communication via this new medium brought. His motivation is clear: he does not want the bad guys to destroy the trust people have in their ability to freely communicate with others around the globe. “To help rebuild this trust, a layered approach to messaging is progressively making in-roads. Authentication protocols used by email platforms, like Alt-N’s MDaemon email server, use DKIM and Sender ID to provide important steps to confirm a message’s authenticity.” Hathcock goes on to say that, according to the Authentication and Online Trust Alliance (AOTA), nearly 7 million domains and 43 percent of email traffic contain some form of authentication. “But authentication is just one of the many layers of protection needed to restore the confidence email users need,” says Hathcock. “Another area to work on is the practice of email certification and reputation services. While there are some forms of proprietary certification available today, an open standards approach will help to move this technology into the mainstream.”
Possible Solutions
Peter Firstbrook, research director at Gartner, is not sure that authentication holds as much promise as people hope. “Because it is complex and expensive to implement, I am not sure this is going to work. Even though it seems simple on the surface, for large organizations, just understanding who sends email on its behalf is phenomenally hard. And this is not a one-time activity, you have to keep up every time a new server comes online or affiliate is added. It is a continuous process, because no one has automated it,” comments Firstbrook. “Plus, it only deals with one issue, somebody impersonating my specific domain, but the issue is they can impersonate your domain by stealing a similar sounding domain. For example if my domain is bankofamerica.com, they could use bofa_support.com or any number of variations. All the criminals have to do is look for a variation and use it and publish their DKIM or SPF statistic. The incoming message will look like it is coming from a trusted source. Then where are we?” Firstbrook points out that authentication does not disclose whether what they are sending, from a content perspective, is something they are allowed to send. So the server is authenticated, but the content is false. “I do not think it is possible to solve that issue unless you link anti-spam security, to try to filter through all the garbage and look for the bad senders. I do not think the solutions are nearly adequate yet—except for your basic anti-spam security. From an enterprise perspective, the enterprise anti-spam is pretty good, but the consumer stuff is pretty horrible.”
Firstbrook feels that today’s reputation services are very useful. “Spamhaus and other RBLs are becoming less useful because they are advertising who they are putting on the list, and they are not fast enough. Someone has to report spam, and investigate, and then put them on the list, and by then the bot is gone.” Firstbrook points out that on average, spam is fatter than regular email. Therefore, when spam is 90 percent of email, dropping 40 to 60 percent of it at the connections layer can have a huge impact on scalability. “Reputation as a detection technique and management technique has a lot of legs on it.”
Lists do have their place. “The whole idea is that blacklists and anti-spam programs can work harder, if there is a whitelist. It is the same with spyware. The anti-spyware programs can work harder, because they can go full force if they have the whitelist exception,” believes Maier. “That is what we did with the Bonded Sender program, and what we are doing now with the Web Seal and Trusted Download program.” Maier is pleased with the efforts of TRUSTe, but recognizes that there is still much education that needs to happen.
Champine agrees. “When people hide their PIN as they enter it at an ATM or don’t walk away from a bank with all their money in full view, they do not necessarily think of it as a counter-fraud activity. Instead, these are common sense habits in order to have safe banking practices.” Champine does not think people will shy away from using email. But he does believe that they are starting to acclimate and incorporate some online common-sense practices. “It is still early days for a lot of people and they are making mistakes,” says Champine. “Honestly, I think the big burst in activity from the attackers’ side represents that they recognize that they have to stay creative, and stay ahead of the curve and the curve is gradually growing.”
Almost all agree that it is a battle between those that want to continue online exploitation, and those that want to keep the medium safe. It may be too late to restore online trust and confidence to its original state, but consumers and businesses alike show no signs of abandoning the race. “The challenges keep on coming,” concedes Maier. “I guess the overall theme here is that those of us on the side of legitimacy and trust and that believe in the full promise of ecommerce and community have got to get behind each other and continuously come up with solutions. It is not going to be a one shot deal.”
For Your Reference
Authentication and Online Trust Alliance
Center for Democracy & Technology