
Cloudmark Blog

Intelligence Briefings from the War on Spam

Archive for the ‘Cloudmark’ Category

The Federal Government and Email Security


Sunday, October 09, 2011 by Murray Kucherawy

This week, at the Federal Cybersecurity Conference & Workshop in Baltimore hosted by the Department of Homeland Security, there was a panel on Email Authentication that explained why authenticated email is vital to their interests. Being able to trust email from federal agencies is highly important to them, not merely for communication among agencies but also between the government and its constituents.

It was explained that in the recent past a couple of US senators have had to arrange sudden press conferences to spread the word that, contrary to what’s been said in email, they are not dead. Apparently there had been forged email campaigns making such claims, causing some amount of chaos, and they needed to be dispelled. The FBI, IRS, and the House domains have also been the target of forged email or phishing campaigns.

Cloudmark was invited to present the perspective of industry to the audience of mainly CIO-level representatives from various branches of the federal government. We highlighted not only the importance of deploying email authentication technologies like SPF and DKIM and why they’re great, but also why they’re not enough. Domain reputation, the obvious next step along the path to securing email, became the focus. Some good questions were asked about the viability and vulnerability of such systems when they’re based on user feedback. Fortunately, we have a lot of good experience in that area from our commercial product and open source history, which supported the discussion.

We’re encouraged to see that the federal government has taken such an interest in these issues. We presented some ideas of how they can help with respect to deploying policy and services from their side of the fence, and we’re looking forward to making progress with them.

Boy Scouts using the Positive Power of Text Messaging


Tuesday, September 27, 2011 by Angela Knox

Cloudmark’s drive to equip users with the power to report messages they didn’t sign up for (using the 7726 (S-P-A-M) GSMA service) and to protect mobile users from spammy text messages means that we spend a lot of time thinking about the negative content that gets sent by spammers.

So it’s nice to be reminded that text messages have a lot of power to be used for good.

I love this story from tatango’s SMS marketing blog. The Boy Scout National Jamboree allowed parents and scouts to sign up for text message updates. They then used text messaging to keep in touch and send updates. They sent the scouts messages like: “As u head back, stay with the group or at least a buddy. Remember to go left at the asphalt road and head back.”

They were also able to let parents know, minutes after the tornado passed through, that a tornado that touched down in DC hadn’t impacted the Jamboree and that everyone was ok.

It’s a really nice example of the positive power of text messaging. You can check out the full story here: http://www.tatango.com/blog/tatango-customer-spotlight-boy-scout-troop-831/

DKIM, New and Improved


Thursday, September 22, 2011 by Murray Kucherawy

After numerous discussions and spirited debate, the IETF has finally published a couple of important new RFCs related to DKIM. RFC6376 is the update to DKIM itself that does a thorough job cleaning up the original version, and RFC6377 provides recommended practices for using DKIM with respect to mailing lists. With this, DKIM has advanced from being a Proposed Standard to a Draft Standard, indicating a level of maturity and stability held by only a small fraction of Internet protocols in use.

As I’ve written before, DKIM (DomainKeys Identified Mail) allows one to attach a domain name to a message in a way that provides some assurance of its valid use. Since the rest of an email message can essentially be forged, this is a big development in the advancement of messaging trust and security. DKIM is an important input to concepts like domain reputation systems, a topic that will be covered during a session at the MAAWG conference next month. Domain reputation stands to be a key component of message security systems in the future, especially as the transition to IPv6 continues. The IETF is also considering a working group to tackle the concept of delivering reputation services in a reliable and open way, and DKIM will likely be a prominent figure in sample implementations.

Cloudmark is pleased to be a part of the support and advancement of this work!

18 to 24 yr olds send 110 texts per day


Thursday, September 22, 2011 by Angela Knox

An interesting new report* from The Pew Research Center’s Internet and American Life project says that 95% of 18 to 24 year olds own a cell phone, 97% of the cell phone owners use text messaging, and they send an average of 110 text messages per day.

That’s a lot of texting they’re doing.

People in the older age groups tend to send fewer texts per day on average. It would be interesting to know if the younger age group sends more texts because they have more time to send text messages or because they’re more comfortable with the technology.

Either way, text messaging is an important part of how people communicate, which is why Cloudmark supports the rollout of a common short code, 7726 (S-P-A-M), to report any unwanted text messages, so that those 110 messages per day continue to be messages that people want.

Text Messages per Day by Age Group


*Smith, Aaron. Americans and Text Messaging. Pew Internet & American Life Project, Sept 19, 2011. http://pewinternet.org/Reports/2011/Cell-Phone-Texting-2011/Main-Report.aspx?view=all, accessed on Sept 21, 2011.

 

Hacking a Subaru via text messages


Tuesday, August 30, 2011 by Angela Knox

Don Bailey and Mat Solnik from iSEC Partners made a YouTube video showing the use of text messaging to hack into a Subaru Outback to unlock the door and start the engine.

This was possible because systems like OnStar and Ford SYNC use text messaging to communicate with the car, via M2M (machine to machine) communication.

The video isn’t particularly exciting to watch, but NPR (security-firm-hacks-a-car-with-a-text) and CBS (Theft via text: Cars vulnerable to hack attacks) went a bit deeper with their coverage, pointing out that it’s not just cars using wireless communication chips, but other devices as well, such as ATMs, medical devices and traffic lights.

Obviously the manufacturers need to ensure that communications with these devices are secure. But it’s also another type of malicious activity over mobile messaging networks that the mobile operators are going to need to take into consideration.

Spam or Not Spam?


Monday, August 29, 2011 by Mark Stemm

Take a close look at the message below, and then continue reading:

Is this message spam or not? It looks related to a well-known brand, and looks fairly innocuous–submit a survey, get a gift card. It does sound a bit too good to be true, and the mailing address for the unsubscribe link looks a bit strange.

The things that make the message definitely 100% spam are the things you can’t see. In several different ways the spammer sending this message is using techniques to circumvent spam filters, including the following:

  • Sending from an IP address that has never sent mail before. Using a brand new IP address circumvents real-time IP blacklists and exploits default throttling policies that can allow a spammer to send many messages before being blacklisted.
  • The HTML message content includes meaningless word salad in several blocks of HTML comments. This is usually an attempt to confuse Bayesian spam filters that use word frequencies to determine spam/legit status.
  • The message contains raw non-ASCII characters in an attempt to confuse spam filters that treat messages as null-terminated strings.
  • The message contains several meaningless href= links surrounded by CSS markup that makes them invisible, in an attempt to confuse spam filters looking for a mix of links as an indicator of legit status.
  • The visible href= links in the message use numeric IP addresses instead of hostnames.
  • The IP addresses in the href= links are represented in a legal-but-obfuscated format in an attempt to defeat URL parsing code. Here’s what the href= link looks like (the IP address has been changed):
    <a href="http://10.000000204.00000044.000031/axkdt/nsn/?clk=...">
  • All of the readable “text” in the message is actually an image. Attempting to click on the unsubscribe link (or anywhere else around it) sends you to a questionable-looking unsubscribe page.
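
As an added example (not code from the original post or from Cloudmark), the following Python shows how a filter can normalize the legal-but-obfuscated IP format quoted above before matching links against blacklists. It assumes the host is interpreted with the classic inet_aton() rules (leading 0 means octal, 0x means hex, fewer than four parts allowed), which goes beyond the single octal case in the post; all function names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

def parse_part(tok):
    """Parse one component as inet_aton() does: 0x.. hex, leading 0 octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", tok):
        return int(tok, 16)
    if re.fullmatch(r"0[0-7]*", tok):
        return int(tok, 8)
    if re.fullmatch(r"[1-9][0-9]*", tok):
        return int(tok, 10)
    return None

def canonical_ipv4(host):
    """Return the dotted-decimal form of a numeric host, or None if it is not one."""
    nums = [parse_part(p) for p in host.split(".")]
    if not 1 <= len(nums) <= 4 or any(n is None for n in nums):
        return None
    # Leading parts are one byte each; the last part fills all remaining bytes.
    *head, last = nums
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> s) & 255) for s in (24, 16, 8, 0))

class HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def numeric_host_links(html):
    """Return (href, canonical_ip, obfuscated) for each link whose host is an IPv4 literal."""
    collector = HrefCollector()
    collector.feed(html)
    hosts = [(h, urlsplit(h).hostname or "") for h in collector.hrefs]
    return [(h, canonical_ipv4(host), host != canonical_ipv4(host))
            for h, host in hosts if canonical_ipv4(host)]

# First link is the one quoted in the post; the others are constructed samples.
SAMPLE = ('<a href="http://10.000000204.00000044.000031/axkdt/nsn/?clk=...">a</a>'
          '<a href="http://0xC0.0.2.7/x">b</a><a href="http://www.example.com/">c</a>')
```

The third tuple element is True whenever the host as written differs from its canonical dotted-decimal form, which is a useful filter feature on its own because legitimate senders have no reason to write an address that way.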

It can actually be really tough to determine whether a message is spam or not. Just because an email refers to well known brands doesn’t make it legitimate. Subway most likely doesn’t even know that these spam messages are being sent, even though it has the potential to hurt their image. The best advice is that if it seems too good to be true, it probably is…and/or if you didn’t sign up for messages from the organization, no matter how reputable they are, it may be spam. Other steps you can take are:

  • If possible, configure your email client to not show remote content such as images.
  • Look for unsubscribe links. If the message doesn’t have one, it’s probably not from a well-behaved sender who is adhering to good sending practices.

Vodafone New Zealand supports 7726 to report SMS spam


Friday, August 26, 2011 by Angela Knox

A recent article from New Zealand indicates that Vodafone New Zealand also encourages their users to report SMS spam to 7726 (S-P-A-M). (See: http://www.theaucklander.co.nz/news/txt-for-trouble/1080298/)

“Vodafone says if a customer does receive spam they should forward the message to 7726…”

Vodafone also lets you know how to report your complaint to the New Zealand government’s Department of Internal Affairs, so that they can take action. It appears that New Zealand takes spam seriously.

Hopefully more and more mobile operators around the world will support reporting spam to a well known short code, so that messaging streams can be protected. People should be able to get the messages they want, and they shouldn’t have to deal with, or be charged for, the messages they don’t want.

Mobile Messaging Senders Need to Play by the Rules Too


Thursday, August 18, 2011 by Angela Knox

Cloudmark provides spam and abuse filtering for email, text messaging and social networking traffic. So in addition to encouraging email senders to follow good email sending guidelines, we also want text message senders to follow good text message sending guidelines.

Over on tatango, which is an SMS Marketing Blog, they have a good write up today on making sure that your text messaging marketing is compliant with the Mobile Marketing Association’s (MMA) Consumer Best Practices. (See: Lessons Learned From Trump Mobile Alerts)

Just like in email, senders need to tell people up front, and make it very clear, what they’re going to be sending and how often they’re going to be sending it. And senders need to check that the phone number a person signed up with is actually their phone number and not someone else’s, just as senders should confirm that the email address a person signed up with is their own and not someone else’s.

Unlike email, some people get charged per message for each text message they receive. Plus their phone is going to beep or buzz when the message arrives. So senders had better make sure the person wants that SMS.

Spam buttons have been available in email clients for a long time, and when people get annoyed by email messages they don’t want, they often mark the email as spam. Although many people aren’t aware of it, some mobile providers also have a system for reporting unwanted SMS text messages. The process differs by operator but can be as easy as forwarding unwanted SMS text messages to “7726” (S-P-A-M).

Of course, if a person legitimately signed up for an SMS message, and they trust the sender, they should be able to unsubscribe by replying STOP to the sender. If the sender is playing by the rules, no further SMS messages should come from that sender.

Cloudmark is involved in an initiative with the GSMA to collaborate with operators globally on the war against SMS spam. See: http://www.gsmworld.com/our-work/mobile_lifestyle/spam/spam_reporting.htm for more details.

In summary, text message senders should check to make sure they’re following all the rules and only sending to people who know what they’ve signed up for, because 7726 and similar services are going to let the mobile providers see which senders are not playing by the rules.

Lions, Tigers, and Bears a Year of Android Malware! Oh My!


Tuesday, August 16, 2011 by Kevin San Diego

A recently posted twelve month timeline traces the emergence and exponential growth of malware targeting the Android mobile platform. The variety and rising sophistication of malware provided a number of “firsts” for the Android platform:

  • Trojans capable of generating Premium Rate SMS messages to expensive short code services.
  • Spy applications that track a user’s location, SMS history, Wi-Fi information, and voice call information.
  • Payback malware that targets Android users who download pirated software.
  • Trojans that attempt known root exploits in order to install additional software without the user’s knowledge.
  • Mobile botnets controlled via SMS or web-based C&C systems.
  • Apps capable of perpetrating fraud by intercepting and forwarding the two-factor mTAN validation SMS messages used by online banking sites and by confirmation systems for other types of services.

Many of the malicious applications were repackaged versions of popular legitimate applications. Repackaging of applications is made possible by the ease with which many Android apps can be extracted to readable Java code that can then be easily modified, repackaged, signed by an unauthenticated certificate, and uploaded to the official Android Marketplace or unofficial third party marketplace repositories. This problem is compounded by the fact that neither the official Android Marketplace nor the third party app marketplaces employ rigorous review of app quality, legitimacy, or intent prior to posting. While the amount of malware discovered on the official Android Marketplace was smaller overall than the amount found in third party app stores, Google still had to clean up multiple malicious apps from their own marketplace via their remote app kill functionality, as well as release a tool that would attempt to clean up previous infections. Unfortunately, this Android Market Security Tool was also subject to repackaging and re-release by malware writers, this time packing a variant of the DroidDream Trojan.

How can I reduce the chances of inadvertently installing malware on my Android phone?

  • Stick to downloading applications from the main Google Marketplace – Chances are that malicious apps reported to Google will be removed quickly.
  • Don’t download pirated or knock-off applications – As we’ve seen over the past year, this is a likely infection vector on Android due to the ease with which malware authors can repackage an app with additional “functionality”.
  • Install an anti-virus application – Your chosen application must be able to scan apps upon installation, scan preinstalled apps for known malware signatures, scan the contents of any removable memory card, and scan stored media or data on your phone.
  • Pay close attention to the list of permissions that a new application is requesting – Does it make sense for a calculator application to read incoming SMS messages, originate SMS messages, and connect to the Internet? If the requested permissions don’t match up with your expectations for the app’s functionality, don’t allow it to install.
  • Ensure you are running the latest version of the Android OS – To minimize your handset’s exposure to possible exploits, keep your handset upgraded to the latest Android version available.

More Americans say they have received SMS spam than eat breakfast


Tuesday, August 16, 2011 by Alan Ranger

A recent infographic from Tatango caught my eye this week. Aside from the headline finding that 68% of the population is affected by text message spam (and only 60% eat breakfast!), around 1 in 8 Americans don’t have a text messaging plan and end up paying for the SMS spam they receive.

Despite some pretty stiff penalties being given out by the FCC, the volume of spam texts continues to rise. Unwanted texts are enough of an irritation in their own right, but if you are one of the 12% of the population that has to pay up to 20 cents per message to receive them, then this is going to be a big problem.

 

