21 April 2014

Why Am I Having Problems Getting My E-Mail Delivered?

One of the most frustrating issues facing any e-mail [MX] server operator is non-delivery of e-mail!
 
As ISPs, none of us wants to hear from a customer who is having issues trying to send e-mail, but the unfortunate fact is that more and more of our customers are encountering non-delivery issues, and they can be extremely difficult to troubleshoot.
 
There are many reasons an e-mail message might not be delivered, including, but not limited to:
  • bad e-mail addresses;
  • forgotten passwords;
  • having a user's domain or account listed as a source of spam;
  • being blocked by the recipient - especially common with AOL users.
Here are some of the other common causes of temporary non-delivery issues:
  • design - to help prevent spammers from flooding everyone's mailbox with junk mail and spam;
  • network congestion - sometimes the networks which carry the data are extremely busy and alternative routing is not available;
  • technical issues - sometimes the DNS servers, the master databases which tell all of the other servers on the Internet where everyone is supposed to be located, have become corrupted or unreachable;
  • software issues - sometimes the software on the other end is non-responsive;
  • DDoS attacks - sometimes the receiving e-mail server is bogged down because it is under a "Distributed Denial of Service" attack.  DDoS attacks are extreme situations where someone has illegally targeted a server or network appliance in an attempt to hack or take that machine out of service and can cause major, and sometimes extended, delivery delays;
  • hardware issues - sometimes the hardware on the receiving end is in trouble or is undergoing maintenance.
If the message was rejected by the receiving MX server you should receive a reason code for the rejection.
 
These delivery codes are based on the Extended SMTP (ESMTP) standards, where X can be 4 or 5, depending on the error type (4 = Persistent Transient failure, 5 = Permanent failure).
 
Here's a summary of those codes:
  • X.1.0 Other address status
  • X.1.1 Bad destination mailbox address
  • X.1.2 Bad destination system address
  • X.1.3 Bad destination mailbox address syntax
  • X.1.4 Destination mailbox address ambiguous
  • X.1.5 Destination mailbox address valid
  • X.1.6 Mailbox has moved
  • X.1.7 Bad sender's mailbox address syntax
  • X.1.8 Bad sender's system address
     
  • X.2.0 Other or undefined mailbox status
  • X.2.1 Mailbox disabled, not accepting messages
  • X.2.2 Mailbox full
  • X.2.3 Message length exceeds administrative limit.
  • X.2.4 Mailing list expansion problem
     
  • X.3.0 Other or undefined mail system status
  • X.3.1 Mail system full
  • X.3.2 System not accepting network messages
  • X.3.3 System not capable of selected features
  • X.3.4 Message too big for system
     
  • X.4.0 Other or undefined network or routing status
  • X.4.1 No answer from host
  • X.4.2 Bad connection
  • X.4.3 Routing server failure
  • X.4.4 Unable to route
  • X.4.5 Network congestion
  • X.4.6 Routing loop detected
  • X.4.7 Delivery time expired
     
  • X.5.0 Other or undefined protocol status
  • X.5.1 Invalid command
  • X.5.2 Syntax error
  • X.5.3 Too many recipients
  • X.5.4 Invalid command arguments
  • X.5.5 Wrong protocol version
     
  • X.6.0 Other or undefined media error
  • X.6.1 Media not supported
  • X.6.2 Conversion required and prohibited
  • X.6.3 Conversion required but not supported
  • X.6.4 Conversion with loss performed
  • X.6.5 Conversion failed
     
  • X.7.0 Other or undefined security status
  • X.7.1 Delivery not authorized, message refused
  • X.7.2 Mailing list expansion prohibited
  • X.7.3 Security conversion required but not possible
  • X.7.4 Security features not supported
  • X.7.5 Cryptographic failure
  • X.7.6 Cryptographic algorithm not supported
  • X.7.7 Message integrity failure
As of January, 2013, there's a new reason your customer's e-mail might not be delivered, and many MX operators are not aware of it.  This document will not only help you figure out why you are having issues with e-mail delivery, but will also assist you in ensuring that future e-mail is properly delivered.
 
TO WIT:
 
YAHOO!, Comcast, Google, Hotmail and many other large ISPs adopted new measures to help prevent spam from being delivered to users' inboxes.
 
When you factor these measures in with the requirements of the US CAN SPAM ACT of 2003, and also factor in the European Can Spam Act [which we must, by default, both recognize and abide by in the US because all BLACKBERRY devices which directly access Blackberry e-mail systems use SMTP servers in Vancouver BC Canada; Canada is under British rule and Great Britain is part of the European Union], mailing list management can begin to get really complicated.
 
Based on my experience with YAHOO!, AOL, GMAIL and COMCAST - now the LARGEST ISP in the United States, processing more e-mail than anyone else in the US - and based on the rules which were put into place by those two operators [YAHOO! and COMCAST] in January, 2013, these are requirements which should be put into place by every MX server operator.

Canada's antispam law kicks in on 1 July, 2014
 
Here are a few of the basic requirements which must be implemented to ensure you are in compliance with the new requirements set forth by YAHOO! and COMCAST.
 
By following these requirements you will also be in compliance with all of the other large ISPs:
 
  1. Make certain you are in full compliance with ALL THREE can spam acts with every e-mail which leaves your e-mail servers.
     
  2. While you and your customers may believe the destination of their e-mail is a US based e-mail account, Internet data can cross international borders without our knowledge.  Once that data crosses a country's border, it is subject to that country's regulations.

    Here are links to the three major CAN SPAM ACTS:
     
    1. US CAN SPAM ACT of 2003;
       
    2. European Can Spam Act;
       
    3. Canada's antispam law
       
  3. Make certain PORT 587 is OPEN on ALL MAIL SERVERS.
     
    1. The IETF, under RFC 5068, has now PROHIBITED providers from blocking port 587.
       
    2. RFC 5068 clearly says: "Access Providers MUST NOT block users from accessing the external Internet using the SUBMISSION port 587."
       
    3. The complete RFC is available here: http://tools.ietf.org/html/rfc5068
       
  4. Make certain you have received ADVANCE PERMISSION from everyone who is on your mailing list in the form of DOUBLE OPT IN.  Because of requirements contained in the European Can Spam Act, it is no longer acceptable to add an address because you have done business with them.
     
  5. In any SIGN-UP forms DO NOT ADVANCE CHECK the OPT-IN BOX.
     
    1. The OPT-IN box MUST be SELECTED or COMPLETED by the INDIVIDUAL who might be interested in signing up for an e-mail list.
       
    2. EU regulations prohibit the pre-completion or pre-selection of any field in a newsletter or mailing list sign-up form.
       
    3. Contrary to US antispam regulations, the EU mandate includes those who purchase items from online stores.  They must ACTIVELY INITIATE the SIGN ME UP process by either CHECKING A BOX or ENTERING THEIR E-MAIL ADDRESS into a box - you cannot pre-populate that data.
       
    4. Even though someone makes a purchase from a website, they must still complete the double-opt-in process described below.
       
      1. All sign-ups must include a follow-up e-mail which forces the customer or person signing up for the list to actively complete the DOUBLE-OPT-IN step.

        I.e.: The customer must MAKE THE CHOICE a SECOND TIME to validate their initial sign-up process for the list.
         
      2. To see an example of how this works, go to http://www.chicagonettech.com/subscribenewsletter.asp, and enter your e-mail address.
         
      3. In a few minutes, you will receive a request to CONFIRM your subscription request.
         
      4. Once you click on the link, you will be added.  If you do not complete the confirmation step, you will not be added to the list.
         
      5. NOTE: This is entirely handled by our SmarterMail e-mail server's list serve package which is standard in the Enterprise edition of the software.
         
      6. An alternative to using the SmarterMail list server is to use CONSTANT CONTACT, MAIL CHIMP or one of the other third-party services which provide bulk mailing services and automatically include double-opt-in as part of their sign-up process.
         
      7. Should you choose to use a 3rd party bulk mailing service, you MUST also include the appropriate SPF INCLUDE statement in your SPF record so bulk messages sent on behalf of any of your hosted domains which choose to use the external bulk mailing services are not rejected because the proper SPF information is not included.
         
  6. Make certain you have a VISIBLE, PUBLIC, WORKING PRIVACY PAGE posted on each website which has a domain hosted on your MX server.

    YAHOO will actively VERIFY THIS via a human being who will actually open and read your privacy page before they will approve you for the FEEDBACK LOOP [see Item #11 below for more information on Feedback Loops].

    See our privacy policy at: http://www.chicagonettech.com/privacy.asp as a sample page and feel free to copy it if you do not already have one.
     
  7. All bulk list, sales, and promotional messages must include complete contact information, including: a mailing address and unsubscribe link.
     
  8. Make certain ALL e-mail is sent via an AUTHENTICATED E-MAIL ACCOUNT.  Do NOT send e-mail directly to a recipient from a webpage, form or shopping cart.  Instead, set up the form, website or shopping cart to use a designated e-mail address to AUTHENTICATE with your MX server and send the message THROUGH the MX server.

    This may mean going back and revisiting the code in some web pages, but it must be done because messages which are not authenticated will be treated like spam and rejected by many MX servers.

    OBSERVATIONS:
     
    1. In spite of the inclusion of that information, most AOL users will still report you as SPAM and fail to unsubscribe from your lists.  That's where the FEEDBACK loops come in.
       
    2. The feedback loops will mostly protect you from the brainless AOL users because you will be notified and, if you have properly included an unsubscribe link in the message, will be able to open the attachment and click on the unsubscribe link to remove the brainless user from future mailings.
       
  9. Make certain you IMMEDIATELY REMOVE someone from the list if they request such an action - an automated removal format is preferred.

    REMEMBER: all AUTO-GENERATED and COMMERCIAL e-mail messages must contain a WORKING opt-out link.

    NOTE: You are NOT ALLOWED to require any kind of input or reason in the removal form.

    NOTE: You should attempt to auto-populate the e-mail address requesting removal in the removal form, if possible, and CANNOT require that a removal reason be entered as part of the removal request.  You can ask that they provide a removal reason, but cannot deny removal because someone refuses to enter a reason.
     
  10. You [your hosted customers] MUST AUTO-REMOVE ALL bouncing e-mail addresses.  We auto-remove all users after a list or newsletter bounces 3 or more times.  Again, our MX server package, SmarterMail, takes care of this automatically.
     
  11. Make certain you have setup FEEDBACK LOOPS with all of the major providers.  The setup of these loops can be effected via Henry's UNLOCKTHEINBOX.com website and will require a login to the site to complete.
  1. Make certain ALL OUTGOING MESSAGES are AUTHENTICATED VIA SMTP.
     
    1. Do not send directly from a web form or newsletter generator.
       
    2. While it is OK to generate a message via a website, or generate a newsletter via a website, you MUST use SMTP AUTHENTICATION to SEND the generated message or sales receipt THROUGH AN MX SERVER using a VALID E-MAIL ADDRESS and PASSWORD from the DOMAIN which corresponds to the WEBSITE or other message generator, because sending via an SMTP AUTHENTICATED account will properly create the HEADERS in EVERY OUTBOUND MESSAGE!
       
  2. Use rDNS, SPF, 2048 BIT DOMAINKEYS, DKIM, and DMARC on ALL OUTGOING MESSAGES.  The first four are now REQUIRED by COMCAST and YAHOO!  DMARC is optional, but strongly suggested.
     
  3. DMARC is a logical addition [see http://www.dmarc.org/ or see the DMARC information at http://www.unlocktheinbox.com/] because it truly locks down where your e-mail can be sent from and will literally block delivery of unauthorized messages originating from non-authorized MX servers and user accounts.
     
  4. Do not omit SPF and rDNS; most large ISPs, and many smaller ISPs as well, will never even accept your e-mail without them.  The receiving MX server will simply drop the connection and never allow the message to be received – without any notification to you.
     
  5. Remember, GREYLISTING is now commonly used to help reduce spam.
     
    1. In order to make certain you are not contributing to Greylisting problems, make certain you RETRY messages which are not delivered on the first attempt.

      ChicagoNetTech’s SmarterMail RETRY times are set as follows:

      [in minutes]: 5, 5, 15, 30, 30, 30, 30, 60, 90, 120, 240, 480, 960, 1440, 2880
       
    2. Trying more frequently during the first few attempts will probably result in your MX server being blocked by the receiving server.
       
    3. The retry schedule shown above will ensure that the IETF requirement of attempting to resend e-mail for UP TO FIVE DAYS is enforced.
       
    4. The number of retries is based on RFC 2821, section 4.5.4.1, which defines SMTP retry intervals and says, "Retries continue until the message is transmitted or the sender gives up; the give-up time generally needs to be at least 4-5 days."
       
    5. We allow messages to come through greylisting after 2 minutes and list the sender in our non-Greylisted database for 144 days after the initial successful delivery attempt.
       
    6. Many ISPs still have a 15 minute initial greylisting time established, so don't lose out on potential messages which are never delivered because of greylisting.
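The bounce handling described in this post, as an added example (not SmarterMail's or ChicagoNetTech's code): it parses the X.Y.Z status codes listed earlier, computes the next attempt from the retry schedule quoted in item 5 and checks it against the RFC 2821 give-up time, and auto-removes an address after three bounces as item 10 requires. The SMTP reply lines are constructed.

```python
"""Classify SMTP replies by their enhanced status code, work out the next retry
from the schedule in this post, and auto-remove list members that keep bouncing.

Added example, not SmarterMail's or ChicagoNetTech's code.  The X.Y.Z subject
names and the retry schedule are the ones quoted in the post; the sample reply
lines are constructed.
"""
import re
from datetime import datetime, timedelta

# Retry schedule in minutes, as quoted above for ChicagoNetTech's SmarterMail server.
RETRY_MINUTES = [5, 5, 15, 30, 30, 30, 30, 60, 90, 120, 240, 480, 960, 1440, 2880]

# Second field (subject) of an X.Y.Z enhanced status code, from the table above.
SUBJECTS = {1: "address", 2: "mailbox", 3: "mail system", 4: "network/routing",
            5: "protocol", 6: "media", 7: "security"}

# "550 5.1.1 text" or "421 text" (the enhanced code is optional); '-' after the
# basic code marks a continuation line of a multi-line reply.
_REPLY = re.compile(r"^(?P<code>[245]\d\d)[ -]"
                    r"(?:(?P<ecode>[245]\.\d{1,3}\.\d{1,3})\s+)?(?P<text>.*)$")


def parse_reply(line):
    """Return (basic_code, enhanced_code_or_None, text) for one SMTP reply line."""
    m = _REPLY.match(line.strip())
    if not m:
        raise ValueError(f"not an SMTP reply line: {line!r}")
    return m.group("code"), m.group("ecode"), m.group("text").strip()


def classify(line):
    """'accepted' for 2yz, 'transient' for 4yz (retry later), 'permanent' for 5yz.

    The basic reply code decides; a mismatched enhanced class is ignored because
    some servers send 4.x.x with a 5yz code and vice versa.
    """
    code, _, _ = parse_reply(line)
    return {"2": "accepted", "4": "transient", "5": "permanent"}[code[0]]


def describe(line):
    """Human-readable verdict, e.g. 'permanent mailbox failure (5.2.2): ...'."""
    code, ecode, text = parse_reply(line)
    outcome = classify(line)
    if outcome == "accepted":
        return f"accepted ({ecode or code}): {text}"
    if ecode is None:
        return f"{outcome} failure ({code}): {text}"
    subject = SUBJECTS.get(int(ecode.split(".")[1]), "unknown")
    return f"{outcome} {subject} failure ({ecode}): {text}"


def next_retry(failed_attempts, now):
    """Time of the next attempt after `failed_attempts` transient failures,
    or None once the schedule is exhausted and the message must bounce."""
    if failed_attempts < 1 or failed_attempts > len(RETRY_MINUTES):
        return None
    return now + timedelta(minutes=RETRY_MINUTES[failed_attempts - 1])


def give_up_after():
    """Total time the schedule keeps retrying before giving up (RFC 2821: 4-5 days)."""
    return timedelta(minutes=sum(RETRY_MINUTES))


class BounceTracker:
    """Per-address bounce counter for a mailing list: remove after max_bounces."""

    def __init__(self, max_bounces=3):
        self.max_bounces = max_bounces
        self.counts = {}
        self.removed = set()

    def record(self, address, final_reply):
        """Record the final reply for one list message sent to `address`.

        Returns 'delivered', 'bounced' or 'removed'.  A permanent rejection and
        an exhausted retry schedule each count as one bounce; a later successful
        delivery resets the counter.
        """
        address = address.lower()
        if address in self.removed:
            return "removed"
        if classify(final_reply) == "accepted":
            self.counts[address] = 0
            return "delivered"
        self.counts[address] = self.counts.get(address, 0) + 1
        if self.counts[address] >= self.max_bounces:
            self.removed.add(address)
            return "removed"
        return "bounced"


if __name__ == "__main__":
    samples = [  # constructed reply lines
        "250 2.0.0 Ok: queued as 3F2A1",
        "451 4.7.1 Greylisted, please try again in 120 seconds",
        "550 5.1.1 <nobody@example.net>: Recipient address rejected: User unknown",
        "421 Service not available, closing transmission channel",
    ]
    for sample in samples:
        print(describe(sample))
    now = datetime(2014, 4, 21, 9, 0)
    print("retry after first failure:", next_retry(1, now))
    print("give up after:", give_up_after())
```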
 
SUMMARY:  E-Mail is no longer just an “add-on” which is included with a webhosting package as a convenience for our customers.
 
E-Mail must be constantly monitored and a good ISP / MX operator is cognizant of what’s going on in his or her network and e-mail servers at all times.
 
Whether you’re confused or just need some help deciphering and implementing these new requirements, get in touch with us and we’ll be glad to help you out.
 
Just open a ticket with us and ChicagoNetTech will be glad to take a look at your SmarterMail or other e-mail server and help you sort things out.  If you don't already have an account on our Customer Service Portal, you'll need to create one prior to opening your new ticket.
 
Licensed SmarterMail software owners get a 35% discount over our standard rates when they require updates, troubleshooting, configuration, or any other SmarterMail server and/or maintenance assistance.

We can work on a case-by-case basis or on a monthly maintenance retainer with a level of support and/or service set by agreement with us and you.

Please set up an account and open a ticket or contact us via our contact form for more information on how we can turn your already great product into a minimum of maintenance and headaches.
 
 
ChicagoNetTech's hosting and technical support rates are reasonable and we accept all major credit cards via PayPal.

For references and examples of my support of SmarterMail, please see my entries at: http://forums.smartertools.com/members/chicagonettech.7401/, where I have accumulated more than 3,550 support conversations since 2007.
 
Additional references upon request.
 
Copyright 2013 - 2014, ChicagoNetTech Inc, All Rights Reserved

1024 Bit Encryption Deprecated!

Editor's Note: This is a reprint of an article which I originally published on the SmarterMail technical support forum on 22 August, 2012.  It has been republished, both here, and in my ChicagoNetTech Knowledge Base, because I still run into situations where a customer is totally unaware of the fact that all 1024 bit SSL certificates have been retired.


Given recent certificate and SSL security hacking issues, it is important that this information be pushed out to as many server and web services operators as possible.




Until recently, the RSA algorithm, first publicly described in 1977, was the only algorithm available for commercial digital signing certificates. The RSA algorithm remains the de facto standard although commercial certificates based on the DSA and ECC algorithms are now available.

Simply put: The larger the certificate key size in an RSA certificate, the more difficult it is to compromise the encryption.

As raw computing power increases over time it becomes possible to factor or crack smaller sized RSA keys. Key sizes smaller than 1024 bits were voluntarily discontinued by Microsoft on 12 December, 2012.

Seventeen RSA key sizes have been factored since 1991. Most recently, most of the industry has standardized on certificates with 1024-bit RSA keys. However, industry experts warn that the oft-used 1024-bit RSA key size is now at risk of being compromised by cyber criminals.

As a proactive measure, effective 31 December, 2013, the NATIONAL INSTITUTE OF STANDARDS and TECHNOLOGY [NIST] recommended that 1024-bit RSA certificates be eliminated and replaced with 2048-bit or stronger keys.

As a result of the NIST recommendation, the Certification Authority/ Browser (CA/B) Forum, created to develop best practices within the SSL/TLS industry, created a mandate to bring the 1024-bit RSA key size to end of life by December 31st, 2013.

The Responsibility of a CA

All responsible Certificate Authorities (CAs) should have informed their customer base of this regulation change and assisted them with their migration to a more secure key size.

Due to the industry’s end-of-life mandate on 1024-bit certificates, Certification Authorities have the difficult requirement to revoke 1024-bit RSA certificates that expire after 12/31/13.




If you have an SSL certificate which was issued by a CA, and have not been contacted by them regarding issues with either your PRIMARY or SECONDARY SSL certificates, you should open an inquiry with the issuing CA as quickly as possible to prevent possible intrusion into your networks and systems.


If you believe you have issues with non-compliant SSL certificates, you should immediately contact the issuer of your SSL certificate and ask them to ensure that both your primary and secondary SSL certificates are at least 2048 bit certificates.

What Does This Mean?

As a result of these changes, mandated by NIST, all current CERTS with a key size of 1024 bits or less should have been replaced by 31 December, 2013, or users of smaller certs will run the risk of having them denied when they are checked in situations where they are used for encryption.  The minimum recommended SSL certificate length is now 2048 bits.

For More Information:







Bruce Barnes, owner of ChicagoNetTech, is an active member of the SmarterTools online support team whose posts can be found on the SmarterTools Technical Support Forums.

Checkout the new ChicagoNetTech APP at: m.chicagonettech.com



03 December 2013

FBI Notifies Businesses to be aware of "Man in the E-Mail" Scam

This is a re-post of a notification sent out by the FBI

The original link is located at: http://www.fbi.gov/seattle/press-releases/2013/man-in-the-e-mail-fraud-could-victimize-area-businesses?utm_campaign=email-Daily&utm_medium=email&utm_source=seattle-press-releases&utm_content=278754

======================================================================

‘Man-in-the-E-Mail’ Fraud Could Victimize Area Businesses

Dec. 2, 2013

The FBI Seattle Division is aware of a fraud victimizing Washington state-based businesses, nicknamed “man-in-the-e-mail” scheme for being an e-mail variation of a known “man-in-the-middle” scam. The FBI wants the public to learn about this scam in order to avoid being victimized.
In 2013, at least three area companies—in Bellevue, Tukwila, and Seattle—were led to believe they were sending money to an established supply partner in China. In reality, fraudsters intercepted legitimate e-mails between the purchasing and supply companies and then spoofed subsequent e-mails impersonating each company to the other. The fraudulent e-mails directed the purchasing companies to send payments to a new bank account because of a purported audit. The bank accounts belonged to the fraudsters, not the supply companies.

Total loss experienced by the three area companies is roughly $1.65 million. In some cases, the metadata on the spoofed e-mails indicated that they actually originated in Nigeria or South Africa.

Under this scam, both companies in a legitimate business relationship can be victimized. The supplier may first ship out the legitimately ordered products and then never receive payment (because the purchasing company was scammed into paying the scammer-controlled bank account). Or, the purchasing company may first make a payment and then never receive the ordered goods (because the supply company never receives that payment).

Here are some of the ways businesses can reduce their chance of being scammed by this man-in-the-e-mail fraud:
  • Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
  • Utilize digital signatures in e-mail accounts. Be aware that this will not work with web-based e-mail accounts, and some countries ban or limit the use of encryption.
  • Avoid free, web-based e-mail. Establish a company website domain and use it to establish company e-mail accounts in lieu of free, web-based accounts.
  • Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the real e-mail address is used.
  • Delete spam: Immediately delete unsolicited e-mail (spam) from unknown parties. Do not open spam e-mail, click on links in the e-mail, or open attachments.
  • Beware of sudden changes in business practices. For example, if suddenly asked to contact a representative at their personal e-mail address when all previous official correspondence has been on a company e-mail, verify via other channels that you are still communicating with your legitimate business partner.
If you or your business has been targeted by the man-in-the-e-mail fraud, report it to the Internet Crime Complaint Center (IC3) at www.ic3.gov. The following information is helpful to report:
  • Header information from e-mail messages
  • Identifiers for the perpetrator (e.g., name, website, bank account, e-mail addresses)
  • Details on how, why, and when you believe you were defrauded
  • Actual and attempted loss amounts
  • Other relevant information you believe is necessary to support your complaint
  • Reference to the man-in-the-e-mail fraud
Filing a complaint through IC3’s website allows analysts from the FBI to identify leads and patterns from the hundreds of complaints that are received daily. The sheer volume of complaints allows that information to come into view among disparate pieces, which can lead to stronger cases and help zero-in on the major sources of criminal activity. The IC3 then refers the complaints, along with their analyses, to the relevant law enforcement agency for follow-up.

The public can learn about other common scams by visiting http://www.fbi.gov/scams-safety/frauds-from-a-to-z and learn about ways to reduce their risk of being scammed: http://www.fbi.gov/scams-safety/fraud/Internet_fraud.

To subscribe to the FBI news feeds, go to: https://delivery.fbi.gov/subscribe

02 November 2013

Keep Yourself Safe on the Internet


Every year, as the holidays approach, nefarious individuals roll out old techniques to steal data and information from computer users.  Each year they add additional tactics to their arsenal as well.

Each of us who has a computer is using that computer to access Internet locations throughout the day.  Each of us is also unique and no one uses the Internet in the same way.

What you do on the Internet is NOBODY else's business. And it can be a big deal if you're not careful.

Here are a few tips that will significantly protect your privacy:


1. Log Out of Search Engines:


Many of today's popular search engines now require you to log in to access all their convenient features.  Those features might include calendars, branded e-mail, file storage, and news sources.

Whatever you're searching for and looking at, you want privacy as part of those online searches, because your privacy is something you never want to lose.


2. Avoid Filling out Unnecessary Forms:

Ask yourself why the website you are on is asking for that personal information and think twice before putting it in.

Many sites store your information on their servers and not all of those servers are as secure as they should be.  If you do fill out a form, make certain the only use of the information you enter will be by the vendor or website, and that it will not be sold to other sites or businesses.

Avoid completing forms or using banking sites when you are on public WiFi networks.  Keep your personal information away from the public’s eye.


3. Be Careful What You Download:


When you download ANY file you are at risk of installing malware and viruses which can potentially track anything you do, freeze your computer and make it malfunction, erase your files and operating system or even encrypt your files and hold them hostage until you pay for an unlock key.

As a general rule of thumb, if you receive an attachment you were not expecting, or receive an attachment or link in an e-mail from a total stranger, DELETE the message.  DO NOT download the file or open the link.


4. Be Cautious When Using Social Media:


Assume everybody has access to your site, and always will.  Never post vacation dates in advance, and never post photographs of where you are while you are traveling.  Burglars watch social media sites and frequently use that information to conveniently schedule break-ins while you are away from home.

If your birth date is public, you talk about where you were born, or give your parents names, you may have given them all they need to hack your bank and credit card accounts.

Think carefully before posting information or photos.


5. Use Common Sense:


This is probably the best advice we can give you. The Internet mirrors the physical world. What goes on in the real world also happens on the Internet.

If it's too good to be true, then it probably is.


6. Monitor Your Online Reputation:


Regularly search for your name and see what comes up.  You can also use an automated news-alert from either Google and Yahoo to monitor your name.


7. Clean Your Search History:

Everything you do on the Internet is stored on your computer, including every website you visit, every photo and video you view and every chat message you send, including passwords. All this information can be accessed by ANYONE.

It is important that after every use you delete all your tracks from your computer.   This is done via your browser.  Each browser is slightly different, but the information is available in the browser's help file.

27 August 2013

1024 Bit RSA Key Size END OF LIFE Announced!

Until recently, the RSA algorithm, first publicly described in 1977, was the only algorithm available for commercial digital signing certificates. The RSA algorithm remains the de-facto standard although commercial certificates based on the DSA and ECC algorithms are now available.

The larger the certificate key size in an RSA certificate, the more difficult it is to compromise the encryption.

As raw computing power increases over time it becomes possible to factor or crack smaller sized RSA keys. Key sizes smaller than 1024 bits were voluntarily discontinued by Microsoft on 12 December, 2012.

Seventeen RSA key sizes have been factored since 1991. Most recently, most of the industry has standardized on certificates with 1024-bit RSA keys. However, industry experts warn that the oft-used 1024-bit RSA key size is now at risk of being compromised by cyber criminals.

As a proactive measure, effective 31 December, 2013, the NATIONAL INSTITUTE OF STANDARDS and TECHNOLOGY [NIST] has recommended that 1024-bit RSA certificates be eliminated and replaced with 2048-bit or stronger keys.

As a result of the NIST recommendation, the Certification Authority/ Browser (CA/B) Forum, created to develop best practices within the SSL/TLS industry, created a mandate to bring the 1024-bit RSA key size to end of life by December 31st, 2013.


The Responsibility of a CA

All responsible Certificate Authorities (CAs) should be informing their customer base of this regulation change and assisting them with their migration to a more secure keysize.

Due to the industry’s end-of-life mandate on 1024-bit certificates, Certification Authorities have the difficult requirement to revoke 1024-bit RSA certificates that expire after 12/31/13.


What Does This Mean?

As a result of these changes, mandated by NIST, all current CERTS with a key size of 1024 bits or less will have to be replaced by 31 December, 2013, or users of smaller certs will run the risk of having them denied when they are checked in situations where they are used for encryption.
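To find 1024-bit keys before a CA revokes them or a peer rejects them (the situation described in this post and in the reprint above), here is an added example that is not from this post, a CA, or any vendor: it reads the RSA modulus size straight out of a PEM certificate or public key using only the Python standard library. The sample inputs built in `__main__` are constructed numbers of the right size, not real key pairs.

```python
"""Report the RSA modulus size of PEM certificates and public keys so that
anything below 2048 bits can be found and replaced.

Added example, not ChicagoNetTech's or any CA's code.  It walks the DER with
the standard library only; the keys built in __main__ are constructed numbers
with the right bit length, not real key pairs.
"""
import base64
import re

RSA_ENCRYPTION_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"   # 1.2.840.113549.1.1.1
_PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_to_der(text):
    """Decode the first PEM block in text (certificate or public key) to DER."""
    m = _PEM.search(text)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()))


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Yield (tag, content) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, content, pos = _tlv(body, pos)
        yield tag, content


def _bits_from_spki(children):
    """Modulus size from SubjectPublicKeyInfo { algorithm, subjectPublicKey }."""
    (_, algorithm), (_, bit_string) = children[0], children[1]
    oid_tag, oid = next(_children(algorithm))
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an RSA key (DSA and ECC keys have other size rules)")
    # The BIT STRING starts with an unused-bits byte, then the RSAPublicKey DER.
    _, rsa_public_key, _ = _tlv(bit_string, 1)
    modulus_tag, modulus = next(_children(rsa_public_key))
    if modulus_tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(modulus, "big").bit_length()


def rsa_key_bits(der):
    """Modulus bit length of a DER Certificate, SubjectPublicKeyInfo or RSAPublicKey."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    kids = list(_children(body))
    if kids[0][0] == 0x02:                              # RSAPublicKey { n, e }
        return int.from_bytes(kids[0][1], "big").bit_length()
    if kids[0][0] == 0x30 and kids[1][0] == 0x03:       # SubjectPublicKeyInfo
        return _bits_from_spki(kids)
    tbs = list(_children(kids[0][1]))                   # Certificate.tbsCertificate
    if tbs[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        tbs = tbs[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return _bits_from_spki(list(_children(tbs[5][1])))


def check_key(pem_text, min_bits=2048):
    """Return (bits, meets_minimum) for the key or certificate in pem_text."""
    bits = rsa_key_bits(pem_to_der(pem_text))
    return bits, bits >= min_bits


def encode_rsa_public_key(n, e):
    """DER-encode RSAPublicKey { n, e }; used here only to build sample inputs."""
    def der_len(length):
        if length < 0x80:
            return bytes([length])
        raw = length.to_bytes((length.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(raw)]) + raw

    def der_int(value):                     # positive INTEGER: keep the sign bit clear
        raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
        return b"\x02" + der_len(len(raw)) + raw

    body = der_int(n) + der_int(e)
    return b"\x30" + der_len(len(body)) + body


def to_pem(der, label):
    """Wrap DER bytes in a PEM envelope with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


if __name__ == "__main__":
    for bits in (1024, 2048):               # constructed moduli of the given size
        pem = to_pem(encode_rsa_public_key((1 << (bits - 1)) + 12345, 65537), "RSA PUBLIC KEY")
        size, ok = check_key(pem)
        print(f"{size}-bit RSA key: {'OK' if ok else 'REPLACE, below 2048 bits'}")
```

For a deployed server, feed it the PEM that `openssl x509 -pubkey -noout -in cert.pem` prints, or the certificate file itself.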



For More Information:







SUMMARY:
 

Start planning to upgrade your SSL / TLS / DOMAIN KEY and DKIM certificates now.  Don't wait for the "rush," because most of them will become obsolete on 31 December, 2013.

Remember, the Holidays are coming, too.  If an upgrade to your certificates requires anything more than an "automatic approval" your upgrade could potentially be delayed and your websites or e-mail stop working because of an invalid certificate key length.

=====================

Be certain to like us on FaceBook, too.

26 July 2013

Now the STORES are Tracking Our Movements - VIA OUR CELL PHONES!

I guess I should have seen this one coming and should either slap myself in the face or go find someone to do it for me to remind me that when the opportunity is there, someone will take advantage of it.  After all, I have worked in this industry for more than 40 years now and am usually keenly aware of the less than appetizing uses to which new technology is frequently adopted, but I didn't and now am . . .   shame on me!

For those who don't know what I'm talking about, the issue is the fact that major corporations like Target, Nordstrom's, Family Dollar, Cabela’s, Macy's and Mothercare, along with untold other numbers of stores, are now using the WIFI PING capabilities on your cell phone to track you while you are shopping in their stores.

Not only are they tracking the number of customers who come in the stores, but they are also tracking how long you spend stopped in front of a particular item, what parts of the stores you spend the most time in, and, depending on the level of service they have subscribed to, may even be able to tell what items you are actually considering based on the number of times you go back and forth between items to do comparison shopping and price checking of various like items.

So how are they able to track us within their stores, and just what information can they gather?

The how part is easy:  they take advantage of the fact that our cell phones are, in many cases, constantly probing for available WIFI networks so they can notify us that free or "open" WIFI service is available for our use.  They are taking advantage of the fact that most of us are cheap and too lazy to do manual searches for WIFI, allowing our mobile devices to do the searching for such service and automatically notify us when those services are available.

They are also taking advantage of the fact that the steel roofs and iron girder superstructures of their stores, along with the other wireless-signal-absorbing materials used in the construction of such facilities, frequently absorb so much of the cellular network's signal that it is unusable within those stores.  And they take advantage of the fact that, by our very nature, we will almost automatically hop onto their free WIFI network to see if we can find an item sold within their stores for less money on Amazon or another web-based sales portal - which is frequently the case with most overpriced items, especially in major electronics stores like Bust Buy and the former Circus City stores where there was not, nor has there ever been, such a thing as a knowledgeable sales person or good customer service.

In defense of those stores who have adopted this tracking method, they are at a disadvantage when it comes to tracking customer spending habits.  Online vendors like Amazon have technology to their advantage because they can follow our every move electronically, keep a digital record of every item we look at, set cookies in our browsers, and use our logins and purchase history to know what our preferences are, how much we like to spend, and what we are looking for as soon as we walk in the digital door.  The poor bastards at the brick and mortar locations don't have such advantages and most of the human employees they have would not be capable of compiling such data even if they had the tools to do so in real time.  Fortunately someone created the sales person and equipped those ruthless individuals with the tools to bring tracking similar to the online retailers to the physical store level . . .

The Actual Technology:  I've already alluded to the fact that these stores are using our mobile devices to track us via their WIFI networks, but exactly what technology are they using?   It's simpler than it sounds:  they track our MAC addresses . . .

The MAC address is a unique code which is assigned to every network interface.  Whether a connection is made via Bluetooth, a hard-wired connection, or a wireless connection, there's a MAC address involved.  The MAC address is a HEXADECIMAL or BASE 16 number which is hard-coded into the electronics of the device and looks something like this:  00:4B:9F:21:6C:A7.  This unique set of 12 hexadecimal digits, each of which can range from 0 through F, provides a unique, non-repeating identifier for every network device, and it is the code which is collected by the tracking services the stores have now authorized third-party vendors to run and store in the cloud -- WITHOUT first gaining your permission to do so -- tracking your every move and spending habits.

So Who's Collecting the Actual Data:  While there may be other vendors, the largest culprits in the shopper MAC address conspiracy business are currently Euclid Elements, NOMI, RetailNext, and Sparkfly.

What Can You Do to Protect Yourself:  The simplest solution is to turn off your cell phone whenever you get out of the car to go shopping.  No matter where you go, someone is going to try to figure out how to more effectively make you think you really need to purchase something you don't actually want to spend your money on.

The other solution is to OPT OUT.

OPTING OUT:  The bad news is that, at least in most cases, you'll never know you're being tracked.

Both Euclid Elements and NOMI provide OPT OUT websites where you can plug in the MAC address of your cell phone and have them remove all tracking of that unique ID from their databases.

To opt out of Euclid Elements, go to: https://signup.euclidelements.com/optout

To opt out of NOMI, click on this link and then scroll down to the OPT OUT link at the very bottom of the screen.

RETAILNET does not provide an opt-out solution at this time.

SPARKFLY does not provide an opt-out solution at this time.

Opting out of being tracked requires that you look up the MAC address of your cell phone or wireless device, so you may want to do that ahead of time and have it handy.  Pay close attention to the format you use when entering that number: it is six sets of two hexadecimal digits separated by a COLON ":", for example 00:4B:9F:21:6C:A7.

Finding your MAC address:

  • Settings > General > About > Wi-Fi Address
  • Settings > About > "Status" or "Hardware information" > Wi-Fi MAC address
  • OS 4.5-5.0: Options > Status > WLAN MAC
    OS 6.0-7.1: Setup > Options > Device > Device and Status Information > WLAN MAC
  • Settings > About > More info > MAC address
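Phones display the same MAC address in several spellings (colons, hyphens, dotted groups, or bare digits), and the opt-out forms above want exactly the colon-separated form.  As an added example that is not part of the original post, here is a small Python helper that normalizes whatever your device shows into that form, rejects entries that cannot be a device address, and, going a little beyond the post, decodes the two flag bits in the first octet that the IEEE 802 standard defines; the sample addresses in the comments are constructed.

```python
import re

# IEEE 802 flag bits in the first octet of a MAC address
GROUP_BIT = 0x01   # 1 = group/multicast address, never a single device's address
LOCAL_BIT = 0x02   # 1 = locally administered (not burned in by the manufacturer)

_TWELVE_HEX = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> str:
    """Return the address as six uppercase hex octets separated by colons,
    e.g. 00:4B:9F:21:6C:A7, which is the format the opt-out forms expect.

    Accepts the spellings devices commonly display: 00:4b:9f:21:6c:a7,
    00-4B-9F-21-6C-A7, 004b.9f21.6ca7 or 004B9F216CA7 (constructed samples).
    Raises ValueError for anything that is not a valid unicast MAC address.
    """
    digits = re.sub(r"[:\-.\s]", "", raw.strip()).upper()
    if not _TWELVE_HEX.match(digits):
        raise ValueError(f"not a 12-hex-digit MAC address: {raw!r}")
    octets = [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]
    if octets[0] & GROUP_BIT:
        # A group (multicast) address is never assigned to one interface,
        # so an entry like this is almost certainly a typo.
        raise ValueError(f"group/multicast address, not a device address: {raw!r}")
    return ":".join(f"{b:02X}" for b in octets)


def describe_mac(raw: str) -> dict:
    """Normalize the address and report the pieces a privacy-minded reader
    may care about: the vendor (OUI) prefix and whether the address is a
    burned-in one or a locally administered one."""
    mac = normalize_mac(raw)
    first_octet = int(mac[:2], 16)
    return {
        "mac": mac,
        "oui": mac[:8],  # first three octets identify the manufacturer block
        "locally_administered": bool(first_octet & LOCAL_BIT),
    }


if __name__ == "__main__":
    for sample in ("00-4b-9f-21-6c-a7", "004b.9f21.6ca7", "01:4B:9F:21:6C:A7"):
        try:
            print(sample, "->", describe_mac(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```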


SUMMARY:

 
If you want to be truly safe from tracking while shopping, turn off your cell phones before you even pull into the parking lot!

=====================

 

06 July 2013

Who Owns Your Corporate Internet Property Identity?



Whenever I speak with a customer I am invariably deluged with questions about how to make their website more prominent in search results, how to get rid of the flood of spam messages they are receiving in their e-mail, and why their digital presence costs so much money to maintain when they used to have an employee who did it as part of their daily work routine.

I then take a look and find that their website has not been updated in several years because they don't have access to the login accounts at the hosting company and, in many cases, don't even have legal ownership of the domain name.

When I ask them how this happened they look at me like a deer caught in the headlights on a dark road and, invariably, reply, "what do you mean we don't own our domain name?  We still receive our e-mail!"  

Fortunately, so long as the hosting and domain name registration bills are paid, both the website and e-mail accounts will usually continue to work.  Unfortunately, a business in this position does not have any control over what they are paying for and, more often than not, they don't even have a copyright statement on the website.

Why should the ownership of your corporate Internet property identity be important to you?  

Your ownership of corporate information is important because, if you own a company and have any kind of Internet presence, what is posted under your company name is the representation of your business in the digital world.  Unfortunately, even placing a valid copyright statement on a website or on a published or printed work does not always protect you from those wordy and very lengthy "digital agreements" which you must agree to, but almost no one ever reads, any time you set up an online account.  So, in order to help protect you, here are some highlights of the terms set forth by companies who provide online file storage:

Dropbox, whose terms can be found here, says:
"Your Stuff & Your Privacy: By using our Services you provide us with information, files, and folders that you submit to Dropbox (together, “your stuff”).  You retain full ownership to your stuff. We don’t claim any ownership to any of it.  These Terms do not grant us any rights to your stuff or intellectual property except for the limited rights that are needed to run the Services, as explained below."

Microsoft SkyDrive, whose terms can be found here, says:
"5. Your Content: Except for material that we license to you, we don't claim ownership of the content you provide on the service.  Your content remains your content.  We also don't control, verify, or endorse the content that you and others make available on the service."
and Google Drive, whose terms can be found here, says:
"Your Content in our Services: When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes that we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.
The rights that you grant in this licence are for the limited purpose of operating, promoting and improving our Services, and to develop new ones.  This licence continues even if you stop using our Services (for example, for a business listing that you have added to Google Maps)."

At the very least, everything you post publicly should have a copyright statement.  The proper format for a copyright statement is: 

"Copyright © 2010 - 2013 Lakes Region Historical Society, All Rights Reserved"

Of course, your copyright statement would contain your proper business name and the appropriate year range.  If this is the first time something is posted, it may contain only one year.

Photographs and documents should also contain copyright information.  How the individual copyrights are embedded in the individual documents and photographs will depend on the software you are using.  If you are selling photographs online, consider placing a watermark in the photograph showing both the owner's name and copyright information.  This should also be embedded in the metadata of the image file.

No matter how simple your effort, so long as you note that an article is copyrighted you have made the initial effort to protect yourself and your digital assets from illegal pilferage and use.

===================


Henderson Nevada Police Officers Sued for Invading Home, Assaulting Resident | Federal Case Cites 3rd Amendment: Ban on Quartering Soldiers


A lawsuit has been filed against the Henderson, Nev., police department over an incident in which its officers allegedly demanded to use a private home as a lookout for an investigation, then arrested the resident when he refused.

It raises the unusual claim that the police violated the Third Amendment, which prohibits the “quartering of soldiers” in private homes in peacetime without the owner’s consent.

“Whatever the ultimate outcome of this case, it is clear that lawyers and legal scholars should start taking the Third Amendment more seriously,” commented legal scholar Eugene Volokh. “Contrary to conventional wisdom, there is in fact a history of violations of the Third Amendment, such as the military’s brutal treatment of Alaska’s Aleutian Islanders during World War II.”

In the new case, filed just days ago, plaintiff Anthony Mitchell is suing Henderson, North Las Vegas and a long list of police officials and officers including Jutta Chambers, Garret Poiner, Ronald Feola, Ramona Walls, Angela Walker, Joseph Chronister and Christopher Worley.

Joining as plaintiffs are his parents, Michael and Linda Mitchell, who live nearby and also allegedly were physically rousted by police from their home.

They allege on July 20, 2011, Henderson officers responded to a domestic violence call at a neighbor’s residence.

According to the complaint, “At 10:45 a.m. defendant Officer Christopher Worley (HPD) contacted plaintiff Anthony Mitchell via his telephone. Worley told plaintiff that police needed to occupy his home in order to gain a ‘tactical advantage’ against the occupant of the neighboring house. Anthony Mitchell told the officer that he did not want to become involved and that he did not want police to enter his residence. Although Worley continued to insist that plaintiff should leave his residence, plaintiff clearly explained that he did not intend to leave his home or to allow police to occupy his home. Worley then ended the phone call.”

The complaint then explains that members of the police departments “conspired among themselves to force Anthony Mitchell out of his residence and to occupy his home for their own use.”

According to a report in Court News, “Defendant Officer David Cawthorn outlined the defendants’ plan in his official report: ‘It was determined to move to 367 Evening Side and attempt to contact Mitchell. If Mitchell answered the door he would be asked to leave. If he refused to leave he would be arrested for Obstructing a Police Officer. If Mitchell refused to answer the door, force entry would be made and Mitchell would be arrested.’”

The lawsuit explains at least five police officers banged on Anthony Mitchell’s front door and demanded he leave, then broke down the door and pointed their guns at him.

“As plaintiff Anthony Mitchell stood in shock, the officers aimed their weapons at Anthony Mitchell and shouted obscenities at him and ordered him to lie down on the floor. Fearing for his life, plaintiff Anthony Mitchell dropped his phone and prostrated himself onto the floor of his living room, covering his face and hands.”

His parents were lured out of their home and arrested, the lawsuit alleges.

According to the complaint, “Plaintiffs Anthony Mitchell and Michael Mitchell were subsequently transported to Henderson Detention Center and were booked on charges of Obstructing an Officer. Both Anthony and Michael Mitchell were detained for at least nine hours and were required to pay a bond to secure their release from custody.

“A criminal complaint was subsequently filed by the Henderson city attorney’s office … charging them with counts of Obstructing an Officer. All criminal charges against plaintiffs were ultimately dismissed with prejudice.”

The cities are named because they “developed and maintained policies and/or customs exhibiting deliberate indifference to the constitutional rights of United States citizens, which caused the violations of plaintiff’s rights.”

The legal action alleges assault, battery, false arrest and imprisonment, intentional infliction of emotional distress, negligent infliction of emotional distress, conspiracy, defamation, abuse, malicious prosecution, and negligence, and it claims the plaintiffs are due compensation for each offense.

Volokh noted that one question that would have to be resolved for damages to be due under the Third Amendment, one of several standards under which claims are being made, is whether “police … qualify as ‘soldiers.’”

“On the other hand, as Radley Balko describes in his excellent new book ‘The Rise of the Warrior Cop,’ many police departments are increasingly using military-style tactics and equipment, often including the aggressive use of force against innocent people who get in the way of their plans.

“In jurisdictions where the police have become increasingly militarized, perhaps the courts should treat them as ‘soldiers’ for Third Amendment purposes.”

The claim also seeks damages under the Fourth and 14th Amendments and under state law.

Police could not be reached over the holiday period for a comment.

=================


10 April 2013

The New Normal | How Did We Allow This To Happen?

For more than 10 years, China was able not only to hack into Nortel's networks, but do so without anyone attempting to stop them!

How did this happen?

Who was watching the network?

According to Brian Shields, a former 19-year Nortel veteran who led an internal investigation, the hackers used seven passwords stolen from top Nortel executives, including the chief executive officer of Nortel, to gain widespread access to the corporate computer network of the once-giant telecommunications firm, which has since fallen on hard times.

During their access to Nortel's networks, over what is believed to have been a ten-year period beginning in 2000, the Chinese hackers downloaded technical papers, research-and-development reports, business plans, employee emails and other documents.

A group of hackers in China breached the computer defenses of America's top business-lobbying group and gained access to everything stored on its systems, including information about its three million members, according to several people familiar with the matter.


The break-in at the U.S. Chamber of Commerce is one of the boldest known infiltrations in what has become a regular confrontation between U.S. companies and Chinese hackers. The complex operation, which involved at least 300 Internet addresses, was discovered and quietly shut down in May 2010.



It isn't clear how much of the compromised data was viewed by the hackers. Chamber officials say internal investigators found evidence that hackers had focused on four Chamber employees who worked on Asia policy, and that six weeks of their email had been stolen.

It is possible the hackers had access to the network for more than a year before the breach was uncovered, according to two people familiar with the Chamber's internal investigation.

One of these people said the group behind the break-in is one that U.S. officials suspect of having ties to the Chinese government. The Chamber learned of the break-in when the Federal Bureau of Investigation told the group that servers in China were stealing its information, this person said. The FBI declined to comment on the matter.

A spokesman for the Chinese Embassy in Washington, Geng Shuang, said cyberattacks are prohibited by Chinese law and China itself is a victim of attacks. He said the allegation that the attack against the Chamber originated in China "lacks proof and evidence and is irresponsible," adding that the hacking issue shouldn't be "politicized."

In Beijing, Foreign Ministry spokesman Liu Weimin said at a daily briefing that he hadn't heard about the matter, though he repeated that Chinese law forbids hacker attacks. He added that China wants to cooperate more with the international community to prevent hacker attacks.

The Chamber moved to shut down the hacking operation by unplugging and destroying some computers and overhauling its security system. The security revamp was timed for a 36-hour period over one weekend when the hackers, who kept regular working hours, were expected to be off duty.

Damage from data theft is often difficult to assess.

People familiar with the Chamber investigation said it has been hard to determine what was taken before the incursion was discovered, or whether cyberspies used information gleaned from the Chamber to send booby-trapped emails to its members to gain a foothold in their computers, too.

Chamber officials said they scoured email known to be purloined and determined that communications with fewer than 50 of its members were compromised. They notified those members. People familiar with the investigation said the emails revealed the names of companies and key people in contact with the Chamber, as well as trade-policy documents, meeting notes, trip reports and schedules.



"What was unusual about it was that this was clearly somebody very sophisticated, who knew exactly who we are and who targeted specific people and used sophisticated tools to try to gather intelligence," said the Chamber's Chief Operating Officer David Chavern.

Nevertheless, Chamber officials said they haven't seen evidence of harm to the organization or its members.

The Chamber, which has 450 employees and represents the interests of U.S. companies in Washington, might look like a juicy target to hackers. Its members include most of the nation's largest corporations, and the group has more than 100 affiliates around the globe.

While members are unlikely to share any intellectual property or trade secrets with the group, they sometimes communicate with it about trade and policy.

U.S. intelligence officials and lawmakers have become alarmed by the growing number of cyber break-ins with roots in China. Last month, the U.S. counterintelligence chief issued a blunt critique of China's theft of American corporate intellectual property and economic data, calling China "the world's most active and persistent perpetrators of economic espionage" and warning that large-scale industrial espionage threatens U.S. competitiveness and national security.

Two people familiar with the Chamber investigation said certain technical aspects of the attack suggested it was carried out by a known group operating out of China. It isn't clear exactly how the hackers broke in to the Chamber's systems. Evidence suggests they were in the network at least from November 2009 to May 2010.

Stan Harrell, chief information officer at the Chamber, said federal law enforcement told the group: "This is a different level of intrusion" than most hacking. "This is much more sophisticated."

Chamber President and Chief Executive Thomas J. Donahue first learned of the breach in May 2010 after he returned from a business trip to China. Chamber officials tapped their contacts in government for recommendations for private computer investigators, then hired a team to diagnose the breach and overhaul the Chamber's defenses.

They first watched the hackers in action to assess the operation. The intruders, in what appeared to be an effort to ensure continued access to the Chamber's systems, had built at least a half-dozen so-called back doors that allowed them to come and go as they pleased, one person familiar with the investigation said. They also built in mechanisms that would quietly communicate with computers in China every week or two, this person said.

The intruders used tools that allowed them to search for key words across a range of documents on the Chamber's network, including searches for financial and budget information, according to the person familiar with the investigation. The investigation didn't determine whether the hackers had taken the documents turned up in the searches.

When sophisticated cyberspies have access to a network for many months, they often take measures to cover their tracks and to conceal what they have stolen.

To beef up security, the Chamber installed more sophisticated detection equipment and barred employees from taking the portable devices they use every day to certain countries, including China, where the risk of infiltration is considered high. Instead, Chamber employees are issued different equipment before their trips—equipment that is checked thoroughly upon their return.

Chamber officials say they haven't been able to keep intruders completely out of their system, but now can detect and isolate attacks quickly.

The Chamber continues to see suspicious activity, they say. 

A thermostat at a town house the Chamber owns on Capitol Hill at one point was communicating with an Internet address in China, they say, and, in March, a printer used by Chamber executives spontaneously started printing pages with Chinese characters.

"It's nearly impossible to keep people out. The best thing you can do is have something that tells you when they get in," said Mr. Chavern, the chief operating officer. "It's the new normal. I expect this to continue for the foreseeable future. I expect to be surprised again."

=================
