by Orlando Scott-Cowley
The mail you want, but just not right now. Seems like an odd way to talk about email: either you want it or you don’t. For years we’ve been talking about the unwanted types of email, like spam, that have grown to be a pest but have largely been dealt with by effective anti-spam services. Now, though, there’s a less distinct line between good and bad as far as our users are concerned. The email that sits in this middle ground has become known as graymail.
More specifically, graymail is email like newsletters, notifications and marketing email: the kind of email marketing you are bombarded with when you buy something online or use your email address to sign up for something. Normally you are opted in to these marketing emails unless you manage to spot the often well-hidden opt-out tick box. These emails are initially interesting, but grow tiresome quickly.
You’re unlikely to want them all in your inbox right now, but somewhere else that makes them easier to read later. Many consumer grade email providers offer a way of categorizing graymail, such as Gmail’s Primary Inbox and Promotions tabs.
Graymail isn’t new. The idea was first suggested by Microsoft researchers in 2007, at the now defunct CEAS conference. Graymail, or Gray Mail as it was called then, was defined as messages that could be considered either spam or good. It’s fair to say many end users consider newsletters that they opted-in to, mostly unknowingly, as spam even though they could easily unsubscribe from the sender’s distribution lists.
Graymail is also described by the term “Bacn” (as in bacon). The term Bacn is thought to have been coined at PodCamp Pittsburgh 2, as a way to differentiate between spam, ham and bacn in your inbox.
The unwillingness of end users to unsubscribe, or understand the problem as being somewhat self-inflicted, has led many enterprise IT teams to look for a solution. As a provider of email security services, Mimecast’s Threat Operations and Spam teams know first-hand how users are inclined to report bacn or graymail as spam email. A large percentage of the email submitted to Mimecast for analysis as spam is in fact legitimate marketing email with valid unsubscribe links.
It has become increasingly obvious that end users will continue to be frustrated by this graymail problem. The most straightforward solution is stemming the flow in such a way that keeps an enterprise inbox free of bacn so legitimate business-related emails take priority. Mimecast’s new Graymail Control provides this capability, by automatically categorizing graymail and moving it off to a separate folder – allowing your end users to review the messages at their leisure and keeping the inbox optimized.
If you’d like to find out more technical detail about how to configure Mimecast’s Graymail Control please visit our Knowledge Base article here.
by Orlando Scott-Cowley
eBay seems to be coping with the hack of its user database. Weeks on from the announcement that its user database had been breached, we’re seeing millions of users change their passwords after receiving notifications from the online auction giant.
If you missed the news, around 145 million eBay users had their email addresses and encrypted passwords stolen when one of eBay’s databases was breached.
We now know that hackers were able to gain access to the user database by compromising three corporate eBay employees and using their credentials to access the eBay network. eBay has also told us that it believes there was no customer data compromised initially, but gives little more information than that.
We can speculate that the attack was most likely a targeted email attack, in other words spear phishing. If this is right, the corporate employees of eBay who had their credentials compromised would have been sent a link in an email that tricked them into giving away their user details. We don’t yet know if those credentials were eBay’s website usernames and passwords or if they were network or corporate credentials.
Spear phishing and targeted attacks have become the de facto attack vector for any hacker trying to compromise an enterprise. Attackers know that most organizations have been lulled into a false sense of security regarding spear phishing – thinking that their existing legacy anti-spam and anti-virus systems protect them from it. While it would be true to say the majority of Secure Email Gateway vendors have started to build in protections for spear phishing, we also know that all the recent major and most public breaches have successfully snuck past major security vendors.
This week brings another personal data compromise. Office, a UK shoe retailer, has admitted that its website has been compromised to the extent that customer personal data has been stolen. Office is asking all its customers to change their passwords.
Office and eBay are both quick to point out that no “financial information” was stolen. While this seems to be the case, stealing personal data, as in the Office hack, may give the attackers enough information to allow them to steal your identity. Once you lose that, you risk losing that key financial information.
The CIOs and CISOs I talk to are generally worried; none of them want to be the next big breach. They all understand the risks associated with spear phishing and are all trying to educate their users, but many worry constantly about those few users who still click the link in the email, or enter their user credentials in mystery websites.
Protecting against this human risk is a much tougher task, and until we solve that, these big breaches will continue. It’s why new security technology to counter spear phishing like our Targeted Threat Protection service must be combined with effective user monitoring and education if we are to successfully counter this growing threat to our organizations.
by Orlando Scott-Cowley
The news over the last week confirmed that eBay has been hacked. Media comments suggest that upwards of 145 million users have had their account details, including passwords and personal information, stolen.
According to reports, the story started when a bizarre blog post appeared on PayPal’s website that indicated eBay was asking users to change their passwords. The post was quickly deleted, but not before it had been retweeted dozens of times. The cat was out of the bag and eBay started making the headlines.
What we know
eBay has been hacked! If this isn’t alarming enough, consider that eBay’s user-base is huge and the data that appears to have been stolen contains more than just usernames and passwords. eBay is obviously worried that the breached database contains personal information as well as encrypted passwords.
What we don’t yet know
So far eBay has been reasonably tight-lipped about the breach. But there are some significant unanswered questions that it needs to address quickly:
- How much data was stolen, and how easy would it be for the attackers to use that data?
- How was the data encrypted?
- How were the passwords encrypted? How strong was the hash function and were the passwords salted too?
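The questions above about hash strength and salting decide how much a stolen password database is worth to an attacker. The following is an added example, not code from the original post or from eBay; it uses constructed sample credentials and the Python standard library to contrast an unsalted fast hash (where every account sharing a password shares a digest) with a per-user salted, deliberately slow KDF (PBKDF2-HMAC-SHA256) plus constant-time verification.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample credentials for the demonstration only (not real data).
USERS: Dict[str, str] = {
    "alice": "Summer2014!",
    "bob": "Summer2014!",      # same password as alice
    "carol": "correct horse",
}

def weak_hash(password: str) -> str:
    """Unsalted, fast hash: identical passwords give identical digests,
    so cracking one digest unmasks every account that shares it."""
    return hashlib.sha1(password.encode()).hexdigest()

def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow KDF. A fresh 16-byte random salt per user means equal
    passwords produce different digests, and each one must be attacked separately."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = strong_hash(password, salt)
    return hmac.compare_digest(candidate, stored)

def duplicate_weak_digests(users: Dict[str, str]) -> int:
    """Number of accounts whose unsalted digest collides with another account's."""
    digests = [weak_hash(p) for p in users.values()]
    return sum(1 for d in digests if digests.count(d) > 1)

def duplicate_strong_digests(users: Dict[str, str]) -> int:
    """Same count for the salted scheme: expected to be zero."""
    digests = [strong_hash(p)[1] for p in users.values()]
    return sum(1 for d in digests if digests.count(d) > 1)

if __name__ == "__main__":
    print("unsalted collisions:", duplicate_weak_digests(USERS))  # 2 (alice, bob)
    print("salted collisions:  ", duplicate_strong_digests(USERS))  # 0
    salt, stored = strong_hash(USERS["carol"])
    print("verify correct:", verify("correct horse", salt, stored))  # True
    print("verify wrong:  ", verify("wrong", salt, stored))          # False
```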
The trophy hack
eBay is one of the world’s largest websites and, given the nature of its business, needs to retain a significant amount of personal information about its users. In terms of a target for attackers, eBay is a holy grail and a trophy, because a compromise of its databases would be the one-stop shop attackers need to gain personal and financial information.
What you should do now
The advice in the event of hacks like this is always the same. Change your password. Consider also changing your PayPal password in this case. Although PayPal appears not to have been affected, I’m betting lots of people use the same password for PayPal as they do for eBay.
Then consider which other sites you may have used that password on. This is yet more proof, if you need it, of why you must never reuse passwords across websites; despite the obvious sense of this, many people still do it. Also change and rotate your passwords regularly.
Better still, use a password tool like LastPass (other password tools are available) which will generate a long and complex password for you, then remember the site and password for you.
I’m waiting to see how this incident pans out and I’m expecting we’ll learn a lot from it. I’ll provide more analysis on this blog shortly.
by Orlando Scott-Cowley
When Bloor’s ‘Taking control of file sharing services’ white paper was made public on this blog last month we were pleased it became a hot topic in numerous conversations with customers and prospects planning their file sharing strategy.
As predicted, it’s a report which taps into the growing trend of office workers using consumer-grade personal file sharing services to send and store corporate data. However, there have also been a number of new conversations and ideas sparked by the report we are keen to explore further.
The increasing interest in IT-sanctioned file sharing services is why we’re hosting a free 40 minute webinar with Bloor (‘Deal with the file sharing menace’ on 20th May 10am EST US, 3pm UK, 4pm South Africa) next week. Fran Howarth, Security Analyst, Bloor Research, will be presenting an overview of the enterprise grade file sharing options and revealing the real-life horror stories encountered by Bloor.
I’m delighted to say that joining Fran and me will be Joel Edwards, Director of IT at Wiggin and Dana LLP, who brings his own unique perspective on the risks associated with uncontrolled cloud file sharing caused by attachment size limits placed on staff, and on the enterprise best practice that will enable you to retake control.
You can register for the free ‘Deal with the file sharing menace’ webinar on 20th May here. Hope to share ideas with you then.
In the spirit of interactivity we’re hoping participants will bring along questions to ask the experts – feel free to send me the questions directly (firstname.lastname@example.org) or enter a comment after this post.