April 27th, 2007 by dm Phishing, Spam No Comments

I now have the complaint. Thanks JP.

April 26th, 2007 by dm Spam No Comments

The news is slowly trickling through the news outlets so I would like to comment on it a little bit. For those not familiar with the story yet, a major anti-spam lawsuit has been filed in the U.S. District Court in Alexandria, Virginia. The suit was filed by Project Honeypot and seeks the identity of individuals responsible for harvesting millions of email addresses on behalf of spammers.

The lead attorney is Jon Praed, with whom I had the privilege to work, and I can only confirm what Project Honeypot says about him: “[i]n the world of anti-spam lawyers, Jon is the best of the best.” I am sure that Jon will help the Internet community at large by taking this novel case to a successful conclusion.

Now about the case. I do not have the complaint yet (I will post it here as soon as I have it), but the news sources provide sufficient initial information on the details. The complaint is filed on behalf of 20,000 Project Honeypot users who have “installed” honeypots on their web pages. The honeypots are hidden from plain view so that only spiders see them. Once a spider sees a honeypot, the honeypot issues a new and unique email address to that particular spider and records the spider’s information. Project Honeypot then monitors the addresses issued to spiders for spam. If a piece of spam arrives, it can be linked back to the spider that harvested the address, which allows Project Honeypot to identify email harvesters.
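The mechanism described above, issuing one bait address per crawler visit and later matching incoming spam back to the crawler that received it, is easy to reproduce in a few lines. The following is an added example written for this post; it is not Project Honeypot’s code and does not reflect how their service is implemented. The domain trap.example, the secret key, the crawler IPs and the spam message are all constructed sample values. The addresses carry a truncated HMAC tag so that a message to a mistyped or guessed address is rejected before any lookup.

```python
"""Per-crawler trap addresses and spam attribution (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from email import message_from_string
from email.utils import getaddresses
from typing import Optional


@dataclass(frozen=True)
class HarvesterVisit:
    """What the hidden page records when a spider fetches it."""
    address: str
    ip: str
    user_agent: str
    page: str
    seen_at: str


class HoneypotRegistry:
    """Issues one unique address per spider visit and remembers who received it."""

    TOKEN_HEX = 16  # 64 random bits, hex-encoded
    TAG_HEX = 8     # truncated HMAC so forged or mistyped addresses are rejected cheaply

    def __init__(self, domain: str, secret: bytes):
        self.domain = domain.lower()
        self._secret = secret  # assumed to be kept server-side only
        self._visits: dict[str, HarvesterVisit] = {}

    def _tag(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()[: self.TAG_HEX]

    def issue_address(self, ip: str, user_agent: str, page: str,
                      seen_at: Optional[datetime] = None) -> str:
        """Called by the hidden page on each request; returns the bait address to embed."""
        token = secrets.token_hex(self.TOKEN_HEX // 2)
        address = f"{token}{self._tag(token)}@{self.domain}"
        when = (seen_at or datetime.now(timezone.utc)).isoformat()
        self._visits[address] = HarvesterVisit(address, ip, user_agent, page, when)
        return address

    def is_trap_address(self, address: str) -> bool:
        """Structural check: right domain, right shape, and a valid HMAC tag."""
        local, sep, domain = address.lower().rpartition("@")
        if not sep or domain != self.domain or len(local) != self.TOKEN_HEX + self.TAG_HEX:
            return False
        token, tag = local[: self.TOKEN_HEX], local[self.TOKEN_HEX:]
        return hmac.compare_digest(tag, self._tag(token))

    def lookup(self, address: str) -> Optional[HarvesterVisit]:
        """Return the recorded visit that was handed this address, if any."""
        if not self.is_trap_address(address):
            return None
        return self._visits.get(address.lower())


def attribute_message(registry: HoneypotRegistry, raw_message: str) -> list[HarvesterVisit]:
    """Map a received message back to the spider(s) that harvested its recipient address."""
    msg = message_from_string(raw_message)
    header_values = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
    hits: list[HarvesterVisit] = []
    for _name, addr in getaddresses(header_values):
        visit = registry.lookup(addr)
        if visit and visit not in hits:
            hits.append(visit)
    return hits


def demo() -> list[HarvesterVisit]:
    """Constructed end-to-end run: two spider visits, one spam message."""
    registry = HoneypotRegistry("trap.example", b"constructed-secret-not-for-production")
    bait_a = registry.issue_address("203.0.113.5", "Mozilla/4.0 (compatible; ExampleHarvester/1.0)",
                                    "/about.html", datetime(2007, 4, 1, tzinfo=timezone.utc))
    registry.issue_address("198.51.100.7", "OtherBot/2.1", "/contact.html",
                           datetime(2007, 4, 2, tzinfo=timezone.utc))
    # Constructed spam sample: the recipient is the address handed to the first spider.
    spam = (
        "From: promo@spam.example\r\n"
        f"To: Valued Customer <{bait_a}>\r\n"
        "Subject: limited offer\r\n"
        "\r\n"
        "body\r\n"
    )
    return attribute_message(registry, spam)


if __name__ == "__main__":
    for visit in demo():
        print(f"spam attributed to {visit.ip} ({visit.user_agent}) seen on {visit.page} at {visit.seen_at}")
```

Because every address is unique to one visit, a single spam message is enough to tie the sending campaign to the IP and user agent that fetched the hidden page; a real deployment would persist the visit records and feed the attributions into the statistics the post quotes.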

The lawsuit goes after the harvesters, and not the spammers. In fact, the harvester and the spammer may be the same person, but under CAN-SPAM Section 5(b)(1) it is unlawful to send spam if the spammer has actual knowledge or knowledge fairly implied from the circumstances that the spammed email address was obtained “using an automated means from an Internet website or proprietary online service operated by another person, and such website or online service included, at the time the address was obtained, a notice stating that the operator of such website or online service will not give, sell, or otherwise transfer addresses maintained by such website or online service to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.”

Based on this section, the lawsuit can target the harvesters and the spammers. As it is a “John Doe” lawsuit, the initial phase of the litigation will likely be to unmask the identities of the people standing behind the harvesters. According to Project Honeypot statistics, close to 23% of the harvesters are U.S.-based and subject to the District Court’s jurisdiction. It may be harder to unmask the Romanian (10%) or Chinese (7%) harvesters, but out of 15,610 total spam harvesters identified, this makes at least 3,000 harvesters that are based in the United States. Once the identity of the harvesters is verified, the next step is probably to see whether they are the actual spammers or whether they resell the email addresses to a third party. My hunch is that under the threat of large civil damages and an expensive lawsuit, a harvester is likely to disclose any relationship he or she may have with a spammer.

The strategy behind the lawsuit is brilliant and it shows what Jon Praed and Honeypot can do very well - find novel ways to gain an advantage in the increasingly difficult war against spam. Because this lawsuit is of enormous importance and magnitude, feel free to check back as I will be updating as often as I can about the status of the case and I will try to throw some of my thoughts into it as well.

April 12th, 2007 by dm Law & Policy 1 Comments

Many information security officers face a difficult task in educating their user base on proper security practices and procedures. Education is a key element of a good security practice and Microsoft has given us all a hand in this process.

The Security Awareness Program developed by Microsoft includes a white paper, Key Considerations for Developing Effective Information and Training Programs, and an End User Security Awareness presentation template and video, providing material to help you articulate to management and peers within your company what is involved in building an information security awareness and training program. One cool thing is a set of templates for various types of communications (emails, PowerPoint decks, fact sheets, etc.) which allow easy customization to your audience while still conveying the important security awareness topics.

The entire package is a 120MB download but it is well worth it.

April 9th, 2007 by dm Law & Policy 2 Comments

Spreadsheets — often spread across servers, network drives, USB keys, or email messages — are what makes a modern business function properly. The information stored in Excel sheets is often critically important not only to the organization but also to the data subjects, ranging from business plans and competitive proposals to salary and HR data.

Considering the prevalence of data stored in Excel and the importance of such data, it is surprising that there are few good technical information security solutions to protect Excel data. Microsoft doesn’t provide much security with Excel. In fact, as Microsoft has stated, the security features in Excel are not actually there to provide security but to make life easier for users. For example, you can hide worksheets from users so as not to confuse them and you can apply what locking is available for the same reason: so that users just focus on what they need to do and not on other stuff.

Phil Howard has an article in The Register in which he criticizes all major enterprise spreadsheet management vendors for not focusing on the right place. Currently, such vendors put the emphasis on Sarbanes-Oxley (and similar) compliance regulations - for example, the ability to track changes to spreadsheets so that there is an accountability trail if a spreadsheet turns out to “misstate” corporate earnings by a major amount. This is an important task in corporate governance, but after SarbOx regulations created a need and a (pretty lucrative) market for this kind of software, many vendors have not looked at the building blocks of spreadsheet security.

What good does a tracking mechanism do if a spreadsheet is so insecure that it can be manipulated easily? We should not be putting the cart before the horse. Instead, spreadsheet vendors (including Microsoft) should focus on providing adequate tools for spreadsheet security (cell locking, role-based access, etc.) before they focus on money- and headline-making features. Without baseline security, the enterprise is likely to lose money and make the wrong headlines when it suffers a breach because of its lack of spreadsheet security.

I received this book a couple of weeks ago but my schedule was very busy so I just had a chance to review and comment on this new book. The book is a very interesting collection of essays from leading scholars and practitioners in the area focusing on the “newness” of cybercrime prosecution and law enforcement. This site aims to highlight the new ways of committing crime and the new ways that are required to prevent it, combat it, and prosecute it so the book is a good paper source for those readers who like this site.

The book is divided into five major parts - the new crime scene, the new types of crimes, the new cops, the new tools available for prosecution, and the new procedural aspects of cybercrime. Among the topics covered are crimes in virtual worlds, policy issues of cybercrime, Internet surveillance, cybercrime conventions and legal issues surrounding digital evidence. The selection of authors is excellent - the presence of authors such as Orin Kerr and Susan Brenner, to name a few, lends a great deal of credibility to the entire collection.

My thought - an excellent selection of relevant materials. The timing of this book’s release could not be better - the legal issues of crime in virtual worlds, surveillance of electronic communications, and the procedural and substantive legal issues of cybercrime are things courts and practitioners should be well familiar with.

You can purchase the book here.

Disclosure - I am not affiliated with any of the authors, editors, or the publisher of this book. I do not stand to gain monetarily or in any other way from this book.

April 8th, 2007 by dm Forensics, Hacking 1 Comments

It is not often that the Securities and Exchange Commission is involved in the prosecution of cybercrimes. But in this case the SEC has successfully prosecuted cybercriminals for allegedly hacking into protected systems containing nonpublic information about publicly traded companies and then using that information to make trades for profit.

According to the SEC complaint, Blue Bottle Limited, a Hong Kong chartered company and Matthew Charles Stokes of Guernsey “fraudulently gained access to material nonpublic information through fraudulent devices, schemes, or artifices, which may include, but are not limited to, hacking into computer networks or otherwise improperly obtaining electronic access to systems that contain information about imminent news releases.” As a result, the defendants used the information to trade and make a profit of $2,707,177.

The SEC claims are under Section 17(a) of the Securities Act of 1933, Section 10(b) of the Securities Exchange Act of 1934 (Exchange Act), and Exchange Act Rule 10b-5. The complaint sought permanent injunctions, disgorgement of illegal profits plus prejudgment interest, and civil money penalties, and on March 7, 2007, the United States District Court for the Southern District of New York entered a preliminary injunction order against the defendants.

It is interesting that it is the SEC bringing this action and not the Department of Justice. The Computer Fraud and Abuse Act would seemingly provide a better deterrent for criminals, as it provides for jail time. However, the DOJ may not have been able to prosecute the defendants successfully, as they may not be under U.S. jurisdiction. The SEC, on the other hand, can impose an asset freeze and provide relief when jurisdictional and other issues prevent a successful criminal prosecution.