EarthLink Position on Heartbleed Bug on Consumer Systems

The Heartbleed bug is a recent vulnerability that has been circulating in news articles this week. EarthLink has validated that we are not using any impacted versions of OpenSSL in our consumer systems like webmail.earthlink.net, myaccount.earthlink.net and my.earthlink.net.

Please keep in mind that using the same email and password combination for multiple sites can pose a risk if any one of those sites is compromised. We strongly suggest that you choose a unique password for your EarthLink email address that you do not use on any other websites. This will greatly improve the security of your EarthLink account, and thank you for being a customer of EarthLink.

New Spam Technique Used to Hide ID Theft

First the good news about spam: most EarthLink Internet access subscribers feel that the problem of spam is generally under control. Not that they don’t get any (unfortunately). But it’s typically a very small amount that doesn’t detract much from their overall email experience.

And that’s impressive considering that 86.7% of all email sent is spam, according to Network Solutions. In May, spam accounted for 165.6 billion (yes, billion with a b) messages.

How do we go from 86.7% spam to the very small percentage our members experience? Our EarthLink spamBlocker tool, on its default Known spam Blocking setting, automatically filters most of the spam out, so our subscribers never have to deal with it.

We also offer a higher level of spamBlocker protection, called Suspect Email Blocking, which blocks all messages from senders who aren’t in your Address Book. This is a very effective way of ridding your Inbox of virtually all spam, but you do need to actively manage it so that you don’t end up missing email you do want because you forgot to put someone in your Address Book.

Distributed Spam Distraction or Spam Blizzard

Unfortunately there’s some bad recent news to report about spam: It’s a new spam technique called Distributed Spam Distraction or, in more colorful terms, a spam blizzard.

Both names give you a clue to what this type of spam is all about: distraction and cover-up. Like a blizzard of snow that causes a “whiteout” in which you can’t see anything, a spam blizzard prevents you from seeing.

What the blizzard of spam prevents you from seeing is evidence of ID theft and fraudulent transactions: specifically, the automatic email alerts and confirmations that are normally sent out to confirm bank transfers, online purchases, and other financial transactions.

It works like this:

  • The bad guys somehow get access to your sensitive personal account information (bank accounts, credit card numbers, passwords, etc.) as well as your email address.
  • Just before they start to use your information to make illegal bank transfers and fraudulent purchases, they start targeting your email address with a blizzard of spam.
  • A spam blizzard can last from several hours to more than 24 hours and may send more than 50,000 messages to your email account.
  • The bad guys then use your account information to steal from you. When they do, the automatic email confirmations that would normally alert you to the fact that someone transferred money from your bank account or used your credit card to make multiple purchases get lost in the blizzard of spam you’ve been receiving.
  • With the blizzard of spam overwhelming your email account, the bad guys have more time to take advantage of your stolen personal information without you seeing the evidence and putting a stop to it.

Because this Distributed Spam Distraction technique is targeted at the one individual whose personal information has been stolen – the opposite of most spam, which works by hitting as many people as possible – it’s harder to block with standard spam blocking filters. These spam blizzard emails also don’t contain links to malicious content, viruses or other malware that can trigger filters. And they typically avoid content filters by keeping messages very brief and based on random text rather than the sales pitches or other spam promotions that can trigger content filters.
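
A defender-side triage sketch for the pattern described above, added here as an example and not EarthLink's code: it flags hours with blizzard-level volume and pulls likely transaction alerts out of them. The threshold, sender domains, keywords and sample mailbox are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed values for illustration; tune to the mailbox's normal volume.
BURST_PER_HOUR = 500
TRUSTED_ALERT_DOMAINS = {"alerts.examplebank.test", "notify.examplecard.test"}
ALERT_KEYWORDS = ("transfer", "purchase", "payment", "password", "withdrawal")


def hour_bucket(ts):
    """Truncate a timestamp to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def find_burst_hours(messages, threshold=BURST_PER_HOUR):
    """Return the hours whose message count reaches the burst threshold."""
    counts = Counter(hour_bucket(m["received"]) for m in messages)
    return sorted(h for h, n in counts.items() if n >= threshold)


def buried_alerts(messages, burst_hours):
    """Pull likely transaction alerts out of the flagged hours.

    Sender domains are not authenticated here, so this is triage only:
    confirm every hit by logging in to the account directly.
    """
    window = set(burst_hours)
    hits = []
    for m in messages:
        if hour_bucket(m["received"]) not in window:
            continue
        domain = m["sender"].rsplit("@", 1)[-1].lower()
        subject = m["subject"].lower()
        if domain in TRUSTED_ALERT_DOMAINS or any(k in subject for k in ALERT_KEYWORDS):
            hits.append(m)
    return sorted(hits, key=lambda m: m["received"])


def build_sample_mailbox():
    """Constructed mailbox: a quiet hour, then a two-hour flood hiding three alerts."""
    start = datetime(2024, 1, 15, 9, 0)
    box = [{"received": start + timedelta(minutes=10 * i),
            "sender": "friend@example.test", "subject": "lunch?"} for i in range(5)]
    # Flood: brief, link-free, random-looking messages from throwaway senders.
    for i in range(1500):
        box.append({"received": start + timedelta(hours=1, seconds=4 * i),
                    "sender": f"{i:08x}@{i * 7919:06x}.invalid",
                    "subject": f"{i * 2654435761 % 2**40:010x}"})
    for minutes, sender, subject in [
        (102, "no-reply@alerts.examplebank.test", "Transfer of $2,400.00 completed"),
        (125, "no-reply@notify.examplecard.test", "Your card was used online"),
        (140, "security@shop.example.test", "Your password was changed"),
    ]:
        box.append({"received": start + timedelta(minutes=minutes),
                    "sender": sender, "subject": subject})
    return box


if __name__ == "__main__":
    mailbox = build_sample_mailbox()
    hours = find_burst_hours(mailbox)
    print("burst hours:", [h.isoformat() for h in hours])
    for m in buried_alerts(mailbox, hours):
        print(m["received"].isoformat(), m["sender"], "|", m["subject"])
```
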

What You Can Do Before ID Theft Happens to You

As with many health and security issues, prevention is the best cure. If you prevent ID theft in the first place, there’s not going to be any spam blizzard directed at you to cover it up. So make sure your personal information is kept as secure as possible.

  • Don’t email sensitive information like credit card numbers, bank account numbers, PIN numbers, and passwords. Email is not secure. EarthLink will never ask customers for their passwords over email.
  • Don’t click on links in emails asking you for account information. They are often “phisher” emails sent by criminals. If you need to go to your bank or Internet provider to check your account or make a change, type the URL directly into your browser. Learn more about phisher email and ID theft here. 
  • Create long, strong, unique passwords to log into your accounts. Don’t use simple, easy-to-guess passwords – and don’t reuse passwords. Here are three simple tips to help you create safer passwords.
  • Change your passwords frequently. You can change your EarthLink password here.
  • Make your PINs random. PIN numbers are typically 4-digit numbers, so you can’t make them stronger with length or other techniques. But make sure the numbers are random and not associated with you in any way, such as your birthday, year of birth, address, etc.
  • Be careful giving out account information over the phone, unless you initiated the call. Just like phisher emails, sometimes ID thieves will call people claiming to be from their bank or a government agency.
  • Make sure Known spam Blocking is turned on for your EarthLink account. It should be on by default, but if you’re not sure, here’s how to check and activate it. This spam filtering may not work depending on the exact spam blizzard techniques used, but it could be helpful. (The stronger Suspect Email Blocking setting would prevent you from getting the blizzard of spam, but it would likely also filter out the email alerts the bad guys don’t want you to see.)
  • Install and use security software on your computer. EarthLink provides our Protection Control Center all-in-one security suite free of charge to all Internet access members and offers discounts on Norton security products, such as Norton 360 Online and Norton Internet Security for Mac. Security software can prevent spyware and other malware from accessing your computer and stealing your sensitive personal information that is then used in fraudulent transactions.
  • Set up text alerts for as many important accounts as you can. Banks often let you add your mobile phone number to your customer contact preferences, so you can get account alerts sent as texts to your phone in addition to email alerts. This way, if your email account gets hit with a spam blizzard, you should still be aware of the problem via text. See what alert options are available for your credit cards as well.
  • Maintain good records of all your account numbers, account history, phone numbers and other account information. You may need to quickly inquire about your accounts and you may need these records to verify account information.

What You Can Do If a Spam Blizzard Ever Happens to You

First, don’t over-react to spam. If tomorrow or next week you get twice as much spam as usual, you don’t have to worry that this is an attack. The amount of “regular” spam that gets by our network filters and makes it to your inbox will always vary. Remember, for the spam blizzard technique to work and bury your legitimate messages, it requires a huge, blinding volume of spam, not just an annoying amount of spam.

Also, keep in mind Distributed Spam Distraction is a very new spam technique and it is still extremely rare. We are not blogging about it because it is likely to happen to you, but rather because if it ever does we want you to be aware that it can indicate ID theft that you should deal with quickly.

  • Act fast. If you do get a sudden blizzard of spam, be safe and assume it is being sent to cover up fraudulent account transactions.
  • Check your most important accounts first (either online or by phone). These are likely to be your bank, investment accounts, credit cards, and any other financial accounts you have.
  • Notify the fraud departments at your bank and other financial institutions that you may be a victim of ID theft.
  • See if the accounts can be temporarily frozen or put on alert for suspicious activity.
  • Change your account passwords if you can, starting with the most sensitive accounts.
  • Notify the fraud department at one of the three credit reporting companies (Experian, Equifax and TransUnion). Once you notify one that you are at risk of identity theft, they report to the other companies for you.
  • Fill out an ID Theft Affidavit (download a PDF here) that can help you report the ID theft to multiple institutions and also file a police report (once you are sure you were a victim).
  • Monitor your credit reports closely or “freeze” your credit reports so credit issuers can’t access your credit files (to issue new credit, for example) without your permission.

For a comprehensive list of ID theft recommendations, links to valuable resources, and contact information to help you deal with ID theft, visit Identity Theft: What to Do If It Happens to You from the Privacy Rights Clearinghouse.

If you need further assistance with your spamBlocker settings or have questions about how to protect yourself from spam, call EarthLink Customer Support at 1-888-EARTHLINK (888-327-8454).

4 Email Account Security Tips

submitted by Peter Chronis

These days criminals are using a variety of techniques to compromise and gain access to accounts across the Internet.  They then often use these compromised accounts to send spam or gain unauthorized access to a victim’s private information (emails, banking information, etc.).

Just take a look at all the recent stories about stolen passwords and hacked accounts from some of the most popular sites on the Internet today.

To reduce the risk of getting your accounts hacked into or compromised, we recommend that you take the following precautions to protect yourself:

1. Be Careful What You Click
Never reply to emails or click on email links that ask for your username and password. Our spam prevention partners have tracked a significant increase in phishing worldwide. Criminals often use phishing scams to help gather credentials.  Phishing is a term used to describe false emails sent from spammers claiming to be sent from a legitimate company (for example, EarthLink or well-known banks) and asking for your username and password. These fraudulent emails may look quite authentic – so beware.

2. Use Varying Usernames and Passwords
Don’t use the same username and password across multiple sites like email, banking and social network sites. Recent security research revealed that, on average, people use the same credentials to log into 49 different sites. Email usernames and passwords can be acquired from security breaches suffered by other service or product providers (tens of millions of credentials have been reported this year alone by other service or product providers). If you are using the same password for your EarthLink account as other accounts that were breached, then spammers may use this information to access your EarthLink email and send spam.

For these reasons, it’s good to have a system to generate strong, unique passwords for all the sites you use. Just follow these three simple steps.

You can change your EarthLink password here at any time.

3. Run an Antivirus Program to Curb Malware Infections
Some malware today is designed to run stealthily on your computer while it records the usernames and passwords to sites you access (your Web Mail, online banking, etc.).  Some security firms are reporting malware infection rates as high as 1 in 3 computers worldwide.  To protect yourself, the first step is to run an antivirus scan on your computer.  This can be done with any antivirus program of your choice.  EarthLink offers Norton 360 Online as a premium antivirus subscription with a Free 30-Day Trial if you want to check it out.

4. Choose Your Secret Hint and Word Wisely
A secret word or hint is often used to verify your identity when account changes are being made. You should not use information associated with you that is readily available on the Internet or through other sources. If you are unsure, try doing a quick Internet search for yourself to see what you can find.  If you can find it, so can a hacker.

Stay safe out there and never hesitate to reach out if you have additional questions around email or password security.

For further support from EarthLink, visit our Knowledgebase Support Center.

Mitigate Your Business’s Security Risk – 10 Ways How

Even with the most advanced technology, the most effective security systems, and best-planned preventative controls, a company’s data will still be at some risk. New and sophisticated cyber-attacks are created every day, with threats coming from profit-motivated criminals, hackers with various agendas, unscrupulous competitors, and even foreign governments.

So perfection is not a possible option. BUT…and here’s the good news: you can get very close.

But you have to approach your cyber-security in an intelligent and systematic way, implementing a strategic array of countermeasures that protect multiple points of vulnerability for your business (e.g., network, servers, desktops, and smartphones). Implemented correctly, these countermeasures can greatly reduce your security risk to the point that you can feel confident that you can prevent security breaches.

For most organizations, this goal requires an increased level of dedication to security. After all, small and midsize companies typically have few or no resources dedicated to information security. Most of these organizations don’t even have a way of determining how much sensitive information is stored on their systems. And while most businesses do know they need anti-malware tools and a firewall, they don’t fully understand how comprehensive their security measures need to be.

There are 10 key areas that we advise businesses to focus on in order to mitigate information security risks:

1. Security Awareness Training

This is one of the areas companies ignore…at their peril. No, it’s not high-tech. No, it’s not sexy. But security awareness training has the greatest security ROI and highest security impact. It’s true.

Most security breaches actually originate inside companies by disgruntled or negligent employees.

So, what should you do? Educate everyone in your company so they can help identify a variety of security risks.

For example, employees should be able to spot and identify email phishing and spoofing attacks.  They should also be trained not to store, send or copy sensitive information that’s unencrypted. And they should know not to share sensitive information over the phone unless they are 100% sure of the audience.

Again, our #1 advice to mitigate your security risk: train employees on security policies and practices. And make sure to revisit the issues and retrain at least yearly (sooner if you can).

2. Anti-Virus & Anti-Malware Protection

Virus outbreaks make the news (like the recent Flame virus), so most people know they should have anti-virus and other malware protection for their personal computers. And most people assume businesses are protected. Often they are not. Or at least not adequately protected.

Malware infections can hit your bottom line hard. They can cause fraud, loss of data, identity theft, or decreased companywide productivity due to slow or unusable computers.

Businesses are increasingly adopting an “endpoint security” strategy to combat malware threats. Endpoint security is an information security concept that means that each device (or endpoint) on a network should be responsible for and capable of providing for its own security.

Whatever your anti-malware solution, it should scan email for attached viruses, monitor files in real time for infections, and perform thorough scans of every file.

3. Data Encryption

Encrypted data isn’t any less likely to be stolen by hackers or other intruders. But data encryption is still a powerful part of your business’s information security. Encryption protects your data even after it has been accessed. Once it is encrypted, your business data is worthless to the bad guys and remains protected. They would need the encryption key to read your data. So we advise all businesses to encrypt data in case it is compromised or lost (employees leaving unencrypted laptops at airports or coffee shops has caused some serious data breaches).

4. Access Controls

Your business should not be a free-for-all for your employees. When everyone has access to everything, your information security is at risk. For increased security, only give employees (and partners) access to the data they need. This includes both physical and logical access. A good strategy is to start by granting the least privilege. You can then escalate privileges to grant access to additional data on an as-needed basis.

5. Patching

Patching is essential to minimizing the risk to your computer systems. Patches are often released to fix security holes in systems and applications. Make sure you keep all operating systems and applications you run patched. Install the latest firmware updates on all network devices.

6. Mobile Devices

Laptops, smartphones, and tablets have increased the productivity and mobility of today’s workforce. But along with that productivity comes vulnerability. Lost or stolen laptops and other mobile devices are the top cause of data breaches. We recommend you manage endpoints centrally to allow your security policies to be easily deployed. You should also enable auto-lock or require a password to access all devices.

EarthLink Business offers managed laptop security services to address these risks.

7. Monitoring

Knowledge is power. In the security realm, monitoring is the knowledge you need to be confident you have powerful protection. Make sure your business is set up to monitor systems and network devices for any abnormalities.

Deploy a SIEM (security incident & event management) that correlates logs from all levels of infrastructure – network, systems, and user activity. Don’t just block activity at a firewall or IPS. Log it, review it and learn from it. Attackers are finding new ways to expose networks. Know what is happening so you can continue to address it.

You should also install content filtering to monitor user activity from within your business. The most common form of employee misuse of the Internet is to surf porn. Another co-worker witnessing this misuse of your company resources can result in legal action and a monetary judgment against your company. Employees also often download or email viruses, causing security breaches. So it is imperative that you monitor what your users are doing on the Web.

8. Firewall

A firewall is the first line of defense against any attack (network or host). It acts as a barrier between a public network and a private network.

EarthLink offers managed firewalls that are designed to allow good traffic in and to keep malicious traffic out. A majority of firewall breaches are caused by the misconfiguration of firewall rules and policies.

9. Remote Backup

Backup is one of the most neglected areas of computing and therefore typically one of the biggest opportunities your business has to mitigate risk. Why? Because stuff happens. All the time.

Theft, floods, fires, tornadoes, hurricanes, and other unforeseen occurrences can cause large amounts of data loss that can cripple your business.

Often, businesses invest in securing data from hackers or malware, but then the data is physically destroyed by natural causes. If the data doesn’t exist, securing it from outside threats doesn’t matter.

That’s why it’s so important to back up your company’s data to a remote location so data will be retained in the event of a disaster at your main location.

10. Security Assessments & Penetration Testing

To secure your business you must stay vigilant. There are always bad guys looking for the next way to compromise your business’s information. So you have to perform annual or, better, quarterly vulnerability assessments to identify new risks. The ever-changing security environment is always creating new risks. Identify the new risks that apply to your business and fix them before someone else finds them.

We also recommend that all businesses have a formal Information Security Risk Assessment done every three years, which is the life cycle of most products these days.

If you need more information on security for your business, contact us and one of our IT experts can help you ensure your data is as secure as possible.