PDF spam

A new type of spam has been finding its way into inboxes by taking advantage of a well-worn technology: PDF files.

In recent weeks, spammers have been bypassing corporate email filters by hiding their content in PDF attachments instead of the body of messages. Like most junk email, the messages hawk things like penny stocks, prescription drugs and lotteries.

The so-called PDF spam is the latest volley in the cat-and-mouse game between spam senders and network defenders. Despite the federal Can-Spam Act of 2003 and heavy spending by corporations on antispam technologies, junk email remains a problem. It accounts for more than three-quarters of email transmitted over public networks, according to Ferris Research Inc., a San Francisco market-research firm. Spammer techniques have become increasingly sophisticated as filtering methods have improved, and spam fighters admit that they frequently play a reactive role.

Read The Latest Inbox Scourge: Spam Disguised as PDFs

Wall Street Journal

This Email Will Self-Destruct

New Services Help Safeguard Outbound Messages Against Forwarding and Tampering

People who want to open email from patent attorney Andrew Currier have to know the drill. First, they must answer a predetermined question, such as “Where did we first meet?” If they answer correctly, they will then be allowed to view the contents of the email — but they can’t alter it or forward it to anyone else.

Concerned about privacy, the Toronto-based lawyer has begun using a new service that encrypts his emails and tries to keep unintended recipients from reading the contents. The tool, developed by Echoworx Corp., adds a “send secure” button to his Microsoft Outlook email program. Unlike other email-security systems Mr. Currier has tried, this one doesn’t require recipients of his emails to download any software or use the same email program.

“I really need it to be easy for the client on the other end,” says Mr. Currier, who says that leaked information could be disastrous for one of their patent applications. “People don’t appreciate just how vulnerable email is.”

Amid heightened privacy concerns, a handful of technology companies are touting new services designed to make existing email programs, such as Microsoft Corp.’s Outlook, more secure, with features ranging from emails that can’t be forwarded to self-destructing messages that can be viewed only for a limited time. While most email programs by themselves guard against inbound attacks such as viruses and spam, they give computer users little control over the messages that are sent. So these third-party developers, which aren’t working directly with Microsoft or other email companies, aim to fill that hole.

(Also appeared in AOL Money & Finance, Arizona Republic, Arkansas Democrat-Gazette, Bonita [Fla.] Daily News, Bradenton [Fla.] Herald, Contra Costa [Calif.] Times, Detroit News, [Toronto] Globe and Mail, Pittsburgh Post-Gazette and Seattle Times.)

Wall Street Journal

Service Aims to Cloak Internet Use by Routing Traffic Through Sweden

In the wake of AOL’s recent leak of search queries from 650,000 customers, a new service has launched that says it masks computer users’ online activities. But unlike other so-called anonymizer tools, which have been around for some time, the Relakks service comes with a twist: The service and the company behind it are based in Sweden, where backers say stiff privacy laws make it more difficult for law-enforcement authorities and others to gain access to customer information.

Relakks, which costs €5 ($6.44) a month, has attracted about 21,000 customers, with two-thirds of them coming from the U.S., since its debut last week, according to Labs2 Group AB, the Lund, Sweden-based broadband company that runs the service. “To be quite frank, we did not anticipate the hornet’s nest we stirred up,” said Jonas Birgersson, Labs2’s 34-year-old chief executive, who rose to prominence in Sweden during the dot-com boom when he founded Framfab, a large Internet consulting firm. That company has since been broken up; Labs2 is a remnant.

Many anonymization tools are aimed at helping users avoid being tracked as they surf from one Web site to another. Relakks takes a more comprehensive approach, setting itself up as the gateway for all communication between a user’s computer and the outside world.

Subscribers use their existing Internet connections to access Relakks’s encrypted network. Once connected, any Internet traffic, including email, Web browsing and online file sharing, is routed through the company’s computers in Sweden. The user’s local Internet service provider would see only the connection to Relakks, and wouldn’t have any record of the user’s online activities beyond that, according to Labs2.

Read more (subscription required; contact me for a copy)

Wall Street Journal

Email Scammers Try New Bait in ‘Vishing’ for Fresh Victims

For some time, banks and credit-card companies have been warning computer users about so-called phishing emails that link to counterfeit Web sites where customers are asked to enter their account numbers and other personal information.

Now, savvy con artists are adding a new twist dubbed “vishing.”

Customers of Santa Barbara Bank & Trust recently received emails telling them that their accounts with the company’s online banking system had been disabled after the bank detected unauthorized access. They were told to dial a telephone number (with a local, Southern California area code) where an automated voice prompted them to enter their account numbers, personal-access codes and other details. It’s not clear who was on the other end of the phone line, but it wasn’t Santa Barbara Bank & Trust.

The incident was among the latest in a string of vishing, or voice phishing, attacks. Security experts say such schemes are made possible by Internet-telephone services, which allow computer users to quickly establish phone numbers, often without undergoing some of the verification checks used by traditional telephone companies. Also, Internet phone companies dole out numbers with a choice of area code, regardless of where in the country — or world — the user is located. That can make it much more difficult to locate fraudsters.

(This article also appeared in the Chicago Sun-Times, [Toronto] Globe and Mail, Arizona Republic, Pittsburgh Post-Gazette, South Florida Sun-Sentinel, [Denver] Rocky Mountain News and AOL News.)

Wall Street Journal

Colleges Face Privacy Issues as ID Cards Collect More Data

With the simple swipe of a card, students at Pennsylvania State University can unlock doors, pay for meals and borrow books from the library. Some students also link their IDs to a bank account and use them like debit cards at local stores. For others, the cards are virtual time slips, recording hours logged at campus jobs.

These cards have become a fixture of campus life as U.S. colleges and universities have doled them out to students, faculty and staff over the years. The cards were first introduced to save money and eliminate the need to issue new room keys each year. But as schools have added more sophisticated features to the cards, they have amassed a mountain of personal data about the cardholders.

“There’s a tension here between security and privacy concerns,” said Ari Juels, a research scientist at RSA Security Inc., a Bedford, Mass.-based maker of ID card systems.

Each time a card is used, information is relayed to a central database. Colleges differ widely on how they use this information: some see it as a burden best left untouched, while others make a point of purging it regularly. Some store the data indefinitely and mine them for criminal investigations. Card records have been cited as a key piece of evidence by defense attorneys representing a Duke University lacrosse player accused of rape.

Students are often in the dark about how card data are being used. Portland State University ignited a controversy when it began using a combination ID-debit card system from an outside company. Students were angered to learn the company had access to their personal information, said student body president Courtney Morse.

Lindsay Desrochers, Portland State’s vice president for finance and administration, said the students had some “legitimate issues” with the new system, but that the school didn’t do anything improper. “Most campuses are going in the direction of providing a card like this, and it’s a service that most students want,” she said.

Wall Street Journal
