Cisco Blog > Cisco Interaction Network

Michael Jackson – King of Spam

July 7, 2009 at 12:00 pm PST

No. Michael Jackson was not known for any kind of email scam…but like any other major event in the news, his demise was big enough to warrant attention from the people who are always looking to defraud us. This kind of thing will not go away, of course, and as users we need to be ever vigilant. This particular surge started on June 27 and provides a nice back story highlighting the type of protection (often protection from ourselves) provided by Cisco IronPort.

This information comes from Cisco’s Security Intelligence Operations:

Starting on June 27th, 2009, cyber-criminals sent many spam messages targeting Michael Jackson’s death. The demise of the King of Pop provides spammers with a high probability that users will open their spam and malware messages. Spammers are using this lure to get users to (1) unsuspectingly launch malware, (2) provide sensitive personal information (identity theft), (3) fall for advance-fee fraud (419 spam), (4) go to fake pharmaceutical websites, and even (5) purchase spamming services.

The most common spam subject lines?

  • Michael Jackson dead? NO!!!
  • Who killed Michael Jackson?
  • All M. Jackson’s faces
  • Remembering Michael Jackson

Good security is always a balancing act, of course, and it is unreasonable to think we can ever completely remove the ‘stupid user tricks’ from the equation. We can train people to be more suspicious and not open things from people or places they would not expect…but this is hard to do and getting harder. Many of us are exposing our lives via the digital breadcrumbs we voluntarily spread each day as we engage with umpteen social engines day in and day out. The risk is that as we put more out there (and I am just as guilty), correlating these bits becomes easier, and although we may like the benefits we get…it also makes it easier to ‘fool’ us.
Take this account recently covered in the news and you can see how we could be getting notes from ‘friends’ (or so it appears) that contain subject matter very much in sync with what we are already chatting about…all of a sudden it becomes very, very hard to distinguish reality.

All the talk about delivering cloud services these days, and trying to figure out what the heck each vendor means when they say ‘cloud’ (add this term to your corporate bingo games, by the way), can be a challenge. There has been a surge of ‘cloud based’ security services growing in importance now. From Cisco’s perspective this would be the HUGE benefits we accrued from our IronPort acquisition. So the question becomes: can we offer cloud services and do something ‘better’ than what we could have done on our own using our own local equipment?

Good security will never be a ‘fire and forget’ type of thing…as much as any executive would love to say ‘we spent a ton of money on security in our last budget cycle’ and thus we have moved on…no need to keep spending. How dangerous that is. C’mon…we know that there will be a balance between equipment you own, services you pay for and user education -- all of which will need constant tweaking over time. The adversary is well motivated, well paid and much more patient than us.

So back to our King of Pop example. Cisco IronPort claims that customers were protected WITHIN SECONDS. Now, most vendor claims need to be examined for when that timer started…it’s way too easy to make broad claims that sound good on the surface. The typical challenge with traditional security models is that although a ‘fix’ may be available very quickly, the point at which your local devices are actually using the new definitions can be drastically different. “Your mileage may vary.” It’s the cloud model, however, that holds such great promise by delivering benefits not only today but going forward as well.
IronPort’s reputation services form the backbone of a multitude of valuable services our customers now enjoy, and these have recently been extended into the botnet protection offered in our more traditional hardware. These socially driven attacks can now be addressed in three new areas:

1. Anti-Spam services addressed the email vector.
2. Web Reputation addressed the instantly identified websites that could not be trusted.
3. The botnet traffic filters now available were able to disrupt the command and control behavior from your local network.

The ability to see worldwide activity, spot trends and leverage sanitized info from the thousands of customers that participate increases the shared knowledge, which then benefits everyone else. The wisdom of crowds, if you allow me that, is at work here…but it is overseen by a 24-hour team of security specialists who lend that educated ‘human touch’ that will probably always be valuable in our dynamic world. Understand the value that reputation offers and this foundational knowledge will help you understand why my company can get away with such bold claims. Read up on it. Decide for yourself.

UPDATE July 9: Some good reading and info on the ASA 8.2 Software just released with these new ‘bot fighting’ enzymes (not enzymes actually…just sounded cool).

The ASA 8.2 Software Release and ASDM Version 6.2 for the Cisco ASA 5500 Series Adaptive Security Appliances are orderable and FCS. All software licenses associated with ASA 8.2 are also now orderable across the ASA 5505-5580. Cisco ASA Software Release 8.2 offers a wealth of features that help organizations protect their networks against new threats; securely connect, communicate, and conduct business; and flexibly extend security to various deployments. This release is supported across the entire Cisco ASA 5500 Series.
Highlights of the ASA 8.2 Software Release include the ASA Botnet Traffic Filter, Global Correlation for ASA IPS modules, IPS-SSC on the ASA 5505, the AnyConnect Essentials license, Premium VPN shared licensing, SNMP v3, IPv6 transparent firewall, H.239 inspection, UC proxy on the 5580, NetFlow and more. A 30-day trial license is available for customers wishing to try out the Botnet Traffic Filter feature. Note that the Botnet Traffic Filter is only available as a spare license. Additionally, ASDM 6.2 supports the features above and offers unique features such as One Time Password, Botnet Traffic Filter reports, and public server configuration. CSM 3.3 and MARS 6.0.4 will support the ASA 8.2 releases.

Software Availability:

  • Cisco.com (CCO): Available now for the Cisco ASA 5500 Series (for customers with a valid SMARTnet contract).
  • Manufacturing: Available now.
  • Note: For this release, the ASDM Upgrade feature in the Tools menu of ASDM will not upgrade the ASA image. To get the images, you will need to download them directly from the download site to your machine.

Hardware Availability:

  • IPS SSC Availability: The IPS Security Services Card for the ASA 5505 will be orderable in July.

Cisco ASA 5500 Series Software Pricing Information:

  • $0 for customers with a valid SMARTnet contract for their Cisco ASA 5500 Series appliance
  • $1,000 for customers without SMARTnet (ASA-SW-UPGRADE=)


Useful Links:

  • Cisco.com Software Center page for Cisco ASA 5500 Series software releases
  • ASA 8.2 Product Bulletin
  • ASA 8.2 FAQ
  • Botnet Traffic Filter White Paper

Info courtesy of our Cisco ASA Product Team and friend of TechWiseTV…Danelle Au!
