
With M3AAWG 36 just around the corner, we pulled together this special pre-meeting newsletter to bring you up-to-date on work coming out of Atlanta and the plans for the San Francisco gathering.  Think of it as a primer for our February 15-19 working meeting.

As always, this newsletter is confidential to M3AAWG members and our usual advisory applies here:  Per your M3AAWG membership agreement, you cannot re-post, blog, tweet or otherwise share the information here without the written permission of both the M3AAWG Executive Director Jerry Upton and the noted authors.  However, you can share and post information about public documents and videos that are specifically noted below.

Please send any feedback on this update to Jerry Upton at jerry.upton@m3aawg.org. For more information on the projects described below, contact the committee chairs through our Committees/SIGs page or the listed email.

Meeting Announcements

Important San Francisco Meeting Registration Notes

A couple of quick reminders: 

1) The online meeting registration closes at the end of the business day on Thursday, February 11.  After this date, you will have to register onsite at the meeting and pay the higher registration rate.

2) If you have speakers, panelists or guests attending the meeting, make sure they have registered for the meeting.  If you have any questions, contact Jerry Upton, Executive Director, at jerry.upton@m3aawg.org.

Want to Live Tweet or Post on Other Social Media in San Francisco? 

We're trying something new in San Francisco:  For the first time, if you sign up either in advance or at the meeting, we'll give you special permission to live tweet, blog or post on your business or personal social media account about selected, pre-approved sessions.

Everyone is welcome (and encouraged) to participate, but you MUST sign up with Linda Marcus (LMarcus@astra.cc) and be confirmed as part of the program by her before posting. We will also be posting on @maawg (#m3aawg36) for everyone to re-Tweet and get a pin, as usual.

How to Contribute to M3AAWG

Give Us Your Best Ideas

We're serious about strengthening the "work" in the "working group" that's in our name and making it easier for you to participate and get the most value from your time in M3AAWG.  In Atlanta, we launched our first participation training session outlining the various tools and structure to help you find information and engage in committees.  We had an outstanding 140 attendees in the session, which ended in a networking opportunity allowing members to meet committee chairs related to their interests and discuss existing and potential projects they'd like to see.

We will continue to offer How to Contribute to M3AAWG training at our meetings this year in San Francisco, Philadelphia and Paris to make it convenient for everyone to attend or repeat the session.  In San Francisco, the Tuesday morning session looks at how we are organized, the work features on our new website, the document development process, and how to find open work items that might be important to you.

We also are taking our member outreach a step further and have created a new How to Contribute to M3AAWG SIG.  Have an idea that would bring more value to our members or help us get more work done?  Have a question on how to connect with a project or committee?  Go to the Committees/SIG page on the members website and join the new SIG or send an email to the SIG chairs at hcm-sig-chair@mailman.m3aawg.org.

M3AAWG was founded by a small group of committed individuals who seriously wanted to save end-users from spam overwhelming their inboxes.  We need to keep that same drive, spirit and inventiveness alive if we are to stay a step ahead of the cybercriminals.  We can only do that by tapping everyone's expertise and encouraging the continued engagement within our membership.  We hope to see you in one of the upcoming How to Contribute to M3AAWG sessions and to hear from you in the new SIG.

Michael Adkins, M3AAWG Chairman

New Resources

Note:  The items listed in this New Resources section are all public resources. You can link to them, share them on social media, blog about them or send the URL to non-members.

New Feedback Loop Resources Web Page 

A general explanation and a list of links to currently available feedback loops is now available to the industry on the M3AAWG website under the For the Industry menu tab.  The page was developed by the Collaboration Committee and you can send updates using the Contact Us form on our website.  This is a public page – please share it widely and freely.

Committee Website Work Areas Now Available

Starting work on a new document?  We highly encourage you to make sure new work-in-progress is posted in your committee workspace so your committee members can see all projects, determine the status of work in progress, find drafts and more easily participate in the group's work.  The document tracking features we added as part of our new website are now functional and you can upload drafts or reference URLs, add notes and set the status, among other activities.  Contact Amy Cadagin at amy@m3aawg.org or Jerry Upton at jerry.upton@m3aawg.org if you have any questions.

New Pervasive Monitoring Paper

M3AAWG has just published a new paper from the Pervasive Monitoring SIG outlining M3AAWG Initial Recommendations for Using Forward Secrecy to Secure Data.  It explains why forward secrecy is needed with guidelines on how to implement it.

New Videos on Our YouTube Channel

Speaking of pervasive monitoring, three new videos are now available on our YouTube channel dealing with the Keys Under Doormats document that makes the case against government mandated access to encrypted documents:

Committee Reports

Open Round Tables
Atlanta Report

The Open Round Tables is the place to start the work for the working group at M3AAWG.  The ORT gives M3AAWG members the opportunity to have a voice, weigh in on the importance of a topic, and discuss and participate in developing a topic into a panel, a document, a best practice or much more.

Attendance grows and the topics become more interesting at every M3AAWG meeting, and Atlanta was no exception.  It was one of the best attended ORTs and produced some great papers, panels and best practices projects.  Among the suggested work from M3AAWG 35 round table discussions last October:

  • A panel on preserving the value of TLDs
  • A panel with credit card company representatives discussing phishing
  • A document explaining waterfalling
  • A training session looking at guidelines on content scanning to detect phish with early detection
  • A possible meeting, a best practices document and other activities focusing on encouraging providers to turn on TLS by default in their products, including follow-up discussions, evangelization, and a survey
  • A panel called You've Found Phishing: Now What?

We continue to collect ideas so please submit yours on the ORT Submission Form.  All ideas are reviewed for inclusion in the next available M3AAWG meeting.

Contact Open Round Tables Co-Chairs Melinda Plemel (Return Path) and Vincent Schonau (Abusix) at open_roundtables-chair@mailman.m3aawg.org

Guides Program
Spot on – Guides Help Navigate Meeting

Since the M3AAWG Guides Program and New Attendees Orientation joined forces, a number of changes have occurred. Starting with M3AAWG 36 in San Francisco, the guides will be much more easily identifiable among the crowd of attendees as they will be sporting a new bright yellow “GUIDE” button.

In collaboration with the Growth and Development Committee, the Guides Program is also formalizing a process to match and track Guides with first time attendees and guests.  While the peer-to-peer Guides Program helps new members and those who want to get more involved in M3AAWG better navigate the committee process and meetings, some potential new members and guests typically have different needs.  The formalized process will position M3AAWG to better address these needs on an individual basis.

To help new members and new attendees at the meeting, we are also continuing the New Attendee Orientation, which will be on Monday at 5:15 p.m. It is an excellent opportunity for M3AAWG newcomers to be presented with an overview of M3AAWG and to be introduced to the M3AAWG Guides program.  

If you are interested in serving as a Guide, please check the appropriate box on the meeting registration form or contact us at guides-chair@mailman.M3AAWG.org.  If you would like to be paired with a Guide in San Francisco, check the "Want to be paired with a Guide?" box when you register for the meeting or let us know when you attend the Monday orientation.

Contact Guide Program Co-Chairs Alyssa Nahatis (Adobe) and Bill Wilson (M3AAWG Senior Privacy Advisor) at guides-chair@mailman.m3aawg.org.

Training Committee
What Training Do YOU Need?

Bring your lunch and come share your ideas at the Training BoF that is open to everyone on Wednesday in San Francisco. You do not need to be a committee member, nor must you commit to anything.  But we do want to know what training content the M3AAWG community needs and is interested in. The chairs seek qualitative training ideas or specific topics and presenters for Philadelphia (June 2016) and Paris (October 2016).

If you'd like to add to your industry knowledge, you can also participate in any of the Monday training sessions:

  • Pretty Good Privacy (PGP)/GNU Privacy Guard (GPG): Just Enough Training To Make You Dangerous – M3AAWG Senior Technical Advisor Joe St Sauver (Farsight Security, Inc.) will give you just enough PGP/GPG skills to let you become minimally functional while skipping esoteric options and more theoretical considerations.
  • Climbing Mount DDoS: Preparation and Handling for Small to Medium Size Companies – Presented by Carel of Spamhaus, this session is designed to assist companies that do not have the infrastructure, budget or human resources to respond to a DDoS attack effectively on their own.
  • Detecting Phish Properly – A panel on early phish detection using tools and content scanning with Paul Rock (AOL), Paul Kincaid-Smith (SendGrid) and Autumn Tyr-Salvia (Message Systems).
  • Maximizing Group Collaboration with Michael Goldman (Facilitation First) – This session is required for new committee chairs.

In Atlanta, we had a diverse, well-attended and productive training day this past October with 318 attendees taking advantage of the training opportunities. If you're interested, the slide decks from some of these sessions are available on the Atlanta Past Meeting Presentations page for M3AAWG 35.

  • Deploying DMARC While Under Attack: Barry Jones (Brightball.com) and Steve Jones (Crash.com) reviewed how they helped an auction site survive an email-vector attack by deploying DMARC and other solutions on the fly, and how this experience could help others.
  • Climbing Mount DDoS: Carel (Spamhaus) gave a talk on DDoS preparation and handling for small to medium size companies.  Attendees were supplied with an actionable checklist to be used in the event of such an attack. An encore session is being presented in San Francisco.
  • Getting To Know You: Client Onboarding & Vetting Training: Sri Somanchi (Google), James Koons (Dotmailer), Peter Cholnoky (e-hawk.net) and Geralmy Swint (Trend Micro) provided real-world scenarios of client onboarding and vetting, how to evaluate new clients, why this process is critical to ESP success, what data receivers and filter vendors expect, and a lot more.
  • My Customer’s Account Has Been Hacked! What Do I Do Now?: Tom Payne (Comcast), Patricia Andrews (Constant Contact), and Joe Sykes (Cox) discussed the importance of having a mitigation process for hacked user accounts, the steps that should be taken in such a process, and how their respective companies handle compromised accounts.

Training has become an important component of the value offered at our meeting so please attend the San Francisco BoF or share your ideas with us through the Meeting Submission Form or by email.

Contact Training Co-Chairs Chris Arrendale (Inbox Pros), Annalivia Ford (IBM) and Udeme Ukutt (Mailjet) at training_committee-chair@mailman.M3AAWG.org.

Program Committee
Looking for Philadelphia and Paris Keynotes

While we might be closing-in on M3AAWG 36, we need your help in soliciting ideas and contacts for potential keynote presenters at the upcoming June meeting in Philadelphia and the October meeting in Paris. The high-level executives, industry experts and public policy advisors we want to engage with us in our plenary session at each meeting generally require a long lead time to schedule.  Please submit your suggestions using the Meeting Submission Form and mark your entry as "keynote."

M3AAWG had a great meeting in Atlanta. We have to say that finishing one meeting and starting the planning for the next has its usual bumps in the road, but the February meeting at the first of the year is much harder due to the time constraints associated with the holidays. Our schedule for going public with the agenda is much shorter and as such the committees' leadership had their work cut out for them to confirm speakers, get titles and descriptions in, and orchestrate another valuable meeting. As usual, those chairs came through with flying colors and met those time constraints to ensure that your time in San Francisco will be well spent.

As noted, as we finalize plans for San Francisco we are already looking forward to future meetings, including the 37th General Meeting on June 13-16, 2016 in Philadelphia and the 38th General Meeting on October 24-27, 2016 in Paris. We would love to hear from you on what you would like to see there.  You can submit session ideas at /submissions, and to submit Open Round Tables discussion topics, go to /roundtable-ideas.

As usual, we appreciate your efforts to continue the work within the committees that you participate in and to move the work of M3AAWG forward, both between the meetings and at the meetings themselves.

Contact Program Committee Co-Chairs Kurt Andersen (LinkedIn), Dennis Dayman (Return Path) and Len Shneyder (Message Systems) at program-chair@mailman.m3aawg.org

Hosting Committee
Looking at New Best Practices and Membership Growth

A quick wrap-up before the February meeting:

Document updates and kickoffs

In San Francisco, the Hosting Committee will begin new work on the M3AAWG Anti-Abuse Best Common Practices for Hosting and Cloud Service Providers that was released last year. The focus of the update will be on developing more detail on the cloud and specific issues related to their offerings. 

The collaboration between the Hosting Committee and the Brand SIG will continue in the development of a best practices document for reporting abuse to hosting providers, specifically in phishing situations.

Focus on Phishing and Fraud

As with many other committees and SIGs, the sessions that the Hosting Committee is presenting will focus on phishing and fraud. Potentially, the outcome of these sessions will be the addition of new best practices documents relating to building a fraud detection framework for hosting businesses and methods for enhanced phishing takedown techniques. 

Growth

One of the M3AAWG goals for 2015-16 is to grow membership of the hosting and cloud community since in the past few years malicious parties have begun to prey on the users and systems of these companies. A well-rounded community will provide the Hosting Committee with the feedback and expertise to combat the issues facing the hosting and cloud industry. 

Contact the Hosting SIG Co-Chairs Justin Lane (Blue Host) and Matt Stith (Rackspace) at hosting-chair@mailman.m3aawg.org

Technical Committee
New DDoS SIG, Mailing Lists

To better facilitate work between meetings, individual mailing lists were created for Messaging, Malware and Mobile after the Atlanta meeting and are now active. The lists are itemized under the Technical Committee on the members' Committees/SIGs page and are open to all M3AAWG members. Just click on "Join now" to be added to a list.

Some other updates:

  • The new M3AAWG DDoS SIG will have its first meeting in San Francisco with a document working session on Tuesday.
  • We have a co-chair opening for Mobile. Please contact either Technical Committee Co-Chair, Paul Ferguson or Alec Peterson, if you have a candidate.

In terms of reviewing and updating previously published best practices and documents that are aging:

  • After an initial evaluation of the "M3AAWG Email Anti-Abuse Product Evaluation Best Current Practices" document, we will have an ORT discussion in San Francisco on current methodologies for document inclusion.
  • The "MAAWG Recommendation: Methods for Sharing Dynamic IP Address Space Information with Others" document review effort is looking to gather consensus concerning IPv6 handling and potential new standards in this space.
  • A draft of recommended revisions for "Configuring Human Readable Delivery Status Notifications" has been submitted and will be provided to the Board for review shortly.

Contact Technical Committee Co-Chairs Paul Ferguson (Trend Micro) and Alec Peterson (Message Systems) at technical-chair@mailman.m3aawg.org

VTA SIG
Data to Share and Getting the Inside Story

The Voice and Telephony Abuse SIG will be holding a four-session workshop on Thursday, February 18, at the M3AAWG San Francisco meeting. We’re very excited to have:

  • The unpublished inside story of how the FCC and FTC worked with industry to trace, identify and stop two notorious robocallers
  • An overview of U.S. law permitting service providers (even highly regulated telcos) to share abuse data without legal process
  • A caller intelligence data sharing workshop inviting you to give and receive caller reputation and honeypot data (yes, there’s data for you)
  • A service provider call-tracing workshop bent on expanding the recent collaboration between the three largest U.S. carriers
  • The kickoff of the new VTA SIG telephony abuse mailing list

These sessions are open to all M3AAWG members. We look forward to seeing you on Thursday!

Contact Voice and Telephony SIG Co-Chairs Mustaque Ahamad (Georgia Tech) and Alex Bobotek (AT&T) at vtasig-chair@mailman.m3aawg.org

Academic Committee
Bringing Actionable Research to M3AAWG

We continue to work to bring M3AAWG members the latest research into anti-abuse techniques. In San Francisco, we hope to help bridge the gap between academia and business with these sessions (see the agenda for a full description): 

  • SABOT: Specification-based Payload Generation for Programmable Logic Controllers:  SABOT automatically maps the control instructions in a PLC to an adversary-provided specification of the target control system’s behavior, and at this point, can compile and upload a malicious payload to the PLC. Our evaluation shows that SABOT correctly compiles payloads for all tested control systems when the adversary correctly specifies full system behavior, and for four out of five systems with unspecified features, in under two minutes. Presented by Patrick McDaniel (Pennsylvania State University).
  • Don't Shoot the Messenger: Understanding Security Notifications at Scale: The Heartbleed vulnerability was one of the most impactful OpenSSL breaches to date, allowing attackers to read sensitive memory from vulnerable servers. As researchers, we analyzed the impact of the vulnerability and tracked the server operator community's responses. The most interesting lesson from our study is the surprising impact direct notification of network operators can have on patching. Presented by Michael Donald Bailey (University of Illinois).
  • No Honor Among Thieves: A Large-Scale Analysis of Malicious Web Shells: Web shells typically allow an adversary to navigate and control a compromised server, maintain access and elevate privileges, playing a crucial role in modern attacks. Yet Web shells have been treated as malicious black boxes that need to be detected and removed, rather than malicious pieces of software that need to be analyzed and understood in detail. This talk reports on the first comprehensive study of Web shells. Presented by Nick Nikiforakis (Stony Brook University).
  • Bringing Bro to the Enterprise: Comprehensive Visibility & Response for Every Corner of Your Network: Bro has recently gained substantial traction in large-scale corporate environments seeking monitoring capabilities beyond what traditional off-the-shelf commercial products can offer.  The Bro team is working to bring the system's full power to enterprise environments by catering to their specific demands and challenges. This talk will present current efforts to provide deep visibility into every corner of your network, preserve activity comprehensively for analytics and forensics, and respond to threats in real-time through dynamic, fine-granular counter measures. Presented by Robin Sommer (Broala).

At the last M3AAWG event in Atlanta, the Academic Committee had the pleasure to host four sessions. Here we summarize the two sessions that received the highest interest from the M3AAWG community.

Internet attacks are an enduring if not permanent phenomenon. On a daily basis, defenders must contemplate the levels of insecurity in their networks to determine what risks require attention and resources. Unfortunately, objectively defining cyber risk remains difficult, given the lack of an objective and repeatable metric. Network administrators often guess what parts of their network remain insecure and spend their resources based on estimates. Dr. Yacin Nadji from Georgia Tech discussed how he can deliver a novel capability that will enable the perpetual data-driven reasoning about the security risk of a network using objective passive network measurements.

Click fraud is a scam that hits a criminal sweet spot by both tapping into the vast wealth of online advertising and exploiting that ecosystem's complex structure to obfuscate the flow of money to its perpetrators. Paul Pearce from the University of California at Berkeley illuminated the intricate nature of this activity through the lens of ZeroAccess. Through his analysis he was able to estimate that the botnet's fraudulent activities plausibly induced advertising losses on the order of $100,000 per day.

Contact Academic Co-Chairs Dr. Manos Antonakakis, Georgia Tech, and Carel, Spamhaus at academic-chair@mailman.m3aawg.org.

Public Policy Committee
Cybersecurity Information Sharing Act Enacted into Law

Attend the Public Policy Regulatory Updates sessions in San Francisco on Wednesday for a discussion on the policies described here, international regulatory updates and other topics.

Cybersecurity Information Sharing Act (CISA)

The Cybersecurity Information Sharing Act (CISA) was enacted into law as part of the omnibus spending measure passed by Congress and signed by President Barack Obama in December 2015. The aim of CISA is to promote voluntary sharing of cybersecurity threat indicators between private entities, and between the private sector and the government. 

The bill affords broad liability protection for voluntary monitoring of networks for cybersecurity purposes and for voluntary sharing or receiving of cyber threat information in accordance with the Act. The legislation also permits private entities to operate defensive measures applied to their networks to protect those networks from cybersecurity attacks (not including, absent consent, measures that adversely impact third-party networks or data), but liability protection is not granted for defensive measures. 

Entities are not subject to liability for declining to engage in monitoring, information sharing or operating defensive measures, and do not have a duty to participate in any of these voluntary activities.

Prior to sharing cyber threat information, companies must review and remove any information not directly related to a cybersecurity threat which is known to be personal information of, or identifying, a specific individual, or must implement and utilize a technical capability to do the same. 

Cyber threat information shared with the Federal government under CISA is exempt from disclosure under the Freedom of Information Act, as well as agency ex parte rules, and generally prohibited from being used for regulatory purposes by Federal or State agencies. However, information shared with the Federal government may be used by agencies with specific authority to mitigate cyber threats to “inform” the development or implementation of regulations relating to information systems. 

Efforts are already underway to implement CISA. The timeline for implementation is as follows:

  • February 16, 2016: The Department of Homeland Security (DHS) and the Attorney General will issue interim privacy and civil liberties guidelines governing Federal government receipt of cyber threat indicators; and interim guidelines to assist entities and promote sharing of cyber threat indicators. 
  • March 17, 2016:  DHS will develop and implement a portal for real-time receipt of cyber threat indicators and defensive measures.
  • June 15, 2016: The privacy and civil liberties guidelines governing Federal government receipt of cyber threat indicators, and the guidelines to assist entities and promote sharing of cyber threat information, will be finalized by DHS and the Attorney General and submitted to Congress.
  • December 18, 2016: Heads of the appropriate Federal agencies must submit a detailed report to Congress on implementation of CISA.
  • December 18, 2018:  The Comptroller General must submit a report to Congress on actions taken by the Federal government to remove personal information from cyber threat indicators or defensive measures.
  • September 30, 2025: CISA sunsets.

National Institute of Standards and Technology Cybersecurity Framework under Review

The National Institute of Standards and Technology (NIST) issued a Request for Information (RFI) on December 11, 2015, seeking comments on ways in which the Framework is being used to improve cybersecurity risk management; how best practices for using the Framework are being shared; the relative value of different parts of the Framework; possible need for an update of the Framework; and options for long-term governance of the Framework. This effort may be the beginning of the development of a second iteration of the NIST Cybersecurity Framework.

Responses to the RFI are due on February 9, 2016. The Public Policy Committee will discuss whether M3AAWG should participate in a response. 

Efforts Underway to Develop Information Sharing and Analysis Organizations

In February 2015, President Obama signed an Executive Order (EO) to promote cyber threat information sharing within the private sector and between the private sector and Federal government. The EO directs DHS to establish certification standards for privately-run Information Sharing and Analysis Organizations (ISAOs) and adopts measures to foster greater sharing of classified cyber threat information by the Federal government with these ISAOs. 

An ISAO could be a non-profit group, membership organization, or single company facilitating sharing among its customers or partners. Under the EO, ISAO member-companies would receive limited liability protection if they share through an ISAO and comply with privacy safeguards, though this element of the Order will be impacted by the passage of CISA. 

The University of Texas at San Antonio will be the standards-setting body for ISAOs over the next five years. Under the EO, and consistent with CISA, the National Cybersecurity and Communications Center (NCCIC) will coordinate with the ISAOs on sharing information related to cyber risks and incidents. In addition, eligible ISAOs and other private entities with appropriate clearances also will have the opportunity to receive classified cyber threat information pursuant to procedures under CISA jointly developed by the Director of National Intelligence, DHS, and the Defense and Justice departments.

DHS held an initial public meeting on ISAO Standards Organization on November 9, 2015 to identify capabilities, criteria, processes and strategies for the operation of future working groups. Future meeting dates have not yet been announced.

Contact Public Policy Co-Chairs Chris Boyer (AT&T), Rudy Brioche (Comcast) and Frank Ackermann at publicpolicy-chair@mailman.m3aawg.org

Pervasive Monitoring SIG
New Forward Secrecy How-To Paper; Work to Encourage Secure Communications

Protecting against pervasive monitoring and the use of encryption by companies continues to be a huge industry focus.  Global industry leaders and governments – per "Apple's Tim Cook pushes White House to take stand on encryption," "Global tech giants back encryption," "The debate over government ‘backdoors’ into encryption isn’t just happening in the U.S.," and "Dutch government says no to 'encryption backdoors'" – are pushing back on regulations for preventing the implementation of encryption to secure their data and their downstream customers' data.  The M3AAWG Pervasive Monitoring Special Interest Group continues the journey to provide technically sound yet approachable advice on these complex topics, while maintaining a balanced perspective and coordinating our efforts with other organizations.

We continue to monitor industry progress toward adopting opportunistic TLS as a first step in securing email in transit, as outlined in our initial paper.  At M3AAWG 36 in San Francisco, we are including a progress update for opportunistic TLS adoption in our Wednesday session on improving email security.  Toward this goal, we took an action item from an Open Round Tables discussion at M3AAWG 35 in Atlanta to encourage providers to turn on opportunistic TLS by default on their platforms. Progress on this will be discussed at future meetings and in this newsletter.

While keeping an eye on industry adoption of opportunistic TLS, we also have been working to address the more aggressive Man-in-the-Middle (MITM) attack scenarios against messaging.  We previously published basic industry guidance in the paper "M3AAWG Initial Recommendations for Addressing a Potential Man-in-the-Middle Threat" and have been heavily focused on this during M3AAWG meetings.  The Pervasive Monitoring SIG has been evaluating IETF, DNSSEC and DANE technologies as well as creating the draft of a new protocol, "SMTP Strict Transport Security (STS)," to improve email security and guard against MITM attacks. To increase our industry outreach, we hosted Curt Barker and Scott Rose of the National Institute of Standards and Technology (NIST)/National Cybersecurity Center of Excellence and Viktor Dukhovni, IETF DANE working group owner, to provide their feedback and hear industry concerns during the meeting in Atlanta. We will continue evaluating existing technologies and investing efforts in reviewing other technological options so we will be able to provide the industry with proper guidance, as appropriate.

Newly completed, and to complement our initial TLS recommendations and MITM papers, we recently published "M3AAWG Initial Recommendations for Using Forward Secrecy to Secure Data."  The paper includes basic guidance for implementing forward secrecy and an explanation of why it's needed.

While most of our work has primarily been focused on email crypto to date, there are areas other than email that are also in need of cryptographic protection.  We are hosting a session at M3AAWG 36 in San Francisco on Wednesday titled “Pervasive Monitoring: Protecting Messaging Other Than Email, Plus Network Link Protection.”  During this session we will discuss cryptographic protections for other forms of messaging (e.g., voice telephony and chat/text messaging) as well as options for protecting higher bandwidth internal ISP network links. In the coming months, we will be publishing our next wave of best common practices, targeting the completion of the drafts of Crypto Isn’t Free, Traffic Analysis and SMTP Strict Transport Security (STS) by the end of April 2016.

Contact Pervasive Monitoring SIG Co-Chairs Alex Brotman (Comcast) and Janet Jones (Microsoft) at pervasive_monitoring-chair@mailman.m3aawg.org.

Senders Committee
Educational, Interesting, Timely

For San Francisco we have some educational, interesting and timely sessions.  Educational: A redo of our “Role with it Baby” session with new content from different senders. Interesting: Learn how one company had to tame their own organic 600,000 person email list that turned into a monster of good intentions. Timely: A panel on the highs and lows of sending political email.

Current work: We are seeking a new co-champion for our Click Tracking Abuse paper to help bring the document into a cohesive final draft. 

Contact Senders Committee Co-Chairs Tara Natanson (Constant Contact) and Andrew Barrett (Exact Target) at senders-chair@mailman.m3aawg.org

Collaboration Committee
Small Business Email, Phishing Notification and New Papers

In Atlanta, the Collaboration Committee continued the conversation around data sharing by co-hosting, with the APWG, a session centered on their Data Exchange system and User Awareness program, as well as hosting a session regarding experiences with Facebook’s ThreatExchange program. In keeping with one of the "themes" of M3AAWG 35, the committee hosted a session revolving around the security implications that ISPs should be aware of in the age of the Internet of Things. 

Following an Open Round Tables discussion during our previous Brussels meeting, the Collaboration Committee is pleased to announce the publication of the Feedback Loop Resources page on the M3AAWG public website. This page offers visitors information about various Feedback Loop (FBL) types and resources and can be found at /fbl-resources.

Coming up in San Francisco, the Collaboration Committee will be brainstorming ways that M3AAWG can help small or naive businesses, whose primary focus isn’t email, make sure they’re doing things right in a session that will lead to further Open Round Tables discussions. The committee will also be hosting sessions exploring how to best notify all interested parties when phishing is found on your network and methods for handling fraud in ways that support law enforcement while minimizing abuse. Two document working sessions on abuse of new TLDs and a possible standard for one-click unsubscribe – the result of two Open Round Tables discussions at our most recent meeting in Atlanta – are also slated for San Francisco.

As always, the Collaboration Committee would also like to invite all members to submit their meeting topic ideas for future meetings at /submissions.

Contact Collaboration Co-Chairs Dave Romerstein (Apple) and Sara Roper (CenturyLink) at collaboration-chair@mailman.m3aawg.org.
