Tired of getting phony calls from Visa about an alleged abuse of your credit card? Angered about the way your firm’s logo is being used in phishing attacks? There’s a big meeting this week in Montreal among leading industry companies trying to do something about these and similar problems.
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), one of the biggest security-related internet industry groups, is holding its 47th general meeting since 2004. (There are general meetings three times a year.)
In Montreal dozens of carriers, platforms and vendors from around the world are continuing their fight to find new ways to reduce spam, denial of service attacks, robocalls, bots on their networks and more.
Most sessions are closed to the public, but the association has said there will be presentations on preparing for the threat quantum computing poses to encryption, how Google fights spam, AT&T’s efforts to automatically mitigate DDoS attacks, creating security standards for IoT devices, ways of detecting phony corporate logos in phishing, and emerging threats. It will also be discussing diversity in the industry.
In an interview Len Shneyder, Twilio SendGrid’s vice-president of industry relations and a former board member, said there are also sessions on how members might help solve problems with election and data security.
The conference “gives us a chance to check in with our partners in industry and have candid conversations about what they’re seeing and how we can be of service to one another,” he said.
Many of the security-related protocols used by Internet providers and enterprises, such as DMARC (Domain message authentication reporting) and the new anti-phone spoofing STIR/SHAKEN certificate system, are polished by the group.
It publishes a number of advisory papers for the industry. For example, its most recent was on best practices for domains that send bulk email.
M3AAWG has some 200 members, led by a number of big names as sponsors: carriers AT&T, Comcast and Orange; social media platforms Facebook, Google, LinkedIn, Verizon Media (Yahoo), Microsoft; and security vendors VeriSign and Proofpoint. Full members include IBM, Cisco Systems, Symantec and McAfee.
Canadian participation is small: Among Canadian telcos and Internet providers, only Bell Canada and Eastlink are member supporters. TD Bank is the only Canadian financial institution. Also a supporter member is Toronto-based domain registrar and mobile service provider Tucows.
In general, Shneyder said, the association is a place for providers of all shapes and sizes to learn how to secure themselves. “If you want to have a conversation about the proper way to set up email authentication, this is the place,” he said.
Janet Jones, a M3AAWG vice-chair who is also a senior security program manager for Microsoft’s customer security and trust engineering organization, gave another example of the work: Looking at how organizations will implement the new TLS 1.3 transport layer security protocol.
“Some organizations want to be able to inspect traffic, and others want to be able to lock them down,” she said. “We have to be able to work together on adoption.
“One of the main focuses is making sure we have a group of industry experts, companies and governments all participating to solve problems that would require more interaction among different parties. If you think about encryption in particular, it’s only as exciting as what your partners are doing. If one company is doing encryption over TLS and the other company isn’t, when data moves from one to the other it will be in cleartext.”
The group does more than put out best practices, she added. It also works with similar-minded groups in Latin America, India and Japan.