Slashdot Mirror


Epsilon Breach Used Four-month-old Attack

schliz writes "Marketing giant Epsilon knew that it was vulnerable to an attack for 'some months' before suffering a high-profile breach last week. According to Epsilon's technology partner ReturnPath, the breach was part of a series of socially engineered attacks discovered in November."

48 comments

  1. Good News / Bad News by Anonymous Coward · · Score: 0

    I unfortunately have gotten emails from about 5 or 6 companies that used Epsilon. Fortunately for me it was all the same email address.

    1. Re:Good News / Bad News by elrous0 · · Score: 3, Funny

      I got a bunch of those too. Some of them asked me to click on links and give them my username and password too, so they could scan my system and make sure I was okay. I did this immediately of course, as I value my personal security greatly.

      On a related note, has anyone else noticed that Bank of America has relocated to Russia? Kind of ironic, don't you think? And they really needed to do better proofreading on their website.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    2. Re:Good News / Bad News by Toe, The · · Score: 5, Funny

      Beloved,

      It is welcome that you took this forward action to pervert critical contanimation of your most personal datas by submitting to computerscan with fantastic quick.

      Please be noted that Bank of Armerca is not changed to Russia. Is only important and extremely trusted vender who is making home inside of beautiful Mother Russia. This vender is to be deeply trusted by you very much and often. Examine the emails addressing on this emails and be aware that it comes from Bank of Armerca. Also to see the Bank of Armerca logo is on this emails, so you know it is very trust.

      Greetings,

      Ivan Petrovitch
      Bank of Armerca President
      snerksky772@hotmail.com

  2. Stupid by The Grim Reefer2 · · Score: 4, Insightful

    Why aren't there more laws to fine the hell out of companies like this when they are grossly negligent. This is their business, they should know better.

    1. Re:Stupid by fuzzyfuzzyfungus · · Score: 4, Funny

      Arguably, their management team should be given a life-sentence of manually deleting penis-pill spam using the 'Incredimail' client on a virus-riddled WinME box with inadequate RAM and AOL dialup.

      The rest of the company can be sold for scrap, and their mailing lists tossed into the nearest smelter.

    2. Re:Stupid by slashdottedjoe · · Score: 1

      Why not have law enforcement work harder on these crimes than drug enforcement?

    3. Re:Stupid by WrongSizeGlass · · Score: 5, Interesting

      Why aren't there more laws to fine the hell out of companies like this when they are grossly negligent. This is their business, they should know better.

      I'm guessing that there aren't more laws because legislators don't know shit about data & security so when they try to enact laws about these things they miss the mark by being too lax, too broadly defined or they just don't get it at all. Massachusetts seems to get it and recently handed down their first penalties.

    4. Re:Stupid by truk138 · · Score: 1

      You, sir, have inspired me. Perchance you have a newsletter?

    5. Re:Stupid by Locke2005 · · Score: 1

      You can have much more fun parties with confiscated drugs than you can with confiscated email lists. Seriously, when was the last time you heard anyone say, "Cops always have the best lists of spammable email addresses!"

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    6. Re:Stupid by jhigh · · Score: 1

      If I only had mod points... Well played, sir.

      --
      Social Engineering Expert: Because there is no patch for stupidity.
    7. Re:Stupid by KingBenny · · Score: 0

      Because more laws don't automatically breed more competent people? If a law against stupidity and negligence would work, I'm sure it would have been perfected by now.

      --
      Free speech was meant to be free for all... how can anyone grow up in a nanny state?
  3. good by Anonymous Coward · · Score: 0

    very good post. enjoy

  4. Proving once again by jayhawk88 · · Score: 4, Insightful

    That users are children. They lie, they don't listen, they ignore your advice, they actively look for ways to get around the measures you put in place for their benefit, and at the end of the day, when the users have done something galactically stupid, IT'S ALL YOUR FAULT!

    Your users are children. Treat them as such.

    1. Re:Proving once again by piripiri · · Score: 1

      I wish I had a mod point left.

    2. Re:Proving once again by gstoddart · · Score: 3, Interesting

      That users are children. They lie, they don't listen, they ignore your advice, they actively look for ways to get around the measures you put in place for their benefit, and at the end of the day, when the users have done something galactically stupid, IT'S ALL YOUR FAULT!

      And, since they're storing other people's data (some of mine for example) they have a responsibility to make sure they're actually taking steps to protect it.

      So, I say don't treat them like children ... I say treat them like adults who are expected to know better, and make sure they have consequences, because they've been entrusted with this stuff. Don't coddle them and say "mustn't touch", this is serious stuff.

      I must say, I'm somewhat annoyed at the companies I dealt with who farmed out this stuff. But I figure if your industry is doing this stuff, you should be held to a standard similar to my banking information ... if you lose track of it, or allow a breach, there should be significant (and increasing) fines for something like this.

      There are now several companies I have a business relationship from whom I will have to largely distrust emails until I can bypass any links in the email and verify ... some of these companies have had over $10K in business from me in the last year. They're going to have to work awful hard to repair my trust.

      --
      Lost at C:>. Found at C.
    3. Re:Proving once again by Anonymous Coward · · Score: 0

      Stop blaming users. We, as IT professionals, need to start owning up to allowing these things to happen.

      We've let marketing and profits and our own paychecks get in the way of creating secure systems for the last several decades.

    4. Re:Proving once again by ThatsNotPudding · · Score: 1

      Your users are children. Treat them as such.

      This is why IT guys are so universally loved and respected.

    5. Re:Proving once again by jayhawk88 · · Score: 1

      You know what though? It's time to stop letting user get a free pass with crap like this. They've been told. Don't follow unknown links you get in emails. Don't reply to emails asking for sensitive information. Don't give the dude who cold-called you your password. But they still keep doing this crap.

      If someone calls me up out of the blue and wants to know the schedules for building security, and the locations of all the security cameras, and I give it to them, I'm responsible. If someone backs a truck up to the loading dock saying they need to take all the office furniture in for a monthly cleaning and I open the dock door for them and help them load it all up, I'm responsible. If someone asks me to provide them with information on all of my business's customers, and I give it to them, I'm responsible. I'm fired, I'm possibly fined, I maybe even go to jail. Why does it suddenly become an "Oopsie" when there's a computer involved? It's Two thousand and fucking eleven already. These people have been using computers at their job daily for the better part of a decade in most cases by now. They know better, and if they really don't, then they need to hurry up and learn, or face the consequences.

  5. Open source bug resolution is sluggish. by Anonymous Coward · · Score: 0

    Companies that maintain proprietary software have whole teams devoted to fixing bugs in the software and thus are more reliable. Oh wait...

  6. returnpath and co are evil by Anonymous Coward · · Score: 0

    the whole business of returnpath and other "esp"s is blacklisting the hell out of our email servers.

    and then yahoo and others kindly redirect you to the "esp" where you pay ridiculous sums to send e-mail in inbox not in spam...

    I say fuck 'em

    and also they probably hacked themselves in order to be able to spam the shit out of their lists and then blame it on hackers...

  7. Vulnerable by haystor · · Score: 5, Funny

    Epsilon has always been vulnerable to attack by some smaller value of x.

    --
    t
    1. Re:Vulnerable by thsths · · Score: 1

      Let epsilon be zero.

    2. Re:Vulnerable by Anonymous Coward · · Score: 0

      int epsilon = 0;
      int x = -1;
      if (x < epsilon) { // Magic happens here
              perform_breach();
      }

    3. Re:Vulnerable by Anonymous Coward · · Score: 0

      s/xepsilon/x<epsilon/

  8. It was your fault, after all by Toe, The · · Score: 5, Insightful

    The letters from Chase and Citi, both say effectively: "your data was stolen, here's what you should do to protect your data." They then go into a litany of minor data hygiene practices, failing to point out they themselves did not vet their vendor's security practices. There is no claim of culpability for bad security policy nor any indication that they will try to do better in the future. In other words, no reason why you should trust them with your data (and this response is sadly commonplace).

    1. Re:It was your fault, after all by mlts · · Score: 1

      I'm sure none of their minor data hygiene practices have stuff that really matters too:

      If one has Chase, Citi, or a bank that is affected, change the E-mail address to one, preferably something just opened on a non-free domain, like me.com. This way, if the bank does send an official notification, it definitely will be correct, while the phishers will continue to send to the last address.

      Well, this is until someone gets haxxored again and the new E-mail address gets compromised. I doubt there will be more than lip service paid to actually preventing a subsequent breach from happening in the future, because to PHBs, security has no ROI.

    2. Re:It was your fault, after all by sjames · · Score: 1

      Oh, they'll put plenty of effort into making sure news of any future breaches stays quiet.

  9. Attacked by a four-month-old? by Anonymous Coward · · Score: 1

    Are YOU afraid of a baby?

  10. More Apologies by coinreturn · · Score: 1

    Every day since this story broke, I get yet another apology letter or two from another major company.

  11. socially engineered Windows attacks? by Anonymous Coward · · Score: 0

    "He said that the phishing attacks were targeted specifically at employees .. The link in the body of the email took the user to a page that downloaded three malware programs – one that disables anti-virus software, another (iStealer) that is a Trojan keylogger to steal passwords, and a third (CyberGate) which offers hackers remote administration of the infected machine" [link]

    Did any of this malware prompt for the admin password or were they already logged in as administrator? How they managed to write that story without once mentioning Microsoft Windows is incredulous. Solution: configure your email server to scrub all active content in emails, i.e. remove autorun scripts in MS Office files, mangle URL links and overwrite the header at the start of anything executable that's trying to download itself ...

    1. Re:socially engineered Windows attacks? by Tolvor · · Score: 2

      Solution: configure your email server to scrub all active content in emails.
      The original article states that there wasn't any active content in the email. The email was just a social engineering ploy to cause a person to go to an innocent looking but actually malware loaded web page. The email that the person in Epsilon received mentioned a forgotten friendship and recent wedding. Everyone has forgotten past friends, and wedding photos can be nice to look at. Certainly an employee would not worry about violating the company's acceptable use policy on this site.

      The part I'm curious about is how the website managed to install the malware on the computer. Most company computers nowadays have the administration functions locked out and cannot be changed by the computer user. Even if Epsilon did not secure the PCs against installation I cannot figure out how the webpage delivered a malware payload that would disable the anti-virus without any warning. After that installing the keyloggers and remote administration is easy.

      I'm also surprised that Epsilon did not have any network analyzers already installed. A good system administrator keeps watch over even tiny leaks like Microsoft Office products checking their versions (and serial numbers) with the Microsoft site. System Administrators keep watch to see where their fellow employees have been browsing (www.somethingxxx.??? will get you fired, www.timewastingfunsite.??? will get you a warning, a family site like www.weddingphotos4u.net (the malware site used against Epsilon) will be ignored). How did they miss this traffic going back and forth on their network?

      Anyone can be fooled into visiting a hostile site if the attack and site are constructed to be as attractive as possible. I do blame Epsilon for missing the impact and changes that such a site will have on a computer and network.

    2. Re:socially engineered Windows attacks? by Locke2005 · · Score: 1

      In Windows XP, you have to give everybody Admin privileges, otherwise they can't install _anything_ themselves. In Windows 7 (and presumably Vista as well), it will prompt for the Admin password every time you try to install, so you don't have to run all the time with Admin privilege. But that's still no protection against social engineering; if you give users the ability to modify their own machines, they will be able to install malware.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    3. Re:socially engineered Windows attacks? by klubar · · Score: 1

      I disagree about giving administrative privileges... why would a user ever need to install anything on their machine? There should be a standard build that is locked down very tightly that is deployed to every desktop. Group policies should prevent/log all users' actions. In general, installing an application should be a firing offense. This is pretty much security 101.

    4. Re:socially engineered Windows attacks? by Locke2005 · · Score: 1

      Generally that's true. But as an engineer, I'm required to install drivers for the software I'm writing all the time, and calling IT to type in a password every time I get new hardware to support is kind of a pain.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    5. Re:socially engineered Windows attacks? by klubar · · Score: 1

      True... I was mostly referring to average office employees... Recently I needed to do some work on rebuilding a Mac and felt the same way... intrusive pop-ups asking for a password all the time. (The same might be true for Linux: everything needs a sudo or you just run as su.)

      The recommendation for developers & engineers is that they be on a completely separate network that is isolated from live data. And they probably shouldn't be getting emails on the development machines (nor clicking on wedding web sites).

  12. Textbook example of how not to run an IT business by billrp · · Score: 1

    Employee clicks a phishing link in an email - that site is not filtered by their firewall
    The site requests and the employee allows downloads of executables - improper employee training and exes not filtered by firewall
    Employee allows exes to run - no exe blocking installed in the employee's PC
    Uploads of clear email lists - stored lists should be encrypted, and also no firewall monitoring/blocking of file transfers
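The four failures listed in the post above (unfiltered phishing site, unfiltered executable download, executables allowed to run, cleartext lists uploaded out of the network unnoticed) can each be spotted in ordinary web-proxy logs. The script below is an added example, not code from this thread or from Epsilon, ReturnPath or any vendor mentioned in it; it assumes a constructed Squid-style access-log layout (timestamp, client IP, method, URL, status, bytes received by the client, bytes sent by the client, content type), a hypothetical allowlist of internal hosts, and made-up sample lines. It flags executable downloads from non-allowlisted hosts, bulk uploads to non-allowlisted hosts, and clients that did both, which is the chain the post describes.

```python
"""Detection over proxy logs for the phishing -> executable download -> bulk
upload chain discussed in the thread. Added example; the log format, the
allowlist and every sample line are constructed for illustration."""

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample lines (not real traffic): ts client method url status
# bytes_in (to client) bytes_out (from client) content-type
SAMPLE_LOG = """\
1302000001 10.0.0.15 GET http://intranet.example.local/home 200 4120 0 text/html
1302000040 10.0.0.15 GET http://weddingphotos-example.invalid/gallery.html 200 18222 0 text/html
1302000043 10.0.0.15 GET http://weddingphotos-example.invalid/viewer.exe 200 448000 0 application/x-msdownload
1302000044 10.0.0.15 GET http://weddingphotos-example.invalid/update.bin 200 96000 0 application/octet-stream
1302000900 10.0.0.15 POST http://cdn-upload-example.invalid/put 200 512 52428800 text/plain
1302000950 10.0.0.22 GET http://www.microsoft.com/ 200 9000 0 text/html
1302001000 10.0.0.22 POST http://intranet.example.local/upload 200 300 2048 text/plain
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes_in>\d+) (?P<bytes_out>\d+) (?P<ctype>\S+)$"
)

# Hypothetical allowlist: hosts where downloads and uploads are expected.
ALLOWED_HOSTS = {"intranet.example.local", "www.microsoft.com"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream",
                    "application/x-dosexec"}
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".msi", ".bin")
UPLOAD_THRESHOLD = 10 * 1024 * 1024  # bytes sent by the client in one request


@dataclass
class Alert:
    kind: str      # "exe_download" or "bulk_upload"
    client: str
    host: str
    detail: str


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("ts", "status", "bytes_in", "bytes_out"):
        rec[key] = int(rec[key])
    rec["host"] = urlparse(rec["url"]).hostname or ""
    return rec


def analyse(log_text, allowed_hosts=ALLOWED_HOSTS, upload_threshold=UPLOAD_THRESHOLD):
    """Return alerts for executable downloads from, and bulk uploads to,
    hosts outside the allowlist. Only successful (200) requests count."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        external = rec["host"] not in allowed_hosts
        path = urlparse(rec["url"]).path.lower()
        looks_executable = (rec["ctype"] in EXECUTABLE_TYPES
                            or path.endswith(EXECUTABLE_EXT))
        if external and rec["method"] == "GET" and looks_executable:
            alerts.append(Alert("exe_download", rec["client"], rec["host"], path))
        if (external and rec["method"] in ("POST", "PUT")
                and rec["bytes_out"] >= upload_threshold):
            alerts.append(Alert("bulk_upload", rec["client"], rec["host"],
                                f"{rec['bytes_out']} bytes"))
    return alerts


def chain_suspects(alerts):
    """Clients that both pulled an executable from outside and later pushed
    a large upload outside: the full chain, not just one symptom."""
    downloaded = {a.client for a in alerts if a.kind == "exe_download"}
    uploaded = {a.client for a in alerts if a.kind == "bulk_upload"}
    return downloaded & uploaded


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for a in found:
        print(f"{a.kind:13} client={a.client} host={a.host} {a.detail}")
    print("clients showing the full chain:", sorted(chain_suspects(found)))
```

Two of the four points on the list are deliberately not covered here: whether an executable is allowed to run on the endpoint is a host-side control (application whitelisting), and whether the stored lists were encrypted is a data-at-rest question; neither is visible from a proxy log, which is why the upload check keys on volume to an unknown host rather than on content.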

  13. It's an education problem by Locke2005 · · Score: 1

    Which engineering schools are now offering degrees in Social Engineering? Can I go back to school and get my MSSE?

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:It's an education problem by Tolvor · · Score: 1

      Actually, there are a couple of degrees for that...

      One is majoring in Political Science ("I do not do this for me, nor for my community, but because it is the right thing to do for our CHILDREN.")

      The other is getting a degree in law (any specialty) ("Is it true that you still beat your wife?")

  14. I work for... by holmedog · · Score: 5, Interesting

    A direct competitor for Epsilon and I can say that everyone in our business (Epsilon included) has security measures in place to stop these kinds of things. Problem is, everyone at these types of companies are people. We might have millions invested in keeping data safe, but when you pay someone $10/hr to flip tapes in the data warehouse, you're still taking a risk that person might be doing something stupid in the interim. The simple fact is, data warehousing happens because it is cost efficient for companies to pay us to do it. That cost savings is seen by the consumer in the rates being knocked down for services. Why do you think you can get insurance so cheap? (well, here goes my karma...)

    1. Re:I work for... by Anonymous Coward · · Score: 0

      What? You're saying that these firms take data security so seriously that they'll destroy their multimillion dollar investments in data safety by underpaying the people who work with the data? So they blow millions on a fence and then pay the guys who make copies of the gate key minimum wage? Why build the fence in the first place?

    2. Re:I work for... by Anonymous Coward · · Score: 0

      Because the guy who's making copies of the gate keys has undergone a background check, and we know he's a security expert because he worked for the military!

      Or in other words, they do it to say they "did their best"

    3. Re:I work for... by holmedog · · Score: 2

      Because it isn't exactly hard to sit on your ass all day and occasionally walk over to a tape deck, pull one out, and put a new one in. Not exactly a job that requires a ton of college education. And, as we all know, you pay for the work that's done, not the security that is expected of the worker.

    4. Re:I work for... by rmstar · · Score: 1

      So they blow millions on a fence and then pay the guys who make copies of the gate key minimum wage? Why build the fence in the first place?

      What normally happens in companies is that the people that do the hiring ("Human Resources") might not even understand what the companies actually do. So yes, they end up hiring someone for $10 an hour and feel great because they have saved the company money. That it is stupid is something lost on them.

      It seems that it is even lost on the guys working on the product.

    5. Re:I work for... by Anonymous Coward · · Score: 0

      Because it isn't exactly hard to sit on your ass all day and occasionally walk over to a tape deck, pull one out, and put a new one in. Not exactly a job that requires a ton of college education. And, as we all know, you pay for the work that's done, not the security that is expected of the worker.

      Why not use robots?

    6. Re:I work for... by holmedog · · Score: 2

      Why build a robot for a ton of money, have someone to program and run the robot, pay for upkeep on the robot, etc when you could just pay some college student $10 to play on his PSP until a tape needs flipped? It's a matter of money. And, just a poor example at any rate. These people who were socially engineered were probably people at the help line, whose job is a bit more complex than flipping tapes. They still aren't exactly the highest hitters in the workpool, but they are given the ability to reset and hand out passwords, which gets you a lot closer to the data.

    7. Re:I work for... by Anonymous Coward · · Score: 0

      That cost savings is seen by the consumer in the rates being knocked down for services. Why do you think you can get insurance so cheap?

      I'm still laughing, maybe the stockholders of insurance companies get a break but my rates have never gone down in thirty years unless coverage decreased. Cost savings in any industry does not get passed along to the customer these days; it goes to bonuses and dividends.

  15. thx by Anonymous Coward · · Score: 0

    good job. this is very really cool post. thx :)

  16. Deltas by Anonymous Coward · · Score: 0

    Just because there is always a delta doesn't mean you don't pick a smaller value of epsilon.