Slashdot Mirror


Epsilon Breach Used Four-month-old Attack

schliz writes "Marketing giant Epsilon knew that it was vulnerable to an attack for 'some months' before suffering a high-profile breach last week. According to Epsilon's technology partner ReturnPath, the breach was part of a series of socially engineered attacks discovered in November."

13 of 48 comments

  1. Stupid by The Grim Reefer2 · · Score: 4, Insightful

    Why aren't there more laws to fine the hell out of companies like this when they are grossly negligent. This is their business, they should know better.

    1. Re:Stupid by fuzzyfuzzyfungus · · Score: 4, Funny

      Arguably, their management team should be given a life-sentence of manually deleting penis-pill spam using the 'Incredimail' client on a virus-riddled WinME box with inadequate RAM and AOL dialup.

      The rest of the company can be sold for scrap, and their mailing lists tossed into the nearest smelter.

    2. Re:Stupid by WrongSizeGlass · · Score: 5, Interesting

      Why aren't there more laws to fine the hell out of companies like this when they are grossly negligent. This is their business, they should know better.

      I'm guessing that there aren't more laws because legislators don't know shit about data & security so when they try to enact laws about these things they miss the mark by being too lax, too broadly defined or they just don't get it at all. Massachusetts seems to get it and recently handed down their first penalties.

  2. Proving once again by jayhawk88 · · Score: 4, Insightful

    That users are children. They lie, they don't listen, they ignore your advice, they actively look for ways to get around the measures you put in place for their benefit, and at the end of the day, when the users have done something galactically stupid, IT'S ALL YOUR FAULT!

    Your users are children. Treat them as such.

    1. Re:Proving once again by gstoddart · · Score: 3, Interesting

      That users are children. They lie, they don't listen, they ignore your advice, they actively look for ways to get around the measures you put in place for their benefit, and at the end of the day, when the users have done something galactically stupid, IT'S ALL YOUR FAULT!

      And, since they're storing other people's data (some of mine for example) they have a responsibility to make sure they're actually taking steps to protect it.

      So, I say don't treat them like children ... I say treat them like adults who are expected to know better, and make sure they have consequences, because they've been entrusted with this stuff. Don't coddle them and say "mustn't touch", this is serious stuff.

      I must say, I'm somewhat annoyed at the companies I dealt with who farmed out this stuff. But I figure if your industry is doing this stuff, you should be held to a standard similar to my banking information ... if you lose track of it, or allow a breach, there should be significant (and increasing) fines for something like this.

      There are now several companies I have a business relationship with, from whom I will have to largely distrust emails until I can bypass any links in the email and verify ... some of these companies have had over $10K in business from me in the last year. They're going to have to work awful hard to repair my trust.

      --
      Lost at C:>. Found at C.
  3. Vulnerable by haystor · · Score: 5, Funny

    Epsilon has always been vulnerable to attack by some smaller value of x.

    --
    t
  4. It was your fault, after all by Toe, The · · Score: 5, Insightful

    The letters from Chase and Citi, both say effectively: "your data was stolen, here's what you should do to protect your data." They then go into a litany of minor data hygiene practices, failing to point out they themselves did not vet their vendor's security practices. There is no claim of culpability for bad security policy nor any indication that they will try to do better in the future. In other words, no reason why you should trust them with your data (and this response is sadly commonplace).

  5. Re:Good News / Bad News by elrous0 · · Score: 3, Funny

    I got a bunch of those too. Some of them asked me to click on links and give them my username and password too, so they could scan my system and make sure I was okay. I did this immediately of course, as I value my personal security greatly.

    On a related note, has anyone else noticed that Bank of America has relocated to Russia? Kind of ironic, don't you think? And they really needed to do better proofreading on their website.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  6. Re:socially engineered Windows attacks? by Tolvor · · Score: 2

    Solution: configure your email server to scrub all active content in emails.
    The original article states that there wasn't any active content in the email. The email was just a social engineering ploy to cause a person to go to an innocent looking but actually malware loaded web page. The email that the person in Epsilon received mentioned a forgotten friendship and recent wedding. Everyone has forgotten past friends, and wedding photos can be nice to look at. Certainly an employee would not worry about violating the company's acceptable use policy on this site.

    The part I'm curious about is how the website managed to install the malware on the computer. Most company computers nowadays have the administration functions locked out and cannot be changed by the computer user. Even if Epsilon did not secure the PCs against installation I cannot figure out how the webpage delivered a malware payload that would disable the anti-virus without any warning. After that installing the keyloggers and remote administration is easy.

    I'm also surprised that Epsilon did not have any network analyzers already installed. A good system administrator keeps watch over even tiny leaks like Microsoft Office products checking their versions (and serial numbers) with the Microsoft site. System Administrators keep watch to see where their fellow employees have been browsing (www.somethingxxx.??? will get you fired, www.timewastingfunsite.??? will get you a warning, a family site like www.weddingphotos4u.net (the malware site used against Epsilon) will be ignored). How did they miss this traffic going back and forth on their network?

    Anyone can be fooled into visiting a hostile site if the attack and site are constructed to be as attractive as possible. I do blame Epsilon for missing the impact and changes that such a site will have on a computer and network.
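
The comment above makes a detection point that is easy to miss: a site that looks like a family photo gallery sails through category-based browsing review, so the useful signal is not what the site is but that nobody in the organisation had ever contacted it before, that an executable came down from it, and that the client then started posting back to it. The following is an added example (editorial, not code from the thread or from Epsilon/ReturnPath) showing that logic over a handful of constructed proxy log lines. The simplified log format, the client IPs, the timestamps, the baseline of "known" hosts and every URL except the www.weddingphotos4u.net hostname named in the comment are invented for illustration.

```python
"""Flag first contact with an unfamiliar host, executable downloads from it,
and POSTs back to it, over a simplified proxy log.

Added example, not from the original thread. Log format is a made-up
space-separated layout: timestamp client method url status bytes.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample traffic (not real logs). Only the hostname
# www.weddingphotos4u.net comes from the comment above; everything else
# (IPs, times, paths, the other hosts) is invented for the example.
SAMPLE_LOG = """\
2011-03-21T09:14:02 10.1.4.23 GET http://www.microsoft.com/office/update 200 1842
2011-03-21T09:15:10 10.1.4.23 GET http://mail.example-corp.com/inbox 200 53210
2011-03-21T09:31:44 10.1.4.23 GET http://www.weddingphotos4u.net/gallery.php 200 88213
2011-03-21T09:31:46 10.1.4.23 GET http://www.weddingphotos4u.net/js/loader.js 200 6112
2011-03-21T09:31:47 10.1.4.23 GET http://www.weddingphotos4u.net/setup.exe 200 1048576
2011-03-21T09:40:00 10.1.4.23 POST http://www.weddingphotos4u.net/c/ 200 312
2011-03-21T10:05:00 10.1.4.41 GET http://www.weddingphotos4u.net/gallery.php 200 88213
"""

# Hypothetical baseline of hosts the organisation has seen before. In
# practice this is built from weeks of earlier logs or an allow-list.
BASELINE_HOSTS = {"www.microsoft.com", "mail.example-corp.com"}

# File extensions worth calling out when they arrive from a never-seen host.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".jar", ".pif")


def parse_line(line):
    """Split one log line of the assumed format into a record dict."""
    ts, client, method, url, status, nbytes = line.split()
    return {
        "ts": ts, "client": client, "method": method, "url": url,
        "host": urlsplit(url).hostname,
        "path": urlsplit(url).path.lower(),
        "status": int(status), "bytes": int(nbytes),
    }


def analyse(log_text, baseline):
    """Return a list of (kind, client, host, detail) findings.

    kinds: first_contact     - first time any client reached this host
           exe_download      - executable fetched from a non-baseline host
           post_to_new_host  - POST to a non-baseline host (beacon candidate)
    """
    findings = []
    seen = set(baseline)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        host = rec["host"]
        if host not in seen:
            seen.add(host)
            findings.append(("first_contact", rec["client"], host, rec["ts"]))
        if host in baseline:
            continue  # known host: category rules, not novelty, apply here
        if rec["path"].endswith(EXECUTABLE_SUFFIXES):
            findings.append(("exe_download", rec["client"], host, rec["url"]))
        if rec["method"] == "POST":
            findings.append(("post_to_new_host", rec["client"], host, rec["url"]))
    return findings


def new_host_client_counts(log_text, baseline):
    """How many distinct clients touched each non-baseline host: a second
    client hitting the same fresh host is how one lure becomes a spread."""
    clients = defaultdict(set)
    for raw in log_text.splitlines():
        if raw.strip():
            rec = parse_line(raw)
            if rec["host"] not in baseline:
                clients[rec["host"]].add(rec["client"])
    return {host: len(c) for host, c in clients.items()}


if __name__ == "__main__":
    for kind, client, host, detail in analyse(SAMPLE_LOG, BASELINE_HOSTS):
        print(f"{kind:17} {client:10} {host:26} {detail}")
    print(new_host_client_counts(SAMPLE_LOG, BASELINE_HOSTS))
```

Run as-is it reports the first contact at 09:31:44, the setup.exe fetch and the POST from the same client, and then shows a second client reaching the same host half an hour later. None of those three signals depends on knowing the site is malicious, which is the point: a "family site" filter would have ignored all of them.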

  7. Re:Good News / Bad News by Toe, The · · Score: 5, Funny

    Beloved,

    It is welcome that you took this forward action to pervert critical contanimation of your most personal datas by submitting to computerscan with fantastic quick.

    Please be noted that Bank of Armerca is not changed to Russia. Is only important and extremely trusted vender who is making home inside of beautiful Mother Russia. This vender is to be deeply trusted by you very much and often. Examine the emails addressing on this emails and be aware that it comes from Bank of Armerca. Also to see the Bank of Armerca logo is on this emails, so you know it is very trust.

    Greetings,

    Ivan Petrovitch
    Bank of Armerca President
    snerksky772@hotmail.com

  8. I work for... by holmedog · · Score: 5, Interesting

    A direct competitor for Epsilon and I can say that everyone in our business (Epsilon included) has security measures in place to stop these kinds of things. Problem is, everyone at these types of companies are people. We might have millions invested in keeping data safe, but when you pay someone $10/hr to flip tapes in the data warehouse, you're still taking a risk that person might be doing something stupid in the interim. The simple fact is, data warehousing happens because it is cost efficient for companies to pay us to do it. That cost savings is seen by the consumer in the rates being knocked down for services. Why do you think you can get insurance so cheap? (well, here goes my karma...)

    1. Re:I work for... by holmedog · · Score: 2

      Because it isn't exactly hard to sit on your ass all day and occasionally walk over to a tape deck, pull one out, and put a new one in. Not exactly a job that requires a ton of college education. And, as we all know, you pay for the work that's done, not the security that is expected of the worker.

    2. Re:I work for... by holmedog · · Score: 2

      Why build a robot for a ton of money, have someone to program and run the robot, pay for upkeep on the robot, etc when you could just pay some college student $10 to play on his PSP until a tape needs flipped? It's a matter of money. And, just a poor example at any rate. These people who were socially engineered were probably people at the help line, whose job is a bit more complex than flipping tapes. They still aren't exactly the highest hitters in the workpool, but they are given the ability to reset and hand out passwords, which gets you a lot closer to the data.