CAUCE: April 2011

« March 2011 | Main | May 2011 »

April 2011

11 April 2011

Facts & Tips for Consumers about the Epsilon Breach

Epsilon Interactive, who sends commercial email on behalf of hundreds of companies, admitted to a security breach that they detected some time in March. Epsilon and its parent company, Alliance Data, have posted two press releases about the breach.

Epsilon Notifies Clients of Unauthorized Entry into Email System – April 01, 2011
Alliance Data Provides Statement Surrounding Unauthorized Entry Incident at Epsilon Subsidiary - April 06, 2011

How many companies’ customers' email addresses were lost?

Epsilon has not revealed any statistics beyond ‘2% of our clients’, of which they reportedly have 2,500.

Journalists covering the story have collected notifications sent by about 70 companies, including many financial institutions. The names of these companies have been published at:

What information was lost?

Epsilon has stated that the names and email addresses of their clients' customers were taken. Presumably the attackers were also able to access the names of each client.

What does this mean for consumers?

If you received a notification from one of Epsilon's clients, the thieves know your name and email address. Depending on which company had your information, the thieves may also be know the hotels you may stay at, which credit cards you may use, or where you buy stuff online. If your email address shows up on several of these lists, the criminals can draw together a pretty accurate profile of who you are, and what you typically do, and can guess your income level. Ironically, that is what companies like Epsilon do with the data, too.

Do the criminals have any more information about me?

While it's common for the contents of an email message to include more personal information than your name and email address, as far as we know, this information was not stolen. Often times, different data is stored in different places, and the thieves may have not been able to access the contents of previously sent messages. There is a pretty good explanation of the way these marketing databases generally work here

My address was lost in the Epsilon breach; CAUCE says the only way protect myself against phishing is to change my address. Isn't that is a rather extreme approach?

Sadly, it may not be extreme enough. The Anti-Phishing Work Group reports that there are about 360,000 unique phishing sites, annually [2010].

Anti-virus software catches new malware about 20% of the time, leaving computer end-users exposed to a tremendous amount of viruses, keyloggers, and spyware, and other bad things. Anti-spam software does a pretty good job, getting well upwards of 90% of all spam, but some trickles through. We know that phishing attempts were successful at companies, ESPs, who were on high alert for the attempts.

While some phishing attempts are obvious, almost silly, others can be extremely difficult for end-users to recognize. Our friends at Word to the Wise took apart a legitimate email from an Epsilon client-company, and even email experts had a hard time determining if the email was real. See their article ‘Real. Or. Phish?’.

If your email was lost by a client company of Epsilon, we stand by our suggestion that changing your address is the best way to avoid receiving and having to deal with the phishing emails and other spam that will inevitably come from this data theft. Even if you don't want to abandon your current address entirely, this would be a good time to set up a new address and move your important communications there.

I unsubscribed from a customer list at Epsilon, and still received a notification from them. Isn’t this illegal?

It is arguably illegal under some laws, but it makes good sense that they did mail you. It doesn’t mean you weren’t unsubscribed. Here’s how it works: When you unsubscribe from an emailer’s list, they put your address into what they call a ‘suppression list’. The criminals presumably stole these too. The companies did the right thing by alerting you to the fact that your address was stolen.

How can I unsubscribe from everything at Epsilon?

Epsilon maintains a list of places where you can unsubscribe from a variety of their clients' newsletters.

We do not know if this will ensure that another of their clients will not upload your address to Epsilon in the future, and of course there are many other ESPs out there.

Are the authorities involved? Can I sue someone?

Epsilon is reportedly working with the Secret Service, presumably because information related to bank and credit card clients was lost. Previously, some of the companies who were targets or victims of the previous series of breaches (which, again, may not be connected to the Epsilon incident) have been working with law enforcement.

The Australian Communications and Media Authority and Australian Privacy Commissioner are aware of the attack, having been alerted to it by Dell Australia, whose data was stolen. The breach may prompt an investigation by the UK Information Commissioner's Office, Connecticut Attorney General George Jepsen and Consumer Protection Commissioner William Rubenstein are investigating, and have written a letter to Attorney General of the United States asking him to investigate. Leaders of the House Energy and Commerce panel in the United States have written to the CEO of Alliance Data, Epsilon’s parent company, asking for more details on how many customers were affected and how the breach occurred.

You could try to sue someone: the company holding your data, or Epsilon, or both. There may be class action lawsuits coming out of this, as well as lawsuits by Epsilon’s client companies. If you do file with a class-action, you should not expect a large financial settlement, as these are generally quite small.

CAUCE suggests that if you live in a relevant jurisdiction, you can file a complaint with the local authorities about the breach:

Australia (Australian Communications and Media Authority)
Australia (Privacy Commissioner)
Canada (Office of the Privacy Commissioner of Canada)
United States (Federal Trade Commission)
United Kingdom (Information Commissioner's Office)

If you have incurred a financial loss as a result of any phishing attack, or see suspicious activity on your bank account, contact your financial institution to alert them and report your credit card stolen immediately. Then, call your local and federal police forces to file a complaint (the bank will not do this for you).

BACKGROUNDER

How was the hack accomplished?

Epsilon has not released details about the mechanics of the breach. If it is similar to the hacking attempts targeted at ESPs last year, the hackers may have used social engineering and spear-phishing techniques, leading to an employee mistakenly typing their username and password into a web page controlled by the hacker. However, at this time, we do not know what happened or whether there's any connection to the previous attacks.

Has Epsilon been hacked before?

Maybe. Epsilon has not publicly admitted to any previous attack, but their customer Walgreens has indicated that this is the second time they have lost data by way of Epsilon.

“After the incident last year, Walgreens requested that Epsilon put a number additional security measures in place. Apparently, that expectation was not fully met.” – Walgreen spokesperson, via databreaches.net

Is the Epsilon breach part of the previous series of attacks on the ESP industry?

These attacks appear to have begun as early as November 2009, the first victim being a company called aWeber.

Typically, the criminals would hack into an ESP by sending an employee an email that infected them with keylogger spyware, take over one of their client accounts, and send spam for fake Adobe or Skype software. More than a dozen different ESPs, including Epsilon, were targets or victims of these attacks in 2010.

It is impossible to say if this is the same as what happened to Epsilon more recently. Adobe or Skype spam was seen during previous breaches. This did not happen with the current breach with Walgreen or any other Epsilon customer.

This could have been the same group, using the same point of attack. It could have been a copycat using the same tactics, or an entirely different approach. We do not know, and there are too many variables for anyone to say they know definitively — though if Epsilon were to share what they know with the security community, it's likely that we could understand quite a bit more.

Did Epsilon have lax security?

We do not know what changes they made after their first breach, so it is impossible to say.

Were there things they could have done to improve security?

Obviously — they were hacked, after all. Epsilon will presumably address whatever let the hackers get into their systems this time, but any security professional will tell you that security is never perfect. What appears secure today may be exploited tomorrow.

There are many steps ESPs can take to much improve their security related to client lists and outbound email – we have listed them here

I heard that someone warned ESPs about breaches in November.

They did. Return Path provides services to ESPs, blogged about their own breach, and those at ESPs in November 2010. In fact, the ESP industry was becoming aware of this series of breaches all the way through 2010, as they were happening.

Security isn’t 100%? Why?

Software, and the way it interacts with various web applications is very complicated. Many sites do not, or cannot update all components that go into a web application, because to do so may break functionality on the site, or they are negligent. Home computers are pretty much the same. Microsoft, for example, issued 67 updates this past ‘Patch Tuesday’. Have you updated your computer?

Who is the real victim here?

You are. Epsilon suffered the initial attack. Their clients suffer as well, losing consumer trust. There may also be marketing or advertising agencies involved. But as far as CAUCE is concerned, the people who stand to suffer the most are the regular Internet users who trusted that the major brands whose products they enjoy would keep their email addresses and other personal information safe and secure. If these companies do not take immediate, public actions to prove that they deserve our trust, then they do not deserve our business.

Posted by Neil Schwartzman on 11 April 2011 in Canada, Frequently Asked Questions, Press Releases, United States, Warnings, World | Permalink | Comments (0)

08 April 2011

Was your Email lost by Epsilon? Change your Address!

So far, 67 companies have admitted to having lost your personal information (PII) as a result of the Epsilon breach, including at least 8 financial institutions (list here).

Epsilon, and their customers are issuing advice to end-users like you. They are telling you not to answer emails from strangers, and to not provide information in response to emails. They are telling you to:

Just hit delete.

That is, at best, bad advice. These stolen addresses will probably be used to send you phishing mail and attempts to install spyware, keyloggers and other malware on your computer: you will be at great risk of handing over even more information to the criminals behind these thefts.

CAUCE has a much safer alternative to protect yourself:

Change your address!

Your old address is ruined, and although changing is a hassle, Identity Theft and losses at your bank are a much bigger hassle. Changing is the only 100% guaranteed way you can avoid all the spam that is about to head your way.

Change all of your login accounts at various retailers and banks, and other services you use, update them all with the new address. Today is a good time to come up with some fresh passwords to use, too. Keep the old address account in case you forget your password somewhere, but you can ignore it, moving forward.

If you want to get fancy, you can ‘tag’ your new address. Security blogger Brian Krebs has information on how to do this here. No matter what, change your address as soon as possible. Consider it one of your 'To Dos" for the weekend.

Posted by Neil Schwartzman on 08 April 2011 in Canada, United States, Warnings, World | Permalink | Comments (0) | TrackBack (0)

06 April 2011

Why the Epsilon-Fukushima Analogy Was Apt

A few days ago, CAUCE published a blog post entitled “Epsilon Interactive breach the Fukushima of the Email Industry” on our site, and the always-excellent CircleID.

A small coterie of commenters was upset by the hyperbolic nature of the headline. Fair enough, an analogy usually has a high degree of probability that it will fail, and clearly, no one has died as a result of the release of what appears to be tens of millions of people’s names and email addresses.

But, the two situations are analogous in many other ways, and here’s why. When I wrote the piece, I had in mind an article I recently read at The Economist, ‘When the steam clears - The Fukushima crisis will slow the growth of nuclear power. Might it reverse it?’, which sums up the aftermath neatly.

“FEAR and uncertainty spread faster and farther than any nuclear fallout.” – The Economist

There has been tremendous initial effect across the email industry as a result of Epsilon-shima. That whooshing you may have heard last Saturday was the sound of a collective frightened intake of breath at major brands and ESPs. A security staffer noted he had slept very little over the weekend, as the news broke. The fact of the matter is, this happened to Epsilon, but it could just as easily have happened to any of their competitors, of which there are many hundreds.

Followers of the Twitter #epsilon hashtag, see that regular, everyday people are furious. They are furious that the trusted brands they do business with handed over their personal information to a 3rd party, they are furious that it was stolen due to lack security, and they want to know who the hell Epsilon is (CAUCE Director Dennis Dayman wrote about the need for transparency among emailers here). End-users are also beginning to blame every piece of spam they receive on Epsilon, even though, to date, there has been no verifiable reports that I have seen that the thieves have sent a single piece of spam out. End-users are gun-shy. Unfortunately, they’ll get over it, of course, and drop their guard, making them vulnerable to spear-phishing.

“There will certainly be more durable effects too. Years of cleanup will drag into decades” – The Economist

It’s true. Once lost, these email addresses will very likely be used as spear-phishing targets (remember, the criminals also have the proper names of victims, as well as a list of who they did business with, including their financial institutions). Once they have served that purpose, they will be sold to other spammers, who will send untargeted spam to them. While spam filters will likely take care of most of this problem, there will undoubtedly be financial loses and successful instances of Identity Theft as a direct result of the Epsilon breach. This is a mess that simply can’t be cleaned up by form letters downplaying the theft, assuring people the criminals ‘only’ stole the data they did.

Make no mistake about it, an email address is considered to be personal identifiable information in Canada and Europe, and for good reason, because quite simply it is private information. Canadian and European brands were affected by the Epsilon breach. While the United States lags far behind the rest of the world with regard to breach and privacy legislation, this thing is far from over from an investigative and legal standpoint.

(An ESP) “Looks dangerous, unpopular, expensive and risky. It is replaceable with relative ease and could be forgone with no huge structural shifts in the way the world works. So what would the world be like without it?” – The Economist

ESPs are simply out-sourced services that many companies use to maintain their customer database, and send email marketing campaigns, and sometimes-transactional email, to clients.

We know that Epsilon lost 50 companies’ client information. What if all 50 of those companies were doing their own email and database management? In practical terms, I could see that making things worse. Relying on relatively unskilled, or even incompetent IT and marketing departments at retailers to do email correctly from a technical and policy standpoint is a highly unlikely scenario. Mass emailing is quite complicated these days, with laws, technical requirements, and methodologies ever-changing. Better to centralize the adherence to industry standards in the hands of the experts. If ESPs magically disappeared, mass email marketing would be in a bigger mess that it is today.

Like Fukushima, there were plenty of preemptive rumbles that should have reasonably warned Epsilon and the other ESPs that something bad was coming. There had been at least a dozen breaches of ESPs in the last year, and database and site breaches are as ‘common as car crashes’ as British telecom Chief Security Officer Bruce Schneier said.

Akin to the Tokyo Electric Power Company, even in light of prescient safety reports, ESPs failed to react appropriately to secure their sites. Databases should be encrypted, industry-standard security technologies and policies deployed, and 2-factor authentication implemented to access private data, across the board, as quickly as humanly possible.

Sadly, none of these is a silver bullet that will make data 100% secure. There is no such thing as 100% security, but all holders of private information, including ESPs must be held accountable to the highest standards, and not continue to allow themselves to be dumb, low-hanging fruit for criminals.

ESPS … “won’t go away, but … must to some extent remain a sideshow, however spectacular it looks when (they go) wrong. – The Economist

Epsilon, and other members of the sending and ESP communities have a tremendous opportunity to change in front of them, to become competitively better than ever. Epsilon will likely recover from this debacle, but the next ESP breached in a similar manner? Their fate remains quite uncertain.

Posted by Neil Schwartzman on 06 April 2011 in Canada, Technology, United States, World | Permalink | Comments (0) | TrackBack (0)

04 April 2011

Epsilon Interactive breach the Fukushima of the Email Industry

Marketing as Usual? Not a chance. – Epsilon corporate catch phrase

A series of attacks on the Email Service Provider (ESP) community began in late 2009. The criminals spear-phish their way into these companies that provide out-sourced mailing infrastructure to their clients, who are companies of all types and sizes.

Upon gaining access to an ESP, the criminals then steal subscriber data (PII such as names, addresses, telephone numbers and email addresses, and in one case, Vehicle Identification Numbers). They then use ESPs’ mailing facility to send spam; to monetize their illicit acquisition, the criminals have spammed ads for fake Adobe Acrobat and Skype software.

On March 30, the Epsilon Interactive division of Alliance Data Marketing (ADS on NASDAQ) suffered a massive breach that upped the ante, substantially. Email lists of at least eight financial institutions were stolen.

Thus far, puzzlingly, Epsilon has refused to release the names of compromised clients. CAUCE has drawn the a list of from news reports (below)

The obvious issue at hand is the ability of the thieves to now undertake targeted spear-phishing problem as critically serious as it could possibly be.

What to do?

CAUCE is calling on the ESP industry and ISP and Email Receivers to implement these measures across the board, to protect the PII of end-users everywhere. What follows are best common practices that have existed for many years. It is time to take a stand against the data-thieves, and begin to properly protect end-users, without fail.

ESP & Senders

Security must be the top corporate priority. Both Silverpop and Epsilon Interactive were either breached repeatedly, or failed to fully mitigate their initial security lapse in December. I was told by one ESP security staffer that he hadn’t been given sufficient resources to affect all the appropriate changes. That is at best lamentable.

Two-factor authentication must be implemented for ESP system access for both staff and clients.

Senders and ESPs must sign all email with DKIM, and authenticate all mailing IPs with SPF.

ESPs must check all outbound content against domain blacklists such as SURBL and the Spamhaus DBL before deployment.

ESPs must deploy extended-validation certificates on web properties.

ESPs and senders must rigourously adhere to the MAAWG Senders’ BCP

ESPs and brand owners should use the services of email authentication services such as Authentication Metrics, eCert, Return Path, and Truedomain, as well as anti-phishing services like BrandProtect, Internet Identity and tools such as Lashback’s BrandAlert

ESPs must adopt and embrace a culture of transparency and commit to cooperative full disclosure

“Epsilon has refused to provide additional details on what other brands may have been affected.” – Security Week

“SilverPop did not respond to requests for comment” – Krebs on Security

While it is the instinctive corporate reaction to be secretive, such a strategy exacerbates the frustration of the other set of victims of data-theft, namely the end-users. A complete list of breached clients is fundamental to protecting end-users, and allowing them to protect themselves.

Receiving Systems

We need desperate measure for desperate times, CAUCE calls upon the receiving community to better their protection of end-users.

Email receivers must follow Yahoo! Mail’s lead and deploy multi-layer phishing protection.

Email receivers must deploy DKIM and SPF checking, and treat messaging failing such checks accordingly by labeling the subject line, placing it in a spam folder, or blocking it entirely.

Email receivers must deploy checks using URI blacklists like SURBL and Spamhaus on message headers and content domains.

Email receivers must take extreme measures, even if there are false positives. Better safe that sorry, and given the potential damage these breaches can cause to a recipient, far better that there are false positives (legitimate email refused or sidetracked to the bulk folder) than false negatives (illicit email delivered to the inbox).

The list of breached companies

Posted by Neil Schwartzman on 04 April 2011 in Canada, Frequently Asked Questions, Technology, United States, Warnings, World | Permalink | Comments (0) | TrackBack (0)

03 April 2011

Impenetrable Processes and Fool's Gold at ICANN

A couple of weeks ago, I attended part of the ICANN meeting in San Francisco. I've been watching ICANN and been peripherally aware of their issues since the organization began, but this was my first chance to attend a meeting.

What I learned is that ICANN is a crazy behemoth of a bureaucracy, steeped in impenetrable acronyms and processes that make it nearly impossible for someone new to get up to speed.

The best example of this is the recent approval of the .XXX top-level domain. There are already top-level domains for specific types of companies or organizations: .MUSEUM for museums, .COOP for co-ops. None of them have been very successful — there are only a few hundred museums in .MUSEUM and 6000 co-ops in .COOP — but they've been mostly harmless. So okay, the adult entertainment industry wants a top-level domain, why not let them have it?

The problem is, the adult entertainment industry doesn't want this top-level domain. As far as I can tell, the only people who want it are the registry who will start selling .XXX domains and a few countries (such as India) who plan to block those domains. The registry wants it because they know that legitimate adult sites will be forced to register domains in .XXX to avoid trademark dilution. For example, even if they already have example.com, example.org, example.net, example.biz, and example.info, they'll now have to register example.xxx just to make sure nobody else does – and to make sure users aren't confused or scammed. Famous brands will have to register for trademark protection, too: they've mentioned disney.xxx.

When CAUCE Executive Director Neil Schwartzman asked on one of the ICANN mailing lists why .XXX was going to be approved even though the community that supposedly wants it didn't want it, an ICANN insider (a former Board member) replied that they'd had their chance to object, and didn't. That "chance" wasn't anything that got any press, though — it was a "Report of Possible Process Options" published somewhere deep within icann.org after ten years of false starts. In ICANN's insular world, it's everyone else's job to pay attention and keep ICANN from screwing up.

The bigger controversy at the meeting, however, was the disagreement between the Government Advisory Committee (GAC) and the ICANN Board. At its heart, the issue is that the ICANN Board would like to be free of government oversight (they've said so), while the governments of the world don't want anything to be entirely outside of their control. Much of the hubbub is built upon overblown fears that the governments want to control absolutely everything (admittedly, some do.)

But most of what the GAC wants doesn't get into that scary territory. They want to make sure that trademark laws apply fairly. They want law enforcement to be able, through due process of law, to find out who registered a domain name — a position we've consistently supported. And they want ICANN to have some oversight, because there are a lot of people complaining.

I don't know what's going to happen. ICANN says the long delayed new TLD process is almost done (although they've said it before), and they'll open things up for all sorts of new top-level domain names this summer. There's already a gold rush mentality as potential registries realize how much money they think they can make. But when you look at .COOP, .MUSEUM, .AERO, .MOBI, and others...they're hardly ever used. Even when they are used, there's an accompanying .COM or .ORG or country-code domain. As CAUCE President John Levine put it, the new TLD experiment is a failure. Nonetheless, there appear to be hundreds of applicants willing to put down the $185,000 application fee for a new domain, all of whom presumably think they can get enough registrations, somehow, to make it worth their while — which does not suggest they'll be particularly picky about who can register, nor that they will have the resources to make registrants follow whatever each TLD's rules are supposed to be.

And it doesn't even matter, because most users don't navigate by domain names anymore. They use Google search, and click on the first result. Today the #5 "hot" search on Google is "youtube video", obviously from users who don't know (or don't care) to type youtube.com into their address bar. But there's also danger here: any time a scammer manages to SEO their site into the top position in Google or another search engine, users who aren't paying close attention will find themselves on the wrong site: bankofwherever.scam when they wanted bankofwherever.com. So, again, legitimate brands will find themselves forced to register in each new TLD even though there's no real benefit to them or their users.

It's pointless and insecure for users, it's annoying and expensive for brands...all this new TLD craziness is a gold rush in a world that doesn't even want gold. ICANN doesn't care, and those of us who do care are effectively locked out of the process. Even regular participants are often shut out. Something, clearly, has to change...but what?

Posted by J.D. Falk on 03 April 2011 in Warnings, World | Permalink | Comments (1) | TrackBack (0)