Epsilon Breach Used Four-month-old Attack

schliz writes "Marketing giant Epsilon knew that it was vulnerable to an attack for 'some months' before suffering a high-profile breach last week. According to Epsilon's technology partner ReturnPath, the breach was part of a series of socially engineered attacks discovered in November."

Re:Good News / Bad News

[elrous0]

A got a bunch of those too. Some of them asked me to click on links and give them my username and password too, so they could scan my system and make sure I was okay. I did this immediately of course, as I value my personal security greatly.

On an related note, has anyone else noticed that Bank of America has relocated to Russia? Kind of ironic, don't you think? And they really needed to do better proofreading on their website.

Re:Good News / Bad News

[Toe, The]

Beloved,

It is welcome that you took this forward action to pervert critical contanimation of your most personal datas by submitting to computerscan with fantastic quick.

Please be noted that Bank of Armerca is not changed to Russia. Is only important and extremely trusted vender who is making home inside of beautiful Mother Russia. This vender is to be deeply trusted by you very much and often. Examine the emails addressing on this emails and be aware that it comes from Bank of Armerca. Also to see the Bank of Armerca logo is on this emails, so you know it is very trust.

Greetings,

Ivan Petrovitch
Bank of Armerca President
snerksky772@hotmail.com

Stupid

[The Grim Reefer2]

Why aren't there more laws to fine the hell out of companies like this when they are grossly negligent. This is their business, they should know better.

Re:Stupid

[fuzzyfuzzyfungus]

Arguably, their management team should be given a life-sentence of manually deleting penis-pill spam using the 'Incredimail' [incredimail-corp.com] client on a virus-riddled WinME box with inadequate RAM and AOL dialup.

The rest of the company can be sold for scrap, and their mailing lists tossed into the nearest smelter.

Re:

[truk138]

You sir have inspired me. perchance you have a news letter ?

It was your fault, after all

[Toe, The]

The letters from Chase and Citi, both say effectively: "your data was stolen, here's what you should do to protect your data." They then go into a litany of minor data hygiene practices, failing to point out they themselves did not vet their vendor's security practices. There is no claim of culpability for bad security policy nor any indication that they will try to do better in the future. In other words, no reason why you should trust them with your data (and this response is sadly commonplace).

Re:

[mlts]

I'm sure none of their minor data hygiene practices have stuff that really matters too:

If one has Chase, Citi, or a bank that is affected, change the E-mail address to one, preferably something just opened on a non-free domain, like me.com. This way, if the bank does send an official notification, it definitely will be correct, while the phishers will continue to send to the last address.

Well, this is until someone gets haxxored again and the new E-mail address gets compromised. I doubt there will be more

Re:

[sjames]

Oh, they'll put plenty of effort into making sure news of any future breaches stays quiet.

Re:

[slashdottedjoe]

Why not have law enforcement work harder on these crimes than drug enforcement?

Re:

[Locke2005]

You can have much more fun parties with confiscated drugs than you can with confiscated emails lists. Seriously, when was the last time you heard anyone say, "Cops always have the best lists of spamable email addresses!"

Re:

[jhigh]

If I only had mod points... Well played, sir.

Re:Stupid

[WrongSizeGlass]

Why aren't there more laws to fine the hell out of companies like this when they are grossly negligent. This is their business, they should know better.

I'm guessing that there aren't more laws because legislators don't know shit about data & security so when they try to enact laws about these things they miss the mark by being too lax, too broadly defined or they just don't get it at all. Massachusetts seems to get it [wikipedia.org] and recently handed down their first penalties [slashdot.org].

Proving once again

[jayhawk88]

That users are children. They lie, they don't listen, they ignore your advice, they actively look for ways to get around the measures you put in place for their benefit, and at the end of the day, when the users have done something galactically stupid, IT'S ALL YOUR FAULT!

Your users are children. Treat them as such.

Re:

[piripiri]

I wish I had a mod point left.

Re:Proving once again

[gstoddart]

That users are children. They lie, they don't listen, they ignore your advice, they actively look for ways to get around the measures you put in place for their benefit, and at the end of the day, when the users have done something galactically stupid, IT'S ALL YOUR FAULT!

And, since they're storing other people's data (some of mine for example) they have a responsibility to make sure they're actually taking steps to protect it.

So, I say don't treat them like children ... I say treat them like adults who are expected to know better, and make sure they have consequences, because they've been entrusted with this stuff. Don't coddle them and say "mustn't touch", this is serious stuff.

I must say, I'm somewhat annoyed at the companies I dealt with who farmed out this stuff. But I figure if your industry is doing this stuff, you should be held to a standard similar to my banking information ... if you lose track of it, or allow a breach, there should be significant (and increasing) fines for something like this.

There are now several companies I have a business relationship from whom I will have to largely distrust emails until I can bypass any links in the email and verify ... some of these companies have had over $10K in business from me in the last year. They're going to have to work awful hard to repair my trust.

Re:

[ThatsNotPudding]

Your users are children. Treat them as such.

This is why IT guys are so universally loved and respected.

Re:

[jayhawk88]

You know what though? It's time to stop letting user get a free pass with crap like this. They've been told. Don't follow unknown links you get in emails. Don't reply to emails asking for sensitive information. Don't give the dude who cold-called you your password. But they still keep doing this crap.

If someone calls me up out of the blue and wants to know the schedules for building security, and the locations of all the security camera's, and I give it to them, I'm responsible. If someone backs a truck up

Vulnerable

[haystor]

Epsilon has always been vulnerable to attack by some smaller value of x.

Re:

[thsths]

Let epsilon be zero.

Attacked by a four-month-old?

[Anonymous Coward]

Are YOU afraid of a baby?

More Apologies

[coinreturn]

Every day since this story broke, I get yet another apology letter or two from another major company.

Re:

[Tolvor]

Solution: configure your email server to scrub all active content in emails.
The original article states that there wasn't any active content in the email. The email was just a social engineering ploy to cause a person to go to an innocent looking but actually malware loaded web page. The email that the person in Epsilon received mentioned a forgotten friendship and recent wedding. Everyone has forgotten past friends, and wedding photos can be nice to look at. Certainly an employee would not worry about viol

Re:

[Locke2005]

In Windows XP, you have to give everybody Admin privileges, otherwise they can't install _anything_ themselves. In Windows 7 (and presumably Vista as well), it will prompt for the Admin password every time you try to install, so you don't have to run all the time with Admin privilege. But that's still no protection against social engineering; if you give users the ability to modify their own machines, they will be able to install malware.

Re:

[klubar]

I disagree about giving administrative prvileges...why would a user ever need to install anything on their machine? There should be a standard build that is locked down very tightly that is deployed to every desktop. Group policies should prevent/log all users actions. In general, intstalling an application should be a firing offense. This is pretty much security 101.

Re:

[Locke2005]

Generally that's true. But as an engineer, I'm required to install drivers for the software I'm writing all the time, and calling IT to type in a password every time I get new hardware to support is kind of a pain.

Re:

[klubar]

True... I was mostly referring to average office employees... Recently I needed to do some work on rebuilding a Mac and felt the same way... intrusive pop-ups asking for a password all the time. (The same might be true for linux--everything needs a sudo or just run as su.).

The recommendation for developers & engineers is that they be on a completely separate network that is isolated from live data. And they probably should be getting emails on the development machines (nor clicking on wedding web sit

Textbook example of how not to run an IT business

[billrp]

Employee clicks a phishing link in an email - that site is not filtered by their firewall
The site requests and the employee allows downloads of executables - improper employee training and exes not filtered by firewall
Employee allows exes to run - no exe blocking installed in the employee's PC
Uploads of clear email lists - stored lists should be encrypted, and also no firewall monitoring/blocking of file transfers

It's an education probleml

[Locke2005]

Which engineering schools are now offering degrees in Social Engineering? Can I go back to school and get my MSSE?

Re:

[Tolvor]

Actually, there is a couple of degrees for that...

One is majoring in Political Science ("I do not do this for me, nor for my community, but because it the right thing to do for our CHILDREN.")

The other is getting a degree in law (any specialty) ("Is it true that you still beat your wife?")

I work for...

[holmedog]

A direct competitor for Epsilon and I can say that everyone in our business (Epsilon included) has security measures in place to stop these kinds of things. Problem is, everyone at these types of companies are people. We might have millions invested in keeping data safe, but when you pay someone $10/hr to flip tapes in the data warehouse, you're still taking a risk that person might be doing something stupid in the interim. The simple fact is, data warehousing happens because it is cost efficient for companies to pay us to do it. That cost savings is seen by the consumer in the rates being knocked down for services. Why do you think you can get insurance so cheap? (well, here goes my karma...)

Re:

[holmedog]

Because it isn't exactly hard to sit on your ass all day and occasionally walk over to a tape deck, pull one out, and put a new one in. Not exactly a job that requires a ton of college education. And, as we all know, you pay for the work that's done, not the security that is expected of the worker.

Re:

[holmedog]

Why build a robot for a ton of money, have someone to program and run the robot, pay for upkeep on the robot, etc when you could just pay some college student $10 to play on his PSP until a tape needs flipped? It's a matter of money. And, just a poor example at any rate. These people who were socially engineered were probably people at the help line, who's job is a bit more complex than flipping tapes. They still aren't exactly the highest hitters in the workpool, but they are given the ability to reset

Re:

[rmstar]

So they blow millions on a fence and then pay the guys who make copies of the gate key minimum wage? Why build the fence in the first place?

What normally happens in companies is that the people that do the hiring ("Human Resources") might not even understand what the companies actually do. So yes, they end up hiring someone for 10$ an hour and feel great because they have saved the company money. That it is stupid is something lost on them.

It seems that it is even lost on the guys working on the product.