Fallout from the Epsilon Security Breach

As many people know from reading the news over the last month, Epsilon, a permission-based email marketing provider, suffered a major security breach. Their clients’ customer data was exposed as a result of an unauthorized entry into Epsilon’s email system. Their customers include big brand names such as Target, Red Roof Inn, Best Buy, Chase, Marriott and Brookstone.


6 May 2011

It’s safe to assume the people that launched this attack on Epsilon are no script kiddies that accidentally hit the jackpot. The recent breaches at Epsilon as well as RSA have proven that there are individuals or groups out there that are willing to commit significant resources to hacking and anticipate a decent return on their investment. The Epsilon breach is essentially part of a criminal business model that simplifies the attackers’ task in crafting e-mails targeted to specific people. Sadly, we can only expect that these so-called spear-phishing attempts will soar.

Following the breach, most Epsilon clients sent numerous notification emails to their customers (that’s us, common folks) advising what to be aware of in the new post-hack world. The intentions are noble and all of the companies included some very good advice in their letters, e.g., “we will never ask you for passwords or credit card numbers via e-mail, so don’t provide them”, “ignore e-mails threatening to close your account”, etc.

However, I’m concerned that the base assumption most companies make about how to distinguish normal from dangerous e-mail is potentially flawed and could help would-be attackers. Almost all of the senders included an adage of “do not trust e-mails from unknown parties” at the end of their e-mails. The statement implies that there is such a thing as a ‘known party’ sending you e-mails, which can be misleading because return addresses cannot be trusted. One useful piece of information to take from this situation is that all senders of e-mails are unknown. There is no reliable way of determining where an e-mail comes from. One could examine the headers to trace the path and see where it really comes from, but it is impractical to do so for every single e-mail that one receives.
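To make the point about return addresses concrete, here is an added example (not from the original post) that walks the Received headers of a constructed message the way a mail administrator would, and compares the first relay against the domain claimed in From. All hostnames, addresses and the message itself are made-up placeholders.

```python
"""Added example: the From header is whatever the sender typed; the
Received chain is what the relays recorded. Sample message and hosts
below are constructed placeholders, not real infrastructure."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample: From claims a brand, but the bottom-most Received
# header (added by the originating relay) names an unrelated host.
SAMPLE = """Received: from mx.example-brand.test (mx.example-brand.test [192.0.2.10])
\tby inbound.recipient.test with ESMTP; Thu, 5 May 2011 10:00:03 -0000
Received: from relay.unrelated-host.test (relay.unrelated-host.test [198.51.100.7])
\tby mx.example-brand.test with ESMTP; Thu, 5 May 2011 10:00:01 -0000
From: "Example Brand Rewards" <rewards@example-brand.test>
To: customer@recipient.test
Subject: Your account update has arrived

Please log in to review your account.
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)", re.IGNORECASE)

def received_chain(raw):
    """Return the relay hostnames oldest-first. Mail agents prepend
    Received headers, so the last one in the message is the first hop."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(hdr.split()))   # unfold the header
        hops.append(m.group(1).lower() if m else "unknown")
    return hops

def from_domain(raw):
    """Domain part of the (unverified) From address."""
    _, addr = parseaddr(message_from_string(raw)["From"])
    return addr.rsplit("@", 1)[-1].lower()

def origin_matches_from(raw):
    """True only if the first relay sits in the From domain. False is a
    reason for suspicion, not proof of forgery: legitimate bulk mail is
    often sent through third-party providers, which is exactly why the
    From line alone cannot be trusted."""
    hops = received_chain(raw)
    return bool(hops) and hops[0].endswith(from_domain(raw))

if __name__ == "__main__":
    print("From domain:", from_domain(SAMPLE))
    print("Path:", " -> ".join(received_chain(SAMPLE)))
    print("First hop in From domain:", origin_matches_from(SAMPLE))
```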

So, should we stop using e-mail completely to avoid the potential threats? Putting aside the impracticalities that would come with taking that step, consider that regular mail is based on the same kind of honor system. We have trusted for decades that the name on an envelope is genuine. We can, therefore, safely ignore the hype and bad advice and apply common-sense strategies when dealing with the digital world.

My advice is to adhere to the following steps:

  • Never use business e-mail accounts for communications that are unrelated to work
  • Use a ‘decoy’ e-mail account for relatively unimportant web sites that you subscribe to, e.g., news services, loyalty programs, etc.
  • Don’t stay logged into websites you are not using, e.g., social networking sites
  • Always view unsolicited e-mails on personal accounts as suspect
  • Never open notification e-mails from social networking sites or any other site, for that matter. Just go to the site directly when you receive a notification that ‘account updates have arrived’ or ‘so and so has a message for you’
  • Don’t ever open the ‘have you seen this?’ type of messages

Following these points will hopefully enable you to avoid being victimized by a hacker.



Mushegh Hakhinian

Mushegh Hakhinian represents Intralinks at the Cloud Security Alliance SME Council, is a certified information systems security professional, and is a frequent contributor to industry publications. Prior to joining Intralinks, Mr. Hakhinian led security functions at a multi-tenant online banking service provider and an international bank.