E-mail in the Wake of the “Epsilon Valdez”

Much has been written recently about the ongoing attacks on E-mail Service Providers and their clients by criminals looking to steal lists of e-mail addresses, and to use their infrastructure to send malware-laden spam. While reports of the attacks have appeared in mainstream media only within the last few weeks, attempts to breach ESP customer accounts and the systems of the ESPs themselves have been ongoing since late 2009. The attacks are only now coming to the attention of the general public because of one recent, high-visibility data spill.

On March 30th, email service provider Epsilon, with its roster of A-list clients, had its systems compromised. Lists belonging to at least 112 Epsilon customers were stolen – clients that include household names, like American Express, Citi, Sears, BestBuy, Disney, Marriott Rewards, Target, Verizon and others – and the list continues to grow as the affected companies send notifications to their own subscribers. Epsilon itself has not produced a list of compromised customers.

It does not appear that the thieves acquired any personally identifiable information beyond that which Epsilon’s customers might use to send e-mail, but that doesn’t mean the information they stole is without value. The thieves could conceivably use the information to send carefully disguised e-mail designed to look like it came from the compromised brands in an effort to fool recipients into exposing account numbers or log-in credentials at fake web sites, or load a trojan or other dangerous malware. I’ve seen no confirmed reports of messages like these that can be connected directly to the breach, but some analysts assert it’s only a matter of time.

What makes this breach particularly scary is that the attackers appear to have been targeting employees of ESPs specifically, in an attempt to get the kind of access they obtained to Epsilon’s systems. This is different from most of the other ESP data breaches we’ve seen in the past (and from another breach since). In the majority of those instances, attackers obtained log-in credentials for individual ESP accounts directly from the account holders’ compromised computers.

No security scheme is 100% bulletproof, but there are steps ESPs and their customers can take to make themselves harder targets. My employer, Real Magnet, has implemented two-factor authentication on all administrative access for associates and contractors. Even if an attacker managed to download all user names and passwords from a Real Magnet employee’s computer, they still wouldn’t have what they need to log in to our systems. They’d be missing the second required “factor,” or credential, needed to obtain access.

At the beginning of the year, we also implemented stronger password requirements for new customers, and we’re rolling out those requirements to existing customers in stages. This will certainly help keep attackers from guessing and “brute forcing” passwords, but even the strongest password is useless if it’s copied from the owner’s computer. I use and recommend a password vault that generates and stores strong, random passwords. Some give you the option of encrypting all of your passwords on your hard drive; others let you store them on a hosted application instead of on your computer – either way, passwords are much, much harder to copy if your machine is compromised or stolen.

ESP data leaks are a lot more common than one would assume, given the amount of play the Epsilon breach is getting in the press. What makes this instance remarkable (besides all the coverage) is the ubiquity of the brands impacted, and that the attackers appear to have been armed with the names and e-mail addresses of ESP employees. Breaches like these will continue to happen until ESPs and their customers step up their defenses – and even that’s probably not going to be quite enough.

Postscript: John Levine has written an outstanding analysis of what the industry needs to do to protect itself. And Steve Atkins at Word to the Wise has a very useful rundown on what two-factor authentication means – and doesn’t mean – in a broader security implementation strategy.
